SID301 Threat Detection and Mitigation

© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Holly Willey
AWS Global Solutions Architect
SID301
Threat Detection and Remediation on
AWS

Why is traditional threat detection so hard?
Skills shortageSignal to noiseLarge datasets

Get the Humans Away from the Data

AWS CloudTrail
Track user activity
and API usage
Threat Detection: Log Data Inputs
VPC Flow Logs
IP traffic to/from
network interfaces
in your VPC
CloudWatch Logs
Monitor apps using
log data, store &
access log files
DNS Logs
Log of DNS
queries in a VPC
when using the
VPC DNS resolver

AWS CloudTrail

Detect with VPC Flow Logs
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start & end time
Accept or
reject

Amazon CloudWatch Logs Subscriptions
• Real-time feed of log events
• Delivered to an AWS Lambda
function or an Amazon Kinesis
Data Stream
• Supports custom processing,
analysis, loading into other
systems
• Cross-account data sharing for
centralized log processing

Amazon
GuardDuty
Intelligent threat detection
and continuous monitoring to
protect your AWS accounts
and workloads
Threat Detection: Machine
Learning
Amazon Macie
Machine learning-powered
security service to discover,
classify, & protect sensitive data

What Can Amazon GuardDuty Detect?
RDP brute
force
RAT
Installed
Exfiltrate
temp IAM
creds over
DNS
Probe API
with temp
creds
Attempt to
compromise
account
Malicious or
suspicious IP
Unusual ports
DNS exfiltration
Unusual traffic volume
Connect to blacklisted site
Recon
Anonymizing proxy
Temp credentials
used off-instance
Unusual ISP caller
Bitcoin activity
Unusual instance launch

Amazon GuardDuty Threat Detection
and Notification

Detecting Known Threats
Threat intelligence
• Feeds:
o AWS Security
o Commercial - CrowdStrike, Proofpoint
o Open source
o Customer provided - "format":
"[TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE]",
• Known malware infected hosts
• Anonymizing proxies
• Sites hosting malware and hacker tools
• Cryptocurrency mining pools and wallets

Detecting Unknown Threats
Anomaly detection
• Algorithms to detect unusual behavior
o Inspecting signal patterns for signatures
o Profiling normal activity and looking at deviations
o Machine learning classifiers

Finding Types
Recon
• Port probe on unprotected port
• Outbound port scans
• Callers from anonymizing proxies
Backdoor
• Spambot or C&C activity
• Exfiltration over DNS channel
• Suspicious domain request
Trojan
• Domain Generation Algorithm (DGA)
domain request
• Blackhole traffic
• Drop point
Unauthorized Access
• Unusual ISP caller
• SSH/RDP brute force
Stealth
• Password policy change
• AWS CloudTrail logging disabled
• Amazon GuardDuty disabled in member
account
Cryptocurrency
• Communication with bitcoin DNS pools
• Cryptocurrency related DNS calls
• Connections to bitcoin mining pool

Multi-Account Support
Account B Account C
Security team account
Account A
CloudWatch Events
Amazon
GuardDuty
Amazon
GuardDuty
Amazon
GuardDuty
Amazon
GuardDuty

Visibility to Answer the Tough Questions
• What data do I have in the cloud?
• Where is it located?
• Where does my sensitive data exist?
• What’s sensitive about the data?
• What PII/PHI is possibly exposed?
• How is data being shared and stored?
• How and where is my data accessed?
• How can I classify data in near-real time?
• How do I build workflow remediation for my security and compliance
needs?

