Automated Intrusion Detection and Response on AWS
Download as PPTX, PDF2 likes641 views
This document discusses using AWS services to automate intrusion detection and response. It provides examples of using AWS services like EC2, CloudFormation, and VPC to deploy resources and configure them with security features. Code examples are given to start EC2 instances, deploy templates to AWS, and monitor VPC flow logs to detect threats and take actions like snapshotting or terminating instances in response. The document argues that AWS services can improve security operations when best practices are followed, as AWS provides capabilities like built-in logging, inventory, and tools that facilitate automated detection and response.
![SANS Technology Institute - Candidate for Master of Science Degree 6
CloudFormation Templates
• Configuration files for AWS resources
• Store configuration in source control
• Decouple configuration and deployment
• Handles dependency management
• Deploy via AWS tools such as AWS CLI:
$ aws cloudformation create-stack –template-url [path]](https://image.slidesharecdn.com/sans-aws-intrusion-161001223022/85/Automated-Intrusion-Detection-and-Response-on-AWS-6-320.jpg)
![SANS Technology Institute - Candidate for Master of Science Degree 10
PINGTEST Mode
One instance is configured to ping other
"UserData":
{ "Fn::If" :
[
"PingMe",
{ "Fn::Base64":
{ "Fn::Join": [ "", [
"#!/bin/bash -en",
"echo ping ",
{"Fn::GetAtt" : [ "Ec2Instance1" , "PrivateIp" ]},
" > /tmp/ping.shn",
"cd /tmpn",
"chmod 777 ping.shn",
"nohup ./ping.sh &n"
] ] } },
{"Ref" : "AWS::NoValue"}
]
}](https://image.slidesharecdn.com/sans-aws-intrusion-161001223022/85/Automated-Intrusion-Detection-and-Response-on-AWS-10-320.jpg)
Automated Intrusion Detection and Response on AWS
- 1. 1SANS Technology Institute - Candidate for Master of Science Degree 1 Automated Intrusion Detection and Response on Amazon Web Services Teri Radichel September 2016 GIAC GSEC, GCIH and GCIA
- 2. SANS Technology Institute - Candidate for Master of Science Degree 2 Can AWS Improve Security Operations? • Whitepaper: Overview of AWS Security Processes – Are Yours Better? • Shared Responsibility Model • Separation of duties • Built in inventory and scalable logging • DevSecOps: Write code to configure infrastructure and respond to events
- 3. SANS Technology Institute - Candidate for Master of Science Degree 3 What Is AWS? • Platform for infrastructure management • Start, stop and configure resources via console or code • Automated scaling
- 4. SANS Technology Institute - Candidate for Master of Science Degree 4 Start Instance From Console EC2 instances (virtual machines) can be managed via the web console
- 5. SANS Technology Institute - Candidate for Master of Science Degree 5 Start Instance Via Code Better: Write code to manage instances Start an instance: $ aws ec2 run-instances --image-id ami-xxxxxx View details about an instance: $ aws ec2 describe-instances --instance-id ixxxxxxxx Terminate an instance: $ aws ec2 terminate-instances --instance-id ixxxxxxxx
- 6. SANS Technology Institute - Candidate for Master of Science Degree 6 CloudFormation Templates • Configuration files for AWS resources • Store configuration in source control • Decouple configuration and deployment • Handles dependency management • Deploy via AWS tools such as AWS CLI: $ aws cloudformation create-stack –template-url [path]
- 7. SANS Technology Institute - Candidate for Master of Science Degree 7 AWS Networking • VPC (Virtual Private Cloud) • Subnets and Security Groups • Internet Gateway • Virtual Private Gateway • Direct Connect, VPN • VPC Flow Logs
- 8. SANS Technology Institute - Candidate for Master of Science Degree 8 Sample Code • Follow instructions in README.md https://github.com/tradichel/AWSSecurityAutomationFramework • Execute run.sh and specify mode: – CREATE will create cloud resources – PINGTEST generates unwanted traffic and triggers a response – DELETE will delete resources created by either CREATE or PINGTEST
- 9. SANS Technology Institute - Candidate for Master of Science Degree 9 Resources Deployed
- 10. SANS Technology Institute - Candidate for Master of Science Degree 10 PINGTEST Mode One instance is configured to ping other "UserData": { "Fn::If" : [ "PingMe", { "Fn::Base64": { "Fn::Join": [ "", [ "#!/bin/bash -en", "echo ping ", {"Fn::GetAtt" : [ "Ec2Instance1" , "PrivateIp" ]}, " > /tmp/ping.shn", "cd /tmpn", "chmod 777 ping.shn", "nohup ./ping.sh &n" ] ] } }, {"Ref" : "AWS::NoValue"} ] }
- 11. SANS Technology Institute - Candidate for Master of Science Degree 11 Click a Log Group to see Log Streams VPC Flow Logs
- 12. SANS Technology Institute - Candidate for Master of Science Degree 12 CloudWatch Log Stream • Click on ENI to see related logs
- 13. SANS Technology Institute - Candidate for Master of Science Degree 13 Code Evaluates Logged Events Function monitors VPC flow logs for REJECTs and logs statistics
- 14. SANS Technology Institute - Candidate for Master of Science Degree 14 REJECT Triggers Response Snapshot Instance Terminate Instance
- 15. SANS Technology Institute - Candidate for Master of Science Degree 15 AWS Security Benefits • Comprehensive inventory • Built in, scalable logging • Infrastructure as code • Tools that facilitate automated intrusion detection and response • Augmented security for some ~ if you follow AWS security best practices.