CloudTailをAzure Sentinelで分析するということ

It means analyzing CloudTail with Azure Sentinel. A little bit
of the depths of log analysis in the cloud. By Hirokazu Yoshida / At S-JAWS#21 / 2021.05.19

CloudTailΛAzure SentinelͰ ෼ੳ͢Δͱ͍͏͜ͱ Ϋϥ΢υʹ͓͚Δϩά෼ੳͷਂ෵Λ΄Μͷগ͠ ٢ాͻΖ͔ͣ / S-JAWS#21 / 2021.05.19

Who am I !? Hirokazu Yoshida @ CloudNative Inc. Job
: Security Engineer Community : Security-JAWS Favorite AWS Service :

Attention !! • ຊηογϣϯ͸ɺݸਓͷݟղʹجͮ͘΋ͷͰ͢ • ॴଐ͢ΔاۀɺஂମͷҙݟΛ୅ද͢Δ΋ͷͰ͸͋Γ·ͤΜ • Azure Sentinelࣗମͷࡉ͔͍આ໌͸͠·ͤΜ •
΍΍ܹࢗతͳදݱ΍ԋग़͕͋Γ·͕͢ɺ͓ؾָʹฉ͍͍ͯͩ͘͞

ॳΊʹݴ͓͖ͬͯ·͢ͱ

ϩάΛ෼ੳ͢Δ͚ͩͳΒ ޷͖ͳπʔϧΛ࢖͏ͱ͍͍Ͱ͢

ͳͥͳΒ͹

෼ੳ͢Δ໨తʹΑͬͯ ѻ͏ਓ΍ର৅ϩάɺඞཁͳػೳ͕ ҟͳΔ͔Β

ͦΜͳதͰ Θ͟Θ͟Azure SentinelΛ ҾͬுΓग़͢࿩Λ͠·͢

Today's Souvenir • ୭͕ԿͷͨΊʹϩά෼ੳͯ͠ɺԿΛಘΒΕΕ͹Α͔ͬͨͷʁ   ʹཱͪฦΔΩοΧέ • ͻΐͬͱͨ͠ΒनΘΕ͍ͯΔݻఆ؍೦ͷଧഁͷख͕͔Γ • ͓ֆ͔͖͕ಘҙͳਓʹͪΐͬͱͨ͠ؾ͖ͮ

AWSͷϩάͬͯ ͲΜͳͷ͕͚͋ͬͨͬʁ

What are AWS logs? • CloudTrail • Con fi gมߋཤྺϩά
• ELBܥΞΫηεϩά • CloudFrontඪ४ϩά • AWS WAFτϥϑΟοΫϩά • S3αʔόʔΞΫηεϩά • CloudWatch Logsʹྲྀͨ͠΋ͷ • RDS DBϩά, VPC Flow Logs, ECS(k8s)   Fargate, Lambda, FileGateway etc… • Security Hub Findings • GuardDuty, Inspector, Macie,   Firewall Manager, Systems Manager,   IAM Access Analyzer

Today's Scope • CloudTrail • Con fi gมߋཤྺϩά • ELBܥΞΫηεϩά
• CloudFrontඪ४ϩά • AWS WAFτϥϑΟοΫϩά • S3αʔόʔΞΫηεϩά • CloudWatch Logsʹྲྀͨ͠΋ͷ • RDS DBϩά, VPC Flow Logs, ECS(k8s)   Fargate, Lambda, FileGateway etc… • Security Hub Findings • GuardDuty, Inspector, Macie,   Firewall Manager, Systems Manager,   IAM Access Analyzer

͜Ε͚ͩʁ

΍ͬͺɺϩά͸Ұݩ؅ཧ ҰͭͷγεςϜͰ෼ੳͰ͖ͳ͍ͱͶʂ

Ͱ͸ɺ   AWSͷϩά͕໢ཏ͞Ε͍ͯΕ͹ ͍͍ΜͰ͚ͨͬ͠ʁ

What is the scope of your business?

