We are all, now more than ever, spending more time online in our day-to-day lives. More and more startups are using the power of cloud to set up their next disruptive product. The concept of managing information on the cloud and protecting it, thankfully, is not something new and every cloud vendor has an abundance of security tooling available for us to leverage when setting up our next big cloud project. So with that in mind the following presentation aims to provide you with a general overview of AWS Security Tooling and the roles that each of the tools play in the Security & Compliance lifecycle. We will also deep dive a bit into two tools, namely Guard duty and Security Hub.

1. Security & Compliance Overview, and an Introduction to
GuardDuty and Security Hub
Satish Natarajan – 2021.05.19
This presentation contains opinion and does not
constitute advice – any actions taken by a reader
based on the content herein are at the discretion of
the reader, who is solely responsible for the
outcome of those actions.

2. 2
1 – AWS Security Tooling Overview
A map of AWS Security Tooling and the roles that each of the tools play in the Security & Compliance lifecycle.

3. 3
AWS Security Tooling
AWS
Security
Hub
AWS
Organizations
AWS
Control
Tower
AWS
Trusted
Advisor
AWS
Service
Catalog
AWS
Config
Well
Architected
Tool
AWS
Systems
Manager
AWS
Transit
Gateway
Amazon
VPC
Amazon
VPC AWS
PrivateLink
AWS
Direct
Connect
AWS IoT
Device
Defender
Amazon
Cloud
Directory
AWS
Resource
Action
Manager
AWS
Directory
Service
AWS
Shielf
IAM AWS
Secrets
Manager
AWS KMS
AWS WAF AWS Firewall
Manager
AWS
Certificate
Manager
AWS
CloudHSM
Amazon
Cognito
AWS
Single
Sign-On
Amazon
GuardDuty
Amazon
Macie
AWS
Security
Hub
Amazon
Inspector
Amazon
Cloud
Watch
AWS
Step
Functions
AWS
Systems
Manager
AWS
Lambda
Amazon
CloudWatch
AWS
CloudTrail
Personal
Health
Dashboard
Amazon
Route 53
Amazon S3
Glacier
Snapshot Archive
Identify Protect Detect
Automate
Investigate
Respond Recover
This diagram provides an
overview of various AWS
Security Tooling Services, and
where those services fit into a
Security & Compliance
lifecycle.
It should be noted that
services (e.g. AWS Security
Hub) can sit in two different
categories.
Items in RED are discussed in the
remaining sections of this presentation.

4. 4
2 – An introduction to Amazon
GuardDuty

5. 5
What is GuardDuty?
GuardDuty is an Amazon detection service that collects log information and then analyses it for potential threats whilst
providing the ability to use those threats to raise alerts and take affirmative action.
Note: GuardDuty is free for an introductory period
What information does it Collect?
GuardDuty collects information from the following logs:
1. VPN flow logs;
2. DNS Logs (these are based on queries made from EC2 instances to known and unknown domains, and comes from the
internal DNS resolver); and
3. CloudTrail Events.
How does it identify threats?
Amazon GuardDuty identifies threats in the above logs by one of 2 different means:
1. Known threats:
a) Identified using threat intelligence from the following data feeds
i. AWS (in-house) security intelligence;
ii. Commercial partners (CrowdStrike and ProofPoint);
iii. Open source threat intelligence;
iv. Customer-provided intelligence in one of the following formats: TXT, STIX, OTX_CSV, ALIENT_VAULT,
PROOF_POINT, or FIRE_EYE.
b) (continued overleaf….)

6. 6
What is GuardDuty?
b) A list of known malware infected hosts;
c) A list of anonymising proxies;
d) A list of sites hosting malware and hacker tools;
e) Cryptocurrency mining pools and wallets.
2. Unknown Threats – These threats are identified based on standard behaviour rather than intelligence. The ML algorithms
look at standard behaviour and then track that behaviour for any deviation from “standard behaviour”.
a) Because unknown threats are identified by deviation from “standard behaviour” it should be noted that
GuardDuty may need to run for several days before alerts are reliable generated (this allows time for “standard
behaviour” to be defined by GuardDuty). Known threat analysis - of course - has no such restrictions.
When threats are identified using the approaches listed above, GuardDuty then generates findings. Findings can be
retrieved suing the GuardDuty API, however, the main approach is to simply export the findings as CloudWatch events.
Note: Enabling AWS Security Hub will automatically ensure that GuardDuty findings are sent to Security Hub.
Is there anything else I should know about GuardDuty?
GuardDuty continuously monitors logs without impacting performance or requiring additional infrastructure. It can be
enabled with one click. GuardDuty can also consolidate logs across your enterprise.
GuardDuty can be configured to send reminders when findings have not been remediated. Alerts should be followed up and
should continue to flag until they are either filtered-out, or remediated.

