This document outlines an agenda for a threat detection and remediation workshop. The agenda includes: - Module 1: Building and configuring the environment in about 20 minutes. - Module 2: Simulating an attack and presenting on threat detection and remediation for about 40 minutes, including a live role playing demo. - Module 3: Investigating the attack and detection/remediation techniques for about 45 minutes. - Module 4: Reviewing, discussing, and cleaning up for about 15 minutes. The workshop guides participants through setting up resources, simulating an attack, detecting the attack, and remediating threats using AWS security services.

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jesse Fuchs, Security Solutions Architect
August 2018
Threat Detection and
Remediation Workshop

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Workshop Agenda
• Quick introduction to the workshop
• Module 1: Environment build and configuration (20 min)
• Run CloudFormation template and some setup
• Module 2: Attack simulation (and presentation) (40 min)
• Run CloudFormation template
• Presentation and live role playing exercise
• Module 3: Detection and remediation (45 min)
• Investigate the attack
• Module 4: Review and discussion (15 min)
• Presentation / group Q&A
• Cleanup

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Verizon Report
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
Verizon - Data Breach Investigations Report
Data Breach Patterns

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Workload XYZ
What could
possibly go
wrong here?

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 1
Environment Build and Configuration

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Start Module 1
https://tinyurl.com/y84cc3pj
(https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp)
Directions:
• Browse to https://tinyurl.com/y84cc3pj
• Read through the workshop scenario
• Click on Environment Build and Configuration at the end
• Complete module (~15 min) then stop
• We will later start module 2 and do a presentation
use
us-west-2

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 2
Attack Simulation and Presentation

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 2 Agenda
• Run the CloudFormation template (~5 min)
• Threat detection and remediation presentation (~20 min)
• Live role playing demo (~10 min)
• Environment walkthrough (~10 min)

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Start Module 2
https://tinyurl.com/y84cc3pj
(https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp)
Directions:
• Browse to https://tinyurl.com/y84cc3pj
• Click on Attack Simulation at the end
• Complete this module (~5 min) then stop
• We will then do a presentation
use
us-west-2

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection and Remediation Intro

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Why is threat detection so hard?
Skills shortageSignal to noiseLarge datasets

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Get humans away from the data and analysis
AWS CISO Stephen Schmidt, at re:Invent 2017: “It's people who make mistakes, it's people who have good
intentions but get phished, it's people who use the same credentials in multiple locations and don't use a
hardware token for a multi-factor authentication… Get the humans away from the data.”

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Detecting breaches
https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Top Actions Taken to Address Security Issues
Source: 2017 Forbes Insights – “Enterprises Reengineer Security in the Age of Digital Transformation”
2017 Forbes Insights –
“Enterprises Reengineer
Security in the Age of
Digital Transformation”

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail
AWS Config Rules
Amazon
CloudWatch Logs
Amazon GuardDuty
VPC Flow Logs
Amazon Macie
AWS Shield
AWS WAF
AWS
Systems Manager
Amazon Inspector
VPC
KMS
AWS CloudHSM
IAM
AWS Organizations
AWS Cognito
AWS Directory Service
AWS Single Sign-On
Certificate Manager
Amazon Inspector
AWS Config Rules
AWS Lambda
AWS
Systems Manager
Amazon
CloudWatch Events
Pro Services Raptor
Protect RespondDetect RecoverIdentify
AWS Lambda
AWS DR and Backup
Solutions
AWS
Systems Manager
AWS Config
AWS Security Solutions https://www.nist.gov/cyberframework

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
GDPR and threat detection & remediation
Under GDPR, Controllers and Processors are required to implement
appropriate Technical and Organizational Measures (“TOMs”)
(1) Pseudonymisation and
encryption of personal data
(2) Ensure ongoing confidentiality,
integrity, availability, and
resilience of processing systems
and services
(3) Ability to restore availability
and access to personal data in a
timely manner in the event of a
physical or technical incident
(4) Process for regularly testing,
assessing, and evaluating the
effectiveness of TOMs

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection Services

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection: Log Data Inputs
AWS CloudTrail VPC Flow Logs CloudWatch Logs DNS Logs
Track user
activity and API
usage
IP traffic to/from
network interfaces
in your VPC
Monitor apps using
log data, store &
access log files
Log of DNS queries
in a VPC when
using the VPC DNS
resolver

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection: Machine Learning
Amazon
GuardDuty
Intelligent threat detection
and continuous monitoring
to protect your AWS
accounts and workloads
Amazon Macie
Machine learning-powered
security service to discover,
classify & protect sensitive data

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Detection: Evocations/Triggers
Amazon CloudWatch
Events
Delivers a near real-time stream
of system events that describe
changes in AWS resources
AWS Config rules
Continuously tracks your
resource configuration changes
and if they violate any of the
conditions in your rules

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon CloudWatch Events
{
"source": [
"aws.guardduty"
]
}
CloudWatch
Event
GuardDuty
findings
Lambda
function

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Remediation Services

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat Remediation Services
AWS Systems
Manager
AWS
Lambda
Amazon
Inspector
Run code for virtually
any kind of application
or backend service –
zero administration
Gain operational
insights and take
action on AWS
resources
Automate security
assessments of EC2
instances

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
High-Level Playbook
Adversary Your
environment
Lambda
function
CloudWatch
Events

25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
High-Level Playbook
Amazon
CloudWatch
Events
AWS
CloudTrail
AWS Config
Lambda
function
AWS
APIs
Detection
Alerting
Remediation
Countermeasures
Forensics
Team
collaboration
(Slack etc.)
Amazon
GuardDuty
VPC Flow Logs
Amazon
Inspector

26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Live Role Playing Demo

27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Environment Walkthrough

28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Review Questions
• How can you create custom rules for Config?
• How do GuardDuty and Macie differ when it comes to CloudTrail analysis?
• What services are important for automation of remediations?
• What performance impact does GuardDuty have on your account if you
have more then 100 VPCs?
• Which of the services discussed have direct access to your EC2 Instances?

29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 3
Detection and Remediation

30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Start Module 3
https://tinyurl.com/y84cc3pj
(https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp)
Directions:
• Browse to https://tinyurl.com/y84cc3pj
• Click on Detection & Remediation at the end
• Run through this module (~45 min)
• We will then finish up with module 4 and cleanup
use
us-west-2

31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module 4
Review, Discussion, & Cleanup

32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Attack

33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Setup

34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Simulation

35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Workshop Questions

36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 1
Why did the AWS API calls from the “malicious
host” generate GuardDuty findings?

37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 2
How many unique AWS API calls were made from
the “malicious host” and how did you identify the
them?

38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 3
The lab mentions you can ignore the high severity
SSH brute force attack finding.
Why can you ignore it and how is it different from
the low severity brute force finding?

39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 4
What type of server-side encryption was used to
encrypt the objects in the data bucket?
Would Macie be able to classify the objects if you
were to use SSE-KMS?

40. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Question 5
Macie had an alert for “S3 Bucket IAM policy
grants global read rights.” We investigated that
bucket in the workshop. Were the objects in the
bucket actually publicly accessible?
If the public had a policy that allowed for global
read right, would the encrypted objects be
accessible?

41. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thanks!