The economics of incidents, and creative ways to thwart future threats - SEP312 - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
The economics of incidents, and creative
ways to thwart future threats
S E P 3 1 2
Nathan Case
Twitter: NathanC54227646
Linkedin: nathancase
AWS Security Specialist
Frans Rosén
Twitter: fransrosen
Linkedin: fransrosen
Security Advisor

Agenda
Introductions
Some basics: Looking backward to look forward
Threats and change
Awareness
The future

Nomore fear, uncertainty, and doubt (FUD)
• This is a “tear off the bandage” talk
• This talk focuses on the impacts of incidents
• This talk focuses on the issues; blame doesn’t help
• Tech is not the answer (humans always spill coffee)
• Public shaming should have stopped in junior high school

Why? (Reason for this talk)

AWS
Security OF
the cloud
AWS is responsible for protecting
the infrastructure that runs all of the
services offered in the AWS Cloud
Security IN
the cloud
Customer responsibility is determined
by the AWS Cloud services that a
customer selects
Customer
Shared responsibility model

Region & number of AZs Announced Regions
Bahrain, Hong Kong SAR, Sweden
3
3
3
3
3
6
2
3
3
3
3
2
233
3
3
42
1
The largest global footprint consistently built with a multi-Availability Zone (AZ) and multi-data center design
AWS AZAWS Region
A Region is a physical location in the
world where we have multiple AZs
AZs consist of one or more discrete
data centers, each with redundant
power, networking, and connectivity,
and housed in separate facilities
Transit
AZ
Data center Data center
Data center
Security OF the cloud
Transit
AZ
AZ
AZ
Scale globally with resilience in every region

Guiding principle
Bad practice is bad practice in
the cloud, the data center, or
whatever comes next

Segmentation
If everything is critical, then nothing is
If you have everything in one basket,
everything shares a classification
If you put all your risks in one
segment, I will target that segment
(If everything is bold…)
Security IN the cloud

Thecloud issafer
Tooling/instrumentation
Secure by default
Eliminating human
interaction/automation

Parts
Social mediaTransport
Everything from a grilling app
to a banking platform
• Worst-case scenario of asset
management
• Data leakage where you least expect it
• When out-of-scope is actually very
much in-scope

Data
Secrets
PII
Collateral data
...
Money
Funds transfer
Compute for mining
Physical good
...
Political
Persona
Cooperate identity
Activist
...
Personal
Social
Phishing
Theft
...
Understanding your critical assets
from the attacker point of view
Working backward from your customer (the hacker)

Thenumberofvulnerabilities
The increased number of
vulnerabilities does not mean that
it’s getting worse
Lack of identified vulnerabilities is
a bigger issue

Threat modeling
If you don't know your assets, you
don't know what to protect and
how to protect your assets, and
you end up building a wall around
everything
Production
TestingDevelopment

Service
IAM
Amazon S3 buckets
Billing
...
Infrastructure
VPC resources
Connectivity
On instance
...
Application
Patching
Coding hole
...
Incident response domains
Understand your attack surface

Availability Zone C
Availability Zone B
VPC CIDR:
10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Security groups
Route table
NACLs
Internet Gateway
Instance compromise
Amazon
S3
Amazon
RDS
IAM
AWS
CloudHSM
AWS
Organization
s
AWSKMS
AWS
Directory
Service
Infrastructure domain
Application domain
Different domains
Service domain

Threats of today have changed, and they're all in it for the
money…Well, sort of
• Hacktivism vs. economically incentivized
• The simplicity of anonymization

Threats of today have changed, and they're all in it for the
money…Well, sort of
• Hacktivism vs. economically incentivized
• The simplicity of anonymization
I honestly wish bug bounties were a “thing”
back in the days I would have been rich and
avoided so much drama :)
18 Dec 2015

Historical outlook of what worked and didn't
Encounter Percentages for Windows systems over: 2013–2017

MicrosoftWindows malwareencounter ratetrend by category
Encounter Percentages for Windows systems over: 2013–2017

Malware, cryptomining,
ransomware
Reviewing the data, we see that a lot of
malware encountered by Windows
machines will be things that require
human help to solve

Internal threats
Generally, open security
boundaries
Development practice
Oddly, the office of no
(The intern or the coffee-soaked,
sleepy admin)

Example: Convenience for QA

Username: qa_test_xxx@xxx
Password: azerty13
2FA-code

Username: qa_test_xxx@xxx
Password: azerty13
2FA-code:

Theexternal threats
• Cybercriminals are becoming more agile in their development process
• Shorter vulnerability lifespan—from detection to weaponization
• Criminals will take only a day or hours to implement attacks against the latest
vulnerabilities
• 4-minute breach after credentials to GitHub
• Cloud-based cybercriminals

Theexternal threats
• Cybercriminals are becoming more agile in their development process
• Shorter vulnerability lifespan—from detection to weaponization
• Criminals will take only a day or hours to implement attacks against the latest vulnerabilities
• 4-minute breach after credentials to GitHub

The external threats
• Cybercriminals are becoming more agile in
their development process
• They are business people, just nefariously
so
• This means
• Shorter vulnerability lifespan—from detection to
weaponization
• Criminals will take only a day or hours to implement
attacks against the latest vulnerabilities
• Four-minute breach after credentials to GitHub

So where is the impact?
The average cost for each lost or stolen record containing sensitive and
confidential information also increased by 4.8 percent year over year to $148
This number is repeated by a number of websites, reports, etc.

