The History of tsundere GuardDuty who can do or do not detect and me who keep attacking 攻撃し続けた僕と検知したりしなかったりする ツンデレの君(GuardDuty)の歴史 #jawsug #jawspankration2021 #jawspankration Usuda Keisuke / うすだけいすけ 1

2 Who am I? / ⾃⼰紹介 Usuda Keisuke / ⾅⽥佳祐 ・Classmethod, Inc. AWS BU Consulting Div. Senior Solution Architect Security Team Leader AWS Authorized Instructor ・Security-JAWS Member ・My favorite AWS Service: Amazon GuardDuty

3 Story It was a sudden encounter. 出会いは突然だった

4 In re:Invent 2017

5 Introduction / 概要 What a wonderful feature! I fell in love with her at first sight. 素敵なセキュリティ機能 僕は彼⼥を⾒てひと⽬で恋 に落ちた

6 However, She (GuardDuty) is Tsundere! しかし彼⼥はツンデレだった

7 About Tsundere? / ツンデレとは Tsundere is a Japanese term for a character development process that depicts a character with a personality who is initially cold, stern, stoic, harsh, temperamental, hotheaded (and sometimes even hostile) before gradually showing a warmer, friendlier side over time. The word is derived from the terms tsun tsun (ツンツン) ('to turn away in disgust or anger') and dere dere (デレデレ) ('to become affectionate'). (by Wikipedia)

8 About Tsundere? / ツンデレとは Originally found in Japanese bishōjo games, the word is now part of the otaku moe phenomenon, reaching into other media such as maid cafés, anime, manga, novels, and mass media. The term was made popular in the visual novel Kimi ga Nozomu Eien(Rumbling Hearts). (by Wikipedia)

9 At the time of release / リリース当時 When I first met her, she was very aggressive. (Tsun Tsun) A lot of Alerts! (´・ω・｀) 最初はとにかく攻撃的(ツンツン) アラート沢⼭出してくる(´・ω・｀)

10 Jealous / モテモテな彼⼥ On the other hand, she was severely attacked by various countries. She was being pampered. その頃の彼⼥は⾊んな国からの攻撃を 検知していました

11 Update in May, 2018 / 2018年5⽉のアップデート Automatic archiving was possible. She became “Dere Dere” (affectionate). ⾃動アーカイブが出来るようになった アラートがなくなり、デレた

12 In re:Invent 2018 I attended the event secretly without telling her. But she immediately detected that I was in Las Vegas by “UnauthorizedAccess”. 僕は彼⼥に内緒でre:Inventに⾏った しかし彼⼥は僕がラスベガスにいること をUnauthorizedAccessで検知した

13 She was also Yandere! 彼⼥はヤンデレでもあったのです

14 Evidence / エビデンス

15 Meanwhile… / ⼀⽅その頃

16 Update in May, 2019 / 2019年5⽉のアップデート She was then able to detect privilege escalation. It was slightly unstable, but it was a good feature. IAMの権限昇格を検知できるように 僕の攻撃に対して少し不器⽤だけどちゃ んと検知してくれた

17 Detect Privilege Escalation / 権限昇格の検知 When an attack fails, she was detected “Persistence” instead of “Privilege Escalation ”↓ ↓ ↓ ↑ ↑ ↑ When an attack succeeds, she correctly detected “Privilege Escalation ”.

18 Update in Feb, 2020 / 2020年2⽉のアップデート She began to detect more advanced attacks. She was then able to detect DNS rebinding. DNS Rebindingを検知できるように ⾮常に⾼度なテクニックを検知しました

19 UnauthorizedAccess:EC2/MetaDataDNSRebind

20 Update in Apr, 2020 / 2020年4⽉のアップデート AWS Chatbot was GA. Notification to Slack became very neat and clean. AWS Chatbotが正式リリース GuardDutyの通知がリッチに

21 In Jun, 2020 / 2020年6⽉ I wrote a script for her. It was a script to easily generate privilege escalation. 私は簡単にGuardDutyをテストするため 権限昇格を発⽣させるスクリプトを書き ました

22 I feel close to her.

23 Happiness never lasts.

24 Archived Finding Types. 18 Types

25 Can I complete her route? She hasn't completely been “Dere Dere” (affectionate) to me yet. Can I complete her route and will be happy ending? まだまだデレデレまでは遠い 彼⼥のルートを攻略してハッピーエンド になる⽇は来るのか︖

26 To Be Continued.