Who done it: Gaining visibility and accountability in the cloud

Similar documents
Security: Michael South Americas Regional Leader, Public Sector Security & Compliance Business Acceleration

Additional Security Services on AWS

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Securing Microservices Containerized Security in AWS

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Title: Planning AWS Platform Security Assessment?

AWS Agility + Splunk Visibility = Cloud Success. Splunk App for AWS Demo. Laura Ripans, AWS Alliance Manager

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

Mid-Atlantic CIO Forum

Hackproof Your Cloud Responding to 2016 Threats

Cloud Security Strategy - Adapt to Changes with Security Automation -

Getting Started with AWS Security

INTRODUCING CISCO SECURITY FOR AWS

Serverless Computing. Redefining the Cloud. Roger S. Barga, Ph.D. General Manager Amazon Web Services

ALIENVAULT USM FOR AWS SOLUTION GUIDE

What s New at AWS? looking at just a few new things for Enterprise. Philipp Behre, Enterprise Solutions Architect, Amazon Web Services

Building a Modular and Scalable Virtual Network Architecture with Amazon VPC

Incident Response and Forensics in your Pyjamas

Minfy MS Workloads Use Case

Splunk & Amazon Web Services

Training on Amazon AWS Cloud Computing. Course Content

Lambda Architecture for Batch and Stream Processing. October 2018

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

McAfee Cloud Workload Security Product Guide

Security & Compliance in the AWS Cloud. Amazon Web Services

AWS 101. Patrick Pierson, IonChannel

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Splunk & AWS. Gain real-time insights from your data at scale. Ray Zhu Product Manager, AWS Elias Haddad Product Manager, Splunk

Introduction to AWS GoldBase. A Solution to Automate Security, Compliance, and Governance in AWS

Minfy MS Workloads Use Case

Streamline AWS Security Incidents

AWS Security. Stephen E. Schmidt, Directeur de la Sécurité

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

CogniFit Technical Security Details

Automating Elasticity. March 2018

Introduction to Cloud Computing

Building a Self-Defending Border. Shane Baldacchino, Solutions Architect, AWS Marcus Santos, Solutions Architect, AWS

What s New at AWS? A selection of some new stuff. Constantin Gonzalez, Principal Solutions Architect, Amazon Web Services

AWS Landing Zone. AWS User Guide. November 2018

Reference Guide Revision B. McAfee Cloud Workload Security 5.0.0

Compare Security Analytics Solutions

Cloud security 2.0: Joko nyt pilveen voi luottaa?

What to expect from the session Technical recap VMware Cloud on AWS {Sample} Integration use case Services introduction & solution designs Solution su

Understanding Perimeter Security

Netflix OSS Spinnaker on the AWS Cloud

Look Who s Hiring! AWS Solution Architect AWS Cloud TAM

Overcoming the Challenges of Automating Security in a DevOps Environment

Amazon Search Services. Christoph Schmitter

Managing Microsoft 365 Identity and Access

Enroll Now to Take online Course Contact: Demo video By Chandra sir

Architecting for Greater Security in AWS

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

ForeScout Amazon Web Services (AWS) Plugin

Rethink Your Workstation Strategy with Amazon AppStream 2.0

Hackproof Your Cloud: Preventing 2017 Threats for a New Security Paradigm

AWS Well Architected Framework

SignalFx Platform: Security and Compliance MARZENA FULLER. Chief Security Officer

McAfee Skyhigh Security Cloud for Amazon Web Services

Deep Dive on AWS CodeStar

OptiSol FinTech Platforms

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

ASD CERTIFICATION REPORT

Course Outline. Module 1: Microsoft Azure for AWS Experts Course Overview

Amazon Web Services 101 April 17 th, 2014 Joel Williams Solutions Architect. Amazon.com, Inc. and its affiliates. All rights reserved.

Access Governance in a Cloudy Environment. Nabeel Nizar VP Worldwide Solutions

Kubernetes Integration Guide

Network Security & Access Control in AWS

HashiCorp Vault on the AWS Cloud

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0

Deploy Symantec Cloud Workload Protection for Storage

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

Grischa Baelden AWS Public Sector Account Manager, DACH. Brendan Bouffler. Worldwide Research and Technical Computing Lead

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Infrastructure Blind Spots Continue to Fuel Personal Data Breaches. Sanjay Raja Lumeta Corporation Lumeta Corporation

Building a More Secure Cloud Architecture

Symantec Ransomware Protection

INTRODUCING CISCO SECURITY FOR AWS

SECURITY-AS-A-SERVICE BUILT FOR AWS

Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014

Build, Don t Buy Enable Analytics, Machine Learning, and Forensics with Security Data Lake on AWS

