The document discusses threat detection and mitigation techniques at AWS. It describes how AWS services like GuardDuty, CloudTrail, and VPC Flow Logs can be used to detect threats. It also discusses how tools like AWS Lambda, Systems Manager, and Step Functions can help with automating response and remediation. The document provides examples of high-level workflows that leverage these services to quickly detect and respond to security incidents.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection and mitigation at AWS
Nathan Case
Solutions Architect, Security Specialist Focused on Incident Response and
Threat Detection
S E C 3 0 1

2. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS Identity & Access
Management (IAM)
AWS Organizations
Amazon Cognito
AWS Directory Service
AWS Single Sign-On
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
Amazon EC2
Systems Manager
AWS Shield
AWS WAF
Amazon Inspector
Amazon VPC
AWS KMS
AWS CloudHSM
Amazon Macie
ACM
Server-Side Encryption
AWS Config rules
AWS Lambda
AWS Enterprise Support
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS security solutions

3. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Why is traditional threat detection so hard?
CostSignal to noiseLarge datasets

4. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Humans and data don’t mix

5. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudTrail
Track user activity
and API usage
Threat Detection: Log Data Inputs
VPC Flow Logs
IP traffic to/from
network interfaces
in your VPC
CloudWatch Logs
Monitor apps using
log data, store &
access log files
DNS Logs
Log of DNS queries
in a VPC when using
the VPC DNS
resolver

6. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS CloudTrail

7. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Detect with VPC Flow Logs
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start & end time
Accept or
Reject

8. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Amazon CloudWatch Logs Subscriptions
• Real-time feed of log events
• Delivered to an AWS Lambda
function or an Amazon Kinesis Data
Stream
• Supports custom processing,
analysis, loading into other systems
• Cross-account data sharing for
centralized log processing

9. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat Detection
Amazon GuardDuty
Intelligent threat detection and
continuous monitoring to protect
your AWS accounts and workloads
AWS Security Hub
AWS Security Hub gives you a
comprehensive view of your
high-priority security alerts and
compliance status across AWS
accounts.

10. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Amazon GuardDuty Overview

11. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS Security Hub Overview

12. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.

13. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS Security Hub Benefits
Managed regional AWS service in minutes that aggregates findings
across AWS accounts
Manage security and compliance findings in a single location,
increasing efficiency of locating relevant data
Create custom insights to track issues unique to your environment

14. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
What Can You Detect Using AWS Services?
Infrastructure
VPC Resources
Connectivity
On-instance
...
Service
IAM
S3 buckets
Billing
...
Application
Patching
Coding hole
...
Other?

15. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Infrastructure and Application Domains
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Security groups
Route table
NACLs
Internet gateway
Instance
Amazon
S3
Amazon
RDS
IAM
AWS
CloudHSM
AWS
Organization
s
AWSKMS
AWS
Directory
Service

16. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Services Domain
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Security groups
Route table
NACLs
Internet gateway
Instance
Amazon
S3
Amazon
RDS
IAM
AWS
CloudHSM
AWS
Organization
s
AWSKMS
AWS
Directory
Service

17. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
All Domains
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Security groups
Route table
NACLs
Internet gateway
Instance
Amazon
S3
Amazon
RDS
IAM
AWS
CloudHSM
AWS
Organization
s
AWSKMS
AWS
Directory
Service

18. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Detecting Known Threats
Threat intelligence
• Feeds:
o AWS Security
o Commercial - CrowdStrike, Proofpoint
o Open source
o Customer provided - "format":
"[TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE]",
• Known malware infected hosts
• Anonymizing proxies
• Sites hosting malware and hacker tools
• Cryptocurrency mining pools and wallets

19. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Detecting Unknown Threats
Anomaly detection
• Algorithms to detect unusual behavior
o Inspecting signal patterns for signatures
o Profiling normal activity and looking at deviations
o Machine learning classifiers

20. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat Detection: Triggers
Amazon CloudWatch
Events
Delivers a near-real time stream of
system events that describe
changes in AWS resources
AWS Config rules
Continuously tracks your resource
configuration changes and if they
violate any of the conditions in your
rules

21. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS Config Rules
A continuous recording and assessment service
Changing resources
AWS Config
AWS Config rules
History
snapshot
Notifications
API access
Normalized
• How are my resources configured over time?
• Is a change that just occurred to a resource, compliant?

22. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Amazon CloudWatch Events
{
"source": [
"aws.guardduty"
]
}
CloudWatch
Event
GuardDuty
findings
Lambda
function

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat Remediation: Automation
AWS Systems Manager
Automate patching and proactively
mitigate threats at the instance level
AWS Lambda
Capture info about the IP
traffic going to and from
network interfaces in your VPC

24. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
High-Level Playbook
Adversary or intern Your
environment
Lambda
responder
CloudWatch
Events
AWS Step
Functions

25. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Amazon
CloudWatch
AWS
CloudTrail
AWS Config
Lambda
function
AWS APIs
AWS WAF
AWS Shield
Detection
Alerting
Remediation
Countermeasures
Forensics
Team
collaboration
(Slack etc.)
Amazon GuardDuty
VPC Flow Logs
AWS Step Functions
Responding to Findings: Remediation
Amazon EC2
Systems
Manager
Amazon EC2

26. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

27. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS Landing Zone structure - basic
Amazon S3 Bucket
(manifest file)
AWS CodePipeline
AWS
Service Catalog
Account
Baseline
Core OU
AWS SSOAWS
Organizations
AWS Organizations Account
Shared Services Account Log Archive Account
Account
Baseline
Security Account
Network
Baseline
Account
Baseline
Aggregate
CloudTrail and
Config Logs
Account
Baseline
Security
Cross-Account
Roles
Security
Notifications
Organizations Account
• Account Provisioning
• Account Access (SSO)
Shared Services Account
• Active Directory
• Log Analytics
Log Archive
• Security Logs
Security Account
• Audit / Break-glassAmazon
GuardDuty Master
Parameter
Store

28. The AWS Landing Zone Pipeline
Source Validate/Build/Test
Deploy Core Account
Structure
Deploy Core
Resources
Deploy Service Catalog
Portfolio/Products
Deploy Baseline
Resources
Launch AVM for Core
accounts
AWS
Organizations
AWS Account
Baseline StackSets
Logging Security
credentials
AWS Service
Catalog
StackSet AWS Service
Catalog
Core
Amazon S3 bucket
Vended
Accounts
AWS
CloudFormation
templates
Manifest fileAWS Landing Zone
Zip File
AWS CodeBuild

29. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

31. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

32. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions

33. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS

34. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
GUARDDUTY FINDINGS

35. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS

36. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
COMMUNITCATIONS
MANUAL ACTION

37. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
COMMUNITCATIONS
MANUAL ACTION
Via Amazon API Gateway*

38. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
EC2 instance contents
Instance:~ ec2-user$
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
elastic network
interface
Security Group
EBS
Volume
IAM Profile

39. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS

40. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
EC2 instance contents
Instance:~ ec2-user$
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
elastic network
interface
Security Group
EBS
Volume
IAM Profile
EBS
Snapshot

41. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
EC2 instance contents
Instance:~ ec2-user$
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
elastic network
interface
Security Group
EBS
Volume
IAM Profile
Amazon S3
bucket
AWS
CloudTrail
EBS
Snapshot

42. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
EC2 instance contents
Instance:~ ec2-user$
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
elastic network
interface
Security Group
EBS
Volume
IAM Profile
EBS
Snapshot
AWS
CloudTrail
Amazon S3
bucket
Forensics Account

43. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
EC2 instance contents
Instance:~ ec2-user$
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS

44. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
EC2 instance contents
Instance:~ ec2-user$
Instance:~ ec2-user$ top
Instance:~ ec2-user$ pcap
Instance:~ ec2-user$ lime
Instance:~ ec2-user$ dd
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
EBS
Volume IAM Profile

45. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
EC2 instance contents
Instance:~ ec2-user$
Instance:~ ec2-user$ top
Instance:~ ec2-user$ pcap
Instance:~ ec2-user$ lime
Instance:~ ec2-user$ dd
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
EBS
Volume
Forensics
EBS IAM Profile

46. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
Forensics
EBS
EBS
Snapshot
Amazon S3
bucket
Forensics Account

47. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
Forensics
EBS
EBS
Snapshot
Amazon S3
bucket
Forensics Account

48. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
documents
Amazon
CloudWatch
rule
AWS
Lambda
Amazon
GuardDuty
Lambda
function
AWS Step
Functions
BACKDOOR:EC2/XORDDOS
Forensics
EBS
EBS
Snapshot
Amazon S3
bucket
Forensics Account
EASIER DONE THAN SAID.

49. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

50. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS Lambda: Run Code in Response to Events
Function Services
Changes
in data
state
Requests to
endpoints
Changes
in resource
state
Node
Python
Java
C#
Event source

51. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
• Asynchronously
execute commands
• No need to
SSH/RDP
• Commands and
output logged
Remediating Threats on Amazon EC2 Instances
Amazon EC2 Systems Manager - Run
Command
EC2 Instances
Lambda
function
AWS Systems Manager
Amazon
EC2

52. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Threat Detection and Remediation Partner Solutions
Consulting, data analysis, threat detection, and managed security operations

53. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Open-Source Resources
Mozilla MozDef
https://github.com/mozilla/MozDef
Security Blog
https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-
access-key/
Security Monkey
https://github.com/Netflix/security_monkey
Git-Secrets
https://github.com/awslabs/git-secrets
AWS CIS Foundation Framework
https://github.com/awslabs/aws-security-benchmark
AWS IR
https://github.com/ThreatResponse/aws_ir

54. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

55. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.