Should I have only looked at the AWS logs? •
Operations Cloud Hopper • MSPΛඪతͱͨ͠߈ܸΩϟϯϖʔϯ • ҰछͷαϓϥΠνΣʔϯ߈ܸ • ϚΠωοτάϧʔϓ͕ӡӦ͢ΔҰ෦ήʔϜλΠτϧͷαʔόʔো֐ͷ͓ ஌Βͤͱ͓࿳ͼ • Ϗδωενϟοτ্Ͱڞ༗͍ͯ͠Δ   ΞΫηε৘ใΛ౪ΈݟΒΕͨՄೳੑ

ਖ਼نͷΞΫηε৘ใ/ܦ࿏Λ௨ͯ͡ ߈ܸ͕࢓ֻ͚ΒΕΔ࣌୅

AWSͷϩά͚ͩݟ͍ͯΕ͹ ྑ͔ͬͨΜͰ͚ͨͬ͠ʁ

ͦ΋ͦ΋୭͕ԿͷͨΊʹ ϩά෼ੳΛ͢Δͷ͔ʁ

Motivation for log analysis • ؂ࢹʢ҆ఆՔಇ؍఺ʣ • αʔϏεՔಇঢ়گ؂ࢹ • ো֐ௐࠪ
• αʔϏεར༻ʢϏδωε؍఺ʣ • αʔϏεར༻܏޲ͷ೺Ѳ • ௥੻ௐࠪʢηΩϡϦςΟ؍఺ʣ • αʔϏεෆਖ਼ར༻ͷ௥੻ • ֎෦͔Βͷ߈ܸͷ೺Ѳͱ௥੻ • ϩάΠϯঢ়گͷ௥੻ • ؅ཧऀૢ࡞ͷ೺Ѳͱ௥੻

• αʔϏεར༻ʢϏδωε؍఺ʣ • αʔϏεར༻܏޲ͷ೺Ѳ • ௥੻ௐࠪʢηΩϡϦςΟ؍఺ʣ • αʔϏεෆਖ਼ར༻ͷ௥੻ • ֎෦͔Βͷ߈ܸͷ೺Ѳͱ௥੻ • ϩάΠϯঢ়گͷ௥੻ • ؅ཧऀૢ࡞ͷ೺Ѳͱ௥੻ αʔϏενʔϜɺϏδωεΦʔφʔ αʔϏενʔϜɺӡ༻อकνʔϜ αʔϏενʔϜɺηΩϡϦςΟνʔϜ ηΩϡϦςΟνʔϜ αʔϏενʔϜ

• αʔϏεར༻ʢϏδωε؍఺ʣ • αʔϏεར༻܏޲ͷ೺Ѳ • ௥੻ௐࠪʢηΩϡϦςΟ؍఺ʣ • αʔϏεෆਖ਼ར༻ͷ௥੻ • ֎෦͔Βͷ߈ܸͷ೺Ѳͱ௥੻ • ϩάΠϯঢ়گͷ௥੻ • ؅ཧऀૢ࡞ͷ೺Ѳͱ௥੻ ͚ͩ͜͜είʔϓ͕"84಺ʹऩ·Βͳ͍ ଟ͕͘"84಺ʹऩ·Δ

What is the scope of your business? (Repost)

΍ͬͺɺϩά͸Ұݩ؅ཧ ҰͭͷγεςϜͰ෼ੳͰ͖ͳ͍ͱͶʂ ʢ࠶ܝʣ

ʮҰͭͷγεςϜʯͰ Ͱ͖Δʹӽͨ͜͠ͱ͸ͳ͍͕ റΒΕΔඞཁ͸ͳ͍

ͳͥͳΒ͹

෼ੳ͢Δ໨తʹΑͬͯ ѻ͏ਓ΍ର৅ϩάɺඞཁͳػೳ͕ ҟͳΔ͔Β ʢ࠶ܝʣ

ࣗ਎ͷϏδωε؀ڥͱ༻్ʹଇͨ͠ ϩά෼ੳج൫͕ඞཁ

Attention ! • ͜͜·Ͱͷ࿩͸ແடংͳπʔϧͷཚཱΛਪ঑͢Δ࿦Ͱ͸͋Γ·ͤΜ • ϩά෼ੳʹ͸໨తͱܭըʹجͮ͘෼ੳج൫ͷҡ࣋ͱ૊৫ମ੍͕͋ͬͯ ॳΊͯ੒Γཱͭ΋ͷͰ͢ • ϩά΍෼ੳج൫΁ͷΞΫηείϯτϩʔϧ΍ݪຊ؅ཧͳͲʹ΋஫ҙΛ ෷͏ඞཁ͕͋Γ·͢
• NIST SP800-92ʮίϯϐϡʔληΩϡϦςΟϩά؅ཧΨΠυʯࢀর   https://www.ipa.go.jp/ fi les/000025363.pdf

ͦΜͳΘ͚Ͱ Azure Sentinelͷ঺հ

What is Azure Sentinel ? • CloudܕSIEM • ෼ੳɺՄࢹԽɺࣗಈԽͷػೳ •
๛෋ͳࣄલఆٛͷςϯϓϨʔτ • ςϯϓϨʔτͷࣗಈ௥Ճ • Kusto Query Language • Azure؀ڥͱͷߴ͍਌࿨ੑ • ๛෋ͳίωΫλ • APIͷ༻ҙ • ϩάྲྀೖྔͱอଘظؒͰ՝ۚ • ಛผͳϥΠηϯεෆཁ

Advantages of Azure Sentinel • ্ཱͪ͛ʹ͔͔Δ޻਺͕গͳ͍ • αϒεΫϦϓγϣϯΛ࡞ͬͯɺ਺ΫϦοΫͰΦϯϘʔυ • AWSͱͷ઀ଓ͸ɺIAMϙϦγʔͱIAMϩʔϧͷઃఆͷΈ
• AWSCloudTrailReadOnlyAccess • ઃఆޙɺ20෼͘Β͍Ͱσʔλ͕ྲྀΕͯ͘Δ IUUQTEPDTNJDSPTPGUDPNKBKQB[VSFTFOUJOFMDPOOFDUBXT IUUQTEPDTNJDSPTPGUDPNKBKQB[VSFTFOUJOFMRVJDLTUBSUPOCPBSE

Advantages of Azure Sentinel • ࣄલఆٛͷ෼ੳςϯϓϨʔτʢCSPMతͳ΍ͭฤʣ • Login to AWS
Management Console without MFA • Changes made to AWS CloudTrail logs • Changes to internet facing AWS RDS Database instances • Changes to AWS Elastic Load Balancer security groups • Changes to AWS Security Group ingress and egress settings • Changes to Amazon VPC settings

Advantages of Azure Sentinel • ࣄલఆٛͷ෼ੳςϯϓϨʔτʢෆ৹ͳڍಈͳ΍ͭฤʣ • Failed AWS Console
logons but success logon to AzureAD • Failed AzureAD logons but success logon to AWS Console • Monitor AWS Credential abuse or hijacking • ࣄલఆٛͷ෼ੳςϯϓϨʔτʢڴҖΠϯςϦδΣϯεͱ࿈ܞฤʣ • (Preview) TI map IP entity to AWSCloudTrail

Advantages of Azure Sentinel • MITER ATT&CKͷ֤ઓज़ʹجͮ͘ࣄલఆٛͷϋϯςΟϯάΫΤϦʔ

Query Example • Changes to Amazon VPC settings $IBOHFTUP"NB[PO71$TFUUJOHT MFU&WFOU/BNF-JTU
EZOBNJD <$SFBUF/FUXPSL"DM&OUSZ $SFBUF3PVUF $SFBUF3PVUF5BCMF $SFBUF*OUFSOFU(BUFXBZ $SFBUF/B U(BUFXBZ> "84$MPVE5SBJM cXIFSF&WFOU/BNFJOd &WFOU/BNF-JTU cTVNNBSJ[F4UBSU5JNF6UDNJO 5JNF(FOFSBUFE &OE5JNF6UDNBY 5JNF(FOFSBUFE CZ&WFOU/BNF &WFOU5ZQF/BNF 6TFS*EFOUJUZ"DDPVOU*E 6TFS*EFOUJUZ1SJODJQBMJE 6TFS"HFOU 6TFS*EFOUJUZ6TFS/BNF 4FTTJPO.GB"VUIFOUJDBUFE 4PVSDF*Q"EESFTT "843FHJPO &WFOU4PVSDF "EEJUJPOBM&WFOU%BUB 3FTQPOTF&MFNFOUT cFYUFOEUJNFTUBNQ4UBSU5JNF6UD "DDPVOU$VTUPN&OUJUZ6TFS*EFOUJUZ6TFS/BNF *1$VTUPN&OUJUZ 4PVSDF*Q"EESFTT

