O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

Threat detection - SEC207 - New York AWS Summit

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio

Confira estes a seguir

1 de 46 Anúncio

Threat detection - SEC207 - New York AWS Summit

Baixar para ler offline

Join us for this hands-on workshop where we walk through some real-world threat scenarios and show you the AWS services involved with threat detection and remediation. Learn about the threat detection capabilities of Amazon GuardDuty, Amazon Macie, AWS Config, and the available remediation options. For each hands-on scenario, we review methods to remediate the threat using the following services: AWS CloudFormation, Amazon S3, AWS CloudTrail, VPC Flow Logs, Amazon CloudWatch Events, Amazon SNS, Macie, DNS logs, AWS Lambda, AWS Config, Amazon Inspector, and of course, GuardDuty.

Join us for this hands-on workshop where we walk through some real-world threat scenarios and show you the AWS services involved with threat detection and remediation. Learn about the threat detection capabilities of Amazon GuardDuty, Amazon Macie, AWS Config, and the available remediation options. For each hands-on scenario, we review methods to remediate the threat using the following services: AWS CloudFormation, Amazon S3, AWS CloudTrail, VPC Flow Logs, Amazon CloudWatch Events, Amazon SNS, Macie, DNS logs, AWS Lambda, AWS Config, Amazon Inspector, and of course, GuardDuty.

Anúncio
Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Threat detection - SEC207 - New York AWS Summit (20)

Anúncio

Mais de Amazon Web Services (20)

