Become a Cloud Security Ninja !
RedLock Confidential & Proprietary
Session Description
Become a Cloud Security Ninja
In order to confidently scale your AWS deployments, continuous security must be built into your continuous
integration and continuous delivery architecture. Participate in a series of interactive capture the flag
challenges to get hands on experience with DevSecOps. We’ll teach you how to think like a security ninja,
highlight common mistakes that can have catastrophic consequences, and provide tips to avoid them. More
specifically, learn how to:
● Establish security guardrails in the DevOps process
● Detect and remediate risky configurations
● Identify vulnerable hosts
● Detect and respond to malicious activities
● Rapidly investigate incidents
We provide the infrastructure necessary for the lab - simply show up with your laptop. Get ready to have some
fun and win some exciting prizes!
Agenda
● Welcome & RedLock introduction (10 minutes)
● RedLock console demo (20 minutes)
● Four (4) RedLock Capture the Flag challenges (20 minutes each)
○ Config & Compliance checks and reporting
○ Privileged activity monitoring & user behavior analytics
○ Network Intrusion Detection Monitoring and Alerting
○ Incident investigation & response
● Wrap-up & Prizes (10 minutes)
Participate to win some awesome prizes....
● Amazon Echo Plus
● Amazon Echo Dot
● Amazon Fire TV
● Amazon Gift card
● DROCON Blue Bugs Brushless Drone
About RedLock
● Founded 2015 and headquartered in Menlo Park, CA
● Backed by Dell Technologies Capital, Sierra Ventures, Storm Ventures, and other high profile investors
● Protecting 5+ million resources for a number of high profile customers
● Finalist for Most Innovative Startup at RSA 2017 San Francisco
The Shared Responsibility Model
Organizations are responsible for security “in” the cloud.
● Organization: responsible for security “in” the cloud
○ Resource Configurations
○ User Activities
○ Network Traffic
○ Hosts
○ Applications
● Cloud Service Provider: responsible for security “of” the cloud
○ Hubs
○ Switches
○ Routers
○ Hypervisor
○ Data Center
RedLock Takes a Holistic Approach
Cloud 360 Platform:
1. DISCOVERS ENVIRONMENT: ingests data via APIs and automatically discovers resources. No agents, no proxies.
2. CORRELATES DATA USING AI: uses AI to correlate network, user, configuration, and threat intel data.
3. REMEDIATES RISKS: remediate issues via RedLock or enterprise integrations.
Data sources (ingested via APIs): Resource Configurations, User Activity, Network Traffic, Hosts
AWS examples: AWS APIs, CloudTrail Logs, VPC Flow Logs, AWS Inspector
Third party feeds
Enterprise integrations examples: AWS SQS
RedLock use case examples
● CISO / SecOps: RedLock Dashboards and Reports
- Central visibility
- Compliance reporting
● SecOps / SOC: RedLock Alerts and Compliance View
- Cloud guardrails for DevOps
- Security & Compliance checks
● Security analysts / Forensics: RedLock Investigate View
- Incident response
Four (4) Capture the Flag Challenges
• Config & Compliance checks and reporting
• Privileged activity monitoring & user behavior analytics
• Network Intrusion Detection Monitoring and Alerting
• Incident investigation & response
Capture the Flag Details & Rules [1/2]
● Capture the flag rules
○ Each challenge has multiple questions, and each correct answer scores 1 point.
○ The winner of each challenge is the participant with the most points for that challenge. *)
○ There will be a prize for each capture the flag challenge.
○ The grand-prize winner is the participant with the most points across all 4 challenges. *)
○ An attendee can only win once.
*) If there is a tie we will draw a winner
● Capture the flag answer card
○ Raise your hand if you do NOT have the Capture the Flag answer card.
○ Fill in your name and contact details on the top of the answer card.
○ Separate the card into five (5) pieces.
○ Hand in one (1) card after each of the four (4) challenges.
○ Keep the ticket (footer) of the answer card.
[Answer card layout: Answer #1: _____ / Answer #2: _____ / Answer #3: _____ / Answer #4: _____ / Ticket]
Capture the Flag Details & Rules [2/2]
● Capture the flag flow
○ 20 minutes for each challenge.
○ Each Capture the Flag challenge will be presented (one at a time).
○ Participants will get 10 minutes to solve the challenge.
○ Answer cards will be collected after each challenge.
○ 3-5 minute use case lecture after each challenge.
○ 3-5 minute demonstration of how to find the answers.
The RedLock team is here to help address questions!
WIFI and Console Login Details
● WIFI:
○ SSID: <SID>
○ Password: <password>
● RedLock console access
○ Console: https://app-lab.redlock.io
○ Userid: customersuccess@redlock.io
○ Password: AWSloft1!
● AWS console access
○ Console: Hint: Use the RedLock console to get to the AWS console.
○ Userid: customersuccess
○ Password: AWSloft1!
Capture the Flag Challenge #1
- Config & Compliance checks and reporting (https://app-lab.redlock.io)
Your security and compliance team reviewed the last compliance report, and wants to leverage the
RedLock console to find answers for the following questions:
• Question #1: How many S3 buckets have been accessible anonymously from the internet within the
last month?
• Question #2: How many documents are accessible from the internet within the “finance-aws-loft” S3
bucket?
• Question #3: The compliance report indicates an EBS snapshot is accessible to the public. What’s
the AWS CLI command that can be executed to remediate this security risk?
• Question #4: Find the RDS snapshot accessible to the internet and provide the unique identifier
(ARN) associated with the instance.
• Question #5: The security team has noticed that a number of AWS Security Groups allow internet
traffic, including the “default” Security Group. Your security team wants to understand the number of
workloads that have accepted TCP traffic through the “default” security group from 10/21 to 10/30.
Capture the Flag Challenge #1
- Config & Compliance checks and reporting
Summary:
• RedLock provides out-of-the-box config & compliance checks
• RedLock provides out-of-the-box security and compliance reports
• RedLock provides central visibility into your multi-platform / cross-platform cloud environment(s)
Use case examples
• DevOps teams need transparent security guardrails implemented.
• SecOps requires central visibility into dynamic cloud environments.
• Compliance teams need automated config and compliance checks.
• SOC teams need automated notification and visibility when policies are violated.
Capture the Flag Challenge #1
- Config & Compliance checks and reporting
• Q #1: How many S3 buckets have been accessible anonymously from the internet within the last month?
Answer: Two (2) S3 buckets
Alerts -> Last Month -> S3 buckets are accessible to public
• Q #2: How many documents are accessible from the internet within the “finance-aws-loft” S3 bucket?
Answer: Three (3) documents
Alerts -> Last Month -> S3 buckets are accessible to public
Click AWS link for the “finance-aws-loft” S3 bucket in RedLock console
OR https://finance-aws-loft.s3.amazonaws.com/
Capture the Flag Challenge #1
- Config & Compliance checks and reporting
• Question #3: The compliance report indicates an EBS snapshot is accessible to the public. What’s
the AWS CLI command that can be executed to remediate this security risk?
Answer: Alerts -> EBS snapshots are accessible to public -> resolve button for the snapshot
aws ec2 --region us-east-2 modify-snapshot-attribute --snapshot-id snap-01e2c12ff197d9b48
--attribute createVolumePermission --operation-type remove --group-names all
(This removes the “all” group from the snapshot’s createVolumePermission attribute, so other AWS accounts can no longer create volumes from it.)
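The remediation above revokes the public grant on one snapshot by hand. As an added example (not RedLock's or AWS's code), the script below audits every snapshot in an account for the same condition and issues the equivalent ModifySnapshotAttribute call; it assumes the boto3 EC2 client interface, and the FakeEC2 client and its snapshot IDs are constructed so the script runs offline.

```python
"""Audit EBS snapshots for a public createVolumePermission grant and revoke it.

Added example, not RedLock's code. It uses the boto3 EC2 client calls
describe_snapshots / describe_snapshot_attribute / modify_snapshot_attribute;
FakeEC2 is a constructed stand-in with sample snapshot IDs so the script runs
offline. Against AWS, pass boto3.client("ec2", region_name="us-east-2") instead.
"""
from typing import Dict, List, Tuple


def is_public(attribute_response: Dict) -> bool:
    """True when a describe_snapshot_attribute response grants the 'all' group,
    meaning any AWS account can create a volume from (and read) the snapshot."""
    perms = attribute_response.get("CreateVolumePermissions", [])
    return any(p.get("Group") == "all" for p in perms)


def find_public_snapshots(ec2, owner_ids=("self",)) -> List[str]:
    """Walk every page of the account's snapshots and return the public ones."""
    public = []
    kwargs = {"OwnerIds": list(owner_ids)}
    while True:
        page = ec2.describe_snapshots(**kwargs)
        for snap in page.get("Snapshots", []):
            attrs = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            if is_public(attrs):
                public.append(snap["SnapshotId"])
        token = page.get("NextToken")
        if not token:
            return public
        kwargs["NextToken"] = token


def cli_equivalent(snapshot_id: str, region: str) -> str:
    """The AWS CLI form of the same API call, for a runbook or change ticket."""
    return ("aws ec2 --region %s modify-snapshot-attribute --snapshot-id %s "
            "--attribute createVolumePermission --operation-type remove "
            "--group-names all" % (region, snapshot_id))


def remediate(ec2, snapshot_id: str, region: str, apply: bool = False) -> Tuple[str, bool]:
    """Return the planned command and whether it was executed. apply=False is the
    review step; apply=True issues ModifySnapshotAttribute to drop the 'all' grant."""
    cmd = cli_equivalent(snapshot_id, region)
    if apply:
        ec2.modify_snapshot_attribute(
            SnapshotId=snapshot_id,
            Attribute="createVolumePermission",
            OperationType="remove",
            GroupNames=["all"],
        )
    return cmd, apply


def audit_and_fix(ec2, region: str = "us-east-2", apply: bool = False) -> List[Tuple[str, bool]]:
    """Audit all snapshots, then report (or, with apply=True, fix) the public ones."""
    return [remediate(ec2, sid, region, apply) for sid in find_public_snapshots(ec2)]


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client holding three sample snapshots:
    one shared with everyone, one shared with a single account, one private."""

    def __init__(self):
        self.perms = {
            "snap-0aaaaaaaaaaaaaaa1": [{"Group": "all"}],
            "snap-0bbbbbbbbbbbbbbb2": [{"UserId": "111122223333"}],
            "snap-0ccccccccccccccc3": [],
        }

    def describe_snapshots(self, OwnerIds, NextToken=None):
        ids = sorted(self.perms)
        if NextToken is None:  # two pages, so the pagination loop is exercised
            return {"Snapshots": [{"SnapshotId": i} for i in ids[:2]], "NextToken": "page2"}
        return {"Snapshots": [{"SnapshotId": i} for i in ids[2:]]}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.perms[SnapshotId])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames=(), **_):
        if Attribute == "createVolumePermission" and OperationType == "remove":
            self.perms[SnapshotId] = [p for p in self.perms[SnapshotId]
                                      if p.get("Group") not in GroupNames]
        return {}


def fix_and_recheck(ec2, region: str = "us-east-2") -> Tuple[List[str], List[str]]:
    """Public snapshot IDs before and after remediation, for a before/after report."""
    before = find_public_snapshots(ec2)
    audit_and_fix(ec2, region, apply=True)
    return before, find_public_snapshots(ec2)


if __name__ == "__main__":
    fake = FakeEC2()
    for cmd, _ in audit_and_fix(fake):  # review step: nothing is changed yet
        print("planned:", cmd)
    print("before/after:", fix_and_recheck(fake))
```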
Capture the Flag Challenge #1
- Config & Compliance checks and reporting
• Question #4: Find the RDS snapshot accessible to the internet and provide the unique identifier
(ARN) associated with the instance.
Answer: "arn:aws:rds:us-east-2:091488320301:snapshot:finance-db-snapshot"
Alerts -> RDS snapshot are accessible to the public -> click the “finance-db-snapshot”
resource name
• Question #5: The security team has noticed that a number of AWS Security Groups allow internet
traffic, including the “default” Security Group. Your security team wants to understand the number
of workloads that have accepted TCP traffic through the “default” security group from 10/21 to
10/30.
Answer: Four (4) workloads.
Alerts -> Security Groups Allow internet traffic -> default Security Group
-> Investigate button -> From 10/21 – 10/30
Capture the Flag Challenge #2
- Privileged activity monitoring & user behavior analytics (https://app-lab.redlock.io)
Your security team has detected some suspicious user activities for your users, and needs
answers for the following questions:
• Question #1: How many unusual user activities have been detected for user = ‘rich’ from
10/29 to 11/1?
• Question #2: Why was the user activity for user = ‘Ankur’ identified as suspicious?
• Question #3: Analyze login behavior within your environment to identify and count the
number of users whose credentials may have been compromised due to “impossible time
travel” (account compromise) scenarios in October.
• Question #4: Unusual privileged user activities have been detected within your
environment. Leverage the RedLock console to find the number of 'DeleteAccessKey',
'DeleteBucket' and 'DeleteSecurityGroup' actions performed by user ‘allan_admin’ within your
environment in October.
Capture the Flag Challenge #2
- Privileged activity monitoring & user behavior analytics
Summary:
• RedLock provides centralized activity monitoring and alerting.
• RedLock also provides out-of-the-box user behavior analytics.
• Alerting is based on anomaly detection as well as config policy violations.
Use case examples
• SecOps requires central visibility into dynamic user behaviors.
• SOC teams need automated notification and visibility when user policies
are violated.
• Security analytics teams need advanced alerting to analyze and understand
increasingly sophisticated user attacks.
Capture the Flag Challenge #2
- Privileged activity monitoring & user behavior analytics
• Question #1: How many unusual user activities have been detected for user = ‘rich’ from
10/29 to 11/1?
Answer: Four (4)
Alerts -> 10/29 – 11/1 -> Unusual user activity (beta)
-> look for resource name =‘rich’
• Question #2: Why was the user activity for user = ‘Ankur’ identified as suspicious?
Answer: Unusual location and Resource activity
Alerts -> Unusual user activity (beta) -> expand event for ‘Ankur’
Capture the Flag Challenge #2
- Privileged activity monitoring & user behavior analytics
• Question #3: Analyze login behavior within your environment to identify and count the
number of users whose credentials may have been compromised due to “impossible time
travel” (account compromise) scenarios in October.
Answer: Three (3)
Alerts -> October -> Account Hijacking attempts
-> count impossible time travel alerts
• Question #4: Unusual privileged user activities have been detected within your environment.
Leverage the RedLock console to find the number of 'DeleteAccessKey', 'DeleteBucket' and
'DeleteSecurityGroup' actions performed by user ‘allan_admin’ within your environment in
October.
Answer: Four (4)
Investigate -> October -> event where operation IN ( 'DeleteAccessKey' ,
'DeleteBucket' , 'DeleteSecurityGroup' ) and user = 'allan_admin'
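The "impossible time travel" check behind Q#3 can be reproduced directly from CloudTrail ConsoleLogin events: two successful logins by the same user whose implied travel speed between their source locations is faster than any aircraft. The script below is an added example, not RedLock's analytics; it assumes a constructed IP-to-location table (GEO) standing in for a GeoIP lookup, constructed sample events, and a tunable cut-off (MAX_PLAUSIBLE_KMH).

```python
"""Flag "impossible time travel" between successful console logins.

Added example, not RedLock's code. GEO is a constructed stand-in for a GeoIP
database, SAMPLE_EVENTS are constructed CloudTrail-shaped ConsoleLogin records
(TEST-NET addresses), and MAX_PLAUSIBLE_KMH is a tunable threshold.
"""
import json
import math
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

MAX_PLAUSIBLE_KMH = 1000.0  # faster than an airliner between two logins

# Constructed IP -> (lat, lon) table; addresses come from the documentation ranges.
GEO: Dict[str, Tuple[float, float]] = {
    "203.0.113.10": (37.45, -122.18),  # Menlo Park, CA
    "198.51.100.7": (51.51, -0.13),    # London
    "192.0.2.44": (40.71, -74.01),     # New York
}

# Constructed CloudTrail records reduced to the fields this check needs.
SAMPLE_EVENTS = [
    '{"eventName":"ConsoleLogin","eventTime":"2017-10-12T08:00:00Z","sourceIPAddress":"203.0.113.10","userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"ConsoleLogin","eventTime":"2017-10-12T09:30:00Z","sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"ConsoleLogin","eventTime":"2017-10-12T10:00:00Z","sourceIPAddress":"192.0.2.44","userIdentity":{"userName":"bob"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"ConsoleLogin","eventTime":"2017-10-12T18:00:00Z","sourceIPAddress":"203.0.113.10","userIdentity":{"userName":"bob"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"ConsoleLogin","eventTime":"2017-10-12T18:05:00Z","sourceIPAddress":"203.0.113.10","userIdentity":{"userName":"bob"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"ConsoleLogin","eventTime":"2017-10-12T11:00:00Z","sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"carol"},"responseElements":{"ConsoleLogin":"Failure"}}',
    '{"eventName":"ConsoleLogin","eventTime":"2017-10-12T11:10:00Z","sourceIPAddress":"192.0.2.44","userIdentity":{"userName":"carol"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"DescribeInstances","eventTime":"2017-10-12T12:00:00Z","sourceIPAddress":"192.0.2.44","userIdentity":{"userName":"carol"}}',
]


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, a + b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_login(line: str) -> Optional[dict]:
    """Extract user, time, source IP and outcome from a ConsoleLogin record."""
    ev = json.loads(line)
    if ev.get("eventName") != "ConsoleLogin":
        return None
    resp = ev.get("responseElements") or {}
    return {
        "user": ev.get("userIdentity", {}).get("userName", "unknown"),
        "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ev["sourceIPAddress"],
        "success": resp.get("ConsoleLogin") == "Success",
    }


def find_impossible_travel(lines, geo=GEO, max_kmh=MAX_PLAUSIBLE_KMH) -> List[tuple]:
    """(user, from_ip, to_ip, km, km/h) for each consecutive pair of successful
    logins from different locations whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_login(line)
        if ev and ev["success"] and ev["ip"] in geo:  # failed logins prove nothing
            by_user[ev["user"]].append(ev)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["time"])
        for prev, cur in zip(logins, logins[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            km = haversine_km(geo[prev["ip"]], geo[cur["ip"]])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_kmh:
                findings.append((user, prev["ip"], cur["ip"], round(km), round(kmh)))
    return findings


def compromised_user_count(lines) -> int:
    """The Q#3 number: distinct users with at least one impossible-travel pair."""
    return len({f[0] for f in find_impossible_travel(lines)})


if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", finding)
    print("users to review:", compromised_user_count(SAMPLE_EVENTS))
```

In the sample, alice moves Menlo Park to London in 90 minutes (flagged); bob's New York to Menlo Park in 8 hours is a plausible flight and is not.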
Capture the Flag Challenge #3
- Network Intrusion Detection monitoring and alerting (https://app-lab.redlock.io)
Your DevOps team provisioned a number of new database servers, and accidentally exposed
them to the internet.
• Question #1: How many DB and RDS servers have received inbound traffic from the internet
from 10/25 – 10/30?
• Question #2: Which security group allowed the “MySQL” DB workload to receive
MySQL DB traffic (port 3306) directly from the internet between 10/20 – 10/30?
• Question #3: How many DB workloads sent more than 10,000 bytes from 10/25 – 10/30?
• Question #4: How many egress attempts were made from EC2 instances to external servers
on port 25, potentially indicating that the EC2 instance was compromised and used as a
spam bot? I am interested in data for 10/21 – 10/30.
Capture the Flag Challenge #3
- Network Intrusion Detection monitoring and alerting
Summary:
• RedLock network monitoring helps you understand what’s actually happening in your
environment, whereas config monitoring tells you what CAN happen.
• Workload classification based on network traffic is critical to ensure the correct
security policies can be applied to your cloud infrastructure.
Use case examples
• SecOps requires central visibility into network activities in your cloud environment.
• SOC teams need automated notification and visibility when network policies
are violated.
• Security analytics teams need advanced alerting to analyze and understand
increasingly sophisticated multi-vector network attacks.
Capture the Flag Challenge #3
- Network Intrusion Detection monitoring and alerting
• Question #1: How many DB and RDS servers have received inbound traffic from the internet
from 10/25 – 10/30?
Answer: Two (2).
Investigate -> 10/25 – 10/30 -> network where dest.resource IN ( resource where role IN
( 'Database' , 'AWS RDS' )) and bytes > 0
• Question #2: Which security group allowed the “MySQL” DB workload to receive
MySQL DB traffic (port 3306) directly from the internet between 10/20 – 10/30?
Answer: finance-application-sg (description: Finance Application Access)
Investigate -> 10/20 – 10/30 -> network where dest.port = 3306 and bytes > 0
-> select “MySQL” workload -> Expand “Network summary” on the right
-> Find security group that allows inbound communication with port 3306
Capture the Flag Challenge #3
- Network Intrusion Detection monitoring and alerting
• Question #3: How many DB workloads sent more than 10,000 bytes from 10/25 – 10/30?
Answer: One (1)
Investigate -> 10/25 – 10/30 -> network where source.resource IN ( resource where role IN (
'AWS RDS' , 'Database' )) and bytes > 10000
• Question #4: How many egress attempts were made from EC2 instances to external servers
on port 25, potentially indicating that the EC2 instance was compromised and used as a spam
bot? I am interested in data for 10/21 – 10/30.
Answer: Five (5)
Investigate -> 10/21 – 10/30 -> network where dest.port = 25 and bytes > 0 -> click outbound
communication link for the “Windows Server A” workload -> click the “View Details” button
-> count the number of egress attempts
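The three network questions answered above (Q#1, Q#3 and Q#4) can also be answered from raw VPC Flow Logs once each network interface is mapped to a workload and its role, which is the classification step the summary slide calls out. The script below is an added example, not RedLock's code or its RQL; it assumes a constructed VPC address range (VPC_CIDRS, everything outside it counting as "the internet"), a constructed ENI-to-workload map (ROLES) of the kind a tag or asset lookup provides, and constructed flow log lines.

```python
"""Answer Challenge #3-style questions from VPC Flow Logs plus a role lookup.
Added example, not RedLock's code. VPC_CIDRS, ROLES (ENI -> workload, role,
private IP) and FLOW_LOG_LINES are all constructed sample data.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]  # constructed VPC range

ROLES: Dict[str, Tuple[str, str, str]] = {
    "eni-0aaaaaaaaaaaaaaa1": ("mysql-finance", "Database", "10.0.1.20"),
    "eni-0aaaaaaaaaaaaaaa2": ("postgres-hr", "Database", "10.0.1.21"),
    "eni-0bbbbbbbbbbbbbbb1": ("web-a", "Web", "10.0.2.10"),
}

# Default (version 2) flow log fields: version account-id interface-id srcaddr
# dstaddr srcport dstport protocol packets bytes start end action log-status.
# Constructed lines dated 2017-10-25/26 (TEST-NET addresses stand in for the internet).
FLOW_LOG_LINES = """\
2 123456789012 eni-0aaaaaaaaaaaaaaa1 203.0.113.5 10.0.1.20 51234 3306 6 12 1840 1508889600 1508889660 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaa1 10.0.1.30 10.0.1.20 51235 3306 6 12 1840 1508889600 1508889660 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaa1 10.0.1.20 203.0.113.5 3306 51234 6 90 14200 1508889600 1508889660 ACCEPT OK
2 123456789012 eni-0aaaaaaaaaaaaaaa2 198.51.100.9 10.0.1.21 40000 5432 6 1 44 1508889700 1508889760 REJECT OK
2 123456789012 eni-0bbbbbbbbbbbbbbb1 10.0.2.10 203.0.113.77 41000 25 6 3 180 1508976000 1508976060 ACCEPT OK
2 123456789012 eni-0bbbbbbbbbbbbbbb1 10.0.2.10 198.51.100.3 41001 25 6 3 180 1508976000 1508976060 REJECT OK
2 123456789012 eni-0bbbbbbbbbbbbbbb1 10.0.2.10 10.0.3.5 41002 25 6 3 180 1508976000 1508976060 ACCEPT OK
2 123456789012 eni-0bbbbbbbbbbbbbbb1 203.0.113.77 10.0.2.10 25 41000 6 2 120 1508976000 1508976060 ACCEPT OK
2 123456789012 eni-0bbbbbbbbbbbbbbb1 - - - - - - - 1508976060 1508976120 - NODATA
""".splitlines()

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(line: str) -> dict:
    """Split one default-format line into a record; '-' (NODATA/SKIPDATA) becomes 0."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count in flow log line: %r" % line)
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = 0 if rec[key] == "-" else int(rec[key])
    return rec


def is_external(ip: str) -> bool:
    """True for an address outside the VPC (what the questions call 'the internet')."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # '-' placeholder in NODATA/SKIPDATA records
        return False
    return not any(addr in net for net in VPC_CIDRS)


def db_hosts_with_internet_inbound(records, roles=ROLES) -> Set[str]:
    """Q#1-style: Database workloads that accepted bytes from outside the VPC."""
    hits = set()
    for rec in records:
        meta = roles.get(rec["interface_id"])
        if meta is None:
            continue
        name, role, private_ip = meta
        if (role == "Database" and rec["action"] == "ACCEPT" and rec["bytes"] > 0
                and rec["dstaddr"] == private_ip and is_external(rec["srcaddr"])):
            hits.add(name)
    return hits


def db_hosts_sending_over(records, threshold: int, roles=ROLES) -> Set[str]:
    """Q#3-style: Database workloads whose outbound bytes (summed) exceed threshold."""
    totals = Counter()
    for rec in records:
        meta = roles.get(rec["interface_id"])
        if meta and meta[1] == "Database" and rec["srcaddr"] == meta[2]:
            totals[meta[0]] += rec["bytes"]
    return {name for name, total in totals.items() if total > threshold}


def smtp_egress_attempts(records, roles=ROLES) -> Dict[str, int]:
    """Q#4-style: per workload, TCP flows it initiated to port 25 outside the VPC.
    REJECTed flows count too: a blocked attempt is still a spam-bot indicator."""
    attempts = Counter()
    for rec in records:
        meta = roles.get(rec["interface_id"])
        if (meta and rec["srcaddr"] == meta[2] and rec["protocol"] == 6
                and rec["dstport"] == 25 and is_external(rec["dstaddr"])):
            attempts[meta[0]] += 1
    return dict(attempts)


RECORDS: List[dict] = [parse_flow_log(line) for line in FLOW_LOG_LINES]

if __name__ == "__main__":
    print("DB hosts reachable from the internet:", db_hosts_with_internet_inbound(RECORDS))
    print("DB hosts sending > 10000 bytes:", db_hosts_sending_over(RECORDS, 10000))
    print("SMTP egress attempts per workload:", smtp_egress_attempts(RECORDS))
```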
Capture the Flag Challenge #4
- Incident investigation & response (https://app-lab.redlock.io)
Your AWS team has noticed changes and suspicious activities in core AWS configuration
settings, and is looking for answers to the following questions:
• Question #1: How many new Security Groups were created in the environment from October
24th to October 29th?
• Question #2: How many workloads received traffic through the “RDP-sg” Security Group
from 10/28 – 10/31?
• Question #3: How many AWS workloads with the tag “Environment” = ”Production” received
traffic from suspicious IP addresses from 10/28 – 10/31?
• Question #4: Your security team has received reports that some of your Database and Web
Servers have been compromised due to known host vulnerabilities, and needs your help with
the following: How many workloads have reported a known host vulnerability from 10/31 –
11/3?
Capture the Flag Challenge #4
- Incident investigation & response
Summary:
• RedLock provides security analysts with a centralized incident response
management solution.
• RedLock overlays multiple data sources, including config, user, network and
vulnerability scan information.
• RedLock provides out-of-the-box workflow integrations.
Use case examples
• Security analytics teams need advanced alerting and forensic tools to analyze and
understand increasingly sophisticated multi-vector attacks.
• SecOps requires central visibility into their dynamic cloud environments.
Capture the Flag Challenge #4
- Incident investigation & response
• Question #1: How many new Security Groups were created in the environment from October
24th to October 29th?
Answer: Fifteen (15)
Investigate -> 10/24 – 10/29 -> event where operation IN ( 'CreateSecurityGroup' )
• Question #2: How many workloads received traffic through the “RDP-sg” Security Group
from 10/28 – 10/31?
Answer: Two (2)
Alerts -> “Security Groups Allow Internet Traffic from internet to RDP port (3389)”
-> “RDP-sg” -> “Investigate” -> 10/20 – 10/29
OR run the following from the investigate view: network where source.ip = 0.0.0.0 and
dest.resource IN ( resource where securitygroup.name = 'RDP-sg' )
Capture the Flag Challenge #4
- Incident investigation & response
• Question #3: How many AWS workloads with the tag “Environment” = ”Production” received
traffic from suspicious IP addresses from 10/28 – 10/31?
Answer: Two (2)
Investigate -> 10/28 – 10/31 -> network where bytes > 0 and dest.resource IN ( resource
where tag ( 'Environment' ) = 'Production' )
OR network where bytes > 0, and manually go through each workload to identify its tags.
Capture the Flag Challenge #4
- Incident investigation & response
• Question #4: Your security team has received reports that some of your Database and Web
Servers have been compromised due to known host vulnerabilities, and needs your help with
the following: How many workloads have reported a known host vulnerability and have
received traffic from the internet from 10/31 – 11/3?
Answer: One (1)
Investigate -> 10/31 – 11/3 -> network where source.ip = 0.0.0.0 AND dest.resource IN (
resource where alert.type IN ( 'cve' ))
OR network where bytes > 0, and manually find workloads with a known vulnerability that
have received traffic from the internet.
Wrap-up and prizes……
3 Simple Steps to Cloud Confidence (RedLock POC Process)
1. Provide RedLock with API access to your environment
2. We will set up an account on the RedLock Cloud 360 platform
3. See results immediately
The RedLock team is here to help. Please swing by to discuss any additional questions you might have!
Prizes
● Grand prize (Drone)
● Capture the flag Challenge #1 (Amazon Gift Card)
● Capture the flag Challenge #2 (Amazon Fire TV)
● Capture the flag Challenge #3 (Amazon Dot)
● Capture the flag Challenge #4 (Amazon Echo Plus)
*) If there is a tie we will draw a winner
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Become a Cloud Security Ninja

  • 1. Become a Cloud Security Ninja !

  • 2. RedLock Confidential & Proprietary
  Session Description: Become a Cloud Security Ninja
  In order to confidently scale your AWS deployments, continuous security must be built into your continuous integration and continuous delivery architecture. Participate in a series of interactive capture the flag challenges to get hands-on experience with DevSecOps. We’ll teach you how to think like a security ninja, highlight common mistakes that can have catastrophic consequences, and provide tips to avoid them. More specifically, learn how to:
  ● Establish security guardrails in the DevOps process
  ● Detect and remediate risky configurations
  ● Identify vulnerable hosts
  ● Detect and respond to malicious activities
  ● Rapidly investigate incidents
  We provide the infrastructure necessary for the lab - simply show up with your laptop. Get ready to have some fun and win some exciting prizes!

  • 3. Agenda
  ● Welcome & RedLock introduction (10 minutes)
  ● RedLock console demo (20 minutes)
  ● Four (4) RedLock Capture the Flag challenges (20 minutes each)
  ○ Config & Compliance checks and reporting
  ○ Privileged activity monitoring & user behavior analytics
  ○ Network Intrusion Detection Monitoring and Alerting
  ○ Incident investigation & response
  ● Wrap-up & Prizes (10 minutes)

  • 4. Participate to win some awesome prizes....
  Amazon Echo Plus, Amazon Echo Dot, Amazon Fire TV, Amazon Gift card, DROCON Blue Bugs Brushless Drone

  • 5. About RedLock
  Founded 2015 and headquartered in Menlo Park, CA.
  Backed by Dell Technologies Capital, Sierra Ventures, Storm Ventures, and other high profile investors.
  Protecting 5+ million resources for a number of high profile customers.
  Finalist for Most Innovative Startup at RSA 2017 San Francisco.

  • 6. The Shared Responsibility Model: Organizations are Responsible for Security “in” the Cloud
  Organization - responsible for security “in” the cloud: Resource Configurations, User Activities, Network Traffic, Hosts, Applications
  Cloud Service Provider - responsible for security “of” the cloud: Hubs, Switches, Routers, Hypervisor, Data Center

  • 7. RedLock Takes a Holistic Approach (Cloud 360 Platform)
  1. DISCOVERS ENVIRONMENT: Ingests data via APIs and automatically discovers resources. No agents, no proxies.
  2. CORRELATES DATA USING AI: Uses AI to correlate network, user, configuration, and threat intel data.
  3. REMEDIATES RISKS: Remediate issues via RedLock or enterprise integrations.
  Data ingested via APIs: Resource Configurations, User Activity, Network Traffic, Hosts, Third Party Feeds
  AWS examples: AWS APIs, CloudTrail Logs, VPC Flow Logs, AWS Inspector, AWS SQS For
  Enterprise integrations examples (via APIs)

  • 8. RedLock use case examples
  ○ CISO / SecOps - RedLock Dashboards and Reports: central visibility, compliance reporting
  ○ SecOps / SOC - RedLock Alerts and Compliance View: cloud guardrails for DevOps, security & compliance checks
  ○ Security analysts / Forensics - RedLock Investigate View: incident response

  • 10. Four (4) Capture the Flag Challenges
  • Config & Compliance checks and reporting
  • Privileged activity monitoring & user behavior analytics
  • Network Intrusion Detection Monitoring and Alerting
  • Incident investigation & response

  • 11. Capture the Flag Details & Rules [1/2]
  ● Capture the flag rules
  ○ Each challenge has multiple questions, and each correct answer will get a score of 1.
  ○ The winner of each challenge is the one with the most points for that challenge. *)
  ○ There will be a prize for each capture the flag challenge.
  ○ The grand-prize winner is the one with the most points across all 4 challenges. *)
  ○ An attendee can “only” win once.
  *) If there is a tie we will draw a winner
  ● Capture the flag answer card
  ○ Raise your hand if you do NOT have the Capture the Flag answer card.
  ○ Fill in your name and contact details on the top of the answer card.
  ○ Separate the card into five (5) pieces.
  ○ Hand in one (1) card after each of the four (4) challenges.
  ○ Keep the ticket (footer) of the answer card.
  Answer card layout: Answer #1: _____ | Answer #2: _____ | Answer #3: _____ | Answer #4: _____ | Ticket

  • 12. Capture the Flag Details & Rules [2/2]
  ● Capture the flag flow
  ○ 20 minutes for each challenge.
  ○ Each Capture the flag challenge will be presented (one at a time).
  ○ Participants will get 10 minutes to solve the challenge.
  ○ Answer cards will be collected after each challenge.
  ○ 3-5 minutes use case lecture after each challenge.
  ○ 3-5 minutes demonstration of how to find the answers.
  The RedLock team is here to help address questions!

  • 13. WIFI and Console Login Details
  ● WIFI:
  ○ SID: <SID>
  ○ Password: <password>
  ● RedLock console access
  ○ Console: https://app-lab.redlock.io
  ○ Userid: customersuccess@redlock.io
  ○ Password: AWSloft1!
  ● AWS console access
  ○ Console: Hint: Use the RedLock console to get to the AWS console.
  ○ Userid: customersuccess
  ○ Password: AWSloft1!

  • 14. Capture the Flag Challenge #1 - Config & Compliance checks and reporting (https://app-lab.redlock.io)
  Your security and compliance team reviewed the last compliance report, and wants to leverage the RedLock console to find answers for the following questions:
  • Question #1: How many S3 buckets have been accessible anonymously from the internet within the last month?
  • Question #2: How many documents are accessible from the internet within the “finance-aws-loft” S3 bucket?
  • Question #3: The compliance report indicates an EBS snapshot is accessible to the public. What AWS CLI command can be executed to remediate this security risk?
  • Question #4: Find the RDS snapshot accessible to the internet and provide the unique identifier (ARN) associated with the instance.
  • Question #5: The security team has noticed that a number of AWS Security Groups allow internet traffic, including the “default” Security Group. Your security team wants to understand the number of workloads that have accepted TCP traffic through the “default” security group from 10/21 to 10/30.

  • 15. Capture the Flag Challenge #1 - Config & Compliance checks and reporting
  Summary:
  • RedLock provides out-of-the-box config & compliance checks
  • RedLock provides out-of-the-box security and compliance reports
  • RedLock provides central visibility into your multi- / cross-platform cloud environment(s)
  Use case examples
  • DevOps teams need transparent security guardrails implemented.
  • SecOps requires central visibility into the dynamic cloud environments.
  • Automated config and compliance checks for corporate compliance teams.
  • SOC teams need automated notification and visibility if policies are violated.

  • 16. Capture the Flag Challenge #1 - Config & Compliance checks and reporting
  • Q #1: How many S3 buckets have been accessible anonymously from the internet within the last month?
  Answer: Two (2) S3 buckets
  Alerts -> Last Month -> S3 buckets are accessible to public
  • Q #2: How many documents are accessible from the internet within the “finance-aws-loft” S3 bucket?
  Answer: Three (3) documents
  Alerts -> Last Month -> S3 buckets are accessible to public -> click the AWS link for the “finance-aws-loft” S3 bucket in the RedLock console, OR open https://finance-aws-loft.s3.amazonaws.com/

  • 17. Capture the Flag Challenge #1 - Config & Compliance checks and reporting
  • Question #3: The compliance report indicates an EBS snapshot is accessible to the public. What AWS CLI command can be executed to remediate this security risk?
  Answer: Alerts -> EBS snapshots are accessible to public -> resolve button for the snapshot
    aws ec2 --region us-east-2 modify-snapshot-attribute --snapshot-id snap-01e2c12ff197d9b48 --attribute createVolumePermissionsGroup --operation-type remove --values-to-remove "all"
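The same check and remediation as Question #3, done programmatically so it can run as a scheduled guardrail rather than a one-off console click. This is an added example, not RedLock's code and not part of the deck: it uses the boto3 EC2 client calls describe_snapshots, describe_snapshot_attribute and modify_snapshot_attribute with the createVolumePermission attribute (in boto3 the public group is removed via GroupNames=["all"]). The FakeEc2 class and the snapshot IDs are constructed stand-ins so the audit runs offline; pass a real boto3.client("ec2") in their place to run it against an account.

```python
"""Find EBS snapshots shared with the 'all' group and remove that permission.

Added example (not RedLock's code, not from the original deck). The EC2 client is
injected so the same functions work with boto3.client("ec2") or with the constructed
FakeEc2 below for an offline run. Snapshot IDs in the demo are made up.
"""
from __future__ import annotations

try:
    import boto3  # only needed for the real-account path at the bottom
except ImportError:  # offline run does not need it
    boto3 = None


def public_snapshots(ec2) -> list[str]:
    """Return IDs of snapshots owned by this account that the 'all' group may use."""
    exposed = []
    kwargs = {"OwnerIds": ["self"]}
    while True:  # describe_snapshots pages with NextToken on large accounts
        resp = ec2.describe_snapshots(**kwargs)
        for snap in resp["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"
            )
            if any(p.get("Group") == "all" for p in attr["CreateVolumePermissions"]):
                exposed.append(snap["SnapshotId"])
        token = resp.get("NextToken")
        if not token:
            return exposed
        kwargs["NextToken"] = token


def remove_public_access(ec2, snapshot_id: str) -> None:
    """Drop the 'all' group from createVolumePermission (the remediation on the slide)."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="remove",
        GroupNames=["all"],
    )


def remediate_all(ec2, dry_run: bool = True) -> list[str]:
    """List public snapshots; fix them only when dry_run is False."""
    exposed = public_snapshots(ec2)
    if not dry_run:
        for snapshot_id in exposed:
            remove_public_access(ec2, snapshot_id)
    return exposed


class FakeEc2:
    """Constructed in-memory stand-in for a boto3 EC2 client (test data, not real IDs)."""

    def __init__(self, perms: dict[str, list[dict]]):
        self.perms = perms

    def describe_snapshots(self, **kwargs):
        return {"Snapshots": [{"SnapshotId": s} for s in self.perms]}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.perms[SnapshotId])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames):
        if OperationType == "remove":
            self.perms[SnapshotId] = [p for p in self.perms[SnapshotId]
                                      if p.get("Group") not in GroupNames]


def demo() -> tuple[list[str], list[str]]:
    """Offline run on constructed data; returns (exposed before fix, exposed after fix)."""
    fake = FakeEc2({
        "snap-0000000000000aaaa": [{"Group": "all"}],            # public: the risk on the slide
        "snap-0000000000000bbbb": [{"UserId": "123456789012"}],  # shared with one account only
        "snap-0000000000000cccc": [],                            # private
    })
    before = remediate_all(fake, dry_run=False)
    after = public_snapshots(fake)
    return before, after


if __name__ == "__main__":
    print(demo())
    if boto3 is not None:
        # Real account: list only (dry_run=True) until the findings have been reviewed.
        print(remediate_all(boto3.client("ec2", region_name="us-east-2"), dry_run=True))
```

Snapshots shared with a specific account (a UserId entry rather than Group "all") are deliberately left alone, since cross-account sharing may be intended; only the anonymous "all" grant is the finding the compliance report flags.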
  • 18. Capture the Flag Challenge #1 - Config & Compliance checks and reporting
  • Question #4: Find the RDS snapshot accessible to the internet and provide the unique identifier (ARN) associated with the instance.
  Answer: "arn:aws:rds:us-east-2:091488320301:snapshot:finance-db-snapshot"
  Alerts -> RDS snapshot are accessible to the public -> click the “finance-db-snapshot” resource name
  • Question #5: The security team has noticed that a number of AWS Security Groups allow internet traffic, including the “default” Security Group. Your security team wants to understand the number of workloads that have accepted TCP traffic through the “default” security group from 10/21 to 10/30.
  Answer: Four (4) workloads.
  Alerts -> Security Groups Allow internet traffic -> default Security Group -> Investigate button -> From 10/21 – 10/30

  • 19. Capture the Flag Challenge #2 - Privileged activity monitoring & user behavior analytics (https://app-lab.redlock.io)
  Your security team has detected some suspicious user activities for your users, and needs answers for the following questions:
  • Question #1: How many unusual user activities have been detected for user = ‘rich’ from 10/29 to 11/1?
  • Question #2: Why was the user activity for user = ‘Ankur’ identified as suspicious?
  • Question #3: Analyze login behavior within your environment to identify and count the number of users whose credentials may have been compromised due to “impossible time travel” (account compromise) scenarios in October.
  • Question #4: Unusual privileged user activities have been detected within your environment. Leverage the RedLock console to find the number of 'DeleteAccessKey', 'DeleteBucket' and 'DeleteSecurityGroup' actions performed by user ‘allan_admin’ within your environment in October.

  • 20. Capture the Flag Challenge #2 - Privileged activity monitoring & user behavior analytics
  Summary:
  • RedLock provides centralized activity monitoring and alerting.
  • RedLock also provides out-of-the-box user behavior analytics.
  • Alerting based on anomaly detection as well as config policy violations.
  Use case examples
  • SecOps requires central visibility into the dynamic user behaviors.
  • SOC teams need automated notification and visibility if user policies are violated.
  • Security analysts need advanced alerting to analyze and understand increasingly sophisticated user attacks.

  • 21. Capture the Flag Challenge #2 - Privileged activity monitoring & user behavior analytics
  • Question #1: How many unusual user activities have been detected for user = ‘rich’ from 10/29 to 11/1?
  Answer: Four (4)
  Alerts -> 10/29 – 11/1 -> Unusual user activity (beta) -> look for resource name = ‘rich’
  • Question #2: Why was the user activity for user = ‘Ankur’ identified as suspicious?
  Answer: Unusual location and resource activity
  Alerts -> Unusual user activity (beta) -> expand event for ‘Ankur’

  • 22. Capture the Flag Challenge #2 - Privileged activity monitoring & user behavior analytics
  • Question #3: Analyze login behavior within your environment to identify and count the number of users whose credentials may have been compromised due to “impossible time travel” (account compromise) scenarios in October.
  Answer: Three (3)
  Alerts -> October -> Account Hijacking attempts -> count impossible time travel alerts
  • Question #4: Unusual privileged user activities have been detected within your environment. Leverage the RedLock console to find the number of 'DeleteAccessKey', 'DeleteBucket' and 'DeleteSecurityGroup' actions performed by user ‘allan_admin’ within your environment in October.
  Answer: Four (4)
  Investigate -> October -> event where operation IN ( 'DeleteAccessKey', 'DeleteBucket', 'DeleteSecurityGroup' ) and user = 'allan_admin'
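What the two queries behind Challenge #2 do under the hood, as an added example that is not RedLock's code and not part of the deck: it counts privileged delete operations per user within a time window (the slide's "event where operation IN (...) and user = ..." query, over CloudTrail-shaped events) and flags "impossible time travel" by comparing the distance and elapsed time between a user's consecutive console logins against a plausible travel speed. The event records, the IP-to-coordinates table and the 1,000 km/h threshold are constructed assumptions; the CloudTrail field names (eventTime, eventName, sourceIPAddress, userIdentity.userName) are real, and in practice the coordinates would come from a GeoIP lookup rather than a hard-coded table.

```python
"""Privileged-action counting and impossible-travel login checks over CloudTrail-style events.

Added example, not RedLock's code and not from the deck. Events, the GEO table and the
speed threshold are constructed; the numbers they yield are illustrative only.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

PRIVILEGED_DELETES = {"DeleteAccessKey", "DeleteBucket", "DeleteSecurityGroup"}
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than any commercial flight

# Constructed IP -> (latitude, longitude); the addresses are documentation ranges.
GEO = {
    "203.0.113.7": (37.45, -122.18),   # Menlo Park area
    "192.0.2.44": (37.39, -122.08),    # a few km away: a plausible next login
    "198.51.100.9": (51.51, -0.13),    # London
}


def ev(time, name, user, ip):
    """Build a minimal CloudTrail-shaped record (constructed data)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"userName": user}, "sourceIPAddress": ip}


EVENTS = [  # constructed sample trail
    ev("2018-10-03T09:00:00Z", "ConsoleLogin", "rich", "203.0.113.7"),
    ev("2018-10-03T10:00:00Z", "ConsoleLogin", "rich", "192.0.2.44"),
    ev("2018-10-05T09:00:00Z", "ConsoleLogin", "ankur", "203.0.113.7"),
    ev("2018-10-05T10:00:00Z", "ConsoleLogin", "ankur", "198.51.100.9"),  # London 1h later
    ev("2018-10-12T14:00:00Z", "DeleteAccessKey", "allan_admin", "203.0.113.7"),
    ev("2018-10-12T14:05:00Z", "DeleteBucket", "allan_admin", "203.0.113.7"),
    ev("2018-10-15T11:00:00Z", "DeleteBucket", "rich", "192.0.2.44"),
    ev("2018-10-20T08:30:00Z", "DeleteSecurityGroup", "allan_admin", "203.0.113.7"),
    ev("2018-10-20T08:31:00Z", "CreateSecurityGroup", "allan_admin", "203.0.113.7"),
    ev("2018-10-28T17:00:00Z", "DeleteBucket", "allan_admin", "203.0.113.7"),
    ev("2018-11-02T09:00:00Z", "DeleteAccessKey", "allan_admin", "203.0.113.7"),  # outside October
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def in_window(events, start, end):
    """Events with start <= eventTime < end; start/end given as 'YYYY-MM-DD' (UTC)."""
    lo, hi = (datetime.strptime(d, "%Y-%m-%d") for d in (start, end))
    return [e for e in events if lo <= parse_time(e["eventTime"]) < hi]


def count_operations(events, user, operations=PRIVILEGED_DELETES):
    """Equivalent of: event where operation IN (...) and user = '<user>'."""
    return sum(1 for e in events
               if e["userIdentity"]["userName"] == user and e["eventName"] in operations)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Users with two consecutive ConsoleLogin events whose implied speed exceeds max_kmh.
    Returns user -> (first ip, second ip, km, hours) for the first offending pair."""
    by_user = defaultdict(list)
    for e in events:
        if e["eventName"] == "ConsoleLogin" and e["sourceIPAddress"] in GEO:
            by_user[e["userIdentity"]["userName"]].append(
                (parse_time(e["eventTime"]), e["sourceIPAddress"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            hours = max((t2 - t1).total_seconds() / 3600.0, 1e-6)  # avoid division by zero
            km = haversine_km(GEO[ip1], GEO[ip2])
            if km / hours > max_kmh:
                flagged[user] = (ip1, ip2, round(km), round(hours, 2))
                break
    return flagged


if __name__ == "__main__":
    october = in_window(EVENTS, "2018-10-01", "2018-11-01")
    print("allan_admin privileged deletes in October:", count_operations(october, "allan_admin"))
    print("impossible travel:", impossible_travel(EVENTS))
```

Logins from addresses the lookup cannot place (corporate VPN egress, cloud provider ranges) are skipped rather than guessed at; tuning that list, and the speed threshold, is where most of the false positives in this kind of detection are removed.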
  • 23. Capture the Flag Challenge #3 - Network Intrusion Detection monitoring and alerting (https://app-lab.redlock.io)
  Your DevOps team provisioned a number of new database servers, and accidentally exposed them to the internet.
  • Question #1: How many DB and RDS servers have received inbound traffic from the internet from 10/25 – 10/30?
  • Question #2: Which security group allowed the “MySQL” DB workload to receive MySQL DB traffic (port 3306) directly from the internet between 10/20 – 10/30?
  • Question #3: How many DB workloads sent more than 10,000 bytes from 10/25 – 10/30?
  • Question #4: How many egress attempts were made from EC2 instances to external servers on port 25, potentially indicating that the EC2 instance was compromised and used as a spam bot? I am interested in data for 10/21 – 10/30.

  • 24. Capture the Flag Challenge #3 - Network Intrusion Detection monitoring and alerting
  Summary:
  • RedLock network monitoring helps you understand what IS happening in your environment, vs. config monitoring, which tells you what CAN happen.
  • Workload classification based on network traffic is critical to ensure the correct security policies can be applied to your cloud infrastructure.
  Use case examples
  • SecOps requires central visibility into network activities in your cloud environment.
  • SOC teams need automated notification and visibility if network policies are violated.
  • Security analysts need advanced alerting to analyze and understand increasingly sophisticated multi-vector network attacks.

  • 25. Capture the Flag Challenge #3 - Network Intrusion Detection monitoring and alerting
  • Question #1: How many DB and RDS servers have received inbound traffic from the internet from 10/25 – 10/30?
  Answer: Two (2).
  Investigate -> 10/25 – 10/30 -> network where dest.resource IN ( resource where role IN ( 'Database' , 'AWS RDS' )) and bytes > 0
  • Question #2: Which security group allowed the “MySQL” DB workload to receive MySQL DB traffic (port 3306) directly from the internet between 10/20 – 10/30?
  Answer: finance-application-sg (description: Finance Application Access)
  Investigate -> 10/20 – 10/30 -> network where dest.port = 3306 and bytes > 0 -> select “MySQL” workload -> expand “Network summary” on the right -> find the security group that allows inbound communication on port 3306

  • 26. Capture the Flag Challenge #3 - Network Intrusion Detection monitoring and alerting
  • Question #3: How many DB workloads sent more than 10,000 bytes from 10/25 – 10/30?
  Answer: One (1)
  Investigate -> 10/25 – 10/30 -> network where source.resource IN ( resource where role IN ( 'AWS RDS' , 'Database' )) and bytes > 10000
  • Question #4: How many egress attempts were made from EC2 instances to external servers on port 25, potentially indicating that the EC2 instance was compromised and used as a spam bot? I am interested in data for 10/21 – 10/30.
  Answer: Five (5)
  Investigate -> 10/21 – 10/30 -> network where dest.port = 25 and bytes > 0 -> click the outbound communication link for the “Windows Server A” workload -> click the “View Details” button -> count the number of egress attempts
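The three network queries in Challenge #3 rest on the same raw data RedLock ingests, VPC Flow Logs plus an inventory that classifies each workload by role. As an added example that is not RedLock's code and not from the deck, the block below answers the same three questions (DB/RDS workloads reached from the internet, DB workloads that sent more than 10,000 bytes, outbound attempts to port 25) directly from flow-log lines, and it generalizes the slides' "source.ip = 0.0.0.0" condition to "any non-RFC 1918 address". The flow-log records, the ENI-to-workload inventory and the role names are constructed sample data in the default VPC Flow Log version 2 field order.

```python
"""Answer the network-challenge questions from raw VPC Flow Log records.

Added example, not RedLock's code and not from the deck. The flow-log lines and the
ENI-to-workload inventory are constructed; only the field layout is the real one.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: interface id -> (workload name, role, private IP). The role
# names match the ones used in the slides' queries ('Database', 'AWS RDS').
INVENTORY = {
    "eni-0a1": ("MySQL", "Database", "10.0.1.5"),
    "eni-0a2": ("finance-db", "AWS RDS", "10.0.2.8"),
    "eni-0a3": ("Web Server A", "Web", "10.0.3.4"),
    "eni-0a4": ("Windows Server A", "Windows", "10.0.5.6"),
}

# Constructed records in the default VPC Flow Log (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0a1 203.0.113.7 10.0.1.5 51122 3306 6 20 2400 1540500000 1540500060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.5 203.0.113.7 3306 51122 6 120 15000 1540500000 1540500060 ACCEPT OK
2 123456789012 eni-0a2 198.51.100.9 10.0.2.8 40011 5432 6 3 180 1540500100 1540500160 REJECT OK
2 123456789012 eni-0a2 10.0.3.4 10.0.2.8 41000 5432 6 50 6000 1540500200 1540500260 ACCEPT OK
2 123456789012 eni-0a3 10.0.4.9 10.0.3.4 53000 443 6 10 900 1540500300 1540500360 ACCEPT OK
2 123456789012 eni-0a4 10.0.5.6 198.51.100.20 49152 25 6 4 240 1540500400 1540500460 ACCEPT OK
2 123456789012 eni-0a4 10.0.5.6 198.51.100.21 49153 25 6 1 60 1540500500 1540500560 REJECT OK
2 123456789012 eni-0a4 10.0.5.6 10.0.0.2 49154 25 6 2 120 1540500600 1540500660 ACCEPT OK
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
DB_ROLES = {"Database", "AWS RDS"}
# "Internet" here means any address outside RFC 1918 space, which is what the slides'
# source.ip = 0.0.0.0 (any public source) condition amounts to for a VPC.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow_logs(text):
    """Turn space-separated flow-log lines into dicts with numeric fields converted."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for key in NUMERIC:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_internet(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def db_workloads_reached_from_internet(records):
    """Q1 equivalent: DB/RDS workloads that accepted bytes from a non-private source."""
    hits = set()
    for r in records:
        name, role, ip = INVENTORY[r["interface_id"]]
        if (role in DB_ROLES and r["dstaddr"] == ip and r["action"] == "ACCEPT"
                and r["bytes"] > 0 and is_internet(r["srcaddr"])):
            hits.add(name)
    return sorted(hits)


def db_workloads_sending_over(records, threshold=10000):
    """Q3 equivalent: DB/RDS workloads whose accepted outbound bytes exceed the threshold.
    Bytes are summed per workload over the window rather than tested per record."""
    sent = defaultdict(int)
    for r in records:
        name, role, ip = INVENTORY[r["interface_id"]]
        if role in DB_ROLES and r["srcaddr"] == ip and r["action"] == "ACCEPT":
            sent[name] += r["bytes"]
    return sorted(name for name, total in sent.items() if total > threshold)


def smtp_egress_attempts(records):
    """Q4 equivalent: outbound TCP/25 attempts to non-private hosts, per workload.
    Rejected attempts count too: a spam bot blocked by a security group is still a finding."""
    attempts = defaultdict(int)
    for r in records:
        name, role, ip = INVENTORY[r["interface_id"]]
        if (r["srcaddr"] == ip and r["dstport"] == 25 and r["protocol"] == 6
                and is_internet(r["dstaddr"])):
            attempts[name] += 1
    return dict(attempts)


def answers(text=FLOW_LOGS):
    records = parse_flow_logs(text)
    return {
        "db_reached_from_internet": db_workloads_reached_from_internet(records),
        "db_sending_over_10000": db_workloads_sending_over(records),
        "smtp_egress_attempts": smtp_egress_attempts(records),
    }


if __name__ == "__main__":
    for question, result in answers().items():
        print(f"{question}: {result}")
```

The role classification is the part that does the real work: without it, the flow-log lines for the RDS interface are indistinguishable from any other ENI, which is the point slide 24 makes about workload classification driving which policy applies.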
  • 27. Capture the Flag Challenge #4 - Incident investigation & response (https://app-lab.redlock.io)
  Your AWS team has noticed changes and suspicious activities in core AWS configuration settings, and is looking for answers to the following questions:
  • Question #1: How many new Security Groups were created in the environment from October 24th to October 29th?
  • Question #2: How many workloads received traffic through the “RDP-sg” Security Group from 10/28 – 10/31?
  • Question #3: How many AWS workloads with the tag “Environment” = ”Production” received traffic from suspicious IP addresses from 10/28 – 10/31?
  • Question #4: Your security team has received reports that some of your Database and Web Servers have been compromised due to known host vulnerabilities, and needs your help with the following: How many workloads have reported a known host vulnerability from 10/31 – 11/3?

  • 28. Capture the Flag Challenge #4 - Incident investigation & response
  Summary:
  • RedLock provides security analysts with a centralized incident response management solution.
  • RedLock overlays multiple data sources, including config, user, network and vulnerability scan information.
  • RedLock provides out-of-the-box workflow integrations.
  Use case examples
  • Security analysts need advanced alerting and forensic tools to analyze and understand increasingly sophisticated multi-vector attacks.
  • SecOps requires central visibility into their dynamic cloud environments.

  • 29. Capture the Flag Challenge #4 - Incident investigation & response
  • Question #1: How many new Security Groups were created in the environment from October 24th to October 29th?
  Answer: Fifteen (15)
  Investigate -> 10/24 – 10/29 -> event where operation IN ( 'CreateSecurityGroup' )
  • Question #2: How many workloads received traffic through the “RDP-sg” Security Group from 10/28 – 10/31?
  Answer: Two (2)
  Alerts -> “Security Groups Allow Internet Traffic from internet to RDP port (3389)” -> “RDP-sg” -> “Investigate” -> 10/20 – 10/29
  OR run the following from the Investigate view:
  network where source.ip = 0.0.0.0 and dest.resource IN ( resource where securitygroup.name = 'RDP-sg' )

  • 30. Capture the Flag Challenge #4 - Incident investigation & response
  • Question #3: How many AWS workloads with the tag “Environment” = ”Production” received traffic from suspicious IP addresses from 10/28 – 10/31?
  Answer: Two (2)
  Investigate -> 10/28 – 10/31 -> network where bytes > 0 and dest.resource IN ( resource where tag ( 'Environment' ) = 'Production' )
  OR network where bytes > 0, and manually go through each workload to identify tags.

  • 31. Capture the Flag Challenge #4 - Incident investigation & response
  • Question #4: Your security team has received reports that some of your Database and Web Servers have been compromised due to known host vulnerabilities, and needs your help with the following: How many workloads have reported a known host vulnerability and have received traffic from the internet from 10/31 – 11/3?
  Answer: One (1)
  Investigate -> 10/31 – 11/3 -> network where source.ip = 0.0.0.0 AND dest.resource IN ( resource where alert.type IN ( 'cve' ) )
  OR network where bytes > 0, and manually find the workloads with a known vulnerability that have received traffic from the internet.

  • 33. 3 Simple Steps to Cloud Confidence (RedLock POC Process)
  1. Provide RedLock with API access to your environment
  2. We will set up an account on the RedLock Cloud 360 platform
  3. See results immediately

  • 34. The RedLock team is here to help. Please swing by to discuss any additional questions you might have!

  • 35. Prizes
  ● Grand prize (Drone)
  ● Capture the flag Challenge #1 (Amazon Gift Card)
  ● Capture the flag Challenge #2 (Amazon Fire TV)
  ● Capture the flag Challenge #3 (Amazon Dot)
  ● Capture the flag Challenge #4 (Amazon Echo Plus)
  *) If there is a tie we will draw a winner