Query Example • Exploit and Pentest Framework   User Agent
MFUUJNFGSBNFE MFU6TFS"HFOU-JTU*OUFSOFU&YQMPSFSc.P[JMMBaaaa DPNQBUJCMF.4*&aa8JOEPXT/5aa47*OGP1BUIaaa a c.P[JMMBaaaa 8JOEPXT/5aa8JOYSWaaa a c.P[JMMBaaaa DPNQBUJCMF.FUBTQMPJU341&$aa c.P[JMMBa aaa DPNQBUJCMF.4*&aa8JOEPXT/5aa c.P[JMMBaaaa DPNQBUJCMF.4*&aa8JOEPXT/5aaaa c.P[JMMBaaaa DPNQBUJCMF.4*&aa8JOEPXT/5aa5SJEFOUaaaa c   தུ   DPNQBUJCMF.4*&aa8JOEPXT/5aa8085SJEFOU aa.""6aa c.P[JMMBaa<?aaT>c.P[JMMBaaaa DPNQBUJCMF 41*1&aac.P[JMMBaaaa 8JOEPXT/5aaSWaaaa (FDLP'JSFGPYaac4BNFUJNF$PNNVOJUZ "HFOUc9'038"3%&%'03c%PU%PU1XOWaac4*1%30*%c XPSEQSFTTIBTIHSBCCFScFYQMPJUcPLIUUQ MFU&YDMVEF**4PLIUUQ VOJPOJTGV[[ZUSVF 0 ff i DF"DUJWJUZ cதུ 8$**4-PH cதུ "84$MPVE5SBJM cXIFSF5JNF(FOFSBUFEBHP UJNFGSBNF cXIFSF6TFS"HFOUNBUDIFTSFHFY6TFS"HFOU-JTU cFYUFOE4PVSDF*14PVSDF*Q"EESFTT cQSPKFDU5JNF(FOFSBUFE 5ZQF 6TFS"HFOU 4PVSDF*1 cTVNNBSJ[FNJO 5JNF(FOFSBUFE NBY 5JNF(FOFSBUFE DPVOU CZ5ZQF 6TFS"HFOU 4PVSDF*1 cFYUFOEUJNFTUBNQNJO@5JNF(FOFSBUFE *1$VTUPN&OUJUZ4PVSDF*1

͙͢ʹ࢖͑ΔࣄલఆٛςϯϓϨʔτ ΫΤϦʔͷॻ͖ํ΋ࢀߟʹͳΔ

Advantages of Azure Sentinel • ࣄલఆٛͷՄࢹԽςϯϓϨʔτʢAWS Network Activitiesʣ

Advantages of Azure Sentinel • ࣄલఆٛͷՄࢹԽςϯϓϨʔτʢAWS User Activitiesʣ

Advantages of Azure Sentinel • ՄࢹԽͷ࣮ଶ͸ΫΤϦʔ / ՄࢹԽܗଶ΋બ୒ੑ

ࣄલఆٛςϯϓϨʔτΛࢀߟʹ ඞཁͳՄࢹԽςϯϓϨʔτΛ࡞੒

Advantages of Azure Sentinel • ࣗಈԽ͸Logic AppΛ༻͍ͯϩʔίʔυͰ࣮૷ IUUQTXXXGOJGOJOFUB[VSFTFOUJOFMMPHJDBQQ

Advantages of Azure Sentinel • Ԡ༻͢Ε͹͜ͷΑ͏ͳ͜ͱ΋ IUUQTXXXGOJGOJOFUB[VSFTFOUJOFMJOUFSBDUJWF

ϩά͸ੜ͖෺ ؀ڥಛ༗ͷݸੑʹԠͨ͡ ࣗಈԽͷ࡞ΓࠐΈ͕ඞཁ

Advantages of Azure Sentinel • Ξϥʔτͷ૬ؔ΋IPΞυϨε΍Ϣʔβʔ໊ͳͲଟ༷ͳΩʔʹ   ࣗಈඥ෇͚Մೳ

Advantages of Azure Sentinel • Ϣʔβʔ΍ΤϯςΟςΟ   ʹجͮ͘ߦಈ෼ੳ   (UEBA)