Threat detection - SEC207 - New York AWS Summit

  1. 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection Ross Warren Specialized Solutions Architect AWS S E C 2 0 7
  2. 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Workshop agenda Module 1: Environment setup (20 min.) Module 2: Attack kickoff and presentation (40 min.) Module 3: Detect, investigate, and respond (45 min.) Module 4: Review, questions, and lessons learned (15 min.) Use US West (Oregon) us-west-2 Please follow directions
  3. 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS event engine We will use the AWS event engine; please don’t use one of your own accounts https://dashboard.eventengine.run You will enter the hash that is provided at the URL above Event name: Scaling threat detection and response in AWS 1. Click AWS Console 2. Click Open Console 3. Verify that you are in the AWS Management Console in the us-west-2 Region
  4. 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Data breach patterns Verizon 2018 Data Breach Investigations Report, 11th Edition
  5. 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Workshop scenario Internet Public subnet AWS Cloud Availability zone Web server VPC Amazon S3 bucket Bare minimum architecture for POC Users
  6. 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 1: Build detective controls Run the AWS CloudFormation template (~5 min.) • Before moving on, make sure the stack status = CREATE_COMPLETE • You will get an email from Amazon SNS asking you to confirm the subscription; do this so that you can receive email alerts from AWS services during the workshop Manual setup steps (~15 min.) • Create a Amazon CloudWatch event rule • Enable Amazon GuardDuty • Enable AWS Security Hub
  7. 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 1: Build detective controls Detect and investigate AWS Security Hub Amazon Macie Amazon GuardDuty AWS CloudTrail Amazon CloudWatch Events Amazon CloudWatch logs Amazon VPC flow logs DNS logs Amazon Inspector Amazon S3 AWS Lambda Amazon SNS Security analyst Respond
  8. 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 1: Build detective controls https://dashboard.eventengine.run https://tinyurl.com/yyc6tvph Directions 1. Browse to the URL 2. Read through the workshop scenario 3. Choose Module 1: Environment Build in the outline on the left 4. Complete the module (~15 min.), and then stop Use US West (Oregon) us-west-2 Please follow directions Do not skip the manual steps
  9. 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: Attack kickoff Run the AWS CloudFormation template (~5 min.) Do not move on to Module 3 Threat detection and response presentation (~30 min.) Workshop walk-through (~5 min.)
  10. 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: Attack kickoff https://dashboard.eventengine.run https://tinyurl.com/yyc6tvph Directions 1. Browse to the URL 2. Choose Module 2: Attack Simulation in the outline on the left 3. Complete the module (~5 min.), and then stop 4. Do not move on to Module 3 Use US West (Oregon) us-west-2
  11. 11. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  12. 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Why is threat detection so hard? Skills shortageSignal to noiseLarge datasets
  13. 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Identity and Access Management (IAM) AWS Single Sign-On AWS Directory Service Amazon Cognito AWS Organizations AWS Secrets Manager AWS Resource Access Manager AWS Security Hub Amazon GuardDuty AWS Config AWS CloudTrail Amazon CloudWatch Amazon Virtual Private Cloud (Amazon VPC) flow logs AWS Systems Manager AWS Shield AWS WAF (web application firewall) AWS Firewall Manager Amazon Inspector Amazon VPC AWS Key Management Service (KMS) AWS CloudHSM AWS Certificate Manager Amazon Macie Server-side encryption AWS Config rules AWS Lambda AWS Systems Manager Identity Detect Infrastructure protection Respond Data protection Deep set of security tools
  14. 14. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  15. 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Log data inputs DNS logs Track user activity and API usage IP traffic to and from network interfaces in a VPC Monitor applications using log data; store and access log files Log of DNS queries in a VPC when using the VPC DNS resolver AWS CloudTrail Flow logs Amazon CloudWatch
  16. 16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Machine learning Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads Machine learning-powered security service to discover, classify, and protect sensitive data Amazon GuardDuty Amazon Macie
  17. 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Amazon GuardDuty
  18. 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: AWS Security Hub • Comprehensive view of your security and compliance state within AWS • Aggregates security findings generated by other AWS security services and partners • Analyze security trends and identify the highest-priority security issues Amazon Inspector Amazon GuardDuty Amazon Macie AWS Security Hub Security findings providers Findings Insights & standards Other AWS Config Partner solutions
  19. 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat detection: Evocations and triggers Continuously tracks your resource configuration changes and whether they violate any of the conditions in your rules Delivers a near real-time stream of system events that describe changes in AWS resources Amazon CloudWatch Events AWS Config
  20. 20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Attacker lifecycle: Stages Reconnaissance Establish foothold Escalate privileges Internal reconnaissance Maintain persistence
  21. 21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Attacker lifecycle: Attacker actions RDP brute force RAT installed Exfiltrate data over DNS Probe API with temporary credentials Attempt to compromise account
  22. 22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Attacker lifecycle: Amazon GuardDuty findings RDP brute force RAT installed Exfiltrate data over DNS Probe API with temporary credentials Attempt to compromise account Malicious or suspicious IP Unusual ports DNS exfiltration Unusual traffic volume Connect to blacklisted site Recon:EC2/PortProbeUnprotectedPort Anonymizing proxy Temporary credentials used off-instance Unusual ISP caller Bitcoin activity Unusual instance launch