Qualys Cloud Platform

Securing Your Cloud Introduction Presentation

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

Puppet on the AWS Cloud

CYBER SECURITY WHITEPAPER

Store, Protect, Optimize Your Healthcare Data in AWS

Introducing Amazon Elastic File System (EFS)

Security Aspekts on Services for Serverless Architectures. Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

What matters in Cyber Security

CND Exam Blueprint v2.0

AWS Solutions Architect Associate (SAA-C01) Sample Exam Questions

A New Way to Look at AWS Security

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

Securing Serverless Architectures

Simple Security for Startups. Mark Bate, AWS Solutions Architect

Slide Heading. Pragmatic Cloud Security A Guided Tour. Brian Genz. October 12, 2016

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

CLOUD WORKLOAD SECURITY

Transcription:

Who done it: Gaining visibility and accountability in the cloud By Ryan Nolette Squirrel Edition

$whoami 10+ year veteran of IT, Security Operations, Threat Hunting, Incident Response, Threat Research, and Forensics GitHub https://github.com/sonofagl1tch Career highlight Time's person of the year 2006 What am I giving away? A full detonation lab built automatically by cloudformation https://github.com/sonofagl1tch/awsdetonationlab

Agenda Overview Who did what and when? Common Techniques Common Visibility Tools and Their AWS Equivalent Increasing visibility until you have accountability Common Logging Authentication Endpoint Network Vulnerabilities Configuration End to end example Detonation Lab Logging Pipelines and Services Finding What Matters

Who did what and when These are the 3 pillars of each stage of scoping the event Will be modified for each iteration The analysts should be able to start at any of the stages and complete the cycle

Common Techniques What s Their Goal? OS hardening Config management Identity Management Process monitoring

Common Visibility Tools and Their AWS Equivalent Traditional Tool IDS/IPS DLP EDR Netflow DNS Access and authentication auditing Active Directory Identity Management Single Sign On Vulnerability scanner Configuration Management Logging AWS equivalent guardduty Macie Cloudwatch + osquery, GRR Cloudwatch + VPCFlow Cloudwatch + Route53 CloudTrail Directory Service IAM AWS SSO Inspector AWS config Cloudwatch + Firehose + Lambda

Increasing visibility until you have accountability The process of asking who did what and when and increasing logging and controls until you can answer those questions for every scenario you can think of. OS hardening Logging Authentication Endpoint Network Vulnerabilities/ Configuration CIS guidelines audit and hardening scripts. Additional logging and hardening scripts created by experience over time. Common logging like auth logs and process creation etc /var/log/secure IAM logs IAM roles IAM policies EDR HIDS Cloudwatch GuardDuty IDS Netstat Tcpdump Vpc flow logs Dns route 53 logs Generic vuln scanner Inspector NVD/CVE usage Aws config OS hardening Applications config

End to end example Always Squirrel away your logs DevOps Installs new tool that is backdoored with a CryptoMiner Static defense controls do not stop miner installation SecOps remains vigilant SecOps Defends

Detonation Lab Topology

Pipelines

CloudFormation CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.

S3 Amazon S3 is object storage built to store and retrieve any amount of data from anywhere

VPC Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

VPC Flow - Kinesis Stream Amazon Kinesis Data Streams (KDS) is a massively scalable and durable real-time data streaming service. KDS can continuously capture gigabytes of data per second from hundreds of thousands of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events.

Lambda AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.

Firehose Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data stores and analytics tools.

IAM AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

CloudTrail AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

Macie Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

Inspector Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

CloudWatch Event Rules and Logs Amazon CloudWatch is a monitoring and management service built for developers, system operators, site reliability engineers (SRE), and IT managers.

GuardDuty Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

Wazuh Wazuh is a free, open-source hostbased intrusion detection system (HIDS).

Mappings

Simple Dashboards

Finding what matters External Traffic Destinations China Traffic volume by destination IP Massive spike in traffic to china Most common destination

Finding what matters Most common destination Logs with Destination Ec2 Instance involved Hostname of findings All Guardduty Findings for instance

Finding what matters Most common destination File responsible for outbound connection VT Results fb7791757901a24800f67f0f950b281d 4f7c79d247490ce12b159b1cef9832e6039513b9 1e2f03917015b52c71432ffd382e0ee970d551eebf9457b2498b1434ce8ab466

How did they get in?

Recap Traditional Tool AWS equivalent IDS/IPS guardduty DLP Macie EDR Cloudwatch + osquery, GRR Netflow Cloudwatch + VPCFlow DNS Cloudwatch + Route53 Access and authentication a CloudTrail uditing Active Directory Directory Service Identity Management IAM Single Sign On AWS SSO Vulnerability scanner Inspector Configuration Management AWS config Logging Cloudwatch + Firehose + La mbda

Personal Attacker Life cycle

Flag it, Tag it, and Bag it.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback