Introduction to Threat Detection and Remediation

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Introduction to Threat Detection and Remediation on AWS
Cameron Worrell
Solutions Architect
Amazon Web Services

Agenda
• Quick Intro to AWS CAF Security Perspective
• Overview of Threat Detection and Remediation on AWS
– AWS WAF
– AWS Shield
– Amazon GuardDuty
– Amazon Macie
– AWS Lambda
– AWS Config
– Amazon Inspector
– AWS Systems Manager
– AWS Secrets Manager
– Amazon CloudWatch Events
• Putting it all together

Why is security traditionally so hard?
Lack of
visibility
Low degree
of automation

AWS Cloud Adoption Framework
• Each Perspective provides guidance for
different parts of an organization
• Helps YOU adapt existing practices or
introduce new practices for cloud
computing

Directive controls establish the governance, risk, and compliance models the
environment will operate within.
Preventive controls protect your workloads and mitigate threats and
vulnerabilities.
Detective controls provide full visibility and transparency over the operation of
your deployments in AWS.
Responsive controls drive remediation of potential deviations from your
security baselines.
The AWS CAF Security Perspective Controls

The AWS CAF Security Perspective Epics
5 Core Security Epics
Identity and Access Management
Detective controls
Infrastructure security
Data protection
Incident response

Threat Detection and Remediation on AWS
“Life Uh, Finds a Way”
– Ian Malcom

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is a WAF?
Web Application Firewall
Monitors HTTP/S requests and protects
web applications from malicious
activities
Layer 7 inspection and mitigation tool

What is AWS WAF?
Web traffic filtering with
custom rules
• Rate based rules
• IP Match & Geo-IP filters
• Regex & String Match
• Size constraints
• Action: Allow/Block
Malicious request blocking
• SQLi
• XSS
Active monitoring & tuning
• CloudWatch
Metrics/Alarms
• Sampled Logs
• Count Action mode

Where AWS WAF can help
Application
layer
Bad botsDDoS Application attacks
HTTP floods
Content scrapers
Scanners & probes
CrawlersSQL injection
Application exploits
Social engineering
AWS WAF

AWS WAF benefits
Fast incidence
response
Powerful rule
languageEasy to deploy
AffordableSecurity automation Managed
rules

AWS Firewall Manager is a security management
service to centrally configure and manage web
application firewall rules across your accounts and
applications.
Using Firewall Manager, you can roll out WAF rules
all at once for your Application Load Balancers and
AWS CloudFront distributions across accounts.
AWS Firewall Manager

AWS Firewall Manager Key Benefits
Simplified Management
of WAF Rules
Integrated with
AWS Organizations
Centrally managed global
rules, and Account-specific
rules
Ensure Compliance
to WAF Rules
Ensure entire Organization
adheres to mandatory set
of rules
Apply protection even when
new Accounts or resources
are created
Central Visibility
Across Organization
Central visibility of WAF threats
across Organization
Compliance Dashboard for audit
firewall status
An organization’s InfoSec team
learns and operates WAF
instead of each Account owner

Managed rules from security leaders

AWS SHIELD
Standard Protection Advanced Protection
Available to ALL AWS customers at
no additional cost
Paid service that provides additional
protections, features, and benefits

• Automatic defense against the most
common network and transport layer DDoS
attacks for any AWS resource, in any AWS
Region
• Comprehensive defense against all known
network and transport layer attacks when
using Amazon CloudFront and Amazon
Route 53
• Application layer defense available when
using AWS WAF
AWS SHIELD
Standard Protection
Automatically provided to all AWS
customers at no additional cost

• Fast escalation to the AWS DDoS
Response Team (DRT) to assist with
complex edge cases
• Attack visibility and enhanced
detection
• Cost Protection to mitigate economic
attack vectors
• AWS WAF for application-layer defense,
at no additional cost
AWS SHIELD
Advanced Protection
Available globally on Amazon
CloudFront, Amazon Route 53, and in
select AWS Regions