“Activity-based costing (ABC) is a costing method that identifies activities in an
organization and assigns the cost of each activity to all products and services
according to the actual consumption by each. This model assigns more indirect
costs (overhead) into direct costs compared to conventional costing.”
https://en.wikipedia.org/wiki/Activity-based_costing
Direct cost: The direct expense outlay to accomplish a given activity
Indirect cost: The amount of time, effort, and other organizational resources
allocated to data breach resolution, but not as a direct cash outlay
Opportunity cost: The cost resulting from lost business opportunities as a
consequence of negative rep

While we can view the cost per record stolen, the larger cost is the amount of time
that the enterprise needs to spend in order to deal with a breach
This can often lead to months of project work, stopping new products and
features, causing a long-term type of pain for enterprises
There are no stats for this cost as there is no way to collect the data, verify it, or
compare it between companies

How do we correct it?
If the true loss is not just monetary, but
is forward momentum of enterprise,
how do we fix it?
Back to the basics, with a new focus
• Architectural security
• Planning for failure
• Plan for data privacy
• Plan for the audit

Your security team is your last line of defense
Why start and stop there?

Isthisan example ofarchitectural security?
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Security groups
Route table
NACLs
Internet gateway
Instances
Amazon
S3
Amazon
RDS
IAM
AWS
CloudHSM
AWS
Organization
s
AWSKMS
AWS
Directory
Service

Isthisan example ofarchitectural security?

What isDevSecOps?
DevSecOps is the combination of cultural
philosophies, practices, and tools that exploits the
advances made in IT automation to achieve a state
of production immutability, frequent delivery of
business value, and automated enforcement of
security policy
DevSecOps is achieved by integrating and
automating the enforcement of preventive,
detective, and responsive security controls into the
pipeline
Security
OperationsDevelopment

DevSecOps
Business
Development Operations
Build it faster Keep it stable
Security
Make it secure

DevSecOps
Operations
Security
Development
The business

Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in Amazon GuardDuty. This means that we have an account or machine that has been compromised.
John, our lead developer, added his AWS key and secret key to his most recent Git post. This was found by someone and then sold to a cryptomining company in
another country. We had bad threat detection, and the account was used for a couple of days before we found out.
-or-
John had his laptop stolen and didn’t encrypt his hard drive. Because he kept everything in his local Git Repo, his user was compromised.
Postmortem
Use good development practices. Adding static variables that contain access keys to a Git causes long-term issues for a cloud account.
- Use Git-secrets
- Attend a workshop at re:invent discussing the use of open-source development tools.
- Limit blast radius
- Enjoy one of the multi-account sessions at re:Invent.
The loss of corporate resources that were unencrypted.
- Encrypt hard drives going forward.
- Limit account activities of humans for threat detection.
- Limit account access of people in production and test environments.
Aws_labs repos
https://github.com/awslabs
RCA: CryptoCurrency:EC2/BitcoinTool.B!DNS

Accidental exposure of host access
credentials
Objective: Test response in
determining if customer data was
exposed and the actions taken to
rotate access keys
Imagine developer committed SSH
private key to GitHub
What was changed?
How?
When was the issue contained?
Security incident -> RCA -> SIRS
Possible game 1: "CryptoCurrency:EC2/BitcoinTool.B!DNS"

Simulatelike your
business depends on it
Build teams with developers,
security, and management (and HR
and legal)
Compete with the other parts of
your organization
Compete with a red team
Compete with other companies

Compete like your
business depends on it
• Requirements
• Rules of engagement
• Rules for scoring
• Do not use production or
production data
• Do not be afraid to lose; that is
how we learn
• Engage outside red teams to
teach your developers how to
think
• Be devious

Your security teams are your last line of defense
Don’t do this

Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
Security groups
Route table
If your security teams are your last line of defense, your
developers are your first
If you plan for an incident, when you have an
incident, you will not be surprised
This includes data leaks
GitHub posts
The next thing
Build security champions

Your security team employees are your last line of defense
How does Amazon do it?
Cultural focus on customer obsession that focuses on security (Job 0)
What does that mean?
• What is a Severity 2 trouble ticket?
• Why is the security leadership okay with being called accidentally?

Your security team employees are your last line of defense
Bug bounties/internal gamification
No more security team! Well, not so much
They enhance your testing, not replace it
Beware of exposing your known weak points
Breaches
You have to do your own testing and development process (you have to actually FIX the bug, or you will
pay for it again)

Bug bounties?
The good things
Aligning hackers from a young age into the legal way of helping
Put pressure on your regular security processes
Aligns nicely with DevSecOps and automation
The bad things
Worthless without proper processes
Regression testing?
Again, it’s not a replacement

People are more security-aware than ever before
• We see more vulnerabilities than we ever did before
• Teams are focusing on diversity and changing the way we think
• We have more security tools than ever
• Artificial intelligence and machine learning are changing the landscape
• Whaling still works
• People are bound to do the easy thing
• Businesses focus on the short-term money, not the long-term cost
• Humans are prideful
And I still cannot update human firmware
But

The issues are not with the products
• The future of security is not based in a cool new product
• Privacy, which is part of security, should drive the decisions that you make from
the start
• Adding a firewall is only adding security on one layer and will only provide
limited help
• While humans are the issue, we can also be the solution
• Security teams can be the grease to get things done quickly if they are added in
the beginning
• Use the teams you have, grow them, and train them to be the best that they
can be
But

Thank you!
Nathan Case
Twitter: NathanC54227646
LinkedIn: nathancase
Frans Rosén
Twitter: fransrosen
LinkedIn: fransrosen

The economics of incidents, and creative ways to thwart future threats - SEP312 - AWS re:Inforce 2019

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à The economics of incidents, and creative ways to thwart future threats - SEP312 - AWS re:Inforce 2019

Similaire à The economics of incidents, and creative ways to thwart future threats - SEP312 - AWS re:Inforce 2019 (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

The economics of incidents, and creative ways to thwart future threats - SEP312 - AWS re:Inforce 2019