  23. 23. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  24. 24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat response: Amazon CloudWatch Events Amazon GuardDuty findings AWS Lambda function Partner solutions Automated response Anything else Amazon CloudWatch Events
  25. 25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T AWS Lambda Threat response: Services AWS Systems Manager Amazon Inspector Run code for virtually any kind of application or backend service— zero administration Gain operational insights and take action on AWS resources Automate security assessments of Amazon EC2 instances
  26. 26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat response: High-level playbook Adversary or intern Your environment AWS Lambda function Amazon CloudWatch Events
  27. 27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Threat response: Detailed playbook Amazon CloudWatch Events AWS Config AWS Lambda function AWS APIs Detect Investigate Respond Team collaboration (e.g., Slack) Amazon Inspector AWS Security Hub Amazon GuardDuty Amazon Macie Amazon Inspector
  28. 28. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  29. 29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: Attack target InternetUsers Public subnet AWS Cloud Availability zone Web server VPC Amazon S3 bucket
  30. 30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: Setup AWS Lambda Amazon SNS Security analyst RespondDetect and investigate AWS Security Hub Amazon Macie Amazon GuardDuty AWS CloudTrail Amazon CloudWatch Events Amazon CloudWatch logs DNS logs Amazon Inspector Amazon S3 Amazon VPC flow logs Public subnet AWS Cloud Availability zone Web server VPC Environment Amazon S3 bucket
  31. 31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 2: The attack AWS Cloud Amazon API Gateway endpoints Amazon S3 bucket Public subnet AWS Cloud Availability zone VPC Amazon EC2 compromised instance Malicious host Internet
  32. 32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 3: Detect and response https://dashboard.eventengine.run https://tinyurl.com/yyc6tvph Directions 1. Browse to the URL 2. Choose Module 3: Detect & Respond in the outline on the left 3. Run through the module (~45 min.) Use US West (Oregon) us-west-2
  33. 33. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  34. 34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 4: What happened? Review (5 min.) Questions (10 min.) Lessons learned
  35. 35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 4: What happened? https://tinyurl.com/yyc6tvph Directions 1. Browse to the URL 2. Choose Module 4: Discussion in the outline on the left 3. We will summarize the workshop, then answer questions 4. Do not need to do – Cleanup Use US West (Oregon) us-west-2
  36. 36. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  37. 37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 4: The attack AWS Cloud Amazon API Gateway endpoints Bucket Public subnet AWS Cloud Availability Zone VPC Amazon EC2 compromised instance Malicious host Internet 1 2 3 4 API calls Bucket changes SSH brute force attack
  38. 38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Module 4: What really happened? AWS Lambda Amazon SNS Security analyst RespondDetect and investigate AWS Security Hub Amazon Macie Amazon GuardDuty AWS CloudTrail Amazon CloudWatch Events Amazon CloudWatch logs DNS logs Amazon Inspector Amazon S3 Amazon VPC flow logs AWS Cloud VPC Public subnet Compromised instance Subnet 2 Elastic IP in custom threat list Availability zone Public subnet Malicious host Subnet 1 Bucket The attack 1 2 43 API calls Bucket changes API Gateway endpoints SSH brute force attack 5 Amazon Inspector Inspector assessment
  39. 39. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  40. 40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Workshop questions 1 Which of the following AWS services have direct access to your Amazon EC2 instances? What performance impact does Amazon GuardDuty have on your account if you have more than 100 VPCs? How do you kick off notifications or actions based on events in Amazon GuardDuty? What is the difference between Amazon Macie and Amazon GuardDuty?
  41. 41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Workshop questions 2 The lab mentions that you can ignore the high-severity SSH brute force attack finding; why? Why did the API calls from the malicious host generate Amazon GuardDuty findings? What is required for Amazon CloudWatch logs to capture evidence to help investigate an SSH brute force attack? What key remediation step was missed regarding the SSH brute force attack?
  42. 42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Lessons learned from incident response Use a strong tagging strategy!
  43. 43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Lessons learned from incident response Questions to ask during the investigation • Is this finding a true positive? • Is the event an unusual activity or more? • Where did the incident occur? • Who reported or discovered the incident? • How was it discovered? • Are there any other areas that have been compromised by the incident? If so, what are they and when were they discovered? • What is the scope of the impact? • What is the business impact? • Have the source(s) of the incident been located? If so, where, when, and what are they?
  44. 44. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Lessons learned from incident response Enrich findings and get the full picture of your environment • Network intrusion detection • Firewall alerts • AWS WAF alerts • Identity (UBA) • Endpoint and compute events (AV, EDR) • OS-level Information • Application level logs Centralize GuardDuty findings into a SIEM
  45. 45. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Useful links https://aws.amazon.com/security/ https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf https://www.nist.gov/cyberframework https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf https://aws.amazon.com/security/penetration-testing/ https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf
  46. 46. Thank you! S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Ross Warren ross@amazon.com

×