1. An Active Case Study on Insider Threat Detection in your Applications
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nathan Case
Detection techniques
They’re inside the walls
June, 2018
2. What to Expect from the Session
• Introduction
• Discussion of the services used
• The insider threat
• The crunchy outer shell defense!
• Auto remediation
3. They’re inside the walls!
4. AWS security solutions
Identity:
• AWS Identity & Access Management (IAM)
• AWS Organizations
• AWS Cognito
• AWS Directory Service
• AWS Single Sign-On
Detective control:
• AWS CloudTrail
• AWS Config
• Amazon CloudWatch
• Amazon GuardDuty
• VPC Flow Logs
Infrastructure security:
• Amazon EC2 Systems Manager
• AWS Shield
• AWS Web Application Firewall (WAF)
• Amazon Inspector
• Amazon Virtual Private Cloud (VPC)
Data protection:
• AWS Key Management Service (KMS)
• AWS CloudHSM
• Amazon Macie
• Certificate Manager
• Server Side Encryption
Incident response:
• AWS Config Rules
• AWS Lambda
5. AWS CloudTrail
Track user activity and API usage
What can you do?
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
6. AWS Config
Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting
Detective control
AWS Account Level Controls
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
• Know resource relationships and dependencies
7. Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
What can you do?
• Quickly find the threats (needle) to your environments in the sea of log data (haystack) so you can focus on hardening your AWS environments
• Analyze billions of events across your AWS accounts for signs of risk
• Monitor for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise
• Rapidly respond to malicious or suspicious behavior
8. VPC Flow Logs
Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs
What can you do?
• Monitor the traffic that is reaching your instances, and diagnose overly restrictive or overly permissive security group and network ACL rules
• Increase visibility into which sources talk to which of your network interfaces, on which ports, and whether each flow was accepted or rejected
• Discover and troubleshoot security and operational issues by keeping a history of the connections that reached your VPC, including rejected connections that no host ever logged
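Flow log records are plain space-separated lines, so the detection the deck is after (traffic that a workload's defined scope does not explain) can be written in a few dozen lines. The following is an added example, not code from the deck: a parser for the default version 2 record format and a check that flags accepted flows which fall outside a per-interface scope. The scope table, the interface IDs, the addresses and the sample records are all constructed; treating everything outside RFC 1918 space as "the Internet" is a simplification that holds only for a VPC built on private ranges.

```python
"""Flag VPC Flow Log records that fall outside a workload's defined network scope.
Offline: the scope and the records below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Hypothetical scope for a two-tier web / app / RDS environment: per network interface, its
# address, the ports it serves, whether Internet clients are expected, and the Internet ports
# it may reach out to.
SCOPE = {
    "eni-web0001": {"ip": "10.0.1.10", "ingress_ports": {80, 443}, "internet_ok": True, "egress_ports": {443}},
    "eni-app0001": {"ip": "10.0.2.10", "ingress_ports": {8080}, "internet_ok": False, "egress_ports": {443}},
    "eni-rds0001": {"ip": "10.0.3.10", "ingress_ports": {3306}, "internet_ok": False, "egress_ports": set()},
}

# Constructed records: normal HTTPS, RDP from the Internet, Internet reaching the app tier,
# normal DB traffic, app tier talking out on 3333, a rejected SSH probe, and a NODATA line.
SAMPLE_RECORDS = [
    "2 123456789012 eni-web0001 203.0.113.7 10.0.1.10 51234 443 6 12 3400 1529000000 1529000060 ACCEPT OK",
    "2 123456789012 eni-web0001 198.51.100.9 10.0.1.10 60000 3389 6 5 420 1529000000 1529000060 ACCEPT OK",
    "2 123456789012 eni-app0001 198.51.100.9 10.0.2.10 60001 8080 6 5 420 1529000000 1529000060 ACCEPT OK",
    "2 123456789012 eni-rds0001 10.0.2.10 10.0.3.10 40000 3306 6 50 9000 1529000000 1529000060 ACCEPT OK",
    "2 123456789012 eni-app0001 10.0.2.10 192.0.2.44 44444 3333 6 30 2000 1529000000 1529000060 ACCEPT OK",
    "2 123456789012 eni-web0001 198.51.100.9 10.0.1.10 60002 22 6 1 60 1529000000 1529000060 REJECT OK",
    "2 123456789012 eni-web0001 - - - - - - - 1529000000 1529000060 - NODATA",
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow_log(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record; NODATA / SKIPDATA lines carry no flow and yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                      int(rec["dstport"]), int(rec["protocol"]), rec["action"])


def is_internet(addr: str) -> bool:
    """Anything outside RFC 1918 space counts as the Internet (assumes a VPC on private ranges only)."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def find_out_of_scope(lines: List[str], scope: Dict[str, dict]) -> List[dict]:
    """Accepted flows the scope does not explain. Rejected flows were already stopped and are not reported."""
    findings = []
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec.action != "ACCEPT" or rec.interface_id not in scope:
            continue
        eni = scope[rec.interface_id]
        reason = None
        if rec.dstaddr == eni["ip"]:  # inbound to this interface
            if rec.dstport not in eni["ingress_ports"]:
                reason = "accepted ingress on a port outside the interface's scope"
            elif is_internet(rec.srcaddr) and not eni["internet_ok"]:
                reason = "accepted ingress from the Internet to an internal tier"
        elif rec.srcaddr == eni["ip"] and is_internet(rec.dstaddr):  # outbound to the Internet
            if rec.dstport not in eni["egress_ports"]:
                reason = "egress to the Internet on an unexpected port"
        if reason:
            findings.append({"interface_id": rec.interface_id, "src": rec.srcaddr, "dst": rec.dstaddr,
                             "dstport": rec.dstport, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_out_of_scope(SAMPLE_RECORDS, SCOPE):
        print(finding)
```

Run against the constructed records, the check reports the RDP session from the Internet, the Internet client that reached the app tier, and the app tier's outbound connection on port 3333; the rejected SSH probe is not reported because the security group already handled it, which is exactly the "watch for changes, not just actions" distinction: what matters is that something was accepted that the scope says should not have been.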
9. Amazon CloudWatch
Monitoring service for AWS cloud resources and the applications you run on AWS.
What can you do?
• Monitor resource utilization, operational performance, and overall demand patterns
• Collected metrics include CPU utilization, disk reads / writes, and network traffic
• Accessible via the AWS Management Console, web service APIs, or Command Line Tools
• Add custom metrics of your own
• Alarms (which tie into auto-scaling, SNS, SQS)
• Billing Alerts to ID unusual account activity
10. Rabbit Hole!
What Can You Detect Using AWS Services?
• Infrastructure: VPC resources, connectivity, on-instance, ...
• Service: IAM, S3 buckets, billing, ...
• Application: patching, coding holes, ...
• Other?
11. Humans and data don’t mix
12. So who is inside the walls, exactly…?
- All of the enterprise employees, consultants, contractors, and you… are the vector of breach for your systems.
- You are the threat to your systems.
13. So who is inside the walls, exactly…?
- For today, pretend that insider threat is handled by your team and that insider threat includes:
  - Bad actors
  - Actors acting outside their associated role
  - Actors doing something they should be doing, but to an incorrect resource
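Those three buckets map directly onto checks you can run over CloudTrail, the audit source named earlier in the deck. The following is an added example, not code from the deck: a per-role roster of expected API calls and resources, and a classifier that sorts each CloudTrail record into "bad actor", "outside role" or "wrong resource". The roster, the role names, the bucket and instance identifiers and the five records are constructed; treating calls that tamper with the trail itself (StopLogging and friends) as a bad-actor signal regardless of role is my choice, not something the deck states.

```python
"""Classify CloudTrail events into the three insider-threat buckets: bad actors, actors acting
outside their role, and actors doing an allowed thing to the wrong resource.
Offline: the roster and the trail below are constructed for illustration."""
import json
from typing import Dict, List, Optional, Set

# Hypothetical roster: the API calls each role is expected to make and the resources it may touch.
ROSTER: Dict[str, Dict[str, Set[str]]] = {
    "WebDeployRole": {"actions": {"ec2:RunInstances", "ec2:TerminateInstances"},
                      "resources": {"i-0aaa1111", "i-0bbb2222"}},
    "AnalyticsRole": {"actions": {"s3:GetObject", "s3:ListBucket"},
                      "resources": {"analytics-raw", "analytics-curated"}},
}
# Calls that tamper with the audit trail itself: flagged as bad-actor signals whatever the role (my choice).
TAMPER_ACTIONS = {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"}

# Constructed records in CloudTrail's real layout; only the fields the checks read are included.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "WebDeployRole"}}},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaa1111"}]}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "WebDeployRole"}}},
  "requestParameters": {"bucketName": "analytics-raw", "key": "daily.csv"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "AnalyticsRole"}}},
  "requestParameters": {"bucketName": "hr-payroll", "key": "2018-06.csv"}},
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "userIdentity": {"type": "IAMUser", "userName": "contractor-bob"},
  "requestParameters": {"userName": "backup-admin"}},
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "AnalyticsRole"}}},
  "requestParameters": {"name": "org-trail"}}
]}""")


def principal_of(event: dict) -> Optional[str]:
    """Role name for assumed-role sessions, user name for IAM users, None for anything else (e.g. root)."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["userName"]
    return ident.get("userName")


def action_of(event: dict) -> str:
    """'ec2.amazonaws.com' + 'TerminateInstances' -> 'ec2:TerminateInstances'."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def resources_of(event: dict) -> Set[str]:
    """Resource identifiers the call targeted. Field names vary per service; S3 and EC2 are handled here."""
    params = event.get("requestParameters") or {}
    ids = set()
    if "bucketName" in params:
        ids.add(params["bucketName"])
    for item in params.get("instancesSet", {}).get("items", []):
        ids.add(item["instanceId"])
    return ids


def classify(event: dict) -> Optional[dict]:
    """A finding for an event that violates the roster, or None when the event is in scope."""
    principal, action = principal_of(event), action_of(event)
    if action in TAMPER_ACTIONS:
        return {"category": "bad actor", "principal": principal, "reason": f"{action} tampers with the audit trail"}
    if principal not in ROSTER:
        return {"category": "bad actor", "principal": principal, "reason": "principal is not in the roster"}
    allowed = ROSTER[principal]
    if action not in allowed["actions"]:
        return {"category": "outside role", "principal": principal, "reason": f"not expected to call {action}"}
    stray = resources_of(event) - allowed["resources"]
    if stray:
        return {"category": "wrong resource", "principal": principal, "reason": f"touched {sorted(stray)}"}
    return None


def scan(records: List[dict]) -> List[dict]:
    """Run every record through classify and keep the findings, in trail order."""
    return [f for f in (classify(r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_TRAIL["Records"]):
        print(finding)
```

The first record (a deploy role terminating one of its own instances) produces nothing; the other four produce one finding each. The roster is the part that takes real effort in practice: it is the written-down form of "who is supposed to do what to which resource", and the deck's next slide is about deciding which team owns that answer.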
14. Who is responsible?
- Please note:
  - Ownership and classification of an event is a question your team needs to talk about. It’s different in each enterprise.
  - You must have one group that is a catch-all. If an action does not fall into anyone’s bucket, that team is responsible.
15. Target of the discussion
The simple environment shown in the diagram has specific needs and allows for direct detection of threats, if:
• The system has little human interaction
• Normal patterns, and timed procedures
• Limited well defined scope and functions
(Diagram: AWS cloud, one virtual private cloud spanning Availability Zone A and Availability Zone B, each with a Web Server and an App Server, backed by an RDS DB instance with a standby instance (multi-AZ).)
16. Target of the discussion
This is more realistic:
• The system has lots of human interaction
• No patterns, or timed procedures
• No scope
17. Building a crunchy outer shell
• Does not defend complex systems from an insider threat
• Does not defend simple systems either
• Do not make assumptions about the target of an insider threat
• Do not assume that the threat will be malicious
18. Goals of the discussion
• Unify logs/trails
• Implement similar checks in all accounts
• Unify events/findings into CloudWatch Dashboards
• Trigger CloudWatch Events based on actions in the environment
• Watch for changes, not just actions
• Set up SNS topics
19. So … that happened.
20. Example Walkthrough: CloudWatch Events
In your AWS account, GuardDuty generates a finding and sends it to CloudWatch Events. CloudWatch Events forwards it to the CloudWatch Event Bus in the AWS Master Account.
{
  "account": "123456789012",
  "region": "us-west-2",
  "detail": {
    "description": "EC2 instance i-99999999 is querying a domain name that is associated with Bitcoin-related activity.",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        ...
        "instanceId": "i-99999999",
        "instanceState": "running",
        ...
        "instanceType": "p2.xlarge"},
      ...
    "title": "Bitcoin-related domain name queried by EC2 instance i-99999999.",
    ...
}
21. Example Walkthrough: Lambda Trigger
In the AWS Master Account, CloudWatch Events triggers the Response Handler Lambda function, which analyzes the event by processing signature logic for conditional evaluation.
{
  "account": "123456789012",
  "region": "us-west-2",
  "detail": {
    "description": "EC2 instance i-99999999...
      with Bitcoin-related activity.",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        ...
        "instanceId": "i-99999999",
        "instanceState": "running",
        ...
        "instanceType": "p2.xlarge"},
      ...
    "type": "CryptoCurrency:EC2/Bitcoin..."
    ...
}
The fields the signature logic is evaluated against:
"account": "123456789012",
"region": "us-west-2",
"instanceId": "i-99999999",
"type": "CryptoCurrency:EC2/Bitcoin..."
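The forwarding in the last two slides is driven by a CloudWatch Events rule whose event pattern selects GuardDuty findings, and the Lambda then reduces the finding to the four fields above. The following is an added example, not code from the deck: the pattern shape a GuardDuty forwarding rule uses, a matcher that implements CloudWatch Events' exact-value semantics, and the field extraction. The finding is constructed to mirror the slide (the full finding type, the event id and the timestamp are made up); the rule's target, the master account's event bus, is configured on the rule itself and is not part of the pattern, so it does not appear here.

```python
"""Match a GuardDuty finding (as delivered to CloudWatch Events) against a rule's event pattern and
extract the fields the Response Handler keys on. Offline: the finding below is constructed."""
from typing import Any, Dict, Optional

# Pattern for the forwarding rule in the member account (the target, the master account's event
# bus, is set on the rule and is not part of the pattern).
GUARDDUTY_ALL = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
# A narrower pattern that keys on the finding type inside "detail"; the list holds the types you want.
GUARDDUTY_CRYPTO = {"source": ["aws.guardduty"],
                    "detail": {"type": ["CryptoCurrency:EC2/BitcoinTool.B!DNS"]}}

# Constructed finding in the CloudWatch Events envelope; id, time and severity are made up.
SAMPLE_FINDING = {
    "version": "0", "id": "0f1e2d3c-constructed", "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty", "account": "123456789012", "time": "2018-06-01T00:00:00Z",
    "region": "us-west-2", "resources": [],
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 5,
        "description": "EC2 instance i-99999999 is querying a domain name that is associated "
                       "with Bitcoin-related activity.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-99999999", "instanceState": "running",
                                         "instanceType": "p2.xlarge"}},
        "title": "Bitcoin-related domain name queried by EC2 instance i-99999999.",
    },
}
# A non-GuardDuty event on the same bus, to show the rule ignoring it.
SAMPLE_OTHER = {"detail-type": "AWS API Call via CloudTrail", "source": "aws.ec2",
                "account": "123456789012", "region": "us-west-2", "detail": {"eventName": "RunInstances"}}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Exact-value CloudWatch Events matching: every pattern key must exist in the event; a list means
    'the event value is one of these' (an event list matches if any element does); a dict recurses.
    Event keys the pattern does not mention are ignored. Newer filter forms (prefix, numeric) are
    not implemented."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(wanted, dict):
            if not isinstance(have, dict) or not matches(wanted, have):
                return False
        elif isinstance(have, list):
            if not any(h in wanted for h in have):
                return False
        elif have not in wanted:
            return False
    return True


def trigger_fields(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """The account / region / instanceId / type tuple the handler evaluates signatures against;
    None when the finding is not about an EC2 instance (an access-key finding, for example)."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return {"account": event["account"], "region": event["region"],
            "instanceId": resource["instanceDetails"]["instanceId"], "type": detail["type"]}


def route(event: Dict[str, Any], pattern: Dict[str, Any] = GUARDDUTY_ALL) -> Optional[Dict[str, str]]:
    """What the rule hands to the Lambda: the trigger fields, or None if the rule would not fire."""
    return trigger_fields(event) if matches(pattern, event) else None


if __name__ == "__main__":
    print(route(SAMPLE_FINDING))
    print(route(SAMPLE_OTHER))
```

The broad pattern is the right one for the member-account forwarding rule (ship everything, decide in the master account); the narrower pattern is the kind you attach to the Lambda trigger in the master account when you only want specific finding types to reach the handler.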
22. CloudWatch Rules
(Screenshots: CloudWatch Rules, CloudWatch Dashboard, POLICY)
24. Example Walkthrough: Response Handler
In the AWS Master Account, the Response Handler Lambda function analyzes the event by processing conditional logic to determine the responsive action, which in this case is to terminate the instance(s).
"account": "123456789012",
"region": "us-west-2",
"instanceId": "i-99999999",
"type": "CryptoCurrency:EC2/Bitcoin..."
TerminateInstanceTest:
  cloudwatch.event:
    - name: guardduty
    - identifier: "CryptoCurrency:EC2/Bitcoin..."
    - actions:
      - "ec2:TerminateInstance"
    - onlyif:
      - and:
        - region: 'us-west-2'
        - or:
          - account: 123456789012
          - account: 123456789013
25. Example Walkthrough: Response Handler
In the AWS Master Account, if the event matches a signature (the TerminateInstanceTest signature above), the Response Handler Lambda function initiates a Step Functions execution of the Raptor Response Action State Machine with this input:
{
  "Account": "123456789012",
  "SnsNotification": true,
  "ec2": {
    "RemoveEip": false,
    "ApplySecurityGroup": false,
    "SecurityGroupName": null,
    "instanceId": ["i-99999999"],
    "region": "us-west-2",
    "Snapshot": {
      "ShareSnap": null
    },
    "StopInstance": false,
    "CreateSnapshot": false,
    "TerminateInstance": true
  },
  "sns": {...}
}
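The signature DSL on these two slides is small enough to evaluate in full. The following is an added example, not the deck's Response Handler: the TerminateInstanceTest signature as PyYAML would load it (lists of single-key maps, which is what lets "or" repeat the account key), a recursive and/or evaluator over the four trigger fields, and a builder for the state-machine input shown above. Assumptions: the trailing "..." in the signature's identifier is treated as a prefix wildcard; the full finding type in the sample trigger is constructed; and the ACTION_FLAGS entries for StopInstance and CreateSnapshot are my guesses at how those actions would be spelled, only ec2:TerminateInstance appears on the slides. The "sns" block, elided on the slide, is left empty.

```python
"""Evaluate a Response Handler signature (the YAML structure on the slides) against the four trigger
fields and build the Raptor state-machine input. Offline: the trigger below is constructed."""
from typing import Optional, Tuple

# The slide's YAML as PyYAML's safe_load would return it: lists of single-key maps.
SIGNATURES = {
    "TerminateInstanceTest": {
        "cloudwatch.event": [
            {"name": "guardduty"},
            {"identifier": "CryptoCurrency:EC2/Bitcoin..."},
            {"actions": ["ec2:TerminateInstance"]},
            {"onlyif": [{"and": [{"region": "us-west-2"},
                                 {"or": [{"account": 123456789012},
                                         {"account": 123456789013}]}]}]},
        ]
    }
}
# Signature action -> flag in the state-machine input. Only the first appears on the slides; the other
# two are my guesses at the spelling of the stop and snapshot actions.
ACTION_FLAGS = {"ec2:TerminateInstance": "TerminateInstance", "ec2:StopInstance": "StopInstance",
                "ec2:CreateSnapshot": "CreateSnapshot"}

# Constructed trigger; the finding type is a real GuardDuty type chosen to match the signature's prefix.
SAMPLE_TRIGGER = {"account": "123456789012", "region": "us-west-2", "instanceId": "i-99999999",
                  "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS"}


def _merge(single_key_maps: list) -> dict:
    """Collapse [{a: 1}, {b: 2}] into {a: 1, b: 2}; used only at levels where keys do not repeat."""
    merged = {}
    for item in single_key_maps:
        merged.update(item)
    return merged


def evaluate(condition: dict, fields: dict) -> bool:
    """Recursive and/or evaluation; a leaf compares one trigger field. YAML yields the account as an
    int while the event carries a string, so leaves compare as strings."""
    (key, value), = condition.items()
    if key == "and":
        return all(evaluate(c, fields) for c in value)
    if key == "or":
        return any(evaluate(c, fields) for c in value)
    return str(fields.get(key)) == str(value)


def identifier_matches(identifier: str, finding_type: str) -> bool:
    """Assumption: a trailing '...' in the identifier, as written on the slide, is a prefix wildcard."""
    if identifier.endswith("..."):
        return finding_type.startswith(identifier[:-3])
    return finding_type == identifier


def signature_matches(signature: dict, fields: dict, source: str = "guardduty") -> bool:
    spec = _merge(signature["cloudwatch.event"])
    if spec["name"] != source or not identifier_matches(spec["identifier"], fields["type"]):
        return False
    return all(evaluate(c, fields) for c in spec.get("onlyif", []))


def build_state_input(signature: dict, fields: dict) -> dict:
    """The JSON handed to the Step Functions execution: the slide's defaults plus the signature's actions."""
    ec2 = {"RemoveEip": False, "ApplySecurityGroup": False, "SecurityGroupName": None,
           "instanceId": [fields["instanceId"]], "region": fields["region"], "Snapshot": {"ShareSnap": None},
           "StopInstance": False, "CreateSnapshot": False, "TerminateInstance": False}
    for action in _merge(signature["cloudwatch.event"])["actions"]:
        ec2[ACTION_FLAGS[action]] = True
    return {"Account": fields["account"], "SnsNotification": True, "ec2": ec2, "sns": {}}  # sns elided on the slide


def handle(fields: dict) -> Optional[Tuple[str, dict]]:
    """First matching signature name and its state-machine input, or None when no signature fires."""
    for name, signature in SIGNATURES.items():
        if signature_matches(signature, fields):
            return name, build_state_input(signature, fields)
    return None


if __name__ == "__main__":
    print(handle(SAMPLE_TRIGGER))
```

Note what the onlyif clause buys you: the same finding in us-east-1, or in an account outside the two listed, does not trigger termination at all. That is the control a practitioner wants before wiring GuardDuty to a destructive action, because the signature, not the finding, decides where auto-remediation is allowed to fire.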
26. GuardDuty Findings: Threat Purpose Details
Describes the primary purpose of the threat. Available at launch, more coming!
• Backdoor: resource compromised and capable of contacting source home
• Behavior: activity that differs from established baseline
• CryptoCurrency: detected software associated with crypto currencies
• PenTest: activity detected similar to that generated by known pen testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide actions / tracks
• Trojan: program detected carrying out suspicious activity
• UnauthorizedAccess: suspicious activity / pattern by unauthorized user
27. Responding to Findings: Remediation
• Remediate a Compromised Instance
• Remediate Compromised AWS Credentials
Automatic Remediation: Amazon GuardDuty finding -> CloudWatch Event -> AWS Lambda function
28. Remediation Actions
• Account Remediation
  • Remediate AWS credentials: PenTest, Recon (Black Listed IP), Stealth, UnauthorizedAccess
  • Investigate before credential remediation: Behavior, UnauthorizedAccess
  • Architecture change: Recon
• Instance Remediation
  • Remediate compromised instances: Backdoor, CryptoCurrency, Recon (outgoing), Trojan, UnauthorizedAccess
  • Investigate before EC2 remediate: Behavior
29. Lambda + Systems Manager + CloudWatch
(Diagram, built up across slides 29 to 40: an Amazon GuardDuty finding matches an Amazon CloudWatch rule, which invokes an AWS Lambda function; the Lambda function acts on the EC2 instance through AWS Systems Manager documents, and on the instance's elastic network adapters and EBS volume.)
• The instance's elastic network adapters carry the security group rules 3389 -> 0.0.0.0/0 and 80, 443 -> DataSG; in the next frame only 80, 443 -> DataSG remains
• Systems Manager documents collect volatile data on the instance (EC2 instance contents): Instance:~ ec2-user$ top, Instance:~ ec2-user$ pcap, Instance:~ ec2-user$ lime
• The EBS volume is captured as an Amazon EBS snapshot for EBS forensics
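The diagram sequence is a runbook: isolate the network, collect volatile data through Systems Manager while the instance still runs, snapshot the disks, then contain. The following is an added example, not the deck's Lambda or state machine: a driver that executes that sequence from the state-machine input shown earlier, written against boto3-style clients so the order of API calls can be checked offline with recording stand-ins. Assumptions: the isolation security group still permits the SSM agent's outbound HTTPS (otherwise the capture step can never reach the instance); tcpdump is installed on the instance and a LiME module built for its kernel sits at /opt/forensics/lime.ko; the instance, volume, group and command identifiers in the canned responses are constructed. In production the two clients would be boto3.client("ec2", region_name=...) and boto3.client("ssm", region_name=...).

```python
"""Drive the isolate / capture / snapshot / contain sequence from the diagram against boto3-style
clients. Offline: the clients below are stand-ins that record calls and return canned responses."""
from typing import Dict, List

# Commands for the volatile-data step, run through the AWS-RunShellScript Systems Manager document.
# Assumptions: tcpdump is installed and a LiME module for the instance kernel is at /opt/forensics/lime.ko.
VOLATILE_COMMANDS = [
    "top -b -n 1 > /tmp/forensics-top.txt",
    "timeout 60 tcpdump -i any -w /tmp/forensics-capture.pcap",
    'insmod /opt/forensics/lime.ko "path=/tmp/forensics-memory.lime format=lime"',
]


class RecordingClient:
    """Stand-in for a boto3 client: records every call and returns canned responses."""
    def __init__(self, responses: Dict[str, dict]):
        self.responses, self.calls = responses, []

    def __getattr__(self, api: str):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return self.responses.get(api, {})
        return call


def run_playbook(spec: dict, ec2, ssm) -> List[str]:
    """Execute the state-machine input against EC2 and SSM clients; returns the steps taken, in order."""
    plan, params = [], spec["ec2"]
    instance_ids = params["instanceId"]
    described = ec2.describe_instances(InstanceIds=instance_ids)
    instances = [i for r in described["Reservations"] for i in r["Instances"]]

    # 1. Network isolation: replace every security group with the forensic one. That group must still
    #    allow the SSM agent's outbound HTTPS, or step 2 can never reach the instance (assumed here).
    if params["ApplySecurityGroup"]:
        groups = ec2.describe_security_groups(
            Filters=[{"Name": "group-name", "Values": [params["SecurityGroupName"]]}])["SecurityGroups"]
        for inst in instances:
            ec2.modify_instance_attribute(InstanceId=inst["InstanceId"], Groups=[groups[0]["GroupId"]])
        plan.append("isolate")

    # 2. Volatile data while the instance is still running: process list, packet capture, memory image.
    cmd = ssm.send_command(InstanceIds=instance_ids, DocumentName="AWS-RunShellScript",
                           Parameters={"commands": VOLATILE_COMMANDS})
    plan.append(f"capture:{cmd['Command']['CommandId']}")

    # 3. Preserve the disks before anything destructive: termination deletes DeleteOnTermination volumes.
    if params["CreateSnapshot"]:
        for inst in instances:
            for mapping in inst["BlockDeviceMappings"]:
                snap = ec2.create_snapshot(VolumeId=mapping["Ebs"]["VolumeId"],
                                           Description=f"forensics {inst['InstanceId']} {mapping['DeviceName']}")
                plan.append(f"snapshot:{snap['SnapshotId']}")

    # 4. Containment, least destructive option first.
    if params["StopInstance"]:
        ec2.stop_instances(InstanceIds=instance_ids)
        plan.append("stop")
    if params["TerminateInstance"]:
        ec2.terminate_instances(InstanceIds=instance_ids)
        plan.append("terminate")
    return plan


# Constructed responses standing in for the AWS API.
CANNED_EC2 = {
    "describe_instances": {"Reservations": [{"Instances": [{
        "InstanceId": "i-99999999", "SecurityGroups": [{"GroupId": "sg-web"}],
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0a1b2c3d"}}]}]}]},
    "describe_security_groups": {"SecurityGroups": [{"GroupId": "sg-forensic"}]},
    "create_snapshot": {"SnapshotId": "snap-0f0f0f0f"},
}
CANNED_SSM = {"send_command": {"Command": {"CommandId": "cmd-1234"}}}

# The earlier slide's state-machine input, with isolation and snapshotting switched on.
SAMPLE_SPEC = {
    "Account": "123456789012", "SnsNotification": True,
    "ec2": {"RemoveEip": False, "ApplySecurityGroup": True, "SecurityGroupName": "forensic-isolation",
            "instanceId": ["i-99999999"], "region": "us-west-2", "Snapshot": {"ShareSnap": None},
            "StopInstance": False, "CreateSnapshot": True, "TerminateInstance": True},
    "sns": {},
}


def demo() -> List[str]:
    ec2, ssm = RecordingClient(CANNED_EC2), RecordingClient(CANNED_SSM)
    return run_playbook(SAMPLE_SPEC, ec2, ssm)


if __name__ == "__main__":
    print(demo())
```

The order is the whole point. Terminating first destroys the root volume and the memory contents that top, the packet capture and the LiME image are there to preserve; isolating with a group that drops all egress silently breaks the Systems Manager step because the agent can no longer reach the service.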
41. IAM Policies
(Screenshot: LAMBDA POLICY)
43. Demo