© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Red Team vs. Blue Team on AWS
DVC304
Teri Radichel, CEO, 2nd Sight Lab
Kolby Allen, Platform Engineer, Zipwhip

Attacker vs. Defender

Cloud Admin ...

Would be a boring talk...

Instead...
Let’s search for buried treasure!

Account Setup
Vanilla Account
Single Admin User
Base VPC & Default Configuration
AWS Tutorial: Elastic Beanstalk with WordPress
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/php-hawordpress-tutorial.html
AWS Tutorial: Lambda Accessing RDS in VPC
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html

Pilfer Credentials

Look for RDS Databases
aws rds describe-db-instances --query 'DBInstances[].[DBInstanceIdentifier,MasterUsername,DBSubnetGroup.VpcId,Endpoint.Address]' --output=table --color off
supersecretdb?! That sounds like a good target…

Examine Selected Database Subnets
aws rds describe-db-instances --filters "Name=db-instance-id,Values=supersecretdb" --query 'DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier' --output table --color off
Hmm… let’s check out: subnet-1ae9df57

What Traffic do NACLs Allow?
aws ec2 describe-network-acls --filters "Name=association.subnet-id,Values=subnet-1ae9df57" --query 'NetworkAcls[].Entries' --output table --color off
All traffic allowed ~ Sweet.

What Traffic do DB Security Groups Allow?
aws ec2 describe-security-groups --filters "Name=group-id,Values=sg-217f3e4a" --output table --color off
Port 3306, 172.31.0.0/16

Find VPC With Access to Database
aws ec2 describe-vpcs --filters "Name=cidrBlock,Values=172.31.0.0/16" --query 'Vpcs[].VpcId' --output table --color off
vpc-96c34cfe is assigned to CIDR 172.31.0.0/16

VPC Security Group – 3306 Egress
aws ec2 describe-security-groups --filters Name=ip-permission.to-port,Values=3306 Name=egress.ip-permission.cidr,Values=vpc-96c34cfe --output table --color off --query 'SecurityGroups[].GroupId'
Cool. Let’s see what’s using this.

Check Lambda Functions
aws lambda list-functions --query 'Functions[?VpcConfig.SecurityGroupIds==[`sg-93aadef8`]].FunctionName' --output table --color off

Query Lambda Code
aws lambda get-function --function-name CreateTableAddRecordsAndRead --query Code.Location
Gives us URL to code location in S3…

Go to URL... Check Out The Code
Hmm, what’s in this file?

About that rds_config file...
Oops. Database credentials.

Look for Instances That Can Exfil
aws ec2 describe-instances --output text --query 'Reservations[].Instances[].NetworkInterfaces[].Association.[PublicIp,PublicDnsName]'
Check the domains in a browser to find web sites.

Security Groups – No Outbound Restrictions
aws ec2 describe-security-groups --filters "Name=egress.ip-permission.cidr,Values=0.0.0.0/0" "Name=vpc-id,Values=vpc-96c34cfe" --output table --color off --query 'SecurityGroups[].GroupId'
Cool. Wide Open Outbound.

Look for Instances That Can Exfil
Scan Site.
Exploit Vulnerability.
Upload code to connect to DB.
Publish to public web site.
Scrape data.

Sample vulnerabilities...

In Summary...
[Diagram labels: Super Secret RDS, Lambda function, WordPress RDS, WordPress EC2 Instance, four security groups, VPC subnet]
1. Steal Keys
2. Recon
3. Steal Creds
4. Exploit
5. Pivot
6. Exfil
Read Only.
Single Factor Credentials
Open network
Secrets in Code
And more…

Protecting Credentials
• User training - Phishing and handling of credentials
• Password policies and rotation
• MFA!!
• Require frequent re-authentication – especially to sensitive apps
• Prevent deployment of code with embedded credentials: https://github.com/awslabs/git-secrets

Protecting Credentials – git-secrets

IAM Best Practices
Roles
Least Privilege
Segregation of Duties
Minimum Permissions to manage self
Create Amazon EC2
Set MFA token

IAM – Initial Roles
  Sid: AllowUserstoListAccounts
  Effect: Allow
  Action:
    - "iam:ListAccountAliases"
    - "iam:ListUsers"
    - "iam:GetAccountPasswordPolicy"
    - "iam:GetAccountSummary"
  Resource: "*"
Allows users to view enough information to get into IAM
Can get the password policy – IMPORTANT so it can apply
List Users – needed in order to find themselves

IAM – Initial Roles
  Sid: AllowUserstoManageOwnAccount
  Effect: Allow
  Action:
    - "iam:ChangePassword"
    - "iam:CreateAccessKey"
    - "iam:CreateLoginProfile"
    - "iam:DeleteAccessKey"
    - "iam:DeleteLoginProfile"
    - "iam:GetLoginProfile"
    - "iam:ListAccessKeys"
    - "iam:UpdateAccessKey"
    - "iam:UpdateLoginProfile"
    - "iam:ListSigningCertificates"
    - "iam:DeleteSigningCertificate"
    - "iam:UpdateSigningCertificate"
    - "iam:UploadSigningCertificate"
    - "iam:ListSSHPublicKeys"
    - "iam:GetSSHPublicKey"
    - "iam:DeleteSSHPublicKey"
    - "iam:UpdateSSHPublicKey"
    - "iam:UploadSSHPublicKey"
  Resource: "arn:aws:iam::*:user/${aws:username}"
Actions allow users to manage their account – BUT NOT CHANGE PERMISSIONS
Resource only allows them to perform on their username – can’t modify anyone else

IAM – Initial Roles
  Sid: AllowUserstoListOnlyThierMFA
  Effect: Allow
  Action:
    - "iam:ListVirtualMFADevices"
    - "iam:ListMFADevices"
  Resource:
    - "arn:aws:iam::*:mfa/*"
    - "arn:aws:iam::*:user/${aws:username}"

  Sid: AllowUsertoManageThierMFA
  Effect: Allow
  Action:
    - "iam:CreateVirtualMFADevice"
    - "iam:EnableMFADevice"
    - "iam:ResyncMFADevice"
  Resource:
    - "arn:aws:iam::*:mfa/${aws:username}"
    - "arn:aws:iam::*:user/${aws:username}"
User can only ADD MFA
Administrators must reset MFA enrollment

IAM – Assumed Roles
Initial role has no permissions except to assume other roles
MFA required to assume role with temp creds

IAM – Assumed Roles
Failure due to default policy not having permissions
MFA!
Commands work!
Temporary credential request and setting as environment variables
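
An added example (not from the original slides) of how a blue team could verify the "MFA required to assume role" rule: it audits role trust policies and reports roles that a user principal can assume without MFA. The role names, Sids and account ID are constructed; the input is assumed to have the shape of the Roles list returned by `aws iam list-roles --output json`.

```python
MFA_PRESENT = "aws:multifactorauthpresent"
MFA_AGE = "aws:multifactorauthage"


def as_list(value):
    """IAM accepts either a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def statement_requires_mfa(statement):
    """True if this Allow statement can only match when the caller used MFA."""
    for operator, keys in statement.get("Condition", {}).items():
        op = operator.lower()
        for key, value in keys.items():
            k = key.lower()
            values = [str(v).lower() for v in as_list(value)]
            # Bool is false when the key is absent (long-term access keys),
            # so it enforces MFA. BoolIfExists is true when the key is absent,
            # so in an Allow statement it does NOT enforce MFA.
            if k == MFA_PRESENT and op == "bool" and values == ["true"]:
                return True
            # An upper bound on the MFA age also needs the key to be present.
            if k == MFA_AGE and op in ("numericlessthan", "numericlessthanequals"):
                return True
    return False


def roles_assumable_without_mfa(roles):
    """Return (RoleName, Sid) for trust statements that let users in without MFA."""
    findings = []
    for role in roles:
        document = role["AssumeRolePolicyDocument"]
        for statement in as_list(document.get("Statement", [])):
            if statement.get("Effect") != "Allow":
                continue
            if "sts:AssumeRole" not in as_list(statement.get("Action", [])):
                continue
            principal = statement.get("Principal", {})
            # Service principals (Lambda, EC2, ...) cannot present MFA; skip them.
            user_principal = principal == "*" or (
                isinstance(principal, dict) and "AWS" in principal)
            if user_principal and not statement_requires_mfa(statement):
                findings.append((role["RoleName"], statement.get("Sid", "")))
    return findings


def trust(sid, principal, condition=None):
    """Build a constructed trust policy document for the sample data."""
    statement = {"Sid": sid, "Effect": "Allow", "Principal": principal,
                 "Action": "sts:AssumeRole"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


ACCOUNT = {"AWS": "arn:aws:iam::111122223333:root"}  # constructed account ID

# Constructed sample input, not real account data.
SAMPLE_ROLES = [
    {"RoleName": "AdminWithMfa", "AssumeRolePolicyDocument": trust(
        "RequireMfa", ACCOUNT, {"Bool": {"aws:MultiFactorAuthPresent": "true"}})},
    {"RoleName": "DeployIfExists", "AssumeRolePolicyDocument": trust(
        "WeakMfa", ACCOUNT, {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}})},
    {"RoleName": "ReadOnlyNoMfa", "AssumeRolePolicyDocument": trust(
        "NoCondition", ACCOUNT)},
    {"RoleName": "AuditRecentMfa", "AssumeRolePolicyDocument": trust(
        "FreshMfa", ACCOUNT, {"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}})},
    {"RoleName": "LambdaExecution", "AssumeRolePolicyDocument": trust(
        "Service", {"Service": "lambda.amazonaws.com"})},
]

if __name__ == "__main__":
    for role_name, sid in roles_assumable_without_mfa(SAMPLE_ROLES):
        print(f"{role_name}: statement {sid!r} does not require MFA")
```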

CloudTrail
Monitor all API Actions
Feed data to events
Respond

Secret Management
EC2 Parameter Store for secrets
Encryption in flight with only specific IAM role with rights
Instance retrieves encrypted value
Instance IAM Role allows rights to use key to decrypt

Secret Management
OLD: Password embedded in rds_config.py
New: No password in rds_config.py
Instance retrieves encrypted value

EC2 Parameter Store
Calls AWS SSM
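
An added example (not the presenters' code) covering both the "no password in rds_config.py" change above and the earlier "prevent deployment of code with embedded credentials" bullet: the old config pattern, a replacement that reads a SecureString from Parameter Store through boto3's `get_parameter`, and a small pre-deployment check that flags the old pattern. The parameter name, usernames and the regexes are assumptions for illustration; the regexes are simplified and are not git-secrets' own rule set.

```python
import os
import re

# OLD style (constructed sample): the password ships with the function code,
# so anyone who can download the deployment package can read it.
OLD_RDS_CONFIG = (
    'db_username = "app_user"\n'
    'db_password = "constructed-example-password"\n'
    'db_name = "ExampleDB"\n'
)

# NEW style: only non-secret settings stay in the file.
db_username = "app_user"   # constructed value
db_name = "ExampleDB"      # constructed value

# Hypothetical parameter name; created as a SecureString encrypted with KMS.
PASSWORD_PARAMETER = os.environ.get(
    "DB_PASSWORD_PARAMETER", "/prod/supersecretdb/password")

PASSWORD_CACHE = {}


def get_db_password(ssm_client=None, name=PASSWORD_PARAMETER):
    """Fetch and decrypt the DB password; the caller's IAM role needs
    ssm:GetParameter on the parameter and kms:Decrypt on its key."""
    if name in PASSWORD_CACHE:
        return PASSWORD_CACHE[name]
    if ssm_client is None:
        import boto3  # imported lazily so the checks below run without AWS
        ssm_client = boto3.client("ssm")
    parameter = ssm_client.get_parameter(
        Name=name, WithDecryption=True)["Parameter"]
    # Refuse plaintext parameters: a String type means the secret is stored
    # unencrypted and readable by anyone with ssm:GetParameter.
    if parameter["Type"] != "SecureString":
        raise ValueError(f"{name} is stored as {parameter['Type']}, not SecureString")
    PASSWORD_CACHE[name] = parameter["Value"]
    return parameter["Value"]


# Simplified patterns for a pre-deployment check (assumption, see lead-in).
SECRET_PATTERNS = {
    "hard-coded password": re.compile(
        r"""(?i)\b\w*(password|passwd|secret)\w*\s*=\s*["'][^"']+["']"""),
    "AWS access key ID": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
}


def find_embedded_secrets(source):
    """Return (line number, finding) for every line that embeds a secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


if __name__ == "__main__":
    for lineno, label in find_embedded_secrets(OLD_RDS_CONFIG):
        print(f"rds_config.py:{lineno}: {label}")
```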

Monitoring
• AWS GuardDuty
• VPC Flow Logs
• CloudTrail
• AWS Config
• Log shipping
• Secure log backups
• Automate Remediation

Monitoring

CVE
Patch all software & servers regularly – AWS Systems Manager
CVE Scanning – AWS Inspector

WAF Security
NetworkArchitecture
Presentation Layer
Application Layer
Data Layer
Limited NACL & Security Groups
between subnets
Limit all outbound traffic
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
NACLs are wide open
Wide open outbound rules on
security groups
Security Groups all full VPC CIDR
Allows Lateral movement
NetworkArchitecture:Original
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
NACLs limit access between
subnets
Security Groups are only
allowed access from other
security groups
Blocking internet where not
needed
NetworkArchitecture:Better
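
An added example (not from the original slides) that turns the "Original" versus "Better" comparison into an audit: it flags security groups with egress to 0.0.0.0/0 or ingress from a range covering the whole VPC, and NACL rules that allow all traffic. The group sg-217f3e4a and the 172.31.0.0/16 range come from the slides; all other IDs and the sample rules are constructed, shaped like the JSON returned by `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls`.

```python
import ipaddress

ANYWHERE = "0.0.0.0/0"


def ports(perm):
    """Human-readable protocol/port description of one permission entry."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    low, high = perm.get("FromPort"), perm.get("ToPort")
    span = str(low) if low == high else f"{low}-{high}"
    return f"{perm['IpProtocol']}/{span}"


def covers_vpc(cidr, vpc_cidr):
    """True if cidr contains the entire VPC range, so every host in it matches."""
    return ipaddress.ip_network(vpc_cidr).subnet_of(ipaddress.ip_network(cidr))


def audit_security_groups(groups, vpc_cidr):
    """Return (GroupId, finding) for rules that permit exfil or lateral movement."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissionsEgress", []):
            for ip_range in perm.get("IpRanges", []):
                if ip_range["CidrIp"] == ANYWHERE:
                    findings.append(
                        (sg["GroupId"], f"egress {ports(perm)} to {ANYWHERE}"))
        for perm in sg.get("IpPermissions", []):
            # Rules that reference another security group (UserIdGroupPairs)
            # are the "Better" pattern and are not flagged.
            for ip_range in perm.get("IpRanges", []):
                if covers_vpc(ip_range["CidrIp"], vpc_cidr):
                    findings.append((sg["GroupId"],
                        f"ingress {ports(perm)} from {ip_range['CidrIp']} (whole VPC)"))
    return findings


def audit_nacls(nacls):
    """Return (NetworkAclId, finding) for allow-everything NACL rules."""
    findings = []
    for acl in nacls:
        for entry in acl.get("Entries", []):
            if (entry["RuleAction"] == "allow" and entry["Protocol"] == "-1"
                    and entry.get("CidrBlock") == ANYWHERE):
                direction = "egress" if entry["Egress"] else "ingress"
                findings.append((acl["NetworkAclId"],
                    f"rule {entry['RuleNumber']} allows all {direction} traffic"))
    return findings


VPC_CIDR = "172.31.0.0/16"

# Constructed sample data (only sg-217f3e4a and the CIDR appear in the slides).
SAMPLE_GROUPS = [
    {"GroupId": "sg-217f3e4a",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "172.31.0.0/16"}],
                        "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-db-better",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-example-app"}]}],
     "IpPermissionsEgress": []},
]


def nacl_rule(number, action, egress):
    """Build one constructed NACL entry covering all protocols and addresses."""
    return {"RuleNumber": number, "Protocol": "-1", "RuleAction": action,
            "Egress": egress, "CidrBlock": ANYWHERE}


SAMPLE_NACLS = [{"NetworkAclId": "acl-example-default", "Entries": [
    nacl_rule(100, "allow", False), nacl_rule(32767, "deny", False),
    nacl_rule(100, "allow", True), nacl_rule(32767, "deny", True)]}]

if __name__ == "__main__":
    results = audit_security_groups(SAMPLE_GROUPS, VPC_CIDR) + audit_nacls(SAMPLE_NACLS)
    for resource_id, finding in results:
        print(f"{resource_id}: {finding}")
```

To run it against a real account, pass the SecurityGroups and NetworkAcls lists from the two describe calls with `--output json` in place of the sample data.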

Conclusion
Red Team:
Attackers can use the same tools used by DevOps teams.
Cloud APIs provide a means for mapping out an entire account.
Read only access can be powerful.
Wide open networks are an attacker’s best friend.
Blue Team:
Restrict access
Automated deployment
Architect networks to minimize open ports and pivoting
Protect secrets - don't embed in code!
Monitor everything

Thank you!
Teri Radichel @teriradichel
Kolby Allen @kolbyallen
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
 
Cloud Offense Informs Cloud Defense.pptx
Cloud Offense Informs Cloud Defense.pptxCloud Offense Informs Cloud Defense.pptx
Cloud Offense Informs Cloud Defense.pptx
 
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
 
Real World Cloud Compromise
Real World Cloud CompromiseReal World Cloud Compromise
Real World Cloud Compromise
 
Top Priorities for Cloud Application Security
Top Priorities for Cloud Application SecurityTop Priorities for Cloud Application Security
Top Priorities for Cloud Application Security
 
Azure for Auditors
Azure for AuditorsAzure for Auditors
Azure for Auditors
 
How the Cloud Changes Cyber Security
How the Cloud Changes Cyber SecurityHow the Cloud Changes Cyber Security
How the Cloud Changes Cyber Security
 
Top 5 Priorities for Cloud Security
Top 5 Priorities for Cloud SecurityTop 5 Priorities for Cloud Security
Top 5 Priorities for Cloud Security
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
 
Security for Complex Networks on AWS
Security for Complex Networks on AWSSecurity for Complex Networks on AWS
Security for Complex Networks on AWS
 
AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target Breach
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 

Último

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Último (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Red Team vs. Blue Team on AWS ~ re:Invent 2018

  • 1.
  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Red Team vs. Blue Team on AWS (DVC304). Teri Radichel, CEO, 2nd Sight Lab. Kolby Allen, Platform Engineer, Zipwhip.
  • 3. Attacker vs. Defender
  • 4. Cloud Admin ...
  • 5. Would be a boring talk...
  • 6. Instead... Let’s search for buried treasure!
  • 7. Account Setup
      • Vanilla Account
      • Single Admin User
      • Base VPC & Default Configuration
      • AWS Tutorial: Elastic Beanstalk with WordPress: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/php-hawordpress-tutorial.html
      • AWS Tutorial: Lambda Accessing RDS in VPC: https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
  • 8. Pilfer Credentials
  • 9. Look for RDS Databases
      aws rds describe-db-instances --query DBInstances[].[DBInstanceIdentifier,MasterUsername,DBSubnetGroup.VpcId,Endpoint.Address] --output=table --color off
      supersecretdb?! That sounds like a good target…
  • 10. Examine Selected Database Subnets
      aws rds describe-db-instances --filter "Name=db-instance-id,Values=supersecretdb" --query DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier --output table --color off
      Hmm… let’s check out: subnet-1ae9df57
  • 11. What Traffic do NACLs Allow?
      aws ec2 describe-network-acls --filter "Name=association.subnet-id,Values=subnet-1ae9df57" --query NetworkAcls[].Entries --output table --color off
      All traffic allowed ~ Sweet.
  • 12. What Traffic do DB Security Groups Allow?
      aws ec2 describe-security-groups --filter "Name=group-id,Values=sg-217f3e4a" --output table --color off
      Port 3306 172.31.0.0/16
  • 13. Find VPC With Access to Database
      aws ec2 describe-vpcs --filter "Name=cidrBlock,Values=172.31.0.0/16" --query Vpcs[].VpcId --output table --color off
      vpc-96c34cfe is assigned to CIDR 172.31.0.0/16
  • 14. VPC Security Group – 3306 Egress
      aws ec2 describe-security-groups --filter Name=ip-permission.to-port,Values=3306 Name=egress.ip-permission.cidr,Values=vpc-96c34cfe --output table --color off --query 'SecurityGroups[].GroupId'
      Cool. Let’s see what’s using this.
  • 15. Check Lambda Functions
      aws lambda list-functions --query Functions[?VpcConfig.SecurityGroupIds==[`sg-93aadef8`]].FunctionName --output table --color off
  • 16. Query Lambda Code
      aws lambda get-function --function-name CreateTableAddRecordsAndRead --query Code.Location
      Gives us URL to code location in S3…
  • 17. Go to URL... Check Out The Code
      Hmm, what’s in this file?
  • 18. About that rds_config file...
      Oops. Database credentials.
  • 19. Look for Instances That Can Exfil
      aws ec2 describe-instances --output text --query Reservations[].Instances[].NetworkInterfaces[].Association.[PublicIp,PublicDnsName]
      Check the domains in a browser to find web sites.
  • 20. Security Groups – No Outbound Restrictions
      aws ec2 describe-security-groups --filter "Name=egress.ip-permission.cidr,Values='0.0.0.0/0',Name=vpc-id,Values=vpc-96c34cfe" --output table --color off --query SecurityGroups[].GroupId
      Cool. Wide Open Outbound.
  • 21. Look for Instances That Can Exfil
      Scan Site. Exploit Vulnerability. Upload code to connect to DB. Publish to public web site. Scrape data.
  • 22. Sample vulnerabilities...
  • 23. In Summary...
      Diagram labels: Super Secret RDS, WordPress RDS, Lambda function, WordPress EC2 Instance, security group (×4), VPC subnet.
      Steps: 1. Steal Keys 2. Recon 3. Steal Creds 4. Exploit 5. Pivot 6. Exfil
      Read Only. Single Factor Credentials. Open network. Secrets in Code. And more…
  • 24. Protecting Credentials
      • User training - Phishing and handling of credentials
      • Password policies and rotation
      • MFA!!
      • Require frequent re-authentication – especially to sensitive apps
      • Prevent deployment of code with embedded credentials: https://github.com/awslabs/git-secrets
  • 25. Protecting Credentials – git-secrets
  • 26. IAM Best Practices
      • Roles
      • Least Privilege
      • Segregation of Duties
      • Minimum Permissions to manage self
      • Create Amazon EC2
      • Set MFA token
  • 27. IAM – Initial Roles
      Sid: AllowUserstoListAccounts
      Effect: Allow
      Action:
        - "iam:ListAccountAliases"
        - "iam:ListUsers"
        - "iam:GetAccountPasswordPolicy"
        - "iam:GetAccountSummary"
      Resource: "*"
      • Allows users to view enough information to get into IAM
      • Can get the password policy: IMPORTANT so it can apply
      • List Users – needed in order to find themselves
  • 28. IAM – Initial Roles
      Sid: AllowUserstoManageOwnAccount
      Effect: Allow
      Action:
        - "iam:ChangePassword"
        - "iam:CreateAccessKey"
        - "iam:CreateLoginProfile"
        - "iam:DeleteAccessKey"
        - "iam:DeleteLoginProfile"
        - "iam:GetLoginProfile"
        - "iam:ListAccessKeys"
        - "iam:UpdateAccessKey"
        - "iam:UpdateLoginProfile"
        - "iam:ListSigningCertificates"
        - "iam:DeleteSigningCertificate"
        - "iam:UpdateSigningCertificate"
        - "iam:UploadSigningCertificate"
        - "iam:ListSSHPublicKeys"
        - "iam:GetSSHPublicKey"
        - "iam:DeleteSSHPublicKey"
        - "iam:UpdateSSHPublicKey"
        - "iam:UploadSSHPublicKey"
      Resource: "arn:aws:iam::*:user/${aws:username}"
      • Actions allow users to manage their account – BUT NOT CHANGE PERMISSIONS
      • Resource only allows them to perform on their username – can’t modify anyone else
  • 29. IAM – Initial Roles
      Sid: AllowUserstoListOnlyThierMFA
      Effect: Allow
      Action:
        - "iam:ListVirtualMFADevices"
        - "iam:ListMFADevices"
      Resource:
        - "arn:aws:iam::*:mfa/*"
        - "arn:aws:iam::*:user/${aws:username}"

      Sid: AllowUsertoManageThierMFA
      Effect: Allow
      Action:
        - "iam:CreateVirtualMFADevice"
        - "iam:EnableMFADevice"
        - "iam:ResyncMFADevice"
      Resource:
        - "arn:aws:iam::*:mfa/${aws:username}"
        - "arn:aws:iam::*:user/${aws:username}"
      • User can only ADD MFA
      • Administrators must reset MFA enrollment
  • 30. IAM – Assumed Roles
      • Initial role has no permissions except to assume other roles
      • MFA required to assume role with temp creds
  • 31. IAM – Assumed Roles
      • Failure due to default policy not having permissions
      • MFA!
      • Commands work!
      • Temporary credentials are requested and set as environment variables
  • 32. CloudTrail
      • Monitor all API Actions
      • Feed data to events
      • Respond
  • 33. Secret Management
      • Encryption in flight with only specific IAM role with rights
      • Instance retrieves encrypted value
      • Instance IAM Role allows rights to use key to decrypt
      • EC2 Parameter Store for secrets
  • 34. Secret Management
      • New: No password in rds_config.py
      • Instance retrieves encrypted value
      • OLD: Password embedded in rds_config.py
  • 35. EC2 Parameter Store
      Calls AWS SSM
  • 36. Monitoring
      • AWS GuardDuty
      • VPC Flow Logs
      • CloudTrail
      • AWS Config
      • Log shipping
      • Secure log backups
      • Automate Remediation
  • 37. Monitoring
  • 38. CVE
      • Patch all software & servers regularly – AWS Systems Manager
      • CVE Scanning – AWS Inspector
  • 39. WAF Security
  • 40. Network Architecture
      • Presentation Layer
      • Application Layer
      • Data Layer
      • Limited NACL & Security Groups between subnets
      • Limit all outbound traffic
  • 41. Network Architecture: Original
      • NACLs are wide open
      • Wide open outbound rules on security groups
      • Security Groups allow full VPC CIDR
      • Allows lateral movement
  • 42. Network Architecture: Better
      • NACLs limit access between subnets
      • Security Groups are only allowed access from other security groups
      • Blocking internet where not needed
  • 43. Conclusion
      Red Team:
      • Attackers can use the same tools used by DevOps teams.
      • Cloud APIs provide a means for mapping out an entire account.
      • Read only access can be powerful.
      • Wide open networks are an attacker’s best friend.
      Blue Team:
      • Restrict access
      • Automated deployment
      • Architect networks to minimize open ports and pivoting
      • Protect secrets - don't embed in code!
      • Monitor everything
  • 44. Thank you! Teri Radichel @teriradichel, Kolby Allen @kolbyallen
  • 45.
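
Slides 32 and 36 say to monitor all API actions and respond. As an added example (not from the talk), the detector below applies that to the read-only reconnaissance on slides 9 to 20: it flags any principal and source IP that issues many different describe/list calls within a short window. The thresholds, ARNs, IP addresses and CloudTrail-shaped records are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only API calls behind the recon slides' CLI commands: (eventSource, eventName).
RECON_CALLS = {
    ("rds.amazonaws.com", "DescribeDBInstances"),
    ("ec2.amazonaws.com", "DescribeNetworkAcls"),
    ("ec2.amazonaws.com", "DescribeSecurityGroups"),
    ("ec2.amazonaws.com", "DescribeVpcs"),
    ("ec2.amazonaws.com", "DescribeInstances"),
    ("lambda.amazonaws.com", "ListFunctions"),
    ("lambda.amazonaws.com", "GetFunction"),
}
WINDOW = timedelta(minutes=15)  # assumed tuning value, not from the talk
MIN_DISTINCT = 5                # assumed tuning value, not from the talk

# Lambda event names carry an API-version suffix, e.g. ListFunctions20150331.
VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")

def find_recon_sweeps(records):
    """Flag each (principal, source IP) with >= MIN_DISTINCT recon calls in one WINDOW."""
    per_caller = defaultdict(list)
    for rec in records:
        call = (rec["eventSource"], VERSION_SUFFIX.sub("", rec["eventName"]))
        if call not in RECON_CALLS:
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        caller = (rec["userIdentity"].get("arn", "unknown"),
                  rec.get("sourceIPAddress", "unknown"))
        per_caller[caller].append((when, call))

    findings = []
    for (arn, ip), calls in sorted(per_caller.items()):
        calls.sort()
        best, start = set(), 0
        for end in range(len(calls)):
            # Slide the window start forward until it spans at most WINDOW.
            while calls[end][0] - calls[start][0] > WINDOW:
                start += 1
            seen = {call for _, call in calls[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= MIN_DISTINCT:
            findings.append({
                "principal": arn,
                "source_ip": ip,
                "distinct_calls": sorted(name for _, name in best),
                # GetFunction returns a download link for the function's code.
                "code_download": ("lambda.amazonaws.com", "GetFunction") in best,
            })
    return findings

def sample(time, source, name, arn, ip):
    """Build a CloudTrail-shaped record with only the fields used above."""
    return {"eventTime": f"2018-11-26T{time}Z", "eventSource": source,
            "eventName": name, "userIdentity": {"arn": arn}, "sourceIPAddress": ip}

# Constructed sample data; the account ID, ARNs and IP addresses are placeholders.
ADMIN = "arn:aws:iam::111122223333:user/admin"
DEPLOY = "arn:aws:sts::111122223333:assumed-role/deploy/ci"
EC2, RDS, LAM = "ec2.amazonaws.com", "rds.amazonaws.com", "lambda.amazonaws.com"
SAMPLE = [
    sample("10:00:00", EC2, "DescribeInstances", DEPLOY, "10.0.0.5"),
    sample("10:01:10", RDS, "DescribeDBInstances", ADMIN, "203.0.113.50"),
    sample("10:03:00", EC2, "DescribeNetworkAcls", ADMIN, "203.0.113.50"),
    sample("10:04:00", EC2, "DescribeSecurityGroups", ADMIN, "203.0.113.50"),
    sample("10:05:00", EC2, "DescribeVpcs", ADMIN, "203.0.113.50"),
    sample("10:07:00", LAM, "ListFunctions20150331", ADMIN, "203.0.113.50"),
    sample("10:08:00", LAM, "GetFunction20150331v2", ADMIN, "203.0.113.50"),
    sample("10:10:00", EC2, "DescribeInstances", ADMIN, "203.0.113.50"),
    sample("10:30:00", EC2, "DescribeInstances", DEPLOY, "10.0.0.5"),
    sample("11:00:00", EC2, "DescribeSecurityGroups", DEPLOY, "10.0.0.5"),
    sample("11:05:00", "iam.amazonaws.com", "ListUsers", DEPLOY, "10.0.0.5"),
]

if __name__ == "__main__":
    for finding in find_recon_sweeps(SAMPLE):
        print(finding)
```

The deploy role's repeated but narrow describe calls stay below the threshold; only the burst of seven distinct calls from one address is reported.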

Editor's Notes

  1. Fix parameter store image
  2. Fix 1st line
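
The change slides 33 to 35 describe (no password in rds_config.py; the value is fetched from EC2 Parameter Store via AWS SSM), sketched as an added example rather than the presenters' code, which is not in this transcript. The parameter name, cache TTL and the `FakeSSM` stub are assumptions made so the example runs offline; `get_parameter` with `WithDecryption=True` is the boto3 SSM call.

```python
import time

# OLD rds_config.py, as the slide describes it: the password ships in the
# deployment package, so anyone who can download the code can read it.
#   db_username = "<user>"
#   db_password = "<password in plain text>"

# NEW rds_config.py: only the parameter's name is kept in source control.
DB_PASSWORD_PARAM = "/example/supersecretdb/password"  # hypothetical name
CACHE_TTL_SECONDS = 300  # assumed; bounds how long a rotated value stays stale
CACHE = {}


def get_db_password(ssm=None, name=DB_PASSWORD_PARAM, clock=time.monotonic):
    """Return the decrypted password, fetched with the caller's IAM role."""
    cached = CACHE.get(name)
    if cached and clock() - cached[1] < CACHE_TTL_SECONDS:
        return cached[0]
    if ssm is None:
        import boto3  # lazy import: the SDK is needed only when no client is passed
        ssm = boto3.client("ssm")
    # WithDecryption asks SSM to decrypt with KMS; the role needs rights on the key.
    param = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]
    if param["Type"] != "SecureString":
        # A plain String parameter would mean the secret is stored unencrypted.
        raise RuntimeError(f"{name} has type {param['Type']}, expected SecureString")
    CACHE[name] = (param["Value"], clock())
    return param["Value"]


class FakeSSM:
    """Constructed stand-in for the SSM client so the example runs offline."""

    def __init__(self, params):
        self.params = params  # name -> (type, plaintext)
        self.calls = 0

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        kind, value = self.params[Name]
        if kind == "SecureString" and not WithDecryption:
            value = "<ciphertext>"  # without decryption SSM returns the encrypted value
        return {"Parameter": {"Name": Name, "Type": kind, "Value": value}}


def demo():
    """Fetch twice (second hit is cached), then try a parameter stored as plain String."""
    CACHE.clear()
    ssm = FakeSSM({DB_PASSWORD_PARAM: ("SecureString", "constructed-password"),
                   "/example/plain": ("String", "constructed-password")})
    first = get_db_password(ssm)
    second = get_db_password(ssm)
    try:
        get_db_password(ssm, name="/example/plain")
        rejected = False
    except RuntimeError:
        rejected = True
    return first, second, ssm.calls, rejected


if __name__ == "__main__":
    print(demo())
```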