Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Greg McConnel
Senior Solutions Architect, Security Specialist
AWS
Jesse Fuchs
Senior Solutions Architect, Security Specialist
AWS
SEC331
Now with Security Hub!
Mike Wasielewski
Senior Solutions Architect, Security Specialist
AWS
Ram Ramani
Senior Solutions Architect, Security Specialist
AWS
Agenda
• Intro
• Module 1: Environment setup (20 min)
• Module 2: Attack kick off (and presentation) (40 min)
• Module 3: Detect, investigate & respond (45 min)
• Module 4: Review, questions & cleanup (15 min)
Data Breach Patterns
Source: Verizon 2018 Data Breach Investigations Report, 11th edition
Workshop scenario
Module 1 Agenda
• Run the AWS CloudFormation template (~5 min)
• Manual setup steps (~15 min)
Module 1 setup
Start module 1
https://tinyurl.com/y84cc3pj
(https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp)
Directions:
• Browse to https://tinyurl.com/y84cc3pj
• Read through the workshop scenario
• Click on Environment Build and Configuration at the end
• Complete the module (~15 min) and then stop
Use: US West (Oregon), us-west-2
Module 2 Agenda
• Run the AWS CloudFormation template (~5 min)
• Threat detection and response (~30 min)
• Workshop walkthrough (~5 min)
Start module 2
https://tinyurl.com/y84cc3pj
(https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp)
Directions:
• Browse to https://tinyurl.com/y84cc3pj
• Click on Attack Simulation at the end
• Complete this module (~5 min) then stop
• We will then do a presentation
Use: US West (Oregon), us-west-2
Threat Detection & Response
Intro
Why is threat detection so hard?
• Skills shortage
• Signal to noise
• Large datasets
Get humans away from the data
AWS CISO Stephen Schmidt, at re:Invent 2017: “It's people who make mistakes, it's people who have good intentions
but get phished, it's people who use the same credentials in multiple locations and don't use a hardware token for a
multi-factor authentication… Get the humans away from the data.”
Detecting breaches
Source: Verizon 2018 Data Breach Investigations Report, 11th edition
AWS Security Solutions mapped to the NIST Cybersecurity Framework (https://www.nist.gov/cyberframework)
• Identify: AWS Config, AWS Systems Manager
• Protect: AWS Shield, AWS WAF, AWS Systems Manager, Amazon Inspector, VPC, AWS KMS, AWS CloudHSM, IAM, AWS Organizations, Amazon Cognito, AWS Directory Service, AWS Single Sign-On, AWS Certificate Manager
• Detect: AWS CloudTrail, AWS Config rules, Amazon CloudWatch Logs, AWS Security Hub, Amazon GuardDuty, VPC Flow Logs, Amazon Macie
• Respond: Amazon Inspector, AWS Config rules, AWS Lambda, AWS Systems Manager, Amazon CloudWatch Events, Pro Services AERO
• Recover: AWS Disaster Recovery and Backup Solutions
Threat Detection Services
Threat Detection: Log Data Inputs
• AWS CloudTrail: Track user activity and API usage
• VPC Flow Logs: IP traffic to/from network interfaces in a VPC
• CloudWatch Logs: Monitor apps using log data, store & access log files
• DNS Logs: Log of DNS queries in a VPC when using the VPC DNS resolver
Threat Detection: Machine Learning
• Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
• Amazon Macie: Machine learning-powered security service to discover, classify & protect sensitive data
Threat Detection: Introducing Overbridge (launched as AWS Security Hub)
• Comprehensive view of your security state within AWS.
• Aggregates security findings and alerts generated by other AWS security services.
• Analyze security trends and identify the highest priority security issues.
Security findings providers (Amazon Inspector, Amazon GuardDuty, Amazon Macie) → Overbridge → Findings, Insights
Threat Detection: Evocations/Triggers
• AWS Config: Continuously tracks your resource configuration changes and whether they violate any of the conditions in your rules
• Amazon CloudWatch Events: Delivers a near real-time stream of system events that describe changes in AWS resources
Amazon CloudWatch Events: GuardDuty findings → CloudWatch Event → Lambda function
Respond
Threat Response
• AWS Lambda: Run code for virtually any kind of application or backend service – zero administration
• AWS Systems Manager: Gain operational insights and take action on AWS resources
• Amazon Inspector: Automate security assessments of EC2 instances
High-Level Playbook: Adversary or intern → Your environment → CloudWatch Events → Lambda function
Detailed Playbook
Detect → Investigate → Respond: findings from Amazon GuardDuty, VPC Flow Logs, Amazon Inspector, AWS CloudTrail and AWS Config flow through Amazon CloudWatch Events to a Lambda function, which calls AWS APIs and notifies the team (team collaboration: Slack etc.).
Review Questions
• How do GuardDuty and Macie differ when it comes to CloudTrail
analysis?
• What services are important for automation of response?
• What performance impact does GuardDuty have on your account if you have more than 100 VPCs?
• Which of the services discussed have direct access to your EC2
instances?
Workshop walkthrough
Attack Target
The Attack
Module 3 setup
Start module 3
https://tinyurl.com/y84cc3pj
(https://github.com/aws-samples/aws-security-workshops/tree/master/threat-detection-wksp)
Directions:
• Browse to https://tinyurl.com/y84cc3pj
• Click on Detection & Remediation at the end
• Run through this module (~45 min)
• Last 15 minutes will be devoted to module 4
Use: US West (Oregon), us-west-2
Module 4 Agenda
• Review (5 min)
• Questions (10 min)
• Cleanup
Scenario discussion
The Attack
What really happened?
Questions
Workshop question – GuardDuty
Why did the API calls from the “malicious host” generate GuardDuty
findings?
Workshop questions – EC2 & GuardDuty
• The lab mentions that you can ignore the high severity SSH brute force attack finding. Why?
• How does that differ from the low severity SSH brute force finding we
investigated? What does this say about the types of threats
GuardDuty prioritizes?
• What key remediation step was missed regarding the SSH brute force
attack?
• How would you remediate it?
Workshop question – Security Hub
We use Security Hub (Overbridge) to investigate the threat. Is it a detect or a response service (or both, or other)?
Source: NIST Cybersecurity Framework, 2018 - https://www.nist.gov/cyberframework
Workshop question – Amazon S3 & Macie
• Macie had an alert for “S3 bucket IAM policy grants global read
rights.” We investigated that bucket in the workshop. Were the
objects in the bucket actually publicly accessible?
• What remediation step did we miss for the data S3 bucket?
Workshop question – Amazon S3 & Encryption
• What type of server side encryption was used to encrypt the
objects in the data bucket?
• Would Macie be able to classify the objects in the data bucket if
they were encrypted using AWS KMS server side encryption?
• If the bucket had a policy that allowed global reads, would the encrypted objects be accessible?
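A check for the condition behind the Macie alert quoted above ("S3 bucket IAM policy grants global read rights"), added here as an example rather than taken from the workshop: it walks a bucket policy for Allow statements that give an anonymous principal an action matching s3:GetObject (including wildcards such as s3:Get* or s3:*), reports statements that carry a Condition separately instead of treating them as safe, and remediates by enabling S3 Block Public Access on the bucket. The policy document, bucket name and fake S3 client are constructed for the example; put_public_access_block is the real S3 API call.

```python
"""Added example (not from the workshop): find bucket policy statements that
grant anonymous read access, the condition behind Macie's "S3 bucket IAM
policy grants global read rights" alert, and remediate by turning on the
bucket's Block Public Access settings. The policy document, bucket name and
FakeS3 client are constructed for the example; the API call is real."""
import fnmatch
import json


def _as_list(value):
    """IAM policy JSON allows a string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def _anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def global_read_statements(policy):
    """Return Allow statements whose Principal is anonymous and whose Action
    matches s3:GetObject (including wildcards such as s3:Get* or s3:*).
    Statements with a Condition block are reported too, flagged as
    conditional: whether the condition really restricts access is for a
    human to decide, so they are never silently treated as safe."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _anonymous(st.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions):
            hits.append({"sid": st.get("Sid"), "actions": actions,
                         "conditional": "Condition" in st})
    return hits


def remediate_public_read(bucket, policy, s3):
    """If the policy grants global reads, enable all four Block Public Access
    settings. RestrictPublicBuckets makes S3 ignore the public grant without
    deleting the policy, which keeps the evidence for the investigation."""
    hits = global_read_statements(policy)
    if not hits:
        return {"bucket": bucket, "public_read": False, "remediated": False}
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    return {"bucket": bucket, "public_read": True, "remediated": True,
            "statements": hits}


class FakeS3:
    """Constructed stand-in for boto3's S3 client; records the calls made."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kw):
        self.calls.append(("put_public_access_block", kw))


# Constructed sample: a data bucket whose policy opens object reads to everyone
# while a second statement legitimately lets an application role write.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data-bucket/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-writer"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-data-bucket/*"}
  ]
}""")
```

In a real run the policy comes from get_bucket_policy and s3 is boto3.client("s3"); the check deliberately ignores NotPrincipal/NotAction forms, so a policy using those still needs a manual review.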
Cleanup
Links for items we discussed
• https://aws.amazon.com/security/
• https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
• https://www.nist.gov/cyberframework
• https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
• https://www.forbes.com/forbesinsights/bmc_security/index.html
Thank you!
Greg McConnel
gmcconne@amazon.com