© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jeff Puchalski, AWS Security
A Case Study on Insider Threat Detection
(Or, they’re inside the walls!)
May 2018
What to expect from this session
• Introduction
• Discussion of the services used
• The insider threat
• The crunchy outer shell defense!
• Auto remediation
AWS security solutions
• Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
• Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
• Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
• Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
• Incident response: AWS Config Rules, AWS Lambda
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
What can you do?
• Continuous monitoring to rapidly detect threats (the needle) to your environments in the sea of log data (the haystack)
• Processes AWS CloudTrail logs and Amazon VPC flow logs
• Analyzes billions of events across your AWS accounts for signs of risk
• Identifies unexpected and suspicious activity, such as privilege escalation, exposed credentials, and communication with malicious IPs
• Can send findings to CloudWatch Events
Amazon Macie
Machine learning-powered security service to discover, classify, and protect sensitive data
What can you do?
• Helps you better understand where sensitive information is stored
• Discovers and classifies data in S3 buckets
• Shows how your data is being accessed, including user authentications and access patterns
• Uses machine learning (ML) to detect and alarm on potential threats
• Finds user behavior outliers that indicate possible compromise
• Can send findings to CloudWatch Events
AWS CloudTrail
Track user activity and API usage
What can you do?
• Simplify compliance audits and incident response by automatically recording and storing activity logs for your AWS account
• Logs API calls made to AWS services
• 7-day event history on by default
• Create log “trails” stored to S3
• Optional KMS encryption
• Optional log file integrity validation
• Optional data-level event logging for S3 and Lambda
• Can send events to CloudWatch Events
Amazon CloudWatch
Monitoring service for AWS cloud resources and the applications you run on AWS
What can you do?
• Monitor resource utilization, operational performance, and overall demand patterns
• Gather metrics such as CPU utilization, disk reads / writes, and network traffic
• Configure alarms based on metrics and connect them with Auto Scaling, SNS, Lambda, etc.
• Add custom metrics or derive metrics from logs using metric filters
• Create interactive dashboards with charts
• Billing alerts to identify unusual account activity
VPC Flow Logs
Capture network flow information about the IP traffic going to and from interfaces in your VPC
What can you do?
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
• Flow log data is stored using Amazon CloudWatch Logs
AWS WAF
Web application firewall to help detect and block malicious web requests targeted at your web applications
What can you do?
• Deploy new rules within minutes, letting you respond quickly to changing traffic patterns
• Use the full-featured API to automate the creation, deployment, and maintenance of web security rules
• Put web security at multiple points in the development chain by defining application-specific rules that increase web security as you develop your application
Humans and data don’t mix
So who is inside the walls, exactly?
- Enterprise employees, consultants, contractors, and you!
- Humans are potential breach vectors for your systems
- For today, pretend that the following types of insider threat are handled by your team:
  - Bad actors
  - Actors operating outside their role or responsibilities
  - Actors operating correctly but on the wrong resource
Who is responsible?
- Ownership and classification of an event is a question your org/team needs to discuss and agree upon
  - Different in each enterprise, vertical, etc.
- You must have one group that is a catch-all
  - Responsible for events that don’t fall into anyone’s bucket
Target of the discussion
The simple environment to the left has specific needs and allows for direct detection of threats if:
• The system has little human interaction
• It follows normal patterns and timed procedures
• It has a limited, well-defined scope and functions
[Diagram: AWS Cloud > Virtual Private Cloud spanning Availability Zone A and Availability Zone B, each with a Web Server and an App Server; RDS DB instance with a standby instance (multi-AZ)]
Target of the discussion
This is more realistic:
• System has lots of human interaction
• No patterns or timed procedures
• No scope
Building a crunchy outer shell
• Does not defend complex systems from an
insider threat
• Does not adequately defend simple systems
either
• Avoid assumptions about the target or
intentions of an insider threat
• Not always malicious intent
• Humans make mistakes
Target of the discussion
• Unify logs/trails
• Implement similar checks in all accounts
• Watch for changes, not just actions
• Unify events/findings into CloudWatch Dashboards
• Set up SNS topics to route notifications
• Trigger CloudWatch Events based on actions in the environment
Responding to Findings: Remediation
• Remediate a compromised EC2 instance
• Remediate compromised IAM credentials (i.e., access key + secret)
Automated Remediation Flow: Amazon GuardDuty → Amazon CloudWatch (CloudWatch Event) → AWS Lambda (Lambda Function)
CloudWatch Events Rules
Rule for single GuardDuty finding type with Lambda function and SNS topic targets
CloudWatch Events Rules
Rule for all GuardDuty findings with a single Lambda function target
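The two rules on the slides above, written out as an added example (not code from the deck): the single-finding-type rule pins `detail.type` and fans out to a Lambda function and an SNS topic, the all-findings rule constrains only `source` and `detail-type` and hands everything to one Lambda. `register_rule` assumes an object with the boto3 CloudWatch Events `put_rule` / `put_targets` calls; the recording fake, the account id, region, rule names and ARNs are constructed placeholders so the block runs offline. `matches` implements the subset of the pattern semantics these rules rely on (exact values, nested keys, unconstrained keys), so you can see which rule a constructed finding reaches.

```python
import json

# Rule for one finding type (slide "Rule for single GuardDuty finding type"):
# the pattern pins detail.type, so only that type reaches its Lambda and SNS targets.
def single_finding_pattern(finding_type):
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"type": [finding_type]},
    }

# Rule for every finding (slide "Rule for all GuardDuty findings"): no detail
# constraint, one Lambda target that does the triage itself.
def all_findings_pattern():
    return {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

def matches(pattern, event):
    """Subset of the CloudWatch Events pattern semantics: every key in the
    pattern must exist in the event; a list in the pattern is the set of
    accepted values; a nested dict recurses. Keys absent from the pattern
    are unconstrained, which is why the all-findings rule ignores detail."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(v in allowed for v in candidates):
                return False
    return True

def register_rule(events, name, pattern, target_arns):
    """Create (or update) the rule, then attach every target with its own Id.
    `events` is assumed to expose the boto3 CloudWatch Events API."""
    events.put_rule(Name=name, EventPattern=json.dumps(pattern), State="ENABLED")
    targets = [{"Id": f"{name}-{i}", "Arn": arn} for i, arn in enumerate(target_arns)]
    events.put_targets(Rule=name, Targets=targets)
    return targets

# Constructed sample events, abridged to the fields the patterns look at.
SSH_BRUTE_FORCE = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
               "resource": {"resourceType": "Instance"}},
}
PORT_PROBE = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
               "resource": {"resourceType": "Instance"}},
}
EC2_STATE_CHANGE = {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
                    "detail": {"state": "stopped"}}

class RecordingEventsClient:
    """Offline stand-in for boto3's events client; records the calls made."""
    def __init__(self):
        self.calls = []
    def put_rule(self, **kwargs):
        self.calls.append(("put_rule", kwargs))
        return {"RuleArn": "arn:aws:events:us-east-1:111122223333:rule/" + kwargs["Name"]}
    def put_targets(self, **kwargs):
        self.calls.append(("put_targets", kwargs))
        return {"FailedEntryCount": 0, "FailedEntries": []}

def route(event, rules):
    """Names of the rules whose pattern matches `event` (each rule fires independently)."""
    return [name for name, pattern in rules.items() if matches(pattern, event)]

def demo():
    events = RecordingEventsClient()
    account, region = "111122223333", "us-east-1"   # constructed placeholders
    rules = {
        "gd-ssh-bruteforce": single_finding_pattern("UnauthorizedAccess:EC2/SSHBruteForce"),
        "gd-all-findings": all_findings_pattern(),
    }
    register_rule(events, "gd-ssh-bruteforce", rules["gd-ssh-bruteforce"], [
        f"arn:aws:lambda:{region}:{account}:function:isolate-instance",
        f"arn:aws:sns:{region}:{account}:security-alerts",
    ])
    register_rule(events, "gd-all-findings", rules["gd-all-findings"], [
        f"arn:aws:lambda:{region}:{account}:function:triage-finding",
    ])
    return {"calls": events.calls,
            "ssh": route(SSH_BRUTE_FORCE, rules),
            "probe": route(PORT_PROBE, rules),
            "ec2": route(EC2_STATE_CHANGE, rules)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Replace `RecordingEventsClient()` with `boto3.client("events")` to run it for real. Two things the rule itself does not do: the Lambda function needs a resource policy that lets `events.amazonaws.com` invoke it (`lambda add-permission`), and the SNS topic needs a policy allowing the rule to publish; without both, `put_targets` succeeds but the targets never fire, which is an easy thing to miss when testing an auto-remediation pipeline.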
GuardDuty Findings: Threat Purpose Details
Describes threats by their primary purpose
• Backdoor: resource compromised and capable of contacting its source home
• Behavior: activity that differs from the established baseline
• CryptoCurrency: detected software associated with cryptocurrencies
• PenTest: activity detected similar to that generated by known penetration-testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide its actions / tracks
• Trojan: program detected carrying out suspicious activity
• UnauthorizedAccess: suspicious activity / pattern by an unauthorized user
Remediation Actions
• Account Remediation
  • Remediate AWS credentials
    • PenTest
    • Recon (blacklisted IP)
    • Stealth
    • UnauthorizedAccess
  • Investigate then remediate
    • Behavior
    • UnauthorizedAccess
  • Architecture change
    • Recon
• Instance Remediation
  • Remediate compromised instances
    • Backdoor
    • CryptoCurrency
    • Recon (outgoing)
    • Trojan
    • UnauthorizedAccess
  • Investigate then remediate
    • Behavior
Lambda + Systems Manager + CloudWatch
[Diagram, built up over nine slides: Amazon GuardDuty → Amazon CloudWatch rule → AWS Lambda function → AWS Systems Manager documents run against the EC2 instance (shown as an ec2-user shell: "Instance:~ ec2-user$ _")]
• The instance’s elastic network adapters carry its security group rules: 3389 => 0.0.0.0/0 (open to world) and 80, 443 => DataSG
• After remediation a single adapter with 80, 443 => DataSG remains; the rule open to the world is gone
• Systems Manager documents collect volatile state on the instance: "Instance:~ ec2-user$ top", "Instance:~ ec2-user$ pcap", "Instance:~ ec2-user$ lime"
• The instance’s EBS Volume is preserved for EBS forensics as an Amazon EBS snapshot
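What the Lambda function at the centre of the "Remediation Actions" slide and the "Lambda + Systems Manager + CloudWatch" build-up would do, as an added example that is not code from the deck. The purpose-to-action tables are this example's reading of the Remediation Actions slide (UnauthorizedAccess is treated as auto-remediate, Behavior as investigate, Recon against an access key as an architecture change); `ec2`, `iam` and `ssm` are assumed to expose the boto3 calls named here, and the fakes at the bottom let it run offline. `QUARANTINE_SG`, the instance and key ids and the command id are constructed placeholders; `VOLATILE_COMMANDS` stands in for the deck’s top / pcap / lime step.

```python
# Threat purpose -> action for each resource type, as read from the
# "Remediation Actions" slide. Unknown purposes never trigger automatic action.
INSTANCE_ACTIONS = {
    "Backdoor": "remediate", "CryptoCurrency": "remediate", "Recon": "remediate",
    "Trojan": "remediate", "UnauthorizedAccess": "remediate", "Behavior": "investigate",
}
ACCESS_KEY_ACTIONS = {
    "PenTest": "remediate", "Stealth": "remediate", "UnauthorizedAccess": "remediate",
    "Recon": "architecture-change", "Behavior": "investigate",
}
QUARANTINE_SG = "sg-0quarantine000000"          # constructed: a security group with no rules
VOLATILE_COMMANDS = ["top -b -n 1", "ss -tunap"]  # stand-ins for the deck's top / pcap / lime

def threat_purpose(finding_type):
    """GuardDuty types read ThreatPurpose:ResourceType/Family, e.g.
    'UnauthorizedAccess:EC2/SSHBruteForce' -> 'UnauthorizedAccess'."""
    return finding_type.split(":", 1)[0]

def classify(detail):
    """Return (resource type, action) for a finding's `detail` document."""
    rtype = detail["resource"]["resourceType"]
    table = {"Instance": INSTANCE_ACTIONS, "AccessKey": ACCESS_KEY_ACTIONS}.get(rtype, {})
    return rtype, table.get(threat_purpose(detail["type"]), "investigate")

def isolate_instance(ec2, ssm, instance_id):
    """Instance remediation from the build-up slides: swap the security groups
    for the quarantine SG (which drops a 3389 => 0.0.0.0/0 style rule along with
    everything else), snapshot each EBS volume for forensics, then collect
    volatile state through a Systems Manager document before anything is stopped."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    snapshots = [
        ec2.create_snapshot(VolumeId=m["Ebs"]["VolumeId"],
                            Description=f"forensics {instance_id}")["SnapshotId"]
        for m in inst["BlockDeviceMappings"] if "Ebs" in m
    ]
    cmd = ssm.send_command(InstanceIds=[instance_id], DocumentName="AWS-RunShellScript",
                           Parameters={"commands": VOLATILE_COMMANDS})
    return {"quarantine_sg": QUARANTINE_SG, "snapshots": snapshots,
            "command_id": cmd["Command"]["CommandId"]}

def deactivate_access_key(iam, user_name, access_key_id):
    """Credential remediation: set the key Inactive rather than deleting it, so
    the key id stays resolvable during the CloudTrail investigation."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    return {"user": user_name, "access_key": access_key_id, "status": "Inactive"}

def handle_finding(event, ec2, iam, ssm):
    """Lambda-style entry point: `event` is the CloudWatch Events payload."""
    detail = event["detail"]
    rtype, action = classify(detail)
    result = {"type": detail["type"], "action": action}
    if action != "remediate":
        return result
    if rtype == "Instance":
        result.update(isolate_instance(ec2, ssm, detail["resource"]["instanceDetails"]["instanceId"]))
    else:
        key = detail["resource"]["accessKeyDetails"]
        if key.get("userType") != "IAMUser":   # role sessions carry no IAM key to deactivate
            result["action"] = "investigate"
            return result
        result.update(deactivate_access_key(iam, key["userName"], key["accessKeyId"]))
    return result

# Constructed sample findings (abridged CloudWatch Events payloads).
INSTANCE_FINDING = {"detail": {
    "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0example0000000001"}}}}
KEY_FINDING = {"detail": {
    "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "resource": {"resourceType": "AccessKey",
                 "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLEKEY000001",
                                      "userName": "build-bot", "userType": "IAMUser"}}}}
BEHAVIOR_FINDING = {"detail": {
    "type": "Behavior:EC2/NetworkPortUnusual",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0example0000000002"}}}}

class FakeEC2:   # offline stand-ins for the boto3 clients; each records its calls
    def __init__(self): self.calls = []
    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{"BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root0000000001"}}]}]}]}
    def modify_instance_attribute(self, **kw): self.calls.append(("modify_instance_attribute", kw))
    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw)); return {"SnapshotId": "snap-for-" + kw["VolumeId"]}
class FakeIAM:
    def __init__(self): self.calls = []
    def update_access_key(self, **kw): self.calls.append(("update_access_key", kw))
class FakeSSM:
    def __init__(self): self.calls = []
    def send_command(self, **kw):
        self.calls.append(("send_command", kw)); return {"Command": {"CommandId": "cmd-0001"}}
```

In a real deployment the handler creates the three clients with `boto3.client(...)` and its execution role needs `ec2:DescribeInstances`, `ec2:ModifyInstanceAttribute`, `ec2:CreateSnapshot`, `ssm:SendCommand` and `iam:UpdateAccessKey`; the quarantine group must exist in the instance’s VPC, and `send_command` only reaches instances that run the SSM agent under an instance profile that allows it. The order matters: quarantining first stops further traffic, the snapshot fixes the disk state, and the volatile collection runs while the process and socket state the deck’s top / pcap / lime step is after still exists.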

How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

A Case Study on Insider Threat Detection

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jeff Puchalski, AWS Security
A Case Study on Insider Threat Detection (Or, they’re inside the walls!)
May 2018

2. What to expect from this session
• Introduction
• Discussion of the services used
• The insider threat
• The crunchy outer shell defense!
• Auto remediation

3. AWS security solutions
• Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On
• Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
• Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
• Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
• Incident response: AWS Config Rules, AWS Lambda

4. Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
What can you do?
• Continuous monitoring to rapidly detect threats (needle) to your environments in the sea of log data (haystack)
• Processes AWS CloudTrail logs and Amazon VPC flow logs
• Analyzes billions of events across your AWS accounts for signs of risk
• Identifies unexpected and suspicious activity, such as privilege escalation, exposed creds, and communication with malicious IPs
• Can send findings to CloudWatch Events

5. Amazon Macie
Machine learning-powered security service to discover, classify, and protect sensitive data
What can you do?
• Helps you better understand where sensitive information is stored
• Discovers and classifies data in S3 buckets
• Shows how your data is being accessed, including user authentications and access patterns
• Uses machine learning (ML) to detect and alarm on potential threats
• Finds user behavior outliers that indicate possible compromise
• Can send findings to CloudWatch Events

6. AWS CloudTrail
Track user activity and API usage
What can you do?
• Simplify compliance audits and incident response by automatically recording and storing activity logs for your AWS account
• Logs API calls made to AWS services
• 7-day event history on by default
• Create log “trails” stored to S3
• Optional KMS encryption
• Optional log file integrity validation
• Optional data-level event logging for S3 and Lambda
• Can send events to CloudWatch Events

7. Amazon CloudWatch
Monitoring service for AWS cloud resources and the applications you run on AWS
What can you do?
• Monitor resource utilization, operational performance, and overall demand patterns
• Gather metrics such as CPU utilization, disk reads / writes, and network traffic
• Configure alarms based on metrics and connect with AutoScaling, SNS, Lambda, etc.
• Add custom metrics or derive metrics from logs using metric filters
• Create interactive dashboards with charts
• Billing alerts to ID unusual account activity

8. VPC Flow Logs
Capture network flow information about the IP traffic going to and from interfaces in your VPC
What can you do?
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
• Flow log data is stored using Amazon CloudWatch Logs

9. AWS WAF
Web application firewall to help detect and block malicious web requests targeted at your web applications
What can you do?
• Deploy new rules within minutes, letting you respond quickly to changing traffic patterns
• Use the full-featured API to automate the creation, deployment, and maintenance of web security rules
• Put web security at multiple points in the development chain by defining application-specific rules that increase web security as you develop your application
10. Humans and data don’t mix

11. So who is inside the walls, exactly?
• Enterprise employees, consultants, contractors, and you!
• Humans are potential breach vectors for your systems
• For today, pretend that the following types of insider threat are handled by your team:
  • Bad actors
  • Actors operating outside their role or responsibilities
  • Actors operating correctly but on the wrong resource

12. Who is responsible?
• Ownership and classification of an event is a question your org/team needs to discuss and agree upon
• Different in each enterprise, vertical, etc.
• You must have one group that is a catch-all
  • Responsible for events that don’t fall into anyone’s bucket

13. Target of the discussion
The simple environment to the left has specific needs and allows for direct detection of threats if:
• The system has little human interaction
• Normal patterns, and timed procedures
• Limited, well-defined scope and functions
(Diagram: AWS Cloud, one Virtual Private Cloud spanning Availability Zone A and Availability Zone B, each with a Web Server and an App Server; an RDS DB instance with a standby instance (multi-AZ).)

14. Target of the discussion
This is more realistic:
• System has lots of human interaction
• No patterns or timed procedures
• No scope

15. Building a crunchy outer shell
• Does not defend complex systems from an insider threat
• Does not adequately defend simple systems either
• Avoid assumptions about the target or intentions of an insider threat
  • Not always malicious intent
  • Humans make mistakes

16. Target of the discussion
• Unify Logs/Trail
• Implement similar checks in all accounts
• Watch for changes, not just actions
• Unify events/findings into CloudWatch Dashboards
• Set up SNS Topics to route notifications
• Trigger CloudWatch Events based on actions in the environment
17. Responding to Findings: Remediation
• Remediate a compromised EC2 instance
• Remediate compromised IAM credentials (i.e., access key + secret)
(Diagram, Automated Remediation Flow: Amazon GuardDuty → Amazon CloudWatch (CloudWatch Event) → AWS Lambda (Lambda Function).)

18. CloudWatch Events Rules
Rule for single GuardDuty finding type with Lambda function and SNS topic targets

19. CloudWatch Events Rules
Rule for all GuardDuty findings with a single Lambda function target
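The two rule shapes from slides 18 and 19 are not shown in the transcript, so here is an added example (my code, not the deck's) of what the event patterns look like, together with a small matcher that applies a pattern the way a CloudWatch Events rule does. The finding type in the single-finding rule and the sample event are constructed for illustration; the `source` and `detail-type` values are the ones GuardDuty actually emits.

```python
"""Added example: CloudWatch Events rule patterns for GuardDuty findings.

Not the deck's own code. SAMPLE_EVENT is a constructed finding event in the
shape GuardDuty delivers to CloudWatch Events; the instance id is fake.
"""

# Slide 18: rule that fires on ONE GuardDuty finding type (targets would be a
# Lambda function and an SNS topic; targets live outside the pattern).
SINGLE_FINDING_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": ["UnauthorizedAccess:EC2/SSHBruteForce"]},
}

# Slide 19: rule that fires on ALL GuardDuty findings (one Lambda target that
# then decides what to do, as slide 21 lays out).
ALL_FINDINGS_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}


def matches(pattern, event):
    """Return True when `event` satisfies `pattern`.

    CloudWatch Events semantics for the subset used here: every key in the
    pattern must be present in the event; a list means "the event value is one
    of these"; a nested dict is matched recursively. Event keys that the
    pattern does not mention are ignored.
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


# Constructed sample event (fields follow the GuardDuty finding event layout).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},  # fake id
        },
    },
}


def route(event):
    """Return the names of the rules that would fire for `event`, in order."""
    fired = []
    if matches(SINGLE_FINDING_RULE, event):
        fired.append("single-finding-rule")
    if matches(ALL_FINDINGS_RULE, event):
        fired.append("all-findings-rule")
    return fired


if __name__ == "__main__":
    print(route(SAMPLE_EVENT))  # both rules fire for this finding type
```

Why this matters for the two designs on slides 18 and 19: with per-type rules the routing logic lives in CloudWatch Events and each rule is easy to audit on its own; with one catch-all rule the routing logic moves into the Lambda function, which is where the mapping on slide 21 has to be kept correct.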
20. GuardDuty Findings: Threat Purpose
Describes threats by their primary purpose
• Backdoor: resource compromised and capable of contacting its source home
• Behavior: activity that differs from the established baseline
• CryptoCurrency: detected software associated with cryptocurrencies
• PenTest: activity detected similar to that generated by known pen testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide actions / tracks
• Trojan: program detected carrying out suspicious activity
• UnauthorizedAccess: suspicious activity / pattern by an unauthorized user

21. Remediation Actions
Account Remediation
• Remediate AWS credentials: PenTest, Recon (blacklisted IP), Stealth, UnauthorizedAccess
• Investigate then remediate: Behavior, UnauthorizedAccess
• Architecture change: Recon
Instance Remediation
• Remediate compromised instances: Backdoor, CryptoCurrency, Recon (outgoing), Trojan, UnauthorizedAccess
• Investigate then remediate: Behavior
22–32. Lambda + Systems Manager + CloudWatch
(Diagram sequence, built up one element per slide. Components: Amazon GuardDuty → Amazon CloudWatch rule → AWS Lambda (Lambda function) → AWS Systems Manager documents → EC2 instance (instance contents, shell prompt `Instance:~ ec2-user$ _`).)
• 22–24: the base flow above.
• 25: the instance is shown with two elastic network adapters.
• 26: an EBS Volume is attached to the instance.
• 27: the instance’s security group rules are shown: `3389 => 0.0.0.0/0 (open to world)` and `80, 443 => DataSG`.
• 28: the instance is left with one elastic network adapter and only `80, 443 => DataSG`; the world-open 3389 rule is gone.
• 29: forensic commands are run on the instance through Systems Manager:
  Instance:~ ec2-user$ top
  Instance:~ ec2-user$ pcap
  Instance:~ ec2-user$ lime
• 30–31: EBS Forensics on the attached volume.
• 32: an Amazon EBS snapshot is taken of the volume.
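To make the routing on slide 21 and the instance flow on slides 22–32 concrete, here is an added example (my code, not the deck's or AWS's) of a Lambda-style handler: it classifies a finding into the account or instance column of slide 21, then isolates the instance by swapping its security groups, runs volatile-data collection through Systems Manager, and snapshots the EBS volume. The `RecordingClient` stands in for boto3 so the example runs offline; the method names and keyword arguments mirror the real `ec2`, `ssm` and `iam` client calls. The forensic security group id, the volume ids, the finding payloads and the exact commands behind the `top`/`pcap`/`lime` prompts are assumptions, labelled in the code.

```python
"""Added example: GuardDuty finding -> slide-21 remediation class -> instance
isolation and forensics (slides 22-32). Not the deck's own code; all ids and
findings below are constructed."""

ACCOUNT_REMEDIATE = {"PenTest", "Recon", "Stealth", "UnauthorizedAccess"}
INSTANCE_REMEDIATE = {"Backdoor", "CryptoCurrency", "Recon", "Trojan", "UnauthorizedAccess"}
INVESTIGATE = {"Behavior"}

# Assumption: a pre-built security group that admits only the analyst hosts.
FORENSIC_SG = "sg-forensics-PLACEHOLDER"
# Assumption: concrete commands behind the `top`, `pcap`, `lime` prompts on slide 29.
FORENSIC_COMMANDS = [
    "top -b -n 1 > /var/tmp/forensics-top.txt",
    "tcpdump -c 1000 -w /var/tmp/forensics.pcap",
    'insmod /opt/lime/lime.ko "path=/var/tmp/mem.lime format=lime"',
]


def classify(finding):
    """Return 'account', 'instance' or 'investigate' per slide 21.

    Finding types read 'ThreatPurpose:ResourceType/Name'. The affected resource
    decides the column: an IAM access key means account remediation, an EC2
    instance means instance remediation. Anything unmapped goes to a human, the
    catch-all group from slide 12.
    """
    purpose = finding["type"].split(":", 1)[0]
    resource = finding["resource"]["resourceType"]
    if purpose in INVESTIGATE:
        return "investigate"
    if resource == "AccessKey" and purpose in ACCOUNT_REMEDIATE:
        return "account"
    if resource == "Instance" and purpose in INSTANCE_REMEDIATE:
        return "instance"
    return "investigate"


class RecordingClient:
    """Stand-in for a boto3 client: records every call instead of making it."""
    def __init__(self, name):
        self.name = name
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {"SnapshotId": "snap-constructed"} if method == "create_snapshot" else {}
        return call


def remediate_instance(finding, volume_ids, ec2, ssm):
    """Slides 27-32: isolate, collect volatile data, snapshot.

    volume_ids is passed in (constructed here); in real use look them up with
    ec2.describe_instances before calling this.
    """
    instance_id = finding["resource"]["instanceDetails"]["instanceId"]
    # Slides 27-28: replace every security group (including 3389 => 0.0.0.0/0)
    # with the forensic group so only analysts can reach the instance.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[FORENSIC_SG])
    # Slide 29: run the collection commands through Systems Manager.
    ssm.send_command(InstanceIds=[instance_id], DocumentName="AWS-RunShellScript",
                     Parameters={"commands": FORENSIC_COMMANDS})
    # Slides 30-32: snapshot the attached volume(s) for offline EBS forensics.
    snapshots = [ec2.create_snapshot(VolumeId=v, Description=f"forensics {instance_id} {finding['type']}")["SnapshotId"]
                 for v in volume_ids]
    return {"instance": instance_id, "isolated_with": FORENSIC_SG, "snapshots": snapshots}


def remediate_account(finding, iam):
    """Slide 21, account column: deactivate the exposed access key."""
    key = finding["resource"]["accessKeyDetails"]
    iam.update_access_key(UserName=key["userName"], AccessKeyId=key["accessKeyId"], Status="Inactive")
    return {"user": key["userName"], "access_key": key["accessKeyId"], "status": "Inactive"}


def handle(finding, ec2, ssm, iam, volume_ids=()):
    """Entry point a Lambda handler would call with event['detail']."""
    action = classify(finding)
    if action == "instance":
        return action, remediate_instance(finding, list(volume_ids), ec2, ssm)
    if action == "account":
        return action, remediate_account(finding, iam)
    return action, {"note": "open a ticket for the catch-all group"}


# Constructed findings (ids are fake; the finding types are real GuardDuty types).
INSTANCE_FINDING = {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
                    "resource": {"resourceType": "Instance",
                                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}
KEY_FINDING = {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", "severity": 5,
               "resource": {"resourceType": "AccessKey",
                            "accessKeyDetails": {"userName": "svc-deploy", "accessKeyId": "AKIAEXAMPLEPLACEHOLDER"}}}
BEHAVIOR_FINDING = {"type": "Behavior:EC2/NetworkPortUnusual", "severity": 5,
                    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}

if __name__ == "__main__":
    ec2, ssm, iam = RecordingClient("ec2"), RecordingClient("ssm"), RecordingClient("iam")
    print(handle(INSTANCE_FINDING, ec2, ssm, iam, volume_ids=["vol-0fakevolume"]))
    print(handle(KEY_FINDING, ec2, ssm, iam))
    print(handle(BEHAVIOR_FINDING, ec2, ssm, iam))
```

Two design points worth carrying into a real handler: the security-group swap happens before the snapshot, so the instance stays up (memory and network state intact for `top`, `pcap` and `lime`) but can no longer talk to anything but the analysts; and `Behavior` findings never trigger an automated action, matching the "investigate then remediate" rows on slide 21, because a baseline deviation from a legitimate insider is exactly the case slide 15 warns against assuming intent for.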