7. 7
How Amazon Guard Duty Works
VPC
Flow
Logs
DNS
Logs
CloudTrail
Events
(KNOWN) THREAT INTELLIGENCE
• Recon – e.g. Port probes on unprotected ports;
• Backdoor – e.g. Spambot, C&C Activity, Exfiltration over a DNS Channel, Suspicious
Domain Requests;
• Trojan – e.g. Blackhole traffic, drop point, DGA domain requests;
• Unauthorised Access – e.g. Unusual ISP Caller, SSH, d RDP brute-force;
• Stealth – e.g. Password Policy Change, AWS CloudTrail Disabled, Amazon GuardDuty
disabled;
• Cryptocurrency – e.g. Communication with BitCoin DNS pools, cryptocurrency DNS
calls, connections to BitCoin mining pools.
(UNKNOWN) ANOMALY DETECTION (ML)
• Unusual user behaviour, for example:
1. Launch instance;
2. Changing network permissions
• Unusual Traffic Patterns (for example, unusual port or traffic volume).
Logs
Analyse
Analyse
Findings
AWS
Security
Hub
Amazon
S3 Bucket
Amazon
CloudWatch
Metric
Next Step(s)
• Remediate;
• Use partner solutions;
• Send to SIEM.

8. 8
Acting on Findings
Selected Findings & Insights
Detections
Detect Aggregate Report
AWS
Lambda
AWS Step
Functions
Run
Command
Amazon
Kinesis
Firehose
Amazon
Kinesis
Amazon
Inspector
Amazon
SNS
Amazon
SQS
Amazon
GuardDuty
Amazon
Security Hub
Filter
Findings
Amazon
CloudWatch
CloudWatch
Metrics
AWS
CodePipeline
AWS
CodeBuild
Act!
This diagram provides an overview of a typical flow of events from Guard Duty to taking action:
1. Guard Duty detects some issues which are sent to Security Hub automatically (simply by enabling
SecurityHub!);
2. Findings are filtered in Security hub, and some are sent to Amazon CloudWatch;
3. CloudWatch can then raise an event to a number of different targets for taking appropriate action.

9. 9
Scenario: Unusual Activity from Internet IP Address
Amazon
GuardDuty
Amazon
CloudWatch
AWS Step
Function
AWS Lambda
AWS Lambda
AWS Shield
AWS WAF
Amazon
CloudFront
Application Requests
(Static & Dynamic) Application
Load
Balancer

!
Issue
Detected
1
2
Cloudwatch Rule is
Triggered
3
Step
Function is
Called
5
Lambda Called to add
new WAF Rule
6 ACCESS
DENIED
4
Lambda is called to
update NACLs to ban
access.
In this example, unusual
activity has been identified
by GuardDuty on an ALB.
This triggers a Step
Function, which performs 2
tasks:
1. Puts the suspicious IP
Address(es) on the
NACL deny list;
2. Updates the WAF rules
to deny access at the
front end from the
suspicious is
address(es).
This effectively blocks the
nefarious actors from
accessing the platform.
If, for example, the asset
that the actors were
accessing was an EC2
instance, you may now
want to perform some
forensic activity on the EC2
instance (described in the
next slide).

10. 10
Scenario: Capturing Forensic data from an EC2 instance
Amazon
GuardDuty
Amazon
CloudWatch
Rule
Custom
Forensics
Lambda
Issue
Detected
1
2
Cloudwatch
Rule is
Triggered
3
Lambda
Executed
4
#!/bin/bash
top
pcap
lime
6
Snapshot
EBS
Volume
5
Capture
Output
Files
Run
Command
AWS
Systems
Manager
Amazon
CloudWatch
So, you are now using GuardDuty, and are tracking unusual events, closing ports, and shutting instances. But are you capturing the state of
the instance for future use?
Forensics is an important part of Security & Compliance in the cloud. The following illustration shows you how we use GuardDuty, CloudWatch,
SSM and Lambda to get the list of programs executing on an EC2 box, dump packet information, dump memory, and then snapshot the volume
for future use. This allows you to retain information which could be vital in identifying nefarious activity and “freezing” evidence in time for
future use.

