AWS Intrusion Detection and Response on AWS


Page 1: AWS Intrusion Detection and Response on AWS

SANS Technology Institute - Candidate for Master of Science Degree 1

Automated Intrusion Detection and Response on Amazon Web Services

Teri Radichel

September 2016

GIAC GSEC, GCIH and GCIA

Page 2: AWS Intrusion Detection and Response on AWS


Can AWS Improve Security Operations?

• Whitepaper: Overview of AWS Security Processes – Are Yours Better?

• Shared Responsibility Model

• Separation of duties

• Built in inventory and scalable logging

• DevSecOps: Write code to configure infrastructure and respond to events

Page 3: AWS Intrusion Detection and Response on AWS


What Is AWS?

• Platform for infrastructure management

• Start, stop and configure resources via console or code

• Automated scaling

Page 4: AWS Intrusion Detection and Response on AWS


Start Instance From Console

EC2 instances (virtual machines) can be managed via the web console

Page 5: AWS Intrusion Detection and Response on AWS


Start Instance Via Code

Better: Write code to manage instances

Start an instance:
$ aws ec2 run-instances --image-id ami-xxxxxx

View details about an instance:
$ aws ec2 describe-instances --instance-ids i-xxxxxxxx

Terminate an instance:
$ aws ec2 terminate-instances --instance-ids i-xxxxxxxx

Page 6: AWS Intrusion Detection and Response on AWS


CloudFormation Templates

• Configuration files for AWS resources

• Store configuration in source control

• Decouple configuration and deployment

• Handles dependency management

• Deploy via AWS tools such as the AWS CLI:

$ aws cloudformation create-stack --stack-name [name] --template-url [path]

Page 7: AWS Intrusion Detection and Response on AWS


AWS Networking

• VPC (Virtual Private Cloud)

• Subnets and Security Groups

• Internet Gateway

• Virtual Private Gateway

• Direct Connect, VPN

• VPC Flow Logs

Page 8: AWS Intrusion Detection and Response on AWS


Sample Code

• Follow instructions in README.md https://github.com/tradichel/AWSSecurityAutomationFramework

• Execute run.sh and specify mode:

– CREATE will create cloud resources

– PINGTEST generates unwanted traffic and triggers a response

– DELETE will delete resources created by either CREATE or PINGTEST

Page 9: AWS Intrusion Detection and Response on AWS


Resources Deployed

Page 10: AWS Intrusion Detection and Response on AWS


PINGTEST Mode

One instance is configured to ping the other via its UserData:

"UserData": {
  "Fn::If": [
    "PingMe",
    { "Fn::Base64": { "Fn::Join": [ "", [
      "#!/bin/bash -e\n",
      "echo ping ", { "Fn::GetAtt": [ "Ec2Instance1", "PrivateIp" ] }, " > /tmp/ping.sh\n",
      "cd /tmp\n",
      "chmod 777 ping.sh\n",
      "nohup ./ping.sh &\n"
    ] ] } },
    { "Ref": "AWS::NoValue" }
  ]
}

Page 11: AWS Intrusion Detection and Response on AWS


VPC Flow Logs

Click a Log Group to see Log Streams

Page 12: AWS Intrusion Detection and Response on AWS


CloudWatch Log Stream

• Click on ENI to see related logs

Page 13: AWS Intrusion Detection and Response on AWS


Code Evaluates Logged Events

Function monitors VPC flow logs for REJECTs and logs statistics

Page 14: AWS Intrusion Detection and Response on AWS


REJECT Triggers Response

Snapshot Instance

Terminate Instance
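The "Code Evaluates Logged Events" and "REJECT Triggers Response" slides describe the detect-then-respond loop without showing its logic. The following is an added example (not code from this deck or from the AWSSecurityAutomationFramework repository): it parses VPC Flow Log records in the default version 2 layout, counts REJECT records per interface and source address, and for any source that crosses a threshold snapshots the owning instance's EBS volumes before terminating it. The flow log lines, ENI/instance/volume IDs and account number are constructed placeholders; the EC2 client is injected so the demo runs offline against a fake, and the mapping from source IP to instance via the `private-ip-address` filter is an assumption of this example, not something the deck specifies (the deck's PINGTEST knows which instance it built).

```python
"""Detect REJECTed flows in VPC Flow Log records and drive a
snapshot-then-terminate response through an injected, boto3-style EC2 client.
Added example; assumes the default flow log (version 2) field order."""
from collections import Counter

# Default VPC Flow Log record layout (version 2), space separated.
FLOW_LOG_FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()

# Constructed sample records (not real traffic): the instance behind
# eni-aaaa0001 pings 10.0.1.20, whose security group drops ICMP, so the
# receiving ENI (eni-bbbb0002) logs REJECT. One NODATA record is included
# because real streams contain them and they must not count as rejects.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-aaaa0001 10.0.1.10 10.0.1.20 0 0 1 4 336 1472917000 1472917060 ACCEPT OK
2 123456789012 eni-bbbb0002 10.0.1.10 10.0.1.20 0 0 1 4 336 1472917000 1472917060 REJECT OK
2 123456789012 eni-bbbb0002 10.0.1.10 10.0.1.20 0 0 1 3 252 1472917060 1472917120 REJECT OK
2 123456789012 eni-bbbb0002 10.0.1.30 10.0.1.20 44321 22 6 10 1200 1472917060 1472917120 ACCEPT OK
2 123456789012 eni-bbbb0002 - - - - - - - 1472917120 1472917180 - NODATA
"""


def parse_flow_log(line):
    """Split one record into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None
    return dict(zip(FLOW_LOG_FIELDS, parts))


def reject_stats(lines):
    """Count REJECT records per (interface, source address). Records whose
    log-status is not OK (NODATA/SKIPDATA) carry no action and are skipped."""
    stats = Counter()
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["log_status"] != "OK":
            continue
        if rec["action"] == "REJECT":
            stats[(rec["interface_id"], rec["srcaddr"])] += 1
    return stats


def offending_sources(stats, threshold=2):
    """Source addresses with at least `threshold` rejects on any interface."""
    return sorted({src for (_, src), n in stats.items() if n >= threshold})


def respond_to_source(ec2, source_ip):
    """Snapshot every EBS volume of the instance owning source_ip, then
    terminate it: preserve evidence first, contain second.
    Returns None when no instance owns that address."""
    resp = ec2.describe_instances(
        Filters=[{"Name": "private-ip-address", "Values": [source_ip]}])
    instances = [i for r in resp["Reservations"] for i in r["Instances"]]
    if not instances:
        return None
    inst = instances[0]
    snapshot_ids = []
    for bdm in inst.get("BlockDeviceMappings", []):
        vol = bdm.get("Ebs", {}).get("VolumeId")
        if vol:
            snap = ec2.create_snapshot(
                VolumeId=vol,
                Description=f"IR evidence {inst['InstanceId']} ({source_ip})")
            snapshot_ids.append(snap["SnapshotId"])
    ec2.terminate_instances(InstanceIds=[inst["InstanceId"]])
    return {"instance_id": inst["InstanceId"], "snapshots": snapshot_ids}


class FakeEC2:
    """Offline stand-in for a boto3 EC2 client (same call/response shapes)."""

    def __init__(self, ip_to_instance):
        self.ip_to_instance = ip_to_instance
        self.terminated, self.snapshots = [], []

    def describe_instances(self, Filters):
        inst = self.ip_to_instance.get(Filters[0]["Values"][0])
        return {"Reservations": [{"Instances": [inst]}] if inst else []}

    def create_snapshot(self, VolumeId, Description):
        sid = f"snap-{len(self.snapshots):08x}"
        self.snapshots.append((sid, VolumeId, Description))
        return {"SnapshotId": sid}

    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)
        return {"TerminatingInstances": [{"InstanceId": i} for i in InstanceIds]}


def run_demo(threshold=2):
    """Evaluate the sample records and respond to every offending source."""
    stats = reject_stats(SAMPLE_FLOW_LOGS.splitlines())
    ec2 = FakeEC2({"10.0.1.10": {  # placeholder instance behind the pinger
        "InstanceId": "i-0123456789abcdef0",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0abc"}}]}})
    actions = [respond_to_source(ec2, ip)
               for ip in offending_sources(stats, threshold)]
    return stats, actions, ec2


if __name__ == "__main__":
    stats, actions, _ = run_demo()
    for (eni, src), n in stats.items():
        print(f"{eni} rejected {n} flows from {src}")
    print("responses:", actions)
```

To run this against a real account, replace `FakeEC2` with `boto3.client("ec2")` and feed `reject_stats` the `message` field of each CloudWatch Logs event; the threshold keeps a single stray packet from terminating a workload, which is the caveat to tune before letting the response run unattended.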

Page 15: AWS Intrusion Detection and Response on AWS


AWS Security Benefits

• Comprehensive inventory

• Built in, scalable logging

• Infrastructure as code

• Tools that facilitate automated intrusion detection and response

• Augmented security for some, if you follow AWS security best practices.