Beating Sophisticated Attackers at Their Game Using AWS

P U B L I C S E C T O R
S U M M I T
WASHINGTON, DC

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
Beating Sophisticated Attackers at
Their Game Using AWS
Tim Rains
Regional Leader Security & Compliance Business Acceleration EMEA
Worldwide Public Sector
3 0 2 8 3 3

S U M M I T
Agenda
Ingredients for a successful strategy
Popular Cybersecurity strategies and approaches
Implementation example using AWS
Building blocks & Getting started

S U M M I T
Related breakouts
Building Next Generation Cybersecurity with Today's
Machine Learning Solutions
Balaji Iyer and Brian Calkin
Aligning to the NIST Cybersecurity Framework in
the AWS
Michael South
Beyond Security Automation: How to Move Past
Developing Ad-hoc Tools and Make Tools that
Develop Automatically
Brad Dispensa

S U M M I T

S U M M I T
Ingredients for a Successful Cybersecurity Strategy
• Business objective alignment
• Senior executive and Board support
• Cybersecurity Vision, Mission, Imperatives shared with stakeholders
• High-value assets (Crown Jewels) are defined, executive buy-in
• Principles to help govern risk appetite and approach, executive buy-in
• Realistic view of current cybersecurity capabilities and technical talent
• Compliance program and control framework alignment
• Effective relationship with IT
• Security culture where everyone participates, executives evangelize

S U M M I T
Critical Ingredient: How Initial Compromise Happens
1. Unpatched vulnerabilities
2. Security misconfigurations
3. Weak, leaked, stolen passwords
4. Social engineering
5. Insider threat
Preventing, detecting, and responding to initial compromise minimizes
damage and costs to the organization

S U M M I T
Strategies, Frameworks, Models & Standards
• ISO, NIST
• OWASP
• CIS Benchmarks
• STRIDE
• SABSA
• Risk management frameworks
• SOC 2 Type II, PCI, HIPAA, etc
• Cloud Security Alliance CCM
• AWS Cloud Adoption Framework Security Perspective
• AWS Well Architected – Security Pillar
• Etc.

S U M M I T
Popular Cybersecurity Strategies
• Protect & Recover
• Endpoint Protection
• Compliance as Security
• Application-centric
• Identity-centric
• Data-centric
• Security clearances
• Attack-centric

S U M M I T
Protect & Recover Strategy
• Underlying assumption: the
organization has adequate
protection, so it doesn’t need to
invest in detection and response
capabilities
• Focus: protection and recovery
processes and technology
• Characterized by: investments
primarily in perimeter and network
protection, backup and recovery

S U M M I T
Endpoint Protection Strategy
• Underlying assumption: protecting
endpoints and devices is an effective
proxy for protecting the
organization’s data
• Focus: protecting endpoints and
devices that process, store, and
transmit data
• Characterized by: investments in
host-based protection technologies

S U M M I T
Compliance as a Security Strategy
• Underlying assumption: meeting
compliance obligations is sufficient
for protecting the organization’s data
• Focus: meeting organization’s
regulatory compliance obligations,
such as PCI, HIPPA, GDPR, etc.
people, processes, and technologies
that help meet compliance
obligations

S U M M I T
Application-centric Strategy
• Underlying assumption: protecting
applications that handle data protects
the organization’s data
• Focus: securing applications that
process, store, and transmit data
security development lifecycles,
static/dynamic code analysis tools,
penetration testing, mobile
device/application management, bug
bounties

S U M M I T
Identity-centric Strategy
• Underlying assumption: the
organization can better protect data
by better protecting the identities
used to access the data
• Focus: protecting the identities and
credentials used to access the
organization’s data and used to
administrate key systems
identity management technologies
and credential hygiene practices

S U M M I T
Data-centric Strategy
• Underlying assumptions:
• Data, not the systems that process it, are
the high valued assets
• Data will move without the organization’s
approval or knowledge
• Data must be protected regardless of
where it is
• Data needs to be shared internally and with
authorized partners
• Focus: protect data wherever it is transmitted,
processed and stored…forever
• Characterized by: investments in Data Loss
Prevention (DLP), encryption, key management
technologies, potentially data classification