Advantages of Azure Sentinel • ๛෋ͳίωΫλͰ૬ؔ෼ੳ։࢝·Ͱͷ্ཱ͕ͪΓΛαϙʔτ

਺ΫϦοΫͰܨ͗͜Έʂ ͱ͍͏Θ͚ʹ͸ߦ͔ͳ͍͕ ܨ͗͜Ή૭ޱ͸ଟ਺༻ҙ͞Ε͍ͯΔ

ͱɺ·͋ ܨ͗͜Έͱ૬ؔ෼ੳͷ؍఺͔Β ༗ྗͳબ୒ࢶͱͳΔΘ͚Ͱ͢

΍ͬͯΈΔͱΘ͔Δ Ϋϥ΢υͰ(ͷ)ϩάΛѻ͏ͱ͍͏ ຊ࣭తͳ௧Έ

The intrinsic pain of trying. • ϩάͷΤΫεϙʔτʢ௕ظอ؅ʣ • ௕ظอ؅ઌ͔Βͷ࠶෼ੳ •
Ϋϥ΢υͷϩά͸ʮ݁Ռ੔߹ੑʯ

The intrinsic pain of trying. • ϩάͷΤΫεϙʔτʢ௕ظอ؅ʣ • Azure Sentinelࣗମͷϩάอଘظؒ͸࠷େ23ϲ݄(90೔Ҏ্՝ۚ)
• ௕ظอ؅ͷͨΊͷΤΫεϙʔτػೳ͸ɺҰ෦ϩάͷΈαϙʔτ • APIΛ༻͍ͯΤΫεϙʔτ͢Δػߏͷ࡞ΓࠐΈ͕ඞཁ • APIίʔϧϦϛοτɺಥ೗ݱΕΔ429Τϥʔ • ΫΤϦʔԠ౴্ݶʹҾ͔͔ͬΔͱσʔλ͕Ϳͭ੾ΓʹͳΔ

The intrinsic pain of trying. • ௕ظอ؅ઌ͔Βͷ࠶෼ੳ • Azure Sentinelʹॻ͖໭ͯ͠࠶෼ੳ
• 1ϲ݄෼ͷσʔλͷॻ͖໭͠Ͱ48࣌ؒOver • ཱͪ;͕͞ΔAPIίʔϧϦϛοτɺಥ೗ݱΕΔ429Τϥʔ • ௕ظอଘઌͰ௚઀෼ੳͰ͖ͳ͍ͱ͠ΜͲ͍ • Data Explorer͸ߴֹɻɻɻ

Ώʔͯɺ2೥Ҏ্લͷϩάΛ ૬ؔ෼ੳ͢ΔϢʔεέʔεͳΜͯ ͋Δͷ͔ʁ

The intrinsic pain of trying. • Ϋϥ΢υͷϩά͸ʮ݁Ռ੔߹ੑʯ • ϩά͸ૢ࡞͕ߦΘΕ͔ͯΒ͙͢ʹಡΈऔΓՄೳʹ͸ͳΒͳ͍ •
CloudTrail͸ɺ8-12෼ఔ౓ͷܦ͔ͬͯΒࢀরՄೳ • CloudTrail -> Azure Sentinel͸ɺ໿20෼લͷϩά͕౸ண • σʔλιʔεʹΑͬͯ·ͪ·ͪɻଈ࣌Ξϥʔτ͸ແཧے IUUQTUFDIDPNNVOJUZNJDSPTPGUDPNUB[VSFTFOUJOFMIBOEMJOH JOHFTUJPOEFMBZJOB[VSFTFOUJOFMTDIFEVMFEBMFSUSVMFTCBQ

୹ؾ͸ଛؾ Ϋϥ΢υͷϩάΛ૬ؔ෼ੳ͢Δࡍ͸ ͋Δఔ౓ͷ࣌ؒͷ෯Λ࣋ͨͤΔ͜ͱ

Conclusion • ϩά෼ੳͷπʔϧ͸ɺ࢖͏ਓͱ༻్ʹԠͯ͡దࡐదॴ • ༷ʑͳϏδωεϓϥοτϑΥʔϜΛލΔ૬ؔ෼ੳʹ͸ɺ   Azure Sentinel͸༗ྗͳબ୒ࢶ • Azure
Sentinel͸গͳ͍޻਺Ͱ্ཱ͕ͪΓɺεϞʔϧελʔτʹ࠷ద • Ϋϥ΢υͷಛੑΛߟྀͨ࣌ؒ͠ઃఆ΍औΓѻ͍ͷߟྀ͕ඞཁ

Resource • Operation Cloud HopperʢΫϥ΢υϗούʔ࡞ઓʣ • https://www.pwc.com/jp/ja/knowledge/thoughtleadership/ operation-cloud-hopper.html • ϚΠωοτࣾ౰ࣾαʔόʔ΁ͷෆਖ਼ΞΫηεʹؔ͢Δ࠷ऴใࠂॻ
• https://mynet.co.jp/news/2018/05/11/info_0511/

Thank you !

CloudTailをAzure Sentinelで 分析するということ

CloudTailをAzure Sentinelで 分析するということ

More Decks by fnifni

Other Decks in Technology

Featured

Transcript

CloudTailをAzure Sentinelで分析するということ

CloudTailをAzure Sentinelで分析するということ