Effective Against:
• HTTP Floods
• Bad Bots
• Suspicious IPs
Effective Against:
• SSL Attacks
• Slowloris
• Malformed HTTP
Effective Against:
• SYN Floods
• Reflection Attacks
• Suspicious
Sources
DEFENSE IN DEPTH
Border Network
Network Layer Mitigations
AWS Services
Web Layer Mitigations
Customer Infrastructure
DDoS
Detection
Internet
Internet-
Layer
Mitigations
DDoS
Effective Against:
• Large-scale
attacks
Effective Against:
• Sophisticated
Layer 7 attacks
DDoS
Response
Team

What is Amazon GuardDuty?
• A threat detection service re-imagined for the cloud
• Continuously monitors and protects AWS accounts, along with the
applications and services running within them
• Detects known and unknown threats
• Makes use of artificial intelligence and machine learning
• Integrated threat intelligence
• Operates on CloudTrail, VPC Flow Logs & DNS
• Detailed & Actionable Findings

Detecting Known Threats
Threat intelligence
• GuardDuty consumes feeds from various sources
• AWS Security
• Commercial feeds
• Open source feeds
• Customer provided threat intel (STIX)
• Known malware infected hosts
• Anonymizing proxies
• Sites hosting malware & hacker tools
• Crypto-currency mining pools and wallets
• Great catch-all for suspicious & malicious activity

Detecting Unknown Threats
Anomaly detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine learning classifiers
• Larger R&D effort
• Highly skilled data scientists to study data
• Develop theoretical detection models
• Experiment with implementations
• Testing, tuning, and validation

What can the service detect?
RDP brute
force
RAT Installed
Exfiltrate
temp IAM
creds over
DNS
Probe API
with temp
creds
Attempt to
compromise
account
Malicious or
suspicious IP
Unusual ports DNS exfiltration
RDP brute force
Unusual traffic volumeConnect to blacklisted site
Recon
Anonymizing proxy
Temp credentials
used off-instance
Unusual ISP caller
Bitcoin activity
Unusual instance launch

• Recon
• Port Probe on unprotected port
• Outbound port scans
• Callers from anonymizing proxies
• Backdoor
• Spambot or C&C activity detected
• Exfiltration over DNS channel
• Suspicious domain request
• Trojan
• DGA Domain Request
• Blackhole traffic
• DropPoint
• Unauthorized Access
• Unusual ISP caller
• SSH BruteForce
• RDP Brute Force
• Stealth
• Password Policy Change
• CloudTrail Logging Disabled
• GuardDuty Disabled in member account
• CryptoCurrency
• Communication with Bitcoin DNS pools
• CryptoCurrency related DNS calls
• Connections to Bitcoin mining pools
Finding Type Categories

Demo: Alexa “Ask GuardDuty”
“Get flash briefing”
“Get statistics for Virginia”
“Get medium severity findings for Oregon”
Amazon
Echo
Alexa
Custom
Skill
(Lambda)
GuardDuty
API
Finding Statistics and
Details
“Alexa, Ask GuardDuty”
read only
“Here is your GuardDuty flash
briefing…”
1
2
3
4
5 Alexa
Service
https://github.com/aws-samples/amazon-guardduty-alexa-sample
**Start Demo GuardDuty to ACL Auto Defense

Demo Part 1: GuardDuty to ACL Auto Defense
EC2
instance
GuardDuty CloudWatch
Events
Lambda
Function
WAF
filtering rule
AWS WAF
VPC Network
Access Control List
Amazon
DynamoDB
172.16.1.x
172.16.1.x
172.16.1.x
172.16.1.x
Blocked
Host
State Data
1
2
3
4
5
Amazon
SNS
6

• AMAZON MACIE
• ML-POWERED VISIBILITY SERVICE IDENTIFIES
SENSITIVE INFORMATION TO HELP AUTOMATE
SECURITY AND COMPLIANCE

Macie overview
Understand
your data
Natural Language
Processing (NLP)
Understand data
access
Predictive User
Behavior Analytics
(UBA)

Macie Content Classification
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SAAS API Keys