S U M M I T
Security Clearances Strategy
• Underlying assumptions:
• End-to-end physical control of networked devices protects data
• Data center staff that have physical access to hardware also have access to data
• Therefore, only people with select citizenships and clearances can be permitted access to data centers
• Focus: security assurance of hardware, periodic background checks of data center staff and administrators
• Characterized by: investments in people, processes, and technologies that help maintain physical security and
assurance as well as confidence in the character of data center staff and administrators

S U M M I T
Attack-centric Strategy
• Underlying assumption: by
categorizing and modelling cyber
attackers’ behaviors and designing
controls around them, organizations
can implement effective and
measurable protection, detection,
response, and identify protection
gaps
• Focus: preventing, detecting,
responding, analyzing all modelled
phases of a cyberattack
numerous areas to cover all phases

S U M M I T
Intrusion Kill Chain Strategy
• Underlying assumption: forcing
attackers to be successful multiple
times during intrusion attempts helps
identify protection gaps, decreases
detection and recovery times
• Focus: detecting, denying, disrupting,
degrading, and deceiving attackers in
all seven phases of kill chain
numerous areas to cover the 7 phases
of the intrusion kill chain
https://lockheedmartin.com/content/dam/lockheed-
martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

S U M M I T
Modified Courses of Action Matrix
Intrusion Kill Chain Phase
Detect
Deny
Disrupt
Degrade
Deceive
Contain
Respond
Restore
Reconnaissance: pre-intrusion
Reconnaissance: post-intrusion
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives

S U M M I T
Courses of Action Example: Exploitation
Detect
To discover or discern the existence,
presence, or fact of an intrusion
into information systems
Control Names Descriptions
Amazon GuardDuty
Detects reconnaissance activity, such as unusual API
activity, intra-VPC port scanning, unusual patterns of
failed login requests, or unblocked port probing from a
known bad IP.
AWS WAF, WAF Managed Rules
+ Automation
Malicious sources scan and probe internet-facing web
applications for vulnerabilities. They send a series of
requests that generate HTTP 4xx error codes, and you can
use this history to help identify and block malicious source
IP addresses.
Amazon Virtual Private Cloud
(Amazon VPC)
Amazon VPC can help prevent attackers from scanning
network resources during reconnaissance. Amazon VPC
Black Hole Routes (as a whitelist or blacklist of network
reachable assets before Security Groups or NACLs).
AWS Systems Manager State
Manager, or third-party or OSS
file integrity monitoring
solutions on Amazon EC2
Automates the process of keeping your Amazon EC2 and
hybrid infrastructure in a state that you define.
AWS Config Assess, audit, and evaluate the configurations of your AWS
resources.
Third-party security tools for
Containers
Implement advanced security protection and behavioral
security solutions for containers.
Third-party security tools for
AWS Lambda functions
Implement advanced security protection and behavioral
security solutions for Lambda functions.
AWS Partner offerings: anti-
malware protection Detect and block malicious payloads.
AWS Lambda Partners Complement the security properties of Lambda functions.
Container Partners - Security Complement the security properties of containers
solutions.
Defined in 2006 version of JP 3-13, as documented in Mitre, "Characterizing Effects on the Cyber Adversary, A Vocabulary for Analysis and Assessment",
https://www.mitre.org/sites/default/files/publications/characterizing-effects-cyber-adversary-13-4173.pdf

S U M M I T
Deny
To prevent the adversary from
accessing and using critical
information, systems, and services
AWS Identity and Access
Management (IAM) Roles
Helps deny or contain the blast radius of attacks.
Amazon Simple Storage
Service (S3) bucket policies,
object policies
Control access to objects and prevent upload of that
malicious object into the bucket.
AWS Secrets Manager Protect secrets needed to access your applications,
services, and IT resources.
Amazon EC2: Linux: SELinux
- Mandatory Access Control
As non-overridable system policy mediating access to
files, devices, sockets, other processes, and API calls.
Amazon EC2: FreeBSD
Trusted BSD – Mandatory
Access Control
As non-overridable system policy mediating access to
files, devices, sockets, other processes, and API calls.
Amazon EC2: Linux,
FreeBSD: Hardening and
minimization
Disable / Remove unused services and packages.
Amazon EC2: Linux,
Windows, FreeBSD: Address
Space Layout
Randomization (ASLR)
ASLR is a technology used to help prevent shellcode
from being successful.

