1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jeff Puchalski
AWS Security
A Case Study on Insider Threat Detection
(Or, they’re inside the walls!)
May 2018
2. What to expect from this session
• Introduction
• Discussion of the services used
• The insider threat
• The crunchy outer shell defense!
• Auto remediation
3. AWS security solutions
(Diagram of services grouped by category)
Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
Incident response: AWS Config Rules, AWS Lambda
4. Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
What can you do?
• Continuous monitoring to rapidly detect threats (needle) to your environments in the sea of log data (haystack)
• Processes AWS CloudTrail logs and Amazon VPC flow logs
• Analyzes billions of events across your AWS accounts for signs of risk
• Identifies unexpected and suspicious activity, such as privilege escalation, exposed creds, and communication with malicious IPs
• Can send findings to CloudWatch Events
5. Amazon Macie
Machine learning-powered security service to discover, classify, and protect sensitive data
What can you do?
• Helps you better understand where sensitive information is stored
• Discovers and classifies data in S3 buckets
• Shows how your data is being accessed, including user authentications and access patterns
• Use machine learning (ML) to detect and alarm on potential threats
• Find user behavior outliers that indicate possible compromise
• Can send findings to CloudWatch Events
6. AWS CloudTrail
Track user activity and API usage
What can you do?
• Simplify compliance audits and incident response by automatically recording and storing activity logs for your AWS account
• Logs API calls made to AWS services
• 7-day event history on by default
• Create log “trails” stored to S3
• Optional KMS encryption
• Optional log file integrity validation
• Optional data-level event logging for S3 and Lambda
• Can send events to CloudWatch Events
7. Amazon CloudWatch
Monitoring service for AWS cloud resources and the applications you run on AWS
What can you do?
• Monitor resource utilization, operational performance, and overall demand patterns
• Gather metrics such as CPU utilization, disk reads / writes, and network traffic
• Configure alarms based on metrics and connect with AutoScaling, SNS, Lambda, etc.
• Add custom metrics or derive metrics from logs using metric filters
• Create interactive dashboards with charts
• Billing alerts to identify unusual account activity
8. VPC Flow Logs
Capture network flow information about the IP traffic going to and from interfaces in your VPC
What can you do?
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
• Flow log data is stored using Amazon CloudWatch Logs
9. AWS WAF
Web application firewall to help detect and block malicious web requests targeted at your web applications
What can you do?
• Deploy new rules within minutes, letting you respond quickly to changing traffic patterns
• Use the full-featured API to automate the creation, deployment, and maintenance of web security rules
• Put web security at multiple points in the development chain by defining application-specific rules that increase web security as you develop your application
10. Humans and data don’t mix
11. So who is inside the walls, exactly?
- Enterprise employees, consultants, contractors, and you!
- Humans are potential breach vectors for your systems
- For today, pretend that the following types of insider threat are handled by your team:
  - Bad actors
  - Actors operating outside their role or responsibilities
  - Actors operating correctly but on the wrong resource
12. Who is responsible?
- Ownership and classification of an event is a question your org/team needs to discuss and agree upon
  - Different in each enterprise, vertical, etc.
- You must have one group that is a catch-all
  - Responsible for events that don’t fall into anyone’s bucket
13. Target of the discussion
The simple environment shown in the diagram has specific needs and allows for direct detection of threats if:
• The system has little human interaction
• Normal patterns and timed procedures
• Limited, well-defined scope and functions
(Diagram: AWS Cloud containing a Virtual Private Cloud with Availability Zone A and Availability Zone B, each holding a Web Server and an App Server, backed by an RDS DB instance with a standby instance (multi-AZ).)
14. Target of the discussion
This is more realistic:
• System has lots of human interaction
• No patterns or timed procedures
• No scope
15. Building a crunchy outer shell
• Does not defend complex systems from an insider threat
• Does not adequately defend simple systems either
• Avoid assumptions about the target or intentions of an insider threat
  • Not always malicious intent
  • Humans make mistakes
16. Target of the discussion
• Unify logs/trails
• Implement similar checks in all accounts
• Watch for changes, not just actions
• Unify events/findings into CloudWatch Dashboards
• Set up SNS topics to route notifications
• Trigger CloudWatch Events based on actions in the environment
17. Responding to Findings: Remediation
• Remediate a compromised EC2 instance
• Remediate compromised IAM credentials (i.e., access key + secret)
Automated Remediation Flow (diagram): Amazon GuardDuty finding → Amazon CloudWatch Event (CloudWatch Events rule) → AWS Lambda function
18. CloudWatch Events Rules
Rule for a single GuardDuty finding type with Lambda function and SNS topic targets
19. CloudWatch Events Rules
Rule for all GuardDuty findings with a single Lambda function target
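The two rule shapes on slides 18 and 19, as an added example that is not from the deck: a single-finding-type pattern with Lambda and SNS targets beside a catch-all pattern with one Lambda target, plus a small matcher that mirrors how CloudWatch Events evaluates an event pattern (every pattern key must be present in the event, and the event value must be one of the listed values). The finding type strings follow GuardDuty's Purpose:Resource/Name naming; the target names and the sample event are assumed.

```python
# Rule 1 (slide 18): fire only on one GuardDuty finding type, fan out to two targets.
SINGLE_TYPE_RULE = {
    "pattern": {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"type": ["UnauthorizedAccess:EC2/SSHBruteForce"]},
    },
    "targets": ["isolate-instance-lambda", "security-oncall-sns"],  # assumed names
}

# Rule 2 (slide 19): every GuardDuty finding goes to one triage Lambda.
ALL_FINDINGS_RULE = {
    "pattern": {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]},
    "targets": ["guardduty-triage-lambda"],  # assumed name
}


def matches(pattern, event):
    """Simplified CloudWatch Events matching: each pattern key must exist in the
    event; a list means 'value is one of these', a dict recurses into a sub-object."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def route(event, rules=(SINGLE_TYPE_RULE, ALL_FINDINGS_RULE)):
    """Return the targets every matching rule would invoke for this event."""
    targets = []
    for rule in rules:
        if matches(rule["pattern"], event):
            targets.extend(rule["targets"])
    return targets


def guardduty_event(finding_type, severity=5):
    """Constructed CloudWatch event carrying a GuardDuty finding (sample data, not real)."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"type": finding_type, "severity": severity},
    }
```

A finding that matches the narrow rule also matches the catch-all rule, so both rules' targets fire; the all-findings Lambda has to tolerate that overlap.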
20. GuardDuty Findings: Threat Purpose Details
Describes threats by their primary purpose
• Backdoor: resource compromised and capable of contacting source home
• Behavior: activity that differs from established baseline
• CryptoCurrency: detected software associated with crypto currencies
• PenTest: activity detected similar to that generated by known pen testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide actions / tracks
• Trojan: program detected carrying out suspicious activity
• UnauthorizedAccess: suspicious activity / pattern by unauthorized user
21. Remediation Actions
• Account Remediation
  • Remediate AWS credentials
    • PenTest
    • Recon (Black Listed IP)
    • Stealth
    • UnauthorizedAccess
  • Investigate then remediate
    • Behavior
    • UnauthorizedAccess
  • Architecture Change
    • Recon
• Instance Remediation
  • Remediate Compromised Instances
    • Backdoor
    • CryptoCurrency
    • Recon (outgoing)
    • Trojan
    • UnauthorizedAccess
  • Investigate then remediate
    • Behavior
22. Lambda + Systems Manager + CloudWatch
(Diagram, built up step by step over slides 22 through 32.) An Amazon GuardDuty finding matches an Amazon CloudWatch rule, which invokes an AWS Lambda function. The Lambda function runs AWS Systems Manager documents against the affected EC2 instance and changes its security group rules from "3389 => 0.0.0.0/0 (open to world)" to "80, 443 => DataSG" only. Instance contents are collected on the instance with top, pcap and lime (process listing, packet capture and memory acquisition) onto an attached EBS forensics volume, and an Amazon EBS snapshot of the instance's EBS volume is taken. The instance is shown with its elastic network adapters.
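A handler for the "Remediation Actions" mapping on slide 21 and the snapshot-then-isolate flow of slides 22 through 32, written here as an added example rather than code from the deck. The finding purpose is the text before ':' in the GuardDuty finding type and the segment before '/' (EC2 or IAMUser) selects instance versus account remediation; the boto3 ec2 and iam clients are injected so the decision logic runs without AWS, and QUARANTINE_SG is an assumed security group with no ingress rules.

```python
QUARANTINE_SG = "sg-0123456789abcdef0"  # assumed: a security group with no ingress rules

# Slide 21: purposes that get automatic remediation; Behavior findings are investigated first.
INSTANCE_REMEDIATE = {"Backdoor", "CryptoCurrency", "Recon", "Trojan", "UnauthorizedAccess"}
ACCOUNT_REMEDIATE = {"PenTest", "Recon", "Stealth", "UnauthorizedAccess"}


def plan(finding_type):
    """Map 'Purpose:Resource/Name' to (target, action), e.g. ('instance', 'remediate')."""
    purpose, rest = finding_type.split(":", 1)
    resource = rest.split("/", 1)[0]
    if resource == "EC2":
        return "instance", "remediate" if purpose in INSTANCE_REMEDIATE else "investigate"
    if resource == "IAMUser":
        return "account", "remediate" if purpose in ACCOUNT_REMEDIATE else "investigate"
    return "unknown", "investigate"


def handler(event, ec2, iam):
    """Lambda entry point for the GuardDuty -> CloudWatch Events -> Lambda flow.
    ec2 and iam are boto3 clients (injected so tests can pass fakes)."""
    detail = event["detail"]
    target, action = plan(detail["type"])
    if action != "remediate":
        return [f"investigate:{detail['type']}"]  # hand off to a human, no automatic change
    taken = []
    if target == "instance":
        iid = detail["resource"]["instanceDetails"]["instanceId"]
        # Preserve evidence before touching the instance: snapshot every attached volume.
        vols = ec2.describe_volumes(
            Filters=[{"Name": "attachment.instance-id", "Values": [iid]}])["Volumes"]
        for vol in vols:
            snap = ec2.create_snapshot(VolumeId=vol["VolumeId"],
                                       Description=f"forensics {iid} {detail['type']}")
            taken.append(f"snapshot:{snap['SnapshotId']}")
        # Isolate: replace the instance's security groups with the quarantine group.
        ec2.modify_instance_attribute(InstanceId=iid, Groups=[QUARANTINE_SG])
        taken.append(f"isolate:{iid}")
    elif target == "account":
        key = detail["resource"]["accessKeyDetails"]
        # Deactivate rather than delete: the key stays available as evidence.
        iam.update_access_key(UserName=key["userName"], AccessKeyId=key["accessKeyId"],
                              Status="Inactive")
        taken.append(f"deactivate:{key['accessKeyId']}")
    return taken
```

In a real deployment the Lambda role needs only ec2:DescribeVolumes, ec2:CreateSnapshot, ec2:ModifyInstanceAttribute and iam:UpdateAccessKey, which keeps the remediation function itself from becoming a high-value credential.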