Automated actions on alerts
• Simplify with Lambda
• Delete the object
• Revoke access—bucket or object
• Perimeter guard
• Update IAM policies
• Suspend user

Cost-effective and
efficient
No infrastructure
to manage
Pay only for what you use
Bring your
own code
Productivity-focused compute service to build powerful, dynamic, modular
applications in the cloud
Run code in standard
languages
Focus on business logic
Benefits of AWS Lambda
1 2 3

AWS Lambda: Run Code in Response to Events
FUNCTION SERVICES (ANYTHING)
Changes in
data state
Requests to
endpoints
Changes in
resource state
Node
Python
Java
C#
EVENT SOURCE

• A W S C o n f i g a n d
• A W S C o n f i g R u l e s
• A W S C l o u d T r a i l a n d
• A m a z o n C l o u d W a t c h L o g s
Active Auditing with AWS Lambda

AWS Config & AWS Config Rules
• A continuous recording and continuous assessment service
Changing resources
AWS Config
Config Rules
History, Snapshot
Notifications
API Access
Normalized
Answer the questions:
How are my resources configured over time?
Is a change that just occurred to a resource, compliant?
Multi-Account, Multi-Region Data Aggregation

AWS Lambda as Auditor
App Account 1
App Account n
Security Team Account

Amazon Inspector
• Vulnerability Assessment Service
– Built from the ground up to support DevSecOps
– Automatable via APIs
– Integrates with CI/CD tools
– On-Demand Pricing model
– Static & Dynamic Rules Packages
– Generates Findings

Amazon Inspector
• Rules Packages
– Common Vulnerabilities & Exposures
– CIS Operating System Security Configuration Benchmarks
– Security Best Practices
– Runtime Behavior Analysis

Automating Remediation
• Findings are JSON formatted and taggable
• Name of assessment target & template
• Start time, end time, status
• Name of rule packages
• Name & severity of the finding
• Description & remediation steps
• Lamd-ify your incident response
• Integrate with Jira-like services
• Integrate with Pagerduty-like services

AWS Systems Manager
• A set of capabilities that:
• enable automated configuration
• support ongoing management of systems at scale
• work across all of your Windows and Linux workloads
• run in Amazon EC2 or on-premises
• carry no additional charge to use

Why should I care?
Support for hybrid
Architecture
Cross-platform Scalable
Secure Easy-to-write
automation
Expected Reduction
in Total Cost of
Ownership (TCO)

AWS Systems Manager capabilities
state manager maintenance
window
inventory
automation parameter store
run command
patch manager

Introducing AWS Secrets Manager
Lifecycle management for secrets such as database
credentials and API keys.
Rotate Secrets
Safely
Pay as you goManage access
with fine-grained
policies
Secure and
audit secrets
centrally

AWS Secrets Manager Key Features
Safe rotation of
secrets
Built-in integrations,
extensible with
Lambda
On-demand or
automatic rotation with
versioning
Fine-grained access
policies
Encrypted storage Logging and
monitoring

CloudWatch Events
• Delivers a near real-time stream of system events that describe changes in
Amazon Web Services (AWS) resources.
• Using simple rules, you can match events and route them to one or more target
functions or streams.
• CloudWatch Events becomes aware of operational changes as they occur and
responds to these operational changes and takes corrective action as
necessary, by sending messages to respond to the environment, activating
functions, making changes, and capturing state information.

Supported Services
• AWS CodeStar
• AWS Console Sign-In
• Auto Scaling
• Batch
• Certificate Manager
• Chime
• Cloud Directory
• CloudFormation
• CloudFront
• CloudHSM
• CloudSearch
• CloudTrail
• CloudWatch Events
• CloudWatch Logs
• CodeBuild
• CodeCommit
• CodeDeploy
• CodePipeline
• Cognito Identity
• Cognito Sync
• Cognito User Pool
• Config
• Data Pipeline
• Database Migration Service
• Direct Connect
• Directory Service
• DynamoDB
• EC2
• EC2 Container Registry
• EC2 Container Service (ECS)
• EC2 Simple Systems Manager (SSM)
• EMR
• ElastiCache
• Elastic Beanstalk
• Elastic File System (EFS)
• Elastic Load Balancing
• Elastic Map Reduce (EMR)
• Elastic Transcoder
• Elasticsearch
• Gamelift
• Glacier
• Glue
• GuardDuty
• Health
• IAM
• Inspector
• IoT
• Key Management Service (KMS)
• Kinesis
• Kinesis Firehose
• Lambda
• Machine Learning
• Macie
• Managed Services
• MediaConvert
• MediaLive
• Metering Marketplace
• Monitoring
• OpsWorks
• OpsWorks for Chef Automate
• Organizations
• Polly
• RedShift
• Relational Database Service (RDS)
• Route 53
• Security Token Service (STS)
• Server Migration Service (SMS)
• Service Catalog
• Simple Email Service (SES)
• Simple Notification Service (SNS)
• Simple Queue Service (SQS)
• Simple Storage Service (S3)
• Simple Workflow Service (SWF)
• Step Functions
• Storage Gateway
• Support
• Trusted Advisor
• WAF Regional
• Web Application Firewall (WAF)
• WorkDocs
• WorkSpaces
* As of 2/20/18

Supported Targets
• Amazon EC2 instances
• AWS Lambda functions
• Streams in Amazon Kinesis Data Streams
• Delivery streams in Amazon Kinesis Data Firehose
• Amazon ECS tasks
• AWS Batch Jobs
• SSM Run Command
• SSM Automation
• Step Functions state machines
• Pipelines in AWS CodePipeline
• AWS CodeBuild projects
• Amazon Inspector assessment templates
• Amazon SNS topics
• Amazon SQS queues
• Built-in targets
• The default event bus of another AWS account

Not just API

Putting it all together

Service Outputs
Service Outputs
WAF CloudWatch Metrics
Shield CloudWatch Metrics
GuardDuty CloudWatch Events
Macie CloudWatch Events
Lambda CloudWatch Logs
Config Config Rules
Inspector CloudWatch Events
Systems Manager CloudWatch Events

Remediation through CloudWatch Events and LambdaA
Macie Finding
Remediation
Lambda
function
CloudWatch
Event

Remediation through CloudWatch Events and Lambda
Remediation
Lambda
function
GuardDuty
Finding
CloudWatch
Event

Demo Part 2: GuardDuty to ACL Auto Defense
EC2
instance
GuardDuty CloudWatch
Events
Lambda
Function
WAF
filtering rule
AWS WAF
VPC Network
Access Control List
Amazon
DynamoDB
172.16.1.x
172.16.1.x
172.16.1.x
172.16.1.x
Blocked
Host
State Data
1
2
3
4
5
Amazon
SNS
6

Multiple Accounts and Aggregation

Threat Detection and Remediation in Multiple Accounts
• GuardDuty and Macie Support Master / Member accounts
– Centralized Console for many accounts, per region
• CloudWatch Events supports receiving events from multiple accounts through
the Event Bus feature
– All CloudWatch Events across your organization can be sent to an Event Bus owned
by your InfoSec team
• CloudFormation
– All services discussed today support CloudFormation directly or through custom
Lambda resources
– CloudFormation allows you to deploy services discussed today as code
– CloudFormation StackSets allows you to centrally deploy templates across accounts
and regions

Automation and Aggregation
AWS Lambda
Amazon
CloudWatch Events
GuardDuty
Finding
Amazon
Kinesis Firehose
Amazon ES
Macie
Finding
Inspector
Finding
Amazon S3
Amazon
Athena

Security Event Pipeline
Kinesis Firehose
Amazon ES
Security
Analysis
SNS Topic
Central Processing
Lambda
Central
CloudWatch
EventBus
Account C
Account B
Account A
Amazon S3
Notification

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

Introduction to Threat Detection and Remediation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Introduction to Threat Detection and Remediation

Similar to Introduction to Threat Detection and Remediation (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Introduction to Threat Detection and Remediation