
Null Pune Meetup June 2023- Leveraging Amazon GuardDuty and Inspector for Securing workloads in AWS Cloud

Sankalp Sandeep Paranjpe

July 11, 2023

Transcript

  1. Agenda

     - The very basics
     - Shared Responsibility Model
     - Amazon GuardDuty
     - Amazon Inspector
     - Integration of services for security
     - Hands-on
  2. What is a security incident?

     Event: any observable occurrence in your IT infrastructure.
     - A file is created on a system
     - A user logs in to a system
     - A system shuts down

     Incident: an event that negatively affects IT systems and impacts the business.
     - System out of memory or disk
     - Power or hardware failure
     - Host or network unreachable

     Security incident: an event that potentially jeopardizes the CIA triad (confidentiality, integrity, availability) of an information system.
     - Malware installed on a system
     - Unauthorized access to a system
     - A software vulnerability is exploited
  3. Amazon GuardDuty

     Amazon GuardDuty is a threat detection service that uses machine learning, anomaly detection and integrated threat intelligence to identify and prioritize potential security incidents.

     Use cases:
     - Improves security operations visibility
     - Assists in investigations and automated remediation
     - Detects threats in container environments (Amazon EKS)
     - Malware identification
  4. Amazon GuardDuty - Data Sources

     - Amazon VPC Flow Logs: capture information about the IP traffic going to and from network interfaces in your VPC, giving visibility into network traffic at the interface level.
     - DNS logs: the DNS queries made by your EC2 instances. GuardDuty only sees queries that go through the Amazon Route 53 resolver; instances configured to use a third-party DNS resolver are not covered by this source.
     - AWS CloudTrail events: CloudTrail records the API calls made in your account, whether they come from the AWS Management Console, the SDKs or the CLI.
     - EKS control-plane (audit) logs: the logs generated by the Kubernetes control-plane components of your EKS cluster.

     GuardDuty consumes these sources through its own independent streams; you do not have to enable VPC Flow Logs, DNS query logging or a CloudTrail trail yourself for GuardDuty to use them.
  5. How does GuardDuty learn about the AWS environment?

     It observes network activity, data access patterns, API calls and account usage, and uses a machine learning model to decide whether new activity is normal or abnormal for that account. Findings are generated for EC2, IAM and S3 resources.
  6. Features of Amazon GuardDuty - 1) Account-level threat detection

     GuardDuty gives you accurate detection of compromised accounts, such as AWS resource access from an unusual geo-location at an atypical time of day. For programmatic access, GuardDuty checks for unusual API calls, such as attempts to obscure account activity by disabling CloudTrail logging, or taking snapshots of a database from a known malicious IP address.
  7. Features of Amazon GuardDuty - 2) Easy usage

     With one action in the AWS Management Console or a single API call, you can enable GuardDuty for an account. Once enabled, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real time and at scale. It is a managed service.
  8. Features of Amazon GuardDuty - 3) No additional software required

     GuardDuty continuously monitors and analyzes your AWS account and workload event data from AWS CloudTrail, VPC Flow Logs, EKS audit logs and DNS logs. There is no security software or infrastructure to deploy and maintain. Threat intelligence is pre-integrated into the service and is continuously updated.
  9. Findings in Amazon GuardDuty

     Findings are raised against these resource types:
     - AWS Identity and Access Management (IAM)
     - Amazon Elastic Compute Cloud (Amazon EC2)
     - Amazon Simple Storage Service (Amazon S3)
  10. Backdoor:EC2/C&CActivity - High severity

     Diagram: Amazon EC2 instance <-> botnet C&C server

     Your EC2 instance is communicating with a known botnet command and control (C&C) server. Bots are agents that launch DDoS attacks and other malicious activity on the operator's command, so this finding means the instance is very likely compromised.
  11. Behavior:EC2/TrafficVolumeUnusual - Medium severity

     Diagram: Amazon EC2 instance -> remote host

     An EC2 instance is generating an unusually large amount of traffic to a remote host. The volume deviates from the established baseline: there is no prior history of this instance sending this much traffic to that host.
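Slides 4, 5 and 11 describe GuardDuty learning a per-interface baseline from VPC Flow Logs and flagging an instance that sends far more traffic to a remote host than it ever has. The toy baseline below is an added illustration of that idea, not GuardDuty's (proprietary) model and not code from the talk: it parses constructed default-format VPC Flow Log lines, sums egress bytes per (interface, remote host) over historical windows, and flags the current window when a peer has no history or exceeds the historical mean by a wide margin. The `k` and `min_bytes` thresholds, the `10.` "local" prefix and the sample log lines are assumptions.

```python
"""Toy egress-volume baseline from VPC Flow Log lines.

Constructed illustration of the idea behind Behavior:EC2/TrafficVolumeUnusual;
GuardDuty's real model is proprietary. The sample log lines are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Default VPC Flow Log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Parse default-format records; drop NODATA/SKIPDATA and REJECT rows."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue  # NODATA rows carry '-' fields; rejected flows moved no data
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def egress_by_peer(records, local_prefix="10."):
    """Bytes sent per (interface, remote host); local_prefix marks VPC addresses (assumption)."""
    totals = defaultdict(int)
    for r in records:
        if r["srcaddr"].startswith(local_prefix) and not r["dstaddr"].startswith(local_prefix):
            totals[(r["interface_id"], r["dstaddr"])] += r["bytes"]
    return dict(totals)


def build_baseline(windows):
    """windows: one egress_by_peer() dict per historical time window.
    Returns {(eni, peer): (mean_bytes, stddev_bytes)}; a window without the peer counts as 0."""
    keys = set().union(*windows) if windows else set()
    baseline = {}
    for key in keys:
        series = [w.get(key, 0) for w in windows]
        baseline[key] = (mean(series), pstdev(series))
    return baseline


def unusual_traffic(current, baseline, k=3.0, min_bytes=1_000_000):
    """Flag peers with no history, or volume > mean + k*stddev (stddev floored at 10% of mean)."""
    findings = []
    for key, total in current.items():
        if total < min_bytes:
            continue  # too small to matter; avoids noise from one-off lookups
        if key not in baseline:
            findings.append((key, total, "no prior history with this remote host"))
            continue
        mu, sigma = baseline[key]
        if total > mu + k * max(sigma, 0.1 * mu):
            findings.append((key, total, f"{total / mu:.1f}x the baseline mean"))
    return findings


def analyze(history_texts, current_text):
    """Build the baseline from the history windows, then score the current window."""
    windows = [egress_by_peer(parse_flow_log(t)) for t in history_texts]
    return unusual_traffic(egress_by_peer(parse_flow_log(current_text)), build_baseline(windows))


# Constructed sample data: three quiet historical windows, then a window in which the
# instance pushes 40 MB to a never-before-seen host on port 4444.
ENI = "eni-0a1b2c3d"
HISTORY = [
    f"2 123456789012 {ENI} 10.0.1.23 203.0.113.10 44321 443 6 100 50000 1686500000 1686500060 ACCEPT OK\n"
    f"2 123456789012 {ENI} 203.0.113.10 10.0.1.23 443 44321 6 80 40000 1686500000 1686500060 ACCEPT OK",
    f"2 123456789012 {ENI} 10.0.1.23 203.0.113.10 44325 443 6 100 52000 1686500600 1686500660 ACCEPT OK",
    f"2 123456789012 {ENI} 10.0.1.23 203.0.113.10 44330 443 6 100 48000 1686501200 1686501260 ACCEPT OK",
]
CURRENT_WINDOW = (
    f"2 123456789012 {ENI} 10.0.1.23 203.0.113.10 44340 443 6 100 51000 1686501800 1686501860 ACCEPT OK\n"
    f"2 123456789012 {ENI} 10.0.1.23 198.51.100.7 50123 4444 6 30000 40000000 1686501800 1686501860 ACCEPT OK\n"
    f"2 123456789012 {ENI} 10.0.1.23 198.51.100.9 50124 22 6 5 600 1686501800 1686501860 REJECT OK\n"
    f"2 123456789012 {ENI} - - - - - - - 1686501800 1686501860 - NODATA"
)

if __name__ == "__main__":
    for (eni, peer), total, why in analyze(HISTORY, CURRENT_WINDOW):
        print(f"{eni} -> {peer}: {total} bytes ({why})")
```

The inbound reply flow in the first history window is ignored because its source is not a VPC address, and the REJECT and NODATA rows are dropped before any byte counting; in a real pipeline the windows would be hourly or daily aggregates per interface rather than a handful of lines.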
  12. CryptoCurrency:EC2/BitcoinTool - High severity

     Diagram: Amazon EC2 instance -> Bitcoin server

     Your EC2 instance is communicating with an IP address associated with cryptocurrency activity. Attackers use compromised resources for coin mining, so this requires investigation. If the instance legitimately interacts with cryptocurrency networks, set up a suppression rule scoped to that instance (for example by instance ID or tag) rather than suppressing the finding type for the whole account.
  13. Discovery:S3/MaliciousIPCaller - High severity

     Diagram: malicious IP -> Amazon S3 bucket

     An S3 API commonly used to discover resources (for example listing buckets or objects) was invoked from a known malicious IP address. The caller is gathering information about your environment.
  14. PenTest:S3/KaliLinux - Medium severity

     Diagram: Kali Linux host -> Amazon S3 bucket

     An S3 API was invoked from a machine running Kali Linux using your AWS credentials. Unless this is an authorized penetration test, your credentials may be compromised.
  15. Impact:IAMUser/AnomalousBehavior - High severity

     Diagram: anomaly detection and machine learning model -> AWS environment

     An attacker is trying to disrupt operations and manipulate, interrupt or destroy data in your account, through activities such as deleting security groups. The finding comes from GuardDuty's anomaly detection and machine learning model comparing the API activity with the principal's established baseline.
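Slides 9 to 15 list findings by type and severity, and slide 12 recommends a suppression rule for a legitimate use case. The following added example (not GuardDuty's code and not from the talk) shows how a triage step can consume GuardDuty finding JSON: it bands the numeric severity the way the console does, applies a suppression rule scoped to one tagged instance rather than to the whole finding type, and picks a response from severity and resource type. The finding dicts are trimmed, constructed versions of the real finding shape; the condition names `Equals`, `NotEquals` and `GreaterThanOrEqual` mirror GuardDuty filter criteria, but the matcher, the playbook actions and the sample findings are assumptions.

```python
"""Triage GuardDuty findings and apply suppression rules locally.

Constructed illustration: finding objects mimic trimmed GuardDuty finding JSON
(as exported to EventBridge/S3). Condition names mirror GuardDuty filter
criteria; the matcher, actions and sample findings are assumptions.
"""

# GuardDuty reports severity as a number; the console labels it by band
# (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9; a Critical band above 9.0 is newer than the talk).
SEVERITY_BANDS = [(1.0, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical")]


def severity_label(score):
    label = "Unknown"
    for floor, name in SEVERITY_BANDS:
        if score >= floor:
            label = name
    return label


def resolve(obj, path):
    """All values at a dotted path. Lists met along the way are flattened, so
    'resource.instanceDetails.tags.value' yields the value of every tag."""
    values = [obj]
    for part in path.split("."):
        nxt = []
        for v in values:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        values = nxt
    flat = []
    for v in values:
        flat.extend(v if isinstance(v, list) else [v])
    return flat


def matches(finding, criterion):
    """criterion: {path: {"Equals": [...]} / {"NotEquals": [...]} / {"GreaterThanOrEqual": n}}.
    Every path must satisfy all of its conditions (AND semantics, as in a GuardDuty filter)."""
    for path, conds in criterion.items():
        vals = resolve(finding, path)
        if "Equals" in conds and not any(v in conds["Equals"] for v in vals):
            return False
        if "NotEquals" in conds and any(v in conds["NotEquals"] for v in vals):
            return False
        if "GreaterThanOrEqual" in conds and not any(
                isinstance(v, (int, float)) and v >= conds["GreaterThanOrEqual"] for v in vals):
            return False
    return True


def triage(finding, suppression_rules):
    """ARCHIVE if a suppression rule matches; otherwise pick an action from
    severity and resource type (assumed playbook)."""
    label = severity_label(finding["severity"])
    for rule in suppression_rules:
        if matches(finding, rule["criterion"]):
            return {"id": finding["id"], "type": finding["type"], "severity": label,
                    "action": "ARCHIVE", "rule": rule["name"]}
    rtype = finding["resource"]["resourceType"]
    if label in ("High", "Critical") and rtype == "Instance":
        action = "ISOLATE_INSTANCE_AND_PAGE"  # quarantine SG, snapshot volumes for forensics
    elif label in ("High", "Critical"):
        action = "PAGE_ONCALL"                # e.g. compromised credentials: rotate keys
    elif label == "Medium":
        action = "OPEN_TICKET"
    else:
        action = "LOG_ONLY"
    return {"id": finding["id"], "type": finding["type"], "severity": label,
            "action": action, "rule": None}


def triage_all(findings, suppression_rules):
    return [triage(f, suppression_rules) for f in findings]


def ec2_finding(fid, ftype, severity, instance_id, tags):
    """Build a trimmed EC2 finding (constructed helper)."""
    return {"id": fid, "type": ftype, "severity": severity,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": instance_id,
                                             "tags": [{"key": k, "value": v} for k, v in tags.items()]}}}


# Suppress BitcoinTool findings only for instances tagged as approved research, not the type.
SUPPRESSION_RULES = [
    {"name": "approved-mining-research",
     "criterion": {"type": {"Equals": ["CryptoCurrency:EC2/BitcoinTool.B"]},
                   "resource.instanceDetails.tags.value": {"Equals": ["mining-research"]},
                   "severity": {"GreaterThanOrEqual": 1.0}}},
]

SAMPLE_FINDINGS = [  # constructed; ids are placeholders
    ec2_finding("f-001", "Backdoor:EC2/C&CActivity.B", 8.0, "i-0aaa", {"env": "prod"}),
    ec2_finding("f-002", "CryptoCurrency:EC2/BitcoinTool.B", 8.0, "i-0bbb", {"purpose": "mining-research"}),
    ec2_finding("f-003", "CryptoCurrency:EC2/BitcoinTool.B", 8.0, "i-0ccc", {"env": "prod"}),
    ec2_finding("f-004", "Behavior:EC2/TrafficVolumeUnusual", 5.0, "i-0aaa", {"env": "prod"}),
    {"id": "f-005", "type": "PenTest:S3/KaliLinux", "severity": 5.0,
     "resource": {"resourceType": "AccessKey", "accessKeyDetails": {"userName": "deploy-bot"}}},
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_FINDINGS, SUPPRESSION_RULES):
        print(r)
```

The point of the rule is scoping: f-002 is archived because it carries the research tag, while f-003, the same finding type on a production instance, still triggers isolation. The current finding-type names carry a `.B` suffix (for example `CryptoCurrency:EC2/BitcoinTool.B`), so a rule written against the bare name from the slide would never match.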
  16. Amazon Inspector

     - Automated security assessments
     - Maintains its own vulnerability database
     - Scans EC2 instances and container images in Amazon ECR (AWS Lambda function scanning was added in late 2022, so "EC2 and containers only" is no longer strictly true)
     - Reduces mean time to resolve (MTTR) vulnerabilities with automation
     - Vulnerability management as a fully managed and highly scalable service
  17. Features of Amazon Inspector - 1) Integration with other services

     Inspector integrates with AWS Security Hub and Amazon EventBridge to automate security workflows. Inspector findings are sent automatically to Security Hub, which acts as a centralized hub for security findings across your AWS environment and gives a comprehensive view of your overall security posture. Inspector also emits each finding as an EventBridge event, so an EventBridge rule that matches critical or high-severity findings can trigger an automated response: sending notifications, generating tickets, or starting a remediation process.
  18. Features of Amazon Inspector - 2) Automated vulnerability assessment

     Software package vulnerability findings identify packages in your AWS workloads that are exposed to Common Vulnerabilities and Exposures (CVEs). Network reachability findings reveal network paths that make your EC2 instances reachable, drawing attention to configurations that may be excessively permissive, such as poorly managed security groups, network ACLs or internet gateways, which could allow unauthorized access or malicious activity.
  19. Features of Amazon Inspector - 3) Vulnerability scores

     Inspector assigns each finding a risk score from 0.0 to 10.0 (the Inspector score, derived from the CVSS base score and adjusted for context such as network reachability and exploit availability), indicating the potential impact and risk it poses to your environment. Findings are bucketed by severity:
     - Critical: 9.0-10.0
     - High: 7.0-8.9
     - Medium: 4.0-6.9
     - Low: 0.1-3.9
     - Informational: 0.0
  20. Features of Amazon Inspector - 4) Vulnerability database search, 5) Suppression rules

     Vulnerability database search: use this feature to check whether Inspector covers a particular CVE in its scans. It returns data from the National Vulnerability Database (NVD), the CVSS score and the EPSS score for the CVE.

     Suppression rules: a suppression rule is a predefined set of filter criteria; findings that match the criteria are excluded from your active findings list. Suppression rules are useful for hiding low-value findings or findings that are not relevant to your environment. Suppressed findings are still generated and remain visible when you filter on the suppressed state, so nothing is lost.
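Slides 17 to 20 give the ingredients for deciding what to fix first: the Inspector score and its severity bands, network reachability findings, and the CVSS and EPSS data Inspector exposes per CVE. The ranking below is an added example of combining them, not Inspector's own prioritisation and not code from the talk. The finding dicts mimic trimmed Inspector2 Finding objects as delivered to EventBridge (detail-type "Inspector2 Finding"); the field names `inspectorScore`, `exploitAvailable`, `fixAvailable`, `packageVulnerabilityDetails` and `networkReachabilityDetails` follow the Inspector2 API, while the `epss` field, the `componentType` strings in the network path, the scoring weights and the sample findings (with placeholder CVE ids) are assumptions.

```python
"""Rank Amazon Inspector findings for remediation order.

Constructed illustration (not Inspector's own ranking, not code from the talk).
Field names follow the Inspector2 Finding API where noted in the lead-in;
epss, the network-path componentType strings, weights and samples are assumed.
"""


def severity_from_score(score):
    """Inspector severity bands: 9.0-10.0 Critical, 7.0-8.9 High, 4.0-6.9 Medium,
    0.1-3.9 Low, 0.0 Informational (Inspector scores have one decimal)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "INFORMATIONAL"


def internet_reachable(findings):
    """resource id -> open port ranges exposed via an internet gateway, from
    NETWORK_REACHABILITY findings whose path contains an INTERNET_GATEWAY step."""
    exposed = {}
    for f in findings:
        if f["type"] != "NETWORK_REACHABILITY":
            continue
        d = f["networkReachabilityDetails"]
        steps = d.get("networkPath", {}).get("steps", [])
        if any(s.get("componentType") == "INTERNET_GATEWAY" for s in steps):
            rid = f["resources"][0]["id"]
            pr = d["openPortRange"]
            exposed.setdefault(rid, []).append((pr["begin"], pr["end"], d["protocol"]))
    return exposed


def network_attack_vector(pv):
    """True if any CVSS vector on the package vulnerability has AV:N (network)."""
    return any("AV:N" in c.get("scoringVector", "") for c in pv.get("cvss", []))


def priority(finding, exposed):
    """Higher = fix first. Weights are an assumption chosen so that an internet-reachable,
    remotely exploitable, actively exploited flaw outranks an equally 'critical' internal one."""
    pv = finding["packageVulnerabilityDetails"]
    rid = finding["resources"][0]["id"]
    weight = finding["inspectorScore"]
    if finding.get("exploitAvailable") == "YES":
        weight += 2.0
    weight += 3.0 * finding.get("epss", {}).get("score", 0.0)  # EPSS: P(exploited within 30 days)
    if rid in exposed and network_attack_vector(pv):
        weight += 3.0
    if finding.get("fixAvailable") == "NO":
        weight -= 1.0  # no patch yet: mitigate (WAF, security group) but don't crowd out fixable items
    return round(weight, 2)


def rank(findings):
    """Return (cve, resource, severity, priority) for package findings, most urgent first."""
    exposed = internet_reachable(findings)
    pkg = [f for f in findings if f["type"] == "PACKAGE_VULNERABILITY"]
    pkg.sort(key=lambda f: priority(f, exposed), reverse=True)
    return [(f["packageVulnerabilityDetails"]["vulnerabilityId"], f["resources"][0]["id"],
             severity_from_score(f["inspectorScore"]), priority(f, exposed)) for f in pkg]


def pkg_vuln(cve, rid, score, vector, exploit, epss, fix="YES"):
    """Build a trimmed package-vulnerability finding (constructed helper)."""
    return {"type": "PACKAGE_VULNERABILITY", "inspectorScore": score,
            "exploitAvailable": exploit, "fixAvailable": fix, "epss": {"score": epss},
            "resources": [{"type": "AWS_EC2_INSTANCE", "id": rid}],
            "packageVulnerabilityDetails": {"vulnerabilityId": cve, "source": "NVD",
                                            "cvss": [{"version": "3.1", "scoringVector": vector}]}}


SAMPLE_FINDINGS = [  # constructed; CVE ids are placeholders, not real CVEs
    pkg_vuln("CVE-0000-0001", "i-0web", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "YES", 0.90),
    pkg_vuln("CVE-0000-0002", "i-0db", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "NO", 0.05),
    pkg_vuln("CVE-0000-0003", "i-0web", 7.5, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "YES", 0.30),
    pkg_vuln("CVE-0000-0004", "i-0web", 5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "NO", 0.02, fix="NO"),
    {"type": "NETWORK_REACHABILITY", "inspectorScore": 0.0,
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0web"}],
     "networkReachabilityDetails": {"protocol": "TCP", "openPortRange": {"begin": 443, "end": 443},
                                    "networkPath": {"steps": [{"componentType": "INTERNET_GATEWAY"},
                                                              {"componentType": "SECURITY_GROUP"},
                                                              {"componentType": "NETWORK_INTERFACE"}]}}},
]

if __name__ == "__main__":
    for row in rank(SAMPLE_FINDINGS):
        print(row)
```

The two 9.8-scored CVEs end up far apart: the one on the internet-facing web instance with a public exploit and a high EPSS ranks first, while the identical CVE on the unreachable database host drops below a local-only high-severity flaw that already has an exploit. Inspector's own score already folds reachability in, so in practice the weights would be tuned against what the score has not captured, such as the EPSS value and whether a fix exists.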
  22. Other security services - Infrastructure protection

     AWS Shield Standard
     - Free service, enabled for all AWS customers
     - Protects against Layer 3 and Layer 4 attacks such as SYN and UDP floods (DDoS)

     AWS Shield Advanced
     - Optional paid DDoS mitigation service
     - 24/7 access to the AWS Shield Response Team (SRT, formerly called the DDoS Response Team)

     AWS Web Application Firewall (WAF)
     - Protects against web application attacks
     - Inspects HTTP and HTTPS requests and blocks malicious ones
     - Protects against SQL injection and cross-site scripting
     - Managed rule groups for the OWASP Top 10 (core rule set), known bad inputs and CVEs, IP reputation lists, anonymous IP lists, etc.