11. 11
3 – An introduction to AWS Security
Hub

12. 12
What is AWS Security Hub?
AWS Security Hub is a service for the identification and detection of threats. It acts as a central pane for accessing security
and compliance findings. It ingests information from Amazon GuardDuty, Amazon Macie, Amazon Inspector, and is also
capable of ingesting information from third parties.
Security Hub continually aggregates findings, conducts automated compliance and configuration checks, and is capable of
taking action on those findings.
Security Hub should be enabled for all accounts.
The following are examples of what AWS Security Hub can detect:
1. Enablement of CloudTrail in all regions;
2. Not using the <root> account;
3. No “open ingress” routes;
4. *:* administrative privileges.
A Cloudwatch event can be raised from Security Hub findings.
So you don’t get overwhelmed with many “false positives”, you can create an “archive filter” in security hub that specifies
conditions under which an event can be safely ignored (filters can only be applied from the “Master” account for security
reasons).
Note: A common scenario for the use of “archive filters” is when Internet-bound traffic on an EC2 instance is re-routed back
through the client’s corporate Network (and associated security tooling and firewalls) – this looks suspicious to Security Hub!

13. 13
Automating Remediation
When findings are generated you should consider the automation of remediation of important findings as soon as is
practicable.
However, Security Hub and its feeder systems will identify many different findings and alerts and it therefore can be difficult
to determine which you should focus on first! I have therefore listed a number of Security Hub alerts that should be
remediated as a priority as these are high-severity alerts:
1. UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
2. UnauthorizedAccess:IAMUser/TorIPCaller
3. CryptoCurrency:EC2/BitcoindTool.B!DNS
4. CryptoCurrency:EC2/BitcoindTool.B
5. Recon:EC2/PortProbeEMRUnprotectedPort
6. UnauthorizedAccess:EC2/TorClient
7. UnauthorizedAccess:EC2/TorRelay
As you continue to deploy infrastructure (as code hopefully!) you can start operationalising additional remediation activities;
again, I would recommend that you work through the remaining findings based on their severity.

14. 14
Automating Remediation
I am ready to start operationalising remediation, what do I need to consider?
Get your tagging right
Firstly, a solid tagging strategy is essential when writing procedures to remediate security findings on AWS. The tagging
strategy should be well-defined and rigorously enforced. If this is in place, finding infrastructure components becomes much
easier. For example: tags can be built into Archive Rules, and Alert Rules to allowing different servers to be treated in
different ways, depending on their business purpose.
Work with the application teams
Every successful IT project requires security and compliance teams to work hand-in-hand with application teams.
Behaviours such as calling-out application teams when you have an audience then going through a list of everything that is
wrong doesn’t help anyone and doesn’t move the process forward. Instead, work closely with the application team(s) and
come up with a joint plan to remediate findings.
What about automated remediation?
Automated remediation allows you to deal with findings in one of 3 different ways:
1. Notify – let someone know there is an issue;
2. Isolate – remove access to the asset so it can be triaged
3. Terminate/Replace – shut down or replace the instance that is causing the issue.
If you are starting with empty AWS accounts automated remediation might be for you. However, for most customers - who
are actively using (or developing on) AWS – this is often not an option. Therefore, start with a “Notify” approach. This
allows you to manually triage and resolve issues (potentially in the IaC libraries) before considering using automated
remediation.

15. 15
Contact Details
Satish Natarajan
AWS Capability Lead
Deloitte UK
Email: satnatarajan@deloitte.co.uk
Linked In: @nsatishk

16. About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company
limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and
each of its member firms are legally separate and independent entities. DTTL (also referred to
as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers
to one or more of the US member firms of DTTL, their related entities that operate using the
“Deloitte” name in the United States and their respective affiliates. Certain services may not
be available to attest clients under the rules and regulations of public accounting. Please see
www.deloitte.com/about to learn more about our global network of member firms.
Copyright © 2020 Deloitte Development LLC. All rights reserved.