S U M M I T
Disrupt
To break or interrupt the flow
of information
AWS WAF, WAF Managed
Rules + Automation
Malicious sources scan and probe Internet-facing
web applications for vulnerabilities. They send a
series of requests that generate HTTP 4xx error
codes, and you can use this history to help identify
and block malicious source IP addresses.
Amazon Simple Storage
Service (S3) bucket policies,
object policies
Control access to objects and prevent upload of that
malicious object into the bucket.
AWS Secrets Manager Protect secrets needed to access your applications,
services, and IT resources.
As non-overridable system policy mediating access
to files, devices, sockets, other processes, and API
calls.
Amazon EC2: FreeBSD
Access Control
As non-overridable system policy mediating
accessto files, devices, sockets, other processes, and
API calls.
Amazon EC2: Linux,
Windows, FreeBSD: Address
Space Layout Randomization
(ASLR)
ASLR is a technology used to help prevent shellcode
from being successful.

S U M M I T
Degrade
To reduce the effectiveness or
efficiency of adversary command
and control (C2) or communications
systems, and information collection
efforts or means
Deceive
To cause a person to believe
what is not true; deception
attempts to mislead
adversaries by manipulating
their perception of reality
Amazon GuardDuty +
AWS Lambda
Detects reconnaissance activities and modifies
security configurations to degrade/block traffic
associated with an attack.
AWS WAF
Protects from common web exploits that could
affect application availability, compromise security,
or consume excessive resources.
Load balancing
All entities providing the load-balanced service
need to be compromised to guarantee a client
interacting with a compromised instance.
Immutable Infrastructure-
short-lived environments
Rebuilt or refresh environments periodically to
make it a harder task to make an attack payload
persist.
Honeypot and Honeynet
Environments
Helps to deceive and contain the attack.
Honeywords and
Honeykeys
When an attacker attempts to use stolen false
credentials, it helps detect, contain, and recover
faster.
AWS WAF + AWS Lambda
Trap endpoint to detect content scrapers and bad
bots. When the endpoint is accessed a function add
the source IP address to a block list.

S U M M I T
Contain
The action of keeping
something harmful under
control or within limits
AWS Identity and Access
Management (IAM) Roles Helps deny or contain the blast radius of attacks.
AWS Organizations + Service
Control Policies (SCPs) +
AWS Accounts
Implement strong least-privilege and need-to-know
security principles for both users and services across
a multi-account structure. Control administrators
privileges in child accounts.
calls.
Amazon EC2: FreeBSD
Access Control
calls.
Amazon EC2: Linux,
FreeBSD: Hardening and
minimization
Disable / Remove unused services and packages.
Amazon EC2: Linux: Role
based Access Control (RBAC)
and Discretionary Access
Control (DAC)
Implement least-privilege account profiles.

S U M M I T
Respond
Capabilities that help to react
quickly to an adversary’s or
others’ IO attack or intrusion
Amazon GuardDuty Partners Complement GuardDuty.
Third-party security tools
for Containers
Implement advanced security protection and
behavioral security solutions for containers.
Third-party security tools
for AWS Lambda functions
Implement advanced security protection and
behavioral security solutions for Lambda functions.
AWS Partner offerings:
behavioral monitoring /
response tools and services
Provides insights into the threats in your
environment.
AWS Managed Services
AWS Managed Services monitors the overall health
of your infrastructure resources, and handles the
daily activities of investigating and resolving alarms
or incidents.

S U M M I T
Restore
To bring information and
information systems back to
their original state
Autoscaling Adjusts capacity to maintain steady, predictable
performance.
AWS Systems Manager
State Manager Helps you define and maintain consistent OS
configurations.
AWS Partner offerings: File
Integrity Monitoring Help maintain the integrity of the operating system
and application files.
AWS CloudFormation +
Service Catalog
Provision your infrastructure in an automated and
secure manner. This file serves as the single source
of truth for your cloud environment.
Immutable Infrastructure –
short-lived environments
Rebuilt or refresh environments periodically to make
it a harder task to make an attack payload persist.

