
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016

In a follow-up to the duo’s offensive-focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors, with a focus on preventative steps. The team presents their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items are demonstrated:
- AWS Hardening
- AWS Monitoring
- AWS Disaster Recovery
- GitHub Monitoring
- OPINT
- Software Development Practices/Processes
- Secure use of Jenkins/Hudson
- Developer laptop hardening (OS X)

DevOops, Redux
Chris Gates, Ken Johnson
AppSec USA 2016
Background: KJ
• I’m NOT Kevin Johnson
Background: KJ
• I’m NOT Ken Bone
Background: KJ
• I AM Ken Johnson
• CTO of nVisium - @cktricky
• Former US Navy
• Topics I’ve talked about:
– Rails Security (Railsgoat)
– Building an AppSec Program
– DevOops: Common Flaws in DevOps Tooling
– Exploitation of Web Applications
Background: KJ
• I run engineering (product)
• I work for a security company
• I have some concerns...same as you
Background: CG
• Chris Gates, Sr. Security Engineer - Uber
• Former Army
• Topics I’ve talked about:
– Breaking into Oracle, Windows, lots of stuff
– Phishing
– Low to Pwned
– Purple Teaming
– DevOops – Common Flaws in DevOps Tooling
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016

  • 1. DevOops, Redux Chris Gates, Ken Johnson AppSec USA 2016
  • 2. Background: KJ • I’m NOT Kevin Johnson
  • 4. Background: KJ •I AM Ken Johnson •CTO of nVisium - @cktricky •Former US Navy •Topics I’ve talked about: – Rails Security (Railsgoat) – Building an AppSec Program – DevOops: Common Flaws in DevOps Tooling – Exploitation of Web Applications
  • 5. Background: KJ • I run engineering (product) • I work for a security company • I have some concerns...same as you
  • 6. Background: CG • Chris Gates, Sr. Security Engineer - Uber • Former Army • Topics I’ve talked about: – Breaking into Oracle, Windows, lots of stuff – Phishing – Low to Pwned – Purple Teaming – DevOops – Common Flaws in DevOps Tooling
  • 7. Background: CG • Was a full time breaker • Now full-ish time fixer • Currently doing Blue Team stuff - <3 Python + REST APIs - Astonished at # of ppl who can’t Internet
  • 8. About This Talk • Original talk DevOops was about breaking stuff • We were asked about “Proactive” measures in DevOps/Agile/CI-CD environments – Quick Story • We made a solution focused model based on “Common” architecture and needs
  • 9. Before We Begin • Buckle up, lots of info coming your way • Q&A will be reserved for hallway discussions • Slides will have all the resources you need and will be available • Sections are broken up between Human, Host, and Infrastructure
  • 10. Employee Intelligence (Human) Making it difficult (for employees) to allow attackers to walk into our environment
  • 11. Monitoring External Services • Numerous ways for employees to accidentally release data –Pastebin-like sites –GitHub •Gists •Code • Examples: –Slack tokens in GitHub –AWS configs in .dotfiles backups –Tokens in logs/dumps/snippets
  • 12. Monitoring GitHub • How you could tackle the problem: –Use GitLab (internal) –Use gitolite (internal) –Use GitHub Enterprise (internal) –Use Phabricator (internal)
  • 13. Monitoring GitHub • But you won’t, you’ll set up a private GitHub for your org like everyone else. – Now you need to monitor when people post your private stuff on their personal repo – It happens. A lot.
  • 14. Monitoring GitHub • How you could tackle the problem: –Have employees join your GitHub organization –Regularly crawl the list of members –Check out all their repos –Run regex against all files looking for known badness
  • 19. AWS Access Keys Example
  • 20. AWS Access Keys Example
  • 21. AWS Access Keys Example
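The "run regex against all files" step from slide 14, with the AWS access key and Slack token cases from the preceding slides, as an added example in Python; it is not the tooling the speakers used, and the patterns, file-tree walker and the sample dotfile are constructed for this illustration (the AWS values are Amazon's documented placeholder keys).

```python
"""Added example: regex sweep over a checked-out employee repo for leaked secrets.

Not the speakers' tooling; patterns and the sample file are constructed here.
Run it over every repo of every member of your GitHub org (slide 14).
"""
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path lineno rule snippet")

# Token formats as publicly documented around 2016; treat as assumptions and
# tune them for your environment.
RULES = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 upper/digit
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # a 40-character secret next to an aws_secret_access_key label
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})"),
    # Slack bot/user/app tokens of the xox[abpr]- form
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    # PEM private key headers committed whole
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

SKIP_DIRS = {".git", "node_modules", "vendor"}
MAX_BYTES = 1_000_000  # skip large blobs/binaries


def scan_text(path, text):
    """One Finding per (line, rule) hit; the snippet is cut short so the
    report does not become a second copy of the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()[:24] + "..."))
    return findings


def scan_tree(root):
    """Walk a checked-out repo and scan every readable text file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(path, fh.read()))
    return findings


# Constructed sample mimicking a leaked ~/.aws/credentials backup plus a Slack
# token; the AWS values are Amazon's documented placeholders, not live keys.
SAMPLE_DOTFILE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export SLACK_TOKEN=xoxb-123456789012-abcdefghijklmnop
region = us-east-1
"""


def demo():
    return scan_text("dotfiles/aws-credentials.bak", SAMPLE_DOTFILE)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.lineno} {f.rule}: {f.snippet}")
```

Expect false positives on documentation and test fixtures; keep an allowlist of known placeholder values rather than loosening the patterns.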
  • 23. Monitoring Goals • DumpMon https://github.com/jordan-wright/dumpmon
  • 24. Monitoring Goals • For Pay Services
  • 25. Monitoring Goals • For Pay Services
  • 26. Monitoring Goals •For Pay Services - https://gitmonitor.com/
  • 27. Monitoring Goals GitMonitor - Some options they provide
  • 28. Workstation Protection (Host) Protecting and monitoring employees on their development workstations (and servers too)
  • 29. Host Protections Developer Laptop Hardening • osquery (OS X/Linux) • Doorman • BlockBlock • Little Snitch • CarbonBlack / Sysmon • Splunk • Simian
  • 30. Host Protections • osquery (https://osquery.io/) • “osquery is an operating system instrumentation framework for OS X, Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.” • “osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.”
  • 31. Host Protections osquery • Ad hoc • Scheduled • Schedule query • Collect logs • Review change • File Integrity Monitoring • Yara rules • Query packs
  • 34. Host Protections • Doorman (https://github.com/mwielgoszewski/doorman) • “Doorman is an osquery fleet manager that allows administrators to remotely manage the osquery configurations retrieved by nodes.”
  • 36. Host Protections • BlockBlock (https://objective-see.com/products/blockblock.html) • Kernel hook to identify any time software wants to persist • Prompt to allow or deny • “The kernel extension tracks process creations, which are consumed by the daemon, which also monitors various persistence locations to detect any new items. Specifically the daemon (currently) watches for new kexts, launch daemon & agents, and new login items via the fsevents device (/dev/fsevents).”
  • 38. Host Protections • Little Snitch (https://www.obdev.at/products/littlesnitch/index.html) • Host based firewall • Prompt to allow or deny and for how long • “Little Snitch intercepts these unwanted connection attempts, and lets you decide how to proceed.”
  • 40. Host Protections • CarbonBlack (https://www.carbonblack.com/) • Host based agent • Monitor process create, writes, registry queries, net connections • Create rules/watchlist for known bad behavior –Mimikatz-->company_name:*gentilkiwi* –FileVault Encryption Disabled -->process_name:fdesetup cmdline:disable –Unsigned JAR exec-->process_name:*.jar digsig_result: (digsig_result:"Unsigned") –OSX dump user hashes-->process_name:dscl cmdline:ShadowHashData
  • 43. Host Protections • Sysmon • https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf • https://jon.glass/tag/sysinternals/ • http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon • https://www.bsk-consulting.de/2015/03/21/detect-system-file-manipulations-with-sysinternals-sysmon/ • https://www.firemon.com/enhance-windows-anomaly-detection-sysmon/
  • 48. Host Protections OSX Patch Management - Simian • “Simian is an enterprise-class Mac OS X software deployment solution.” • Allows you to push munki updates • Free / OSS • Runs on google cloud • Project: https://github.com/google/simian
  • 49. Host Protections Why do we bring this up? • Some people aren’t aware you can perform free OSX patch management • There are a lot of OSX developer shops without an “enterprise budget” • Patch management is a no-brainer and security 101
  • 51. Host Protections Simian Consists of 2 parts: • Client – Private and Public SSL Keys used to authenticate – Configuration unique per OSX client • Web Application/Server – Runs on Google Cloud – Keep in mind it’s free but… not for long (eventually costs a little for storage) Takes about a week to learn and get set up
  • 52. Host Protections Web Application used to Manage Updates
  • 54. Host Protections Simian Recap: • Learning curve is moderately difficult IMO • Free-ish (eventually storage costs but still very minimal) • Useful for patch updates and monitoring client systems for low disk space, uptime, etc.
  • 55. Production Protection (Infra) Protecting and monitoring production environments (AWS)
  • 56. My AWS Goals • Harden – Make it difficult to reach your AWS environment • Monitor – If your AWS environment is breached, you need to know and alert yourselves • Restore – Have the ability to reconstruct data/configs after a “hack”
  • 57. AWS’s Plan • Took the AWS Security Fundamentals Course and… – Fortunately, our strategy lines up with AWS recommendations – You are responsible for leveraging the tools AWS provides (financially) – Your configuration… that is on you – https://aws.amazon.com/training/course-descriptions/security-fundamentals/
  • 58. AWS Hardening Basics Making it difficult (for attackers) to reach our environment
  • 59. Hardening Checklist 1. Don’t Use The Root Account! 2. Disable Access Keys for Root Account 3. Multi-Factor Authentication 4. API + MFA 5. Strong Password Policy
  • 60. Don’t Use Root Account • Every AWS env has a root account, only necessary to use for very specific circumstances • When these circumstances arise, notify your team that the account will be used • We will discuss why this is important when we talk about CloudWatch metrics
  • 61. Disable/Delete Root Account Access Keys • Just delete them if they exist – Disable the access keys in the event you are unable to delete them completely for some reason • Make sure your admins have a (verbal/written) policy that states “we don’t create access keys for the root account”
  • 62. MFA • If credentials are stolen or guessed, we want a second layer of protection • You can use apps or hardware to do this – Google Authenticator (Apps) – Gemalto (Hardware) • Find the full list of MFA devices here: https://aws.amazon.com/iam/details/mfa/ • This is so ridiculously easy to do, everyone should do it
  • 63. MFA See the published slide deck for step by step instructions
  • 64. MFA • At this point, it's worth mentioning that non-administrators or those without IAM privileges cannot enable MFA on their own account • Why is this a problem? Well, they need to be able to enable MFA on their own device… not the administrator’s • Fortunately, we have a solution!
  • 65. MFA
  • 66. MFA • Okay so that wasn’t the easiest to read, so here is the link: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-mfa-console • Basically this IAM policy allows a user to manage their *OWN* MFA device
  • 67. MFA (for Root Account) • Need a shared MFA for root? TOTP! • Recommend using something like 1password for teams, can share the TOTP code: https://support.1password.com/guides/mac/totp.html https://www.youtube.com/watch?v=eZyb-ArMK9g
  • 68. API + MFA • You have the ability to place a restriction where resources can only be interacted with if the user has authenticated with MFA • This helps prevent (ab)use should someone steal access keys or credentials
  • 69. API + MFA • This entry enforces MFA for Web/API • Do this for Admin & Power-User groups at a minimum
  • 70. API + MFA • Truth be told, doing this can be painful at first • Things that used to work, might not (via the API) • Fortunately, we have some answers for you • Firstly, let’s discuss STS or SecurityToken Service
  • 71. API + MFA • Leverage STS in order to interact with the AWS API should this MFA restriction be placed on resources (and it should ☺ ) • Example of using STS: https://gist.github.com/cktricky/127be4e431563a986f0f
  • 72. API + MFA Output of script
  • 73. API + MFA Use the creds to leverage tools like ec2-api-tools (-O <access key id>, -W <secret>, and -T <session token>)
  • 74. API + MFA And in case you don’t like Ruby… https://github.com/jimbrowne/aws-sts-helpers
  • 75. API + MFA • ElasticBeanstalk does not work with STS. Le Terrible. • However, there is a workaround, use CodePipeline • Very simple process to setup but only works with: – GitHub – AWS CodeCommit – Amazon S3
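The STS step from slides 70 to 73, together with the deny-unless-MFA policy entry from slide 69 that makes it necessary, as an added Python example (not the speakers' Ruby gist or the linked helpers). It assumes boto3's `get_session_token` interface; the `FakeSts` client, the MFA serial and every key value are constructed so it runs offline.

```python
"""Added example (not the slides' Ruby gist): MFA-backed STS session for API use,
plus the deny-unless-MFA condition that makes plain access keys stop working.
Assumes boto3's sts.get_session_token interface; FakeSts and all key values are
constructed so the script runs offline."""
import re

TOKEN_RE = re.compile(r"^\d{6}$")  # TOTP codes from the MFA app are six digits


def mfa_enforcing_statement():
    """Statement of the kind the slides attach to Admin/Power-User groups.
    BoolIfExists means 'also match when the key is absent', which is exactly
    the situation for requests signed with long-term access keys."""
    return {"Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}


def denied_by_mfa_statement(statement, request_context):
    """Evaluate the BoolIfExists condition the way IAM does."""
    for key, expected in statement["Condition"]["BoolIfExists"].items():
        actual = request_context.get(key)
        if actual is None or actual == expected:
            return True
    return False


def mfa_session_credentials(sts, mfa_serial, token_code, duration_seconds=3600):
    """Trade long-term keys + an MFA code for temporary credentials whose
    requests carry aws:MultiFactorAuthPresent=true. `sts` is anything with
    boto3's get_session_token; in real use pass boto3.client("sts")."""
    if not TOKEN_RE.match(token_code):
        raise ValueError("MFA token code must be six digits")
    resp = sts.get_session_token(SerialNumber=mfa_serial, TokenCode=token_code,
                                 DurationSeconds=duration_seconds)
    return resp["Credentials"]


def as_env(creds):
    """Variables the AWS CLI/SDKs read for a temporary session."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


def ec2_api_tools_args(creds):
    """The -O / -W / -T flags slide 73 names for ec2-api-tools."""
    return ["-O", creds["AccessKeyId"], "-W", creds["SecretAccessKey"],
            "-T", creds["SessionToken"]]


class FakeSts:
    """Constructed stand-in for boto3's STS client; records each call."""
    def __init__(self):
        self.calls = []

    def get_session_token(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {  # temporary key IDs start with ASIA; placeholders
            "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
            "SecretAccessKey": "constructedSecretKeyForExampleOnly000000",
            "SessionToken": "constructed.session.token",
            "Expiration": "2016-10-14T00:00:00Z"}}


if __name__ == "__main__":
    stmt = mfa_enforcing_statement()
    print("plain long-term keys denied:", denied_by_mfa_statement(stmt, {}))
    creds = mfa_session_credentials(FakeSts(), "arn:aws:iam::123456789012:mfa/alice", "123456")
    print("MFA session denied:",
          denied_by_mfa_statement(stmt, {"aws:MultiFactorAuthPresent": "true"}))
    print(" ".join(ec2_api_tools_args(creds)))
```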
  • 76. Password Policy • Password policies are important because historically people do not choose complex passwords • MFA should help, but we’re talking about a layered approach • Again, making our AWS environment harder to reach
  • 78. Hardening Recap • Make credentials hard to guess • If guessed or stolen, we still have MFA • Remember MFA only protects against the web and NOT the API… unless you change your policies and use STS • Root account is King, protect your King
  • 79. Hardening Recap • Things we did not (and won’t discuss) – S3 bucket policies – Security Group configurations – SSH Key Management – Encrypting Data (Volumes, S3 buckets) • Trusted Advisor – Use it, because it catches a lot of “low hanging fruit” style issues
  • 80. Hardening Recap • Links to resources that discuss the items we’re not covering: – https://d0.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf – http://aws-de-media.s3.amazonaws.com/images/Produktblaetter/AWS-Security-Check-List_eng.pdf – http://www.slideshare.net/AmazonWebServices/masterclass-advanced-security-best-practices • Frankly you can’t throw a rock without hitting some basic info regarding AWS Security Checklists
  • 82. AWS Monitoring • Assuming hardening (prevention) has failed, how would we know? • Luckily, AWS provides several services which alert to anomalies • We will walk through examples of using these services, but ultimately decide what is right for you • Fair warning, some of these services will provide a lot of noise
  • 83. AWS Monitoring 4 important services: • CloudTrail – Logs • SNS – Notifications • Config – Alerts for modifications & noncompliance • CloudWatch – Alerts for specific types of behavior
  • 87. AWS Monitoring (CloudTrail) • CloudTrail is primarily used for log collection • Other services like CloudWatch, for example, use those logs to filter relevant data
  • 88. AWS Monitoring (CloudTrail) Pretty easy, first turn it on…
  • 90. AWS Monitoring (CloudTrail) Allow the creation of an IAM role by CloudTrail
  • 91. AWS Monitoring (CloudTrail) • At this point you have cloudtrail enabled • Next step, BEFORE moving to CloudWatch or Config, is configuring SNS topics
  • 93. AWS Monitoring (SNS) • Fantastic offering, <3 it – Examples of ways to be notified by SNS • SMS • Email • JSON Post to your Application’s API endpoint
  • 94. AWS Monitoring (SNS) • Receive SMS/Email/Slack notifications for important events • ^ This is so you get immediate notifications • You can have multiple subscribers, I’d suggest you use that functionality • Basic gist? Receive immediate updates for things you want to see… immediately ☺
  • 97. AWS Monitoring (SNS) Create SMS (or whatever, but in this case, SMS)
  • 98. AWS Monitoring (SNS) Example of creating email subscription… bottom line you can have multiple ways of notifying people
  • 100. AWS Monitoring (Config) • Config: – AWS resource inventory, configuration history, and configuration change notifications – Can either design custom Config rules or use managed (pre-packaged) AWS Config rules – Discovery -Change Management – Compliance -Incident Response
  • 101. AWS Monitoring (Config) • Pre-packaged “Managed” AWS Rules – CLOUD_TRAIL_ENABLED – EIP_ATTACHED – ENCRYPTED_VOLUMES – INCOMING_SSH_DISABLED – INSTANCES_IN_VPC – REQUIRED_TAGS – RESTRICTED_INCOMING_TRAFFIC https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html
  • 102. AWS Monitoring (Config) • Examples of things you can have alerts set for: – Change in Firewall (Security Group) ports – Changes in VPC – Any change… at all
  • 103. AWS Monitoring (Config) Go to the Config service and choose resources to track
  • 104. AWS Monitoring (Config) Or choose to track everything
  • 105. AWS Monitoring (Config) Create a bucket, create an SNS topic (…we’ll discuss next)
  • 106. AWS Monitoring (Config) Allow the role to be created and you’re all set!
  • 108. AWS Monitoring (CloudWatch) • We can be very particular here about what it is we want to see • Some very interesting things you can monitor • Some examples: – Billing Alerts (Important for detection of abuse or mistakes) – Track Root Account Usage – Failed login attempts
  • 110. AWS Monitoring (CloudWatch - Billing) • Used to prevent abuse or mistakes from costing your organization money • Analyze and approximate your monthly spend • Configure via CloudWatch • Use SNS for instantaneous alerting
  • 111. AWS Monitoring (CloudWatch - Billing) Navigate to billing & cost management; enable billing alerts
  • 112. AWS Monitoring (CloudWatch - Billing) Create an SNS topic
  • 113. AWS Monitoring (CloudWatch - Billing) Subscribe to Topic
  • 114. AWS Monitoring (CloudWatch - Billing) Navigate to CloudWatch -> Metrics -> Billing
  • 115. AWS Monitoring (CloudWatch - Billing) Choose USD/Estimate Charges -> Create Alarm
  • 116. AWS Monitoring (CloudWatch - Billing) Set price point, SNS topic, and create alarm
  • 117. AWS Monitoring (CloudWatch - Billing) Exact steps to enable can be found here: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier-alarms.html
  • 119. AWS Monitoring (CloudWatch – Root Login) • Remember how I said don’t use the Root account routinely? • BUT… if this account is used, you should know about it • This is the reason you’ll want to notify others (who receive SNS alerts) of the fact you are about to use the account
  • 120. AWS Monitoring (CloudWatch – Root Login) Choose log group, create metric
  • 121. AWS Monitoring (CloudWatch – Root Login) Define Logs Metric Filter
  • 122. AWS Monitoring (CloudWatch – Root Login) Assign/Create Filter
  • 123. AWS Monitoring (CloudWatch – Root Login) Click “Create Alarm”
  • 124. AWS Monitoring (CloudWatch – Root Login) Define Alarm and you’re good…
  • 125. AWS Monitoring (CloudWatch – Root Login) Exact steps (with pics) exist here: https://blogs.aws.amazon.com/security/post/Tx3PSPQSN8374D/How-to-Receive-Notifications-When-Your-AWS-Account-s-Root-Access-Keys-Are-Used
  • 127. AWS Monitoring (CloudWatch – Failed Logins) • In the event someone is trying to break in, let’s alert ourselves to this! • Failed logins typically suggest either someone forgot their password or… someone is trying to guess yours
  • 128. AWS Monitoring (CloudWatch – Failed Logins) • In the interest of time… the steps are pretty much the same as the root login alarm • The Regex Filter however, is different
  • 129. AWS Monitoring (CloudWatch – Failed Logins) Relevant filter pattern
  • 130. AWS Monitoring (CloudWatch – Failed Logins) • Exact steps exist here: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-signin
  • 132. AWS Monitoring (Unauthorized Activity) • Remember the aws-interrogate tool? • This alarm is the antidote • Alerts us when someone is trying to access something in AWS, and does not have permissions
  • 133. AWS Monitoring (Unauthorized Activity) • Again, in the interest of time, steps are same as root login • Regex is of course, different
  • 134. AWS Monitoring (Unauthorized Activity) Set up regular expression
  • 135. AWS Monitoring (Unauthorized Activity) What happens when we run interrogate
  • 136. AWS Monitoring (Unauthorized Activity) The result of doing that is a nice nifty email to the engineering & security team
  • 137. AWS Monitoring (CloudWatch) – Filter Patterns • If you’d like to create your own custom filter patterns, here is a resource for that: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/FilterAndPatternSyntax.html
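The three CloudWatch alarms from slides 119 to 136 (root account use, failed console logins, unauthorized API calls) expressed as Python checks over CloudTrail events, as an added example rather than the speakers' screenshots. The match conditions are modelled on the AWS documentation the slides link (an assumption, since the filter images are not on the page); the sample log lines, the burst threshold and the placeholder access key are constructed.

```python
"""Added example (not the slides' screenshots): the talk's three CloudWatch
metric-filter detections, run in Python over constructed CloudTrail events.
Match conditions are modelled on the AWS docs the slides link (assumption)."""
import json
from collections import Counter, defaultdict


def is_root_activity(ev):
    # Root used directly, not an AWS service acting on its behalf
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def is_failed_console_login(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("errorMessage") == "Failed authentication")


def is_unauthorized_call(ev):
    # API call refused for lack of permission: what a key-probing tool leaves behind
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


DETECTIONS = {"root_activity": is_root_activity,
              "failed_console_login": is_failed_console_login,
              "unauthorized_call": is_unauthorized_call}

# Noise control (the talk warns these alerts get noisy): one denied call is a
# typo, a burst from the same access key is worth an SMS.  Constructed limit.
UNAUTHORIZED_BURST = 3


def scan_events(lines):
    """Return (hits per detection, access keys that exceeded the burst limit)."""
    counts, denied_per_key = Counter(), defaultdict(int)
    for line in lines:
        ev = json.loads(line)
        for name, check in DETECTIONS.items():
            if check(ev):
                counts[name] += 1
        if is_unauthorized_call(ev):
            denied_per_key[ev.get("userIdentity", {}).get("accessKeyId", "?")] += 1
    bursts = sorted(k for k, n in denied_per_key.items() if n >= UNAUTHORIZED_BURST)
    return counts, bursts


# Constructed sample log lines: a root console login, a failed IAM user login,
# three AccessDenied calls from one placeholder key, and a service-linked root
# event that must NOT count as root activity.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"}},
    *[{"eventType": "AwsApiCall", "eventName": n, "errorCode": "AccessDenied",
       "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                        "accessKeyId": "AKIAEXAMPLEPLACEHOLD"}}
      for n in ("ListUsers", "DescribeInstances", "ListBuckets")],
    {"eventType": "AwsServiceEvent", "eventName": "CreateServiceLinkedRole",
     "userIdentity": {"type": "Root", "invokedBy": "ecs.amazonaws.com"}},
]]


if __name__ == "__main__":
    hits, bursts = scan_events(SAMPLE_LINES)
    print(dict(hits), bursts)
```

In production the same predicates live as CloudWatch metric filters on the CloudTrail log group, with an alarm on each metric publishing to the SNS topic configured earlier.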
  • 139. AWS + Splunk • Splunk is a pretty great resource for monitoring activity – Two separate plugins: • Splunk App for AWS – https://splunkbase.splunk.com/app/1274/ • Splunk Add-On – https://splunkbase.splunk.com/app/1876/
  • 140. AWS + Splunk • Examples of things you can view: – Billing – Topology – Usage – IAM Activity – SSH Key Pair Activity – User Activity – Network ACL(s) – VPC Activity – and a lot more…
  • 144. AWS + Splunk • Splunk will need an AWS account in order to retrieve data • Create account(s) for Splunk, grab the necessary permission policy from here: http://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions
  • 145. AWS + Splunk Configure AWS App for Splunk, add account(s), configure each input accordingly:
  • 146. AWS + Splunk •To view things like IAM Activity… –Subscribe to a cloudtrail log via SNS –Utilize SQS and subscribe SQS to an SNS Topic
  • 147. Monitoring Recap • Alert yourself when things change • This will get noisy, find a way to filter that which is important – If it’s a high risk event, send an SMS/Slack/Email blast • At a minimum, alert yourself when odd things occur… like: – Billing increases past your normal spend – When somebody authenticates as Root – When someone has a login failure
  • 148. Monitoring Recap • Interesting Quora thread: – https://www.quora.com/My-AWS-account-was-hacked-and-I-have-a-50-000-bill-how-can-I-reduce-the-amount-I-need-to-pay • Highlights from the article: – AWS has “a review board of sorts” to determine if you should be refunded – Bots are scouring GitHub searching for exposed access keys – One of the more AWS-seasoned responders mentioned doing part of what we discussed here today to avoid it – A decent number of the people posting on this thread said “Yes, happened to me too”
  • 149. AWS Restoration & Recovery Plan to fail, just don’t fail to plan
  • 150. AWS Restoration & Recovery • Do not USE AWS TO BACKUP YOUR AWS • Offsite backups (meaning, off AWS site) • Common things to back-up: – Databases/Snapshots – S3 Buckets – EBS Volumes – CloudFormation Templates
  • 151. AWS Restoration & Recovery • Resources: – http://stackoverflow.com/questions/17087542/backup-solutions-for-aws-ec2-instances – https://github.com/Scalr/installer-ng – http://www.n2ws.com/blog/3-ways-ec2-windows-backup-and-recovery.html
  • 152. AWS Incident Response Plan to fail, just don’t fail to plan
  • 153. AWS Incident Response • Could be its own talk • Scout 2 -- https://github.com/nccgroup/Scout2 •Andrew Krug & Alex McCormack – Hardening AWS Environments and Automating Incident Response – https://www.youtube.com/watch?v=cmEUxxYFjK8