
A Case Study on Insider Threat Detection

by Jeff Puchalski, Application Security Engineer, AWS

Insider threat detection! How do we use AWS products to find an insider threat? We will cover Macie, GuardDuty and Lambda to review the actions taken in a production account and remediate findings as they arise. We will also cover the use of CloudWatch to unify our findings into a single pane of glass.


  1. Jeff Puchalski, AWS Security. A Case Study on Insider Threat Detection (Or, they’re inside the walls!). May 2018. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to expect from this session
     • Introduction
     • Discussion of the services used
     • The insider threat
     • The crunchy outer shell defense!
     • Auto remediation
  3. AWS security solutions, by category
     • Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
     • Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
     • Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
     • Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
     • Incident response: AWS Config Rules, AWS Lambda
  4. Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads. What can you do?
     • Continuous monitoring to rapidly detect threats (needle) to your environments in the sea of log data (haystack)
     • Processes AWS CloudTrail logs and Amazon VPC flow logs
     • Analyzes billions of events across your AWS accounts for signs of risk
     • Identifies unexpected and suspicious activity, such as privilege escalation, exposed creds, and communication with malicious IPs
     • Can send findings to CloudWatch Events
  5. Amazon Macie: machine learning-powered security service to discover, classify, and protect sensitive data. What can you do?
     • Helps you better understand where sensitive information is stored
     • Discovers and classifies data in S3 buckets
     • Shows how your data is being accessed, including user authentications and access patterns
     • Uses machine learning (ML) to detect and alarm on potential threats
     • Finds user behavior outliers that indicate possible compromise
     • Can send findings to CloudWatch Events
  6. AWS CloudTrail: track user activity and API usage. What can you do?
     • Simplify compliance audits and incident response by automatically recording and storing activity logs for your AWS account
     • Logs API calls made to AWS services
     • 7-day event history on by default
     • Create log “trails” stored to S3
     • Optional KMS encryption
     • Optional log file integrity validation
     • Optional data-level event logging for S3 and Lambda
     • Can send events to CloudWatch Events
  7. Amazon CloudWatch: monitoring service for AWS cloud resources and the applications you run on AWS. What can you do?
     • Monitor resource utilization, operational performance, and overall demand patterns
     • Gather metrics such as CPU utilization, disk reads / writes, and network traffic
     • Configure alarms based on metrics and connect with AutoScaling, SNS, Lambda, etc.
     • Add custom metrics or derive metrics from logs using metric filters
     • Create interactive dashboards with charts
     • Billing alerts to ID unusual account activity
  8. VPC Flow Logs: capture network flow information about the IP traffic going to and from interfaces in your VPC. What can you do?
     • Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
     • Increase visibility into your user and resource activity
     • Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
     • Flow log data is stored using Amazon CloudWatch Logs
  9. AWS WAF: web application firewall to help detect and block malicious web requests targeted at your web applications. What can you do?
     • Deploy new rules within minutes, letting you respond quickly to changing traffic patterns
     • Use the full-featured API to automate the creation, deployment, and maintenance of web security rules
     • Put web security at multiple points in the development chain by defining application-specific rules that increase web security as you develop your application
  10. Humans and data don’t mix
  11. So who is inside the walls, exactly?
     - Enterprise employees, consultants, contractors, and you!
     - Humans are potential breach vectors for your systems
     - For today, pretend that the following types of insider threat are handled by your team:
       - Bad actors
       - Actors operating outside their role or responsibilities
       - Actors operating correctly but on the wrong resource
  12. Who is responsible?
     - Ownership and classification of an event is a question your org/team needs to discuss and agree upon
     - Different in each enterprise, vertical, etc.
     - You must have one group that is a catch-all
       - Responsible for events that don’t fall into anyone’s bucket
  13. Target of the discussion. The simple environment to the left has specific needs and allows for direct detection of threats if:
     • The system has little human interaction
     • Normal patterns, and timed procedures
     • Limited, well-defined scope and functions
     [Diagram: AWS Cloud > Virtual Private Cloud spanning Availability Zone A and Availability Zone B, each with a Web Server and an App Server; an RDS DB instance with a standby instance (multi-AZ)]
  14. Target of the discussion. This is more realistic:
     • System has lots of human interaction
     • No patterns or timed procedures
     • No scope
  15. Building a crunchy outer shell
     • Does not defend complex systems from an insider threat
     • Does not adequately defend simple systems either
     • Avoid assumptions about the target or intentions of an insider threat
     • Not always malicious intent
     • Humans make mistakes
  16. Target of the discussion
     • Unify logs/trails
     • Implement similar checks in all accounts
     • Watch for changes, not just actions
     • Unify events/findings into CloudWatch Dashboards
     • Set up SNS topics to route notifications
     • Trigger CloudWatch Events based on actions in the environment
  17. Responding to Findings: Remediation
     • Remediate a compromised EC2 instance
     • Remediate compromised IAM credentials (i.e., access key + secret)
     [Diagram: Automated Remediation Flow: Amazon GuardDuty finding → Amazon CloudWatch (CloudWatch Event) → AWS Lambda (Lambda Function)]
  18. CloudWatch Events Rules: rule for a single GuardDuty finding type with Lambda function and SNS topic targets
  19. CloudWatch Events Rules: rule for all GuardDuty findings with a single Lambda function target
  20. GuardDuty Findings: Threat Purpose Details. Describes threats by their primary purpose:
     • Backdoor: resource compromised and capable of contacting source home
     • Behavior: activity that differs from established baseline
     • CryptoCurrency: detected software associated with crypto currencies
     • PenTest: activity detected similar to that generated by known pen testing tools
     • Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
     • Stealth: attack trying to hide actions / tracks
     • Trojan: program detected carrying out suspicious activity
     • UnauthorizedAccess: suspicious activity / pattern by unauthorized user
  21. Remediation Actions
     • Account Remediation
       • Remediate AWS credentials: PenTest, Recon (black-listed IP), Stealth, UnauthorizedAccess
       • Investigate, then remediate: Behavior, UnauthorizedAccess
       • Architecture change: Recon
     • Instance Remediation
       • Remediate compromised instances: Backdoor, CryptoCurrency, Recon (outgoing), Trojan, UnauthorizedAccess
       • Investigate, then remediate: Behavior
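The rule patterns on slides 18 and 19 and the purpose-to-action table on slides 20 and 21 can be expressed as one routing function. The block below is an added example written for this page, not code from the talk or from AWS: it implements a minimal version of the CloudWatch Events pattern matching, classifies a finding by the threat purpose in front of the first `:` of its type, and dispatches to injected remediation callables so the logic runs offline. The sample event, the finding type in `SINGLE_TYPE_RULE`, the `QUARANTINE_TOPIC_ARN` environment variable and the decision to split Recon and UnauthorizedAccess on the affected resource type are assumptions.

```python
"""Route GuardDuty findings delivered through CloudWatch Events to a remediation
action. Added example for this page; the finding-purpose -> action mapping
follows the "Remediation Actions" slide, everything else is an assumption."""
import json
import os

# Event pattern for a rule that matches every GuardDuty finding (slide 19).
ALL_FINDINGS_RULE = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Event pattern scoped to one finding type (slide 18); the type is an example chosen here.
SINGLE_TYPE_RULE = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
                    "detail": {"type": ["UnauthorizedAccess:EC2/SSHBruteForce"]}}

# Constructed sample, shaped like a GuardDuty finding as CloudWatch Events delivers it.
SAMPLE_EVENT = {
    "version": "0", "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "region": "us-east-1",
    "detail": {"id": "sample-finding-id", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "severity": 5,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}


def event_matches(pattern, event):
    """Minimal CloudWatch Events matching: every pattern key must exist in the event,
    a list of values matches when the event value is one of them, nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def choose_action(finding):
    """Map a finding to isolate_instance, revoke_credentials or investigate.
    Purposes listed in both columns of the slide (Recon, UnauthorizedAccess) are
    split on the affected resource type; that split is an assumption."""
    purpose = finding["type"].split(":", 1)[0]
    resource_type = finding.get("resource", {}).get("resourceType", "")
    if purpose in {"Backdoor", "CryptoCurrency", "Trojan"}:
        return "isolate_instance"
    if purpose in {"PenTest", "Stealth"}:
        return "revoke_credentials"
    if purpose in {"Recon", "UnauthorizedAccess"}:
        return "isolate_instance" if resource_type == "Instance" else "revoke_credentials"
    return "investigate"  # Behavior, and any purpose the slide does not list, go to a human


def route_finding(event, actions):
    """Dispatch one event to actions[action](finding); non-GuardDuty events are ignored
    rather than guessed at, so a mis-scoped rule cannot trigger a remediation."""
    if not event_matches(ALL_FINDINGS_RULE, event):
        return {"action": "ignored"}
    finding = event["detail"]
    action = choose_action(finding)
    result = actions[action](finding)
    return {"action": action, "finding_id": finding["id"],
            "severity": finding.get("severity"), "result": result}


def handler(event, context):
    """Lambda entry point (assumed design): publish the decision to an SNS topic whose
    ARN is read from QUARANTINE_TOPIC_ARN, leaving the actual remediation to the
    topic's subscribers."""
    import boto3  # imported lazily so the routing logic above runs without it
    sns = boto3.client("sns")
    topic_arn = os.environ["QUARANTINE_TOPIC_ARN"]

    def publisher(action):
        def publish(finding):
            body = json.dumps({"action": action, "finding": finding}, default=str)
            return sns.publish(TopicArn=topic_arn, Subject=f"GuardDuty: {action}",
                               Message=body)["MessageId"]
        return publish

    names = ("isolate_instance", "revoke_credentials", "investigate")
    return route_finding(event, {name: publisher(name) for name in names})
```

`route_finding` is the unit to test: pass it a dict of fakes and assert on the action chosen, which keeps the mapping reviewable without an AWS account. Anything that does not match `ALL_FINDINGS_RULE` returns `ignored`, so attaching the function to an overly broad rule fails closed.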
  22-32. Lambda + Systems Manager + CloudWatch (one diagram built up across eleven slides)
     [Diagram: an Amazon CloudWatch rule fires on an Amazon GuardDuty finding and invokes an AWS Lambda function; the Lambda function runs AWS Systems Manager documents against the EC2 instance (shown as a shell prompt, "Instance:~ ec2-user$ _"), which has elastic network adapters and an EBS volume attached]
     • Slides 25-28: the instance has two elastic network adapters, one reachable on 3389 => 0.0.0.0/0 (open to world) and one on 80, 443 => DataSG; after remediation only the adapter with 80, 443 => DataSG remains
     • Slides 29-31: Systems Manager documents run top, pcap and lime on the instance ("Instance:~ ec2-user$ top", "Instance:~ ec2-user$ pcap", "Instance:~ ec2-user$ lime")
     • Slides 30-32: the EBS volume is copied to an Amazon EBS snapshot for EBS forensics
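The instance-remediation build-up on slides 22 to 32 is, in code, a short runbook: isolate the network interfaces, collect volatile data over Systems Manager while the instance is still running, then snapshot the volumes. The block below is an added example written for this page, not code from the talk or from AWS. It takes boto3-style `ec2` and `ssm` clients as parameters and uses only `describe_instances`, `modify_network_interface_attribute`, `create_tags`, `create_snapshot` and `send_command`; the quarantine security group id, the Systems Manager document name, the tag keys and the in-memory `FakeEc2`/`FakeSsm` stand-ins are constructed so the runbook can be exercised offline.

```python
"""Quarantine an EC2 instance named in a GuardDuty finding: network isolation,
volatile-data collection, EBS snapshots. Added example for this page; the group
id, document name and tag keys are assumptions, the fakes are constructed."""

QUARANTINE_SG = "sg-0quarantine0000000"  # assumed: a security group with no inbound rules
FORENSIC_DOCUMENT = "ForensicTriage"      # assumed: SSM document that runs top / pcap / lime


def quarantine_instance(ec2, ssm, instance_id, quarantine_sg=QUARANTINE_SG,
                        document=FORENSIC_DOCUMENT):
    """Isolate, triage and snapshot one instance; idempotent on a second call."""
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instances = [i for r in reservations for i in r["Instances"]]
    if not instances:
        raise ValueError(f"{instance_id}: no such instance")
    inst = instances[0]

    # Record the original groups first so the isolation can be reversed later.
    original = {ni["NetworkInterfaceId"]: [g["GroupId"] for g in ni["Groups"]]
                for ni in inst["NetworkInterfaces"]}
    if all(groups == [quarantine_sg] for groups in original.values()):
        return {"instance_id": instance_id, "already_quarantined": True}

    # 1. Network isolation on every attached interface, not only the primary one
    #    (slides 27-28 drop the 3389 => 0.0.0.0/0 exposure).
    for ni_id in original:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=ni_id, Groups=[quarantine_sg])
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Quarantine", "Value": "GuardDuty"},
        {"Key": "OriginalSecurityGroups",
         "Value": ";".join(f"{k}={','.join(v)}" for k, v in original.items())}])

    # 2. Volatile data while the instance is still running (slide 29: top, pcap, lime).
    command_id = ssm.send_command(InstanceIds=[instance_id],
                                  DocumentName=document)["Command"]["CommandId"]

    # 3. Point-in-time copy of every EBS volume for offline analysis (slides 30-32).
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=volume_id,
                                   Description=f"forensic copy of {volume_id} from {instance_id}")
        snapshots.append(snap["SnapshotId"])

    return {"instance_id": instance_id, "already_quarantined": False,
            "original_groups": original, "command_id": command_id, "snapshots": snapshots}


# Constructed in-memory stand-ins for the two clients (not boto3), enough for the calls above.
class FakeEc2:
    def __init__(self, instance):
        self.instances = {instance["InstanceId"]: instance}
        self.calls = []

    def describe_instances(self, InstanceIds):
        found = [self.instances[i] for i in InstanceIds if i in self.instances]
        return {"Reservations": [{"Instances": found}] if found else []}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.calls.append(("sg", NetworkInterfaceId, list(Groups)))
        for inst in self.instances.values():
            for ni in inst["NetworkInterfaces"]:
                if ni["NetworkInterfaceId"] == NetworkInterfaceId:
                    ni["Groups"] = [{"GroupId": g} for g in Groups]

    def create_tags(self, Resources, Tags):
        self.calls.append(("tags", Resources, Tags))

    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("snapshot", VolumeId))
        return {"SnapshotId": f"snap-{VolumeId[4:]}"}


class FakeSsm:
    def send_command(self, InstanceIds, DocumentName):
        return {"Command": {"CommandId": f"cmd-{DocumentName}-{InstanceIds[0]}"}}


def sample_instance():
    """Constructed instance resembling slide 27: two adapters, one exposed on 3389."""
    return {"InstanceId": "i-0123456789abcdef0",
            "NetworkInterfaces": [
                {"NetworkInterfaceId": "eni-aaaa", "Groups": [{"GroupId": "sg-rdp-open"}]},
                {"NetworkInterfaceId": "eni-bbbb", "Groups": [{"GroupId": "sg-DataSG"}]}],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0root"}}]}


if __name__ == "__main__":
    print(quarantine_instance(FakeEc2(sample_instance()), FakeSsm(), "i-0123456789abcdef0"))
```

Two points a reviewer would check: the original groups are written to a tag before any change so the instance can be restored after the investigation, and the function iterates over every network interface because a group change on the instance attribute only reaches the primary interface. Run against real clients by passing `boto3.client("ec2")` and `boto3.client("ssm")` in place of the fakes.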