Amazon Macie
Understand
your data
Natural Language
Processing (NLP)
Understand data
access
Predictive User
Behavior Analytics
(UBA)

PII and personal data
Source code
SSL certificates, private keys
iOS and Android app signing keys
Database backups
OAuth and Cloud SaaS API Keys
Macie Content Classification

• Use behavioral
analytics to
baseline normal
behavior
patterns
• Contextualize
by value of data
being accessed
Macie User Behavior Analytics (UBA)Large increase in viewed
content—possible
indicator of early stage
reconnaissance

0. Feature extraction
from event data
1. Map into user
time series
2. Cluster
peer groups
3. Predict user activity,
update models
4. Identify anomalies
5. Attempt to explain
statistically
6. Alert and
narrative
explanation
created
Normal accesses
Macie User Behavior Analytics (UBA)

• Works on Amazon S3 bucket AND object policies
• Use AWS Lambda to approve or automatically
remediate overly permissive policies
o Delete the object
o Revoke access—bucket or object
o Update IAM policies
o Suspend user
• Prioritize by PII impact and Data Loss Prevention (DLP) risk
Discover and Alert on Global Permissions

Threat Detection: Triggers
Amazon CloudWatch
Events
Delivers a near real-time stream
of system events that describe
changes in AWS resources
AWS Config rules
Continuously tracks your
resource configuration changes
and if they violate any of the
conditions in your rules

AWS Config Rules
A continuous recording and assessment service
Changing resources
AWS Config
AWS Config rules
History
snapshot
Notifications
API access
Normalized
• How are my resources configured over time?
• Is a change that just occurred to a resource, compliant?

Amazon CloudWatch Events
{
"source": [
"aws.guardduty"
]
}
CloudWatch
Event
GuardDuty
findings
Lambda
function

Threat Remediation: Network
AWS WAF
Web application firewall to
help detect and block
malicious web requests
targeted at your web
applications
AWS Shield
Advanced
Managed service providing
DDoS protection against and
visibility into large, sophisticated
attacks, plus access to DDoS
experts

DDoS Targeted Attacks
Reflection and
amplification Layer 3 & 4
floods
Slowloris
SSL abuse
HTTP floods
Bots and probes
SQL injection
XSS
RFI/LFI
Application
exploits
Certificate
hijacking
Spear
Phishing
CSRF
Authorization
exploits
Web Application Firewall
AWS WAF
Amazon CloudFront
Elastic Load Balancing
AWS Shield
Amazon Inspector
Amazon Macie
AWS Certificate Manager
AWS Marketplace:
IDS/IPS, Anti-malware
Spectrum of Attacks

DDoS
Response
Team
HTTP Floods
Bad Bots
Suspicious IPs
Border network
Network layer
mitigations
AWS services
Web layer mitigations
Customer resources
DDoS
Detect-
ion
Internet
Internet-
Layer
Mitigations
DDoS
SSL Attacks
Slowloris
Malformed HTTP
Large-scale attacks
SYN floods
Reflection attacks
Suspicious sources
Defense in Depth
DDoS
Respons
e Team
(DRT)
Sophisticated Laye
7 attacks

AWS Shield: DDoS Attack Detection
Data sources:
1. Network layer
telemetry from routers
2. AWS services
• Amazon S3
• Amazon CloudFront
• Amazon Route 53
• AWS WAF

AWS Shield: Data Aggregation
Agg
Agg
Agg
Agg
Agg
DB
API
Eval
Detection systems use
machine learning to
find anomalies and
detect DDoS attacks

AWS Shield: DDoS Attack Mitigations
Agg
Agg
Agg
Agg
Agg
DB
API
Eval
DB
Customer B
Customer A
CloudWatch
Shield API
Automated workflows capture attack details and kick off
mitigations specific to the size, type, and target of the attack

Always-on Monitoring and Detection
Signature-based detection
Heuristics-based
anomaly detection
Baselining

• Inline inspection and scoring
• Preferentially discard lower priority (attack) traffic
• False positives are avoided and legitimate viewers are protected
Traffic prioritization based on:
High-suspicion
packets dropped
Low-suspicion
packets retained
Layer 3/4 Infrastructure Protection

Amazon
Route 53
ALB Security Group
Amazon
EC2
Instances
Application
Load Balancer
Amazon
CloudFront
Public Subnet
Web Application
Security Group
Private Subnet
AWS WAF
Amazon
API Gateway
DDoS
Attack
Users
Globally distributed attack mitigation capability
SYN proxy feature that verifies three-way handshake
before passing to the application
Slowloris mitigation that reaps long-lived connections
Mitigates complex
attacks by allowing
only the most reliable
DNS queries
Validates DNS
Provides flexible rule
language to block or
rate-limit malicious
requests
DDoS Resilient Architecture

Web traffic filtering
with custom rules
Malicious request
blocking
Active monitoring &
tuning
AWS WAF
Detect and filter malicious web requests

Add a count action to analyze
details of matching requests:
Client IP
Country
Headers
HTTP
Version
Method
URI
AWS WAF: Sample Requests

Protects against known
attackers identified in third-
party IP reputation list
• Spamhaus Don’t Route Or
Peer (DROP) and Extended
Drop (EDROP) lists
• Proofpoint Emerging
Threats IP list
• Tor exit node list
AWS WAF: Security Automations
AWS Shield
https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/welcome.html

• Protection against new and emerging threats
• Security research teams monitor, tune, and
update rules regularly
• Rule updates happen within minutes
• No extra cost for updates
• Unsubscribe anytime
Managed WAF Rules with Auto-Updates

NEW! – AWS Firewall Manager
Centrally manage AWS
WAF rules across
account
Integrated with
Managed Rules for AWS
WAF
Ensure
compliance of
rules across your
organization
Available today

NEW! – AWS Firewall Manager
Set the master
AWS Account
Specify policy
scope
Create policyCreate custom
RuleGroup
or use Managed Rules
from AWS Marketplace

Threat Remediation: Automation
AWS Systems
Manager
Automate patching and
proactively mitigate threats
at the instance level
AWS Lambda
Capture info about the IP
traffic going to and from
network interfaces in your
VPC

Example Response Timeline
Time
Analyze
Trace origin
Remediate
Event delivered
Rule matched
Alert sent
Correlate
Check baseline
Remediate
Incidentdetected
Traditional
Response
Response
Locate
Get logs
Correlate

High-Level Playbook
Adversary
or intern
Your environment Lambda
responder
CloudWatch
Events

Demo

AWS Lambda: Run Code in Response to Events
Function Services
Changes
in data
state
Requests to
endpoints
Changes
in resource
state
Node
Python
Java
C#
Event source

Amazon
CloudWatch
AWS
CloudTrail
AWS Config
Lambda
function
AWS
APIs
AWS WAF
Pattern for Automated Remediation
AWS Shield
Detection
Alerting
Remediation
Countermeasures
Forensics
Team
collaboration
(Slack etc.)
Amazon GuardDuty
VPC Flow Logs

• Asynchronously
execute
commands
• No need to
SSH/RDP
• Commands and
output logged
Remediating Threats on Amazon EC2 Instances
Amazon EC2 Systems Manager -
Run Command
EC2 Instances
Lambda
function
AWS Systems
Manager
Amazon
EC2

CloudWatch + Lambda + Systems Manager
AWS
Systems
Manager
Documents
Amazon
CloudWatch
EC2 instance
contents
EC2 instance:
ec2-user$ top
ec2-user$ pcap
AWS
Lambda
Amazon
GuardDuty
Lambda
function
EBS volume
Amazon EBS
snapshot
Event

Threat Detection and Remediation Partner
SolutionsConsulting, data analysis, threat detection, and managed security operations

Open Source Resources
ThreatResponse
https://threatresponse.cloud
Cloud Custodian
https://github.com/capitalone/cloud-custodian
Security Monkey
https://github.com/Netflix/security_monkey
CloudSploit
https://github.com/cloudsploit
StreamAlert
https://github.com/airbnb/streamalert
AWS CIS Foundation Framework
https://github.com/awslabs/aws-security-benchmark
AWS IR
https://github.com/ThreatResponse/aws_ir

Submit Session Feedback
1. Tap the Schedule icon. 2. Select the session
you attended.
3. Tap Session
Evaluation to submit your
feedback.

SID301 Threat Detection and Mitigation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SID301 Threat Detection and Mitigation

Similar to SID301 Threat Detection and Mitigation (20)

More from Amazon Web Services

More from Amazon Web Services (20)

SID301 Threat Detection and Mitigation