AWS Community Day Aurangabad 2023

Sankalp Sandeep Paranjpe
December 11, 2023
Transcript

  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Aurangabad (Chh. Sambhajinagar) 2023. Venue Sponsor
  2. AWS Security Incident Response. By: Sankalp Sandeep Paranjpe. Aurangabad (Chh. Sambhajinagar) 2023
  3. AGENDA: Introduction to Cybersecurity; Security controls, procedures and practices; Shared Responsibility Model; Amazon GuardDuty and Inspector; Incident Response
  4. WHOAMI: Sankalp Sandeep Paranjpe. AWS Cloud Captain. Final year B.Tech student at MIT ADTU Pune. Cloud Security, Application Security. 2x AWS Certified. EC-Council CEH (Practical) Certified.
  5. Common terminologies which we will be using in this session. Vulnerability: a weakness in hardware or software that can be exploited. Threat: anything that could exploit a vulnerability. Risk: the probability of a negative event occurring. Sensitive info: usernames, passwords, secret keys, secrets, config files. Service: services provided by a cloud service provider. Entities: attacker, victim, organization, service provider. Events, incidents and logs. IT infrastructure: servers, storage and networking capabilities.
  6. Cybersecurity. Cybersecurity is the practice of deploying people, processes, and technologies to protect organizations, their critical systems, and sensitive information from cyber attacks. These cyber-attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. We have two teams in cybersecurity: Red Team and Blue Team. Red Team: identifies, attacks, and exploits potential weaknesses within the organization's cyber defense. Blue Team: is on the defensive side, i.e. they defend against the cyber attack.
  7. HOW IS SECURITY IMPLEMENTED IN COMPANIES? Implementing security policy, procedures, and awareness. Implementing security controls. Implementing a successful backup strategy.
  8. Implementing Security Controls: Access controls. Honeypots. Encryption - symmetric and asymmetric. IDS/IPS: Intrusion Detection System / Intrusion Prevention System. IPsec: an Internet Engineering Task Force (IETF) standard suite of protocols between two communication points across the IP network that provides data authentication, integrity, and confidentiality. Secure Shell. Packet filters.
  9. Implementing Security Policy, Procedures, and Awareness. A security policy addresses issues such as: logging and monitoring of network traffic (enabling logs for firewalls etc.; AWS Firewall Manager); securing sensitive information (IAM policies or bucket policies); proper usage policies for employees working on and using company infrastructure.
  10. Security Procedures: the Incident Response Team should have SOPs for responding to different types of attacks. SOPs include the procedures and techniques that should be followed while responding to an incident. If a cyber-attack occurs, specific procedures need to be followed. Security Awareness: creating awareness and training programs. Global certifications.
  11. Implementing Backup Strategy. For the backup to be successful, it should have: real-time offsite backup; unlimited space; availability of data; security; scheduled backup.
  12. AWS Shared Responsibility Model
  13. Infrastructure Protection. AWS Shield Standard: free service; protects from Layer 3 attacks; protects from SYN floods (DDoS attacks). AWS Shield Advanced: optional DDoS mitigation service; 24/7 access to the AWS DDoS response team. AWS Web Application Firewall (WAF): protects from web app attacks; monitors HTTP and HTTPS requests and blocks malicious requests; protects from SQL injection and cross-site scripting; pre-configured rule groups for OWASP Top 10, CVEs, IP reputation list, anonymous IP list, etc.
  14. What is a security incident? Event: any observable occurrence in your IT infrastructure (a file created on a system; a user logged in to the system; a system shut down). Incident: an event that negatively affects IT systems and impacts the business (system out of memory/disk; power/hardware failure; host/network unreachable). Security Incident: an incident that potentially jeopardizes the CIA triad of an information system (malware installed on a system; unauthorized access to a system; a software vulnerability exploited).
  15. Amazon GuardDuty. Amazon GuardDuty is a threat detection service that uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential security incidents. Use cases: improves security operations visibility; assists in investigations and automated remediations; detects and mitigates threats in container environments; malware identification.
  16. Amazon GuardDuty - Data Sources: Amazon VPC Flow Logs, DNS logs, CloudTrail events, EKS control plane logs. VPC Flow Logs capture information about IP traffic flowing in and out of your VPC; they provide visibility into network traffic at the network interface level within your VPC. DNS logs are based on the queries made from Amazon EC2 instances to any domains. AWS CloudTrail is a service that captures and logs API calls made through the AWS Management Console or AWS SDK. EKS control plane logs are the logs generated by the Kubernetes control-plane components running in your EKS cluster.
  17. Findings in Amazon GuardDuty: AWS Identity and Access Management (IAM); Amazon Elastic Compute Cloud (Amazon EC2); Amazon Simple Storage Service (Amazon S3).
  18. How does GuardDuty learn about the AWS environment? Network activity, data access patterns, API calls, account usage. It uses a machine learning model to determine whether new activity is considered normal or abnormal, and generates findings for EC2, IAM, and S3.
  19. Features of Amazon GuardDuty. 1) Account-level threat detection: Amazon GuardDuty gives you accurate threat detection of compromised accounts, such as AWS resource access from an unusual geo-location at an atypical time of day. For programmatic AWS accounts, GuardDuty checks for unusual application programming interface (API) calls, such as attempts to obscure account activity by disabling CloudTrail logging or taking snapshots of a database from a malicious IP address.
  20. Features of Amazon GuardDuty. 2) Easy usage: with one action in the AWS Management Console or a single API call, you can activate Amazon GuardDuty on a single account. Once turned on, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real-time and at scale. It is a managed service.
  21. Features of Amazon GuardDuty. 3) No additional software is required: Amazon GuardDuty continuously monitors and analyzes your AWS account and workload event data found in AWS CloudTrail, VPC Flow Logs, EKS audit and system logs, and DNS logs. There is no additional security software or infrastructure to deploy and maintain. Threat intelligence is pre-integrated into the service and is continuously updated and maintained.
  22. Backdoor:EC2/C&CActivity (diagram: Botnet / C&C Server <-> Amazon EC2 Instance). An EC2 instance is interacting with a botnet command and control server. This means your instance is compromised. Bots are malicious agents used for stealing data or launching DDoS attacks. Default severity: HIGH.
  23. Behavior:EC2/TrafficVolumeUnusual (diagram: Remote Host <-> Amazon EC2 Instance). An EC2 instance is generating unusually large amounts of network traffic to a remote host. This deviates from the established baseline: there is no prior history of sending this much traffic to the remote host. Default severity: MEDIUM.
  24. CryptoCurrency:EC2/BitcoinTool (diagram: Bitcoin Server <-> Amazon EC2 Instance). An EC2 instance is interacting with an IP address associated with cryptocurrency activity. Hackers use compromised resources for bitcoin mining. Requires investigation; if it is a valid use case, set up a suppression rule. Default severity: HIGH.
  25. Discovery:S3/MaliciousIPCaller (diagram: Malicious IP <-> Amazon S3 Bucket). An S3 API used to discover resources was invoked from a known malicious IP address. The attacker is gathering information about your environment. Default severity: HIGH.
  26. PenTest:S3/KaliLinux (diagram: Kali Linux <-> Amazon S3 Bucket). An S3 API was invoked from Kali Linux using your AWS credentials. It is possible that your credentials are compromised. Investigate. Default severity: MEDIUM.
  27. Impact:IAMUser/AnomalousBehavior (diagram: AWS Environment). An attacker tries to disrupt operations and manipulate, interrupt, or destroy data in your account, through activities like deleting security groups etc. Detected by an anomaly detection machine learning (ML) model. Factors considered: user, location, specific API. Default severity: HIGH.
  28. Amazon Inspector. Automated security assessments. Maintains a vulnerability database. Only for EC2 instances and container infrastructure. Reduces mean time to resolve (MTTR) vulnerabilities with automation. Vulnerability management with a fully managed and highly scalable service.
  29. Features of Amazon Inspector. 1) Integration with other services like AWS Security Hub and Amazon EventBridge to automate the security workflow. Inspector findings can be automatically sent to AWS Security Hub, which acts as a centralized hub for security-related findings and insights across your AWS environment. Security Hub provides a comprehensive view of your overall security posture. For example, you can configure Security Hub to trigger an automated response when critical or high-risk findings are detected. This automation can include actions like sending notifications, generating tickets, or triggering remediation processes.
  30. Features of Amazon Inspector. 2) Automated vulnerability assessment. Software package vulnerability findings identify software in your AWS workloads that is exposed to Common Vulnerabilities and Exposures (CVEs). Network reachability findings reveal that there are accessible network paths to your Amazon EC2 instances within your environment. These findings bring attention to network configurations that may be excessively permissive, such as poorly managed security groups, access control lists, or internet gateways, which could potentially allow unauthorized access or malicious activity.
  31. Features of Amazon Inspector. 3) Vulnerability scores. Amazon Inspector assigns a risk score, ranging from 0.0 to 10.0, indicating the potential impact and risk a finding poses to your environment. Findings are categorized into severity levels by score. Critical: 9.0-10.0 signifies critical risk. High: 7.0-8.9 signifies high risk. Medium: 4.0-6.9 signifies moderate risk. Low: 0.1-3.9 signifies low risk. Informational: 0.0 signifies an informational finding.
  32. Features of Amazon Inspector. 4) Vulnerability database research: using this feature, we can search whether Amazon Inspector covers a particular CVE in its scans or not. It gives you data from the National Vulnerability Database, the CVSS score, and the EPSS score. 5) Suppression rules: a suppression rule is a predefined set of filter criteria that excludes findings matching those criteria from your active findings list. Suppression rules are particularly useful for eliminating low-value findings or findings that are irrelevant to your specific environment.
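As an added illustration (not code from the slides or from AWS), the following Python triages constructed GuardDuty-style findings like those on slides 22-27 together with Inspector-style findings: it applies suppression rules of the kind slides 24 and 32 describe, then orders what remains using the slide 31 severity bands. The finding dictionary shape, the instance ids and the rule format are assumptions for illustration, not the services' real API shapes.

```python
# Added example, not from the slides or AWS; finding shape, ids and rule format are assumed.
from typing import Any

def severity_label(score: float) -> str:
    """Inspector slide bands (0.0-10.0); GuardDuty's Medium/High cut-offs (4.0, 7.0) match."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "INFORMATIONAL"

def _get(finding: dict, dotted: str) -> Any:
    """Follow a dotted path such as 'resource.instanceId' into a nested finding."""
    cur: Any = finding
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def is_suppressed(finding: dict, rules: list[dict]) -> bool:
    """Suppressed only if every criterion of some rule matches (type AND resource, not type alone)."""
    return any(all(_get(finding, k) == v for k, v in r.items()) for r in rules)

def triage(findings: list[dict], rules: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split findings into (active, suppressed); active is ordered highest severity first."""
    active, suppressed = [], []
    for f in findings:
        (suppressed if is_suppressed(f, rules) else active).append(f)
    active.sort(key=lambda f: f["severity"], reverse=True)  # stable: ties keep input order
    return active, suppressed

def make_finding(source: str, ftype: str, severity: float, instance: str) -> dict:
    return {"source": source, "type": ftype, "severity": severity,
            "resource": {"instanceId": instance}}

FINDINGS = [  # constructed sample data; instance ids are placeholders
    make_finding("guardduty", "Backdoor:EC2/C&CActivity", 8.0, "i-0constructed01"),
    make_finding("guardduty", "CryptoCurrency:EC2/BitcoinTool", 8.0, "i-0constructed02"),  # approved lab miner
    make_finding("guardduty", "CryptoCurrency:EC2/BitcoinTool", 8.0, "i-0constructed03"),
    make_finding("inspector", "PACKAGE_VULNERABILITY", 5.5, "i-0constructed03"),
    make_finding("inspector", "NETWORK_REACHABILITY", 3.0, "i-0constructed01"),
]
# Suppress BitcoinTool only on the one host where mining is a valid use case (slide 24).
RULES = [{"type": "CryptoCurrency:EC2/BitcoinTool", "resource.instanceId": "i-0constructed02"}]
```

Calling `triage(FINDINGS, RULES)` keeps the C&C finding and the BitcoinTool finding on the unapproved host at the top as HIGH, and suppresses only the approved host's BitcoinTool finding, so the rule cannot mask a real miner elsewhere.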
  33. Incident Response. Aurangabad (Chh. Sambhajinagar) 2023
  34. Incident response refers to an organization's processes and technologies for detecting and responding to cyber threats, security breaches and cyberattacks. The goal of incident response: to prevent cyberattacks.
  35. Aurangabad (Chh. Sambhajinagar) 2023
  36. Preparation: define the vision, mission, and scope of incident response. Obtain management approval and funding. Assess the organizational structure and security policies, and develop an incident response plan. Develop procedures and build the IR team. Prioritize assets and infrastructure.
  37. Detection and Analysis: incident recording; incident triage; incident analysis; incident classification; incident prioritization.
  38. Containment: disabling the compromised service or system; changing passwords or disabling accounts; gathering of evidence; forensic analysis of evidence.
  39. Eradication and Recovery: eradication of the root cause of the incident. Implement protection tools and techniques such as firewalls etc. System recovery after the eradication of the incident.
  40. AWS Security Best Practices Checklist. By: Bour Abdelhadi, Security Engineer, Amazon
  41. High Level Overview
  42. Aurangabad (Chh. Sambhajinagar) 2023. Let's Connect: https://www.linkedin.com/in/sankalp-s-paranjpe/ https://twitter.com/SankalpParanjpe Thank you!