S U M M I T
Measuring Performance & Effectiveness

S U M M I T
Perform intrusion reconstructions on successful, partially successful, and failed
intrusion attempts
Key questions
• How far did attackers get with their intrusion kill chain before detected?
• Was data exfiltration attempted/successful?
• What controls failed to protect and detect?
• Where did gaps in protection and detection controls contribute to attacker success?
• Where did attackers and/or defenders get lucky?
• How long did it take for the attack to be detected?
• Did the SOC/CSOC get the data they needed to detect intrusion?
• Did the IR process work as designed?
• Did IT partner during the intrusion as planned?
• How did your vendor(s) help?

S U M M I T
Intrusion reconstructions can be very helpful
• Identifies which controls work as advertised/expected
• Identifies which controls failed to perform as expected
• Identifies which control integrations worked/failed
• Can help confirm security controls/investment gap analysis
• Can help confirm you have the correct investment priorities
• Identifies people and processes that performed/underperformed
• Can help inform pen test/red team exercises
• Helpful data on control/capability efficacy
• Helpful data for vendor renewal discussions/negotiations
• Data can help inform governance, risk, and compliance, and build a business case for
appropriate changes

S U M M I T
Threat Detection: Log Data Inputs
Amazon VPC
Flow Logs
DNS Logs
Track user activity
and API usage
IP traffic to/from network
interfaces in a VPC
Monitor apps using log
data, store & access log
files
Log of DNS queries in a
VPC when using the VPC
DNS resolver
Amazon CloudWatch
Logs
AWS CloudTrail

S U M M I T
Attacker lifecycle: Amazon GuardDuty findings
RDP brute
force
RAT
Installed
Exfiltrate
data over
DNS
Probe API
with temp
creds
Attempt to
compromise
account
Malicious or
suspicious IP
Unusual ports
DNS exfiltration
Unusual traffic volume
Connect to blacklisted site
Recon:EC2/PortProbeUnprotectedPort
Anonymizing proxy
Temp credentials
used off-instance
Unusual ISP caller
Bitcoin activity
Unusual instance launch

S U M M I T
Threat Detection: Evocations/Triggers
Amazon CloudWatch
Events
AWS Config Rules
Continuously tracks your resource
configuration changes and if they violate
any of the conditions in your rules
Delivers a near real-time stream of
system events that describe changes in
AWS resources

S U M M I T
Amazon
CloudWatch
Dashboard: Visualize threats
Events: Kick off remediation
workflows
AWS Lambda
Run code for virtually
any kind of application or
back end service – zero
administration
AWS Systems
Manager
Automate patching and
proactively mitigate
threats at the instance
level
Threat Remediation: Automation

S U M M I T
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
Documents
Amazon
CloudWatch
Rule
EC2 instance contents
Instance:~ ec2-user$ top
Instance:~ ec2-user$
pcap
Instance:~ ec2-user$
lime
AWS
Lambda
Amazon
GuardDuty
Elastic Network
Adapters
Lambda
function
Amazon EBS volume

S U M M I T
Automating Responses Based on Multiple Controls
Detect
Investigate
RespondLambda
function
Amazon
CloudWatch
Events
Amazon GuardDuty
Amazon
Inspector
AWS CloudTrail
VPC Flow Logs
AWS Config
AWS APIs
Team
collaboration
(Slack etc.)
Amazon Macie

S U M M I T
AWS Identity & Access
Management (IAM)
AWS Organizations
Amazon Cognito
AWS Directory Service
AWS Single Sign-On
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
AWS Security Hub
Amazon EC2
Systems Manager
AWS Shield
AWS Web Application
Firewall (WAF)
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS Key Management
Service
AWS CloudHSM
Server/Client Side
Encryption
Certificate Manager
Secrets Manager
S3 bucket policy, VPC
Private Endpoints
AWS Config Rules
AWS Lambda
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
Where to Start: Cloud Adoption Framework
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf

S U M M I T
AWS Well-Architected - Security Design Principles
Keep people away from data
Implement a strong identity foundation
Enable traceability
Automate security best practices
Protect data in transit and at rest
Apply security at all layers
Prepare for security events

S U M M I T
S U M M I T

S U M M I T
Thank you!
S U M M I T
Tim Rains
rainstim@amazon.co.uk

Beating Sophisticated Attackers at Their Game Using AWS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Beating Sophisticated Attackers at Their Game Using AWS

Similar to Beating Sophisticated Attackers at Their Game Using AWS (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Beating Sophisticated Attackers at Their Game Using AWS