SANS Technology Institute - Candidate for Master of Science Degree
Automated Intrusion Detection and Response on Amazon Web Services
Teri Radichel
September 2016
GIAC GSEC, GCIH and GCIA
Can AWS Improve Security Operations?
• Whitepaper: Overview of AWS Security Processes – Are Yours Better?
• Shared Responsibility Model
• Separation of duties
• Built-in inventory and scalable logging
• DevSecOps: write code to configure infrastructure and respond to events
What Is AWS?
• Platform for infrastructure management
• Start, stop and configure resources via console or code
• Automated scaling
Start Instance From Console
EC2 instances (virtual machines) can be managed via the web console
Start Instance Via Code
Better: write code to manage instances.
Start an instance:
$ aws ec2 run-instances --image-id ami-xxxxxx
View details about an instance:
$ aws ec2 describe-instances --instance-ids i-xxxxxxxx
Terminate an instance:
$ aws ec2 terminate-instances --instance-ids i-xxxxxxxx
CloudFormation Templates
• Configuration files for AWS resources
• Store configuration in source control
• Decouple configuration and deployment
• Handles dependency management
• Deploy via AWS tools such as the AWS CLI:
$ aws cloudformation create-stack --stack-name [name] --template-url [path]
AWS Networking
• VPC (Virtual Private Cloud)
• Subnets and Security Groups
• Internet Gateway
• Virtual Private Gateway
• Direct Connect, VPN
• VPC Flow Logs
Sample Code
• Follow the instructions in README.md: https://github.com/tradichel/AWSSecurityAutomationFramework
• Execute run.sh and specify a mode:
– CREATE will create cloud resources
– PINGTEST generates unwanted traffic and triggers a response
– DELETE will delete resources created by either CREATE or PINGTEST
Resources Deployed
PINGTEST Mode
One instance is configured to ping the other (UserData in the CloudFormation template):
"UserData": {
  "Fn::If": [
    "PingMe",
    {
      "Fn::Base64": {
        "Fn::Join": [ "", [
          "#!/bin/bash -e\n",
          "echo ping ", { "Fn::GetAtt": [ "Ec2Instance1", "PrivateIp" ] }, " > /tmp/ping.sh\n",
          "cd /tmp\n",
          "chmod 777 ping.sh\n",
          "nohup ./ping.sh &\n"
        ] ]
      }
    },
    { "Ref": "AWS::NoValue" }
  ]
}
VPC Flow Logs
• Click a Log Group to see Log Streams
CloudWatch Log Stream
• Click on ENI to see related logs
Code Evaluates Logged Events
Function monitors VPC flow logs for REJECTs and logs statistics
REJECT Triggers Response
• Snapshot instance
• Terminate instance
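The detection and response steps on the last two slides (a function that reads VPC Flow Logs, counts REJECTs, logs statistics, then snapshots and terminates an instance), written out as an added example. This is not code from the slides or from the author's AWSSecurityAutomationFramework. The CloudWatch Logs subscription event layout, the flow-log field order and the EC2 API method names are real; the REJECT threshold, the choice to act on the instance that is the source of the rejected traffic, the FakeEC2 client, the log lines and every ID are constructed so the block runs offline. In Lambda you would pass boto3.client("ec2") in place of FakeEC2.

```python
"""Added example (not from the original slides or the author's framework):
a Lambda-style detector/responder for VPC Flow Logs.  The threshold, the
FakeEC2 client, the log lines and all IDs below are constructed."""
import base64
import gzip
import json
from collections import Counter

REJECT_THRESHOLD = 3  # assumption: REJECTs from one source before we respond

# Default VPC Flow Log (version 2) field order, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_record(line):
    """Return a dict for one flow log line, or None if it is malformed."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def decode_awslogs_event(event):
    """CloudWatch Logs subscriptions deliver base64(gzip(JSON)); return the messages."""
    payload = json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))
    return [e["message"] for e in payload.get("logEvents", [])]


def reject_stats(messages):
    """Count REJECTs per (interface_id, srcaddr); NODATA/SKIPDATA lines carry '-' as action."""
    stats = Counter()
    for msg in messages:
        rec = parse_flow_record(msg)
        if rec and rec["action"] == "REJECT":
            stats[(rec["interface_id"], rec["srcaddr"])] += 1
    return stats


def sources_to_isolate(stats, threshold=REJECT_THRESHOLD):
    """Source addresses whose REJECT count against any single ENI reached the threshold."""
    return sorted({src for (_eni, src), n in stats.items() if n >= threshold})


def snapshot_and_terminate(ec2, src_ip):
    """Find the instance sourcing the traffic, snapshot its EBS volumes (evidence), then terminate it."""
    nics = ec2.describe_network_interfaces(
        Filters=[{"Name": "addresses.private-ip-address", "Values": [src_ip]}])["NetworkInterfaces"]
    instance_id = nics[0].get("Attachment", {}).get("InstanceId") if nics else None
    if not instance_id:
        return None  # source is outside the VPC or the ENI is unattached: nothing to terminate
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    snapshots = []
    for bdm in inst.get("BlockDeviceMappings", []):
        vol = bdm.get("Ebs", {}).get("VolumeId")
        if vol:
            snap = ec2.create_snapshot(VolumeId=vol, Description="IR: REJECTs from " + src_ip)
            snapshots.append(snap["SnapshotId"])
    ec2.terminate_instances(InstanceIds=[instance_id])  # snapshots first, so evidence survives
    return {"instance": instance_id, "snapshots": snapshots}


def handler(event, ec2, threshold=REJECT_THRESHOLD):
    """Entry point; in Lambda, pass boto3.client('ec2') as ec2. Returns stats and actions taken."""
    stats = reject_stats(decode_awslogs_event(event))
    print("REJECT statistics:", dict(stats))  # the 'logs statistics' step from the slides
    actions = [snapshot_and_terminate(ec2, src) for src in sources_to_isolate(stats, threshold)]
    return {"stats": dict(stats), "actions": [a for a in actions if a]}


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') exposing the four calls used above."""
    def __init__(self):
        self.snapshots, self.terminated = [], []
        self.eni_by_ip = {"10.0.1.5": ("eni-0pinger", "i-0pinger")}  # constructed inventory

    def describe_network_interfaces(self, Filters):
        hit = self.eni_by_ip.get(Filters[0]["Values"][0])
        if not hit:
            return {"NetworkInterfaces": []}
        return {"NetworkInterfaces": [{"NetworkInterfaceId": hit[0], "Attachment": {"InstanceId": hit[1]}}]}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0],
                "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0pinger"}}]}]}]}

    def create_snapshot(self, VolumeId, Description):
        self.snapshots.append(VolumeId)
        return {"SnapshotId": "snap-%d" % len(self.snapshots)}

    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)
        return {}


def sample_event():
    """Constructed subscription event: 10.0.1.5 pings 10.0.2.7 (ICMP, protocol 1) and is rejected 3 times."""
    lines = ["2 123456789012 eni-0victim 10.0.1.5 10.0.2.7 0 0 1 1 84 1473000000 1473000060 REJECT OK"] * 3
    lines.append("2 123456789012 eni-0victim 10.0.3.9 10.0.2.7 443 51514 6 5 400 1473000000 1473000060 ACCEPT OK")
    lines.append("2 123456789012 eni-0other - - - - - - - 1473000000 1473000060 - NODATA")
    body = {"logEvents": [{"message": m} for m in lines]}
    return {"awslogs": {"data": base64.b64encode(gzip.compress(json.dumps(body).encode())).decode()}}


if __name__ == "__main__":
    print(handler(sample_event(), FakeEC2()))
```

The order of the two response calls matters: the snapshot is taken before terminate-instances so that volume contents survive for forensics even when the root volume is set to delete on termination. A source address that does not map to an ENI in the VPC (for example an Internet address hitting a public subnet) produces statistics but no termination, which is the case where you would block at the security group or NACL instead.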
AWS Security Benefits
• Comprehensive inventory
• Built-in, scalable logging
• Infrastructure as code
• Tools that facilitate automated intrusion detection and response
• Augmented security for some, if you follow AWS security best practices.