SecurityBoat SB Meetup Pune - November 2022

Transcript

1. AWS - Security - Incident Response By- Sankalp Sandeep Paranjpe

2. Whoami Sankalp Sandeep Paranjpe A third year undergraduate student pursuing

   B.Tech. in CSE with specialization in Networks and Security Application and Cloud Security Enthusiast, a bug bounty hunter EC Council Certified CEH-Practical (Passed) EC Council Certified SOC Analyst (In Progress)

3. Contents ◈ Cloud Computing ◈ AWS and its services ◈

   The Shared Responsibility Model in AWS ◈ AWS Security, identity, and Compliance Services ◈ AWS Incident Response ◈ Use Cases ◈ AWS Security – Best Practices

4. Disadvantages of On-Premises Data Center •Higher Costs •Requires Extra IT

   Support •Limited Scalability •24x7 Monitoring •Less Accessibility •Risk of Data loss •No Disaster Recovery •No regular Data Backup

5. Cloud Computing

6. Benefits of Cloud Computing ◈ On Demand Service ◈ Pay-as-you

   go ◈ Data Security ◈ Availability ◈ Accessibility ◈ High Speed – Quick Deployment ◈ Efficiency and Cost Reduction ◈ Scalability ◈ Disaster recovery

7. Cloud Service Providers

8. Cloud Service Models - Comparison

9. Examples of Cloud Computing Types ◈ Infrastructure as a Service

   AWS – EC2 ◈ Platform as a Service AWS – Elastic Beanstalk Google App Engine ◈ Software as a Service AWS – Rekognition

10. Amazon Web Services

11. Why AWS?

12. AWS Global Infrastructure A region is a cluster of data

    centers. Each region can have many Availability Zones. Separated from each other. Connected with high bandwidth, ultra-low latency networking. 29 Regions. 93 Availability Zones. 410+ Points of Presence.

13. Hands-On AWS Services

14. None

15. Elastic Cloud Compute - IaaS Elastic Capacity Elastic resource config/re-config.

    Elastic num of instances. Storing your data on Elastic Block Store Reliable Multiple locations Elastic IP Secure Firewall Config Virtual Private Cloud Performance Scaling the services using Auto Scaling group

16. The Shared Responsibility Model In AWS

17. None

18. Infrastructure Protection ◈ AWS Shield Standard Free Service – Protects

    from Layer 3,4 Attacks Protects from SYN/UDP Floods – DDoS attacks ◈ AWS Shield Advanced Optional DDOS mitigation service 24/7 access to AWS DDoS response team ◈ AWS Web Application Firewall – WAF Protects from web app attacks Monitors HTTP, and HTTPS requests and block malicious requests. Protect from SQL Injection and Cross-site scripting Pre-configured rule groups for OWASP top 10, CVE, IP reputation List, Anonymous list etc.

19. AWS GuardDuty

20. GuardDuty learns about AWS environment ◈ Network Activity ◈ Data

    Access Patterns ◈ API Calls ◈ Account Usage ◈ Uses Machine Learning Model, to determine if the new activity is considered normal or abnormal ◈ Generates findings for EC2, IAM, and S3.

21. How it works? • CloudTrail Event Logs – Unusual API

    calls. • VPC Flow logs – unusual internal traffic, unusual IP Address. • DNS Logs – Compromised EC2 Instances.

22. GuardDuty Findings ◈ Backdoor: EC2/C&Cactivity ◈ EC2 instance is communicating

    with the botnet command and control server ◈ Implies that the instance is compromised ◈ Cryptocurrency: EC2/BitcoinTool ◈ EC2 instance interacting with an IP Address associated with cryptocurrency activity ◈ Bitcoin Mining ◈ If the use-case is valid setup suppression rule. ◈ Discover: S3/MaliciousIPCaller S3 API to read or copy objects was invoked from a known Malicious IP address ◈ PenTest: S3/KaliLinux S3 API was invoked from kali Linux from your AWS Credentials.

23. What can GuardDuty detect?

24. AWS GuardDuty Hands-On

25. AWS Inspector ◈ Automated Security Assessments. ◈ Maintains Vulnerability Database.

    ◈ Only for EC2 Instances and container infrastructure. ◈ Reduce mean time to resolve (MTTR) vulnerabilities with automation. ◈ Vulnerability management with a fully managed and highly scalable service.

26. AWS Inspector

27. AWS CloudTrail

28. AWS Security Hub

29. Incident Response ◈ Incident response refers to an organization’s processes

    and technologies for detecting and responding to – cyber threats, security breaches cyberattacks. ◈ Goal of Incident Response: To prevent cyberattacks
30. None
31. None

32. Incident Response Phases 1. Preparation 2. Detection and Analysis 3.

    Containment 4. Eradication 5. Recovery 6. Post-Event Activity

33. Flow of Events

34. Correlating security findings of Security Hub and Event Bridge

35. Use Case- Exposed keys i) Determine the access associated with

    those keys ii) Invalidating the credentials iii) Invalidating any temporary credentials issued with the exposed keys iv) Restore the access with new credentials v) Review your AWS account

36. Use Case- Compromised EC2 Instance There are certain recommended steps

    in such a scenario: i) Lock the instance down, capture metadata and detach it from any auto-scaling group. ii) Take the EBS Snapshot and add a tag as quarantine for investigation. iii) Memory Dump iv) Perform Forensic Analysis v) Terminate the instance

37. AWS Elastic Disaster Recovery

38. AWS Security- Best Practices ◈ Secure your credentials ◈ Secure

    your Applications ◈ Backup a lot and test your recovery resources before you need them ◈ Understand the AWS Shared Responsibility Model ◈ Do not use root account credentials for day-to-day interactions with AWS! ◈ Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM) ◈ Audit IAM users and their policies frequently ◈ Monitor your account and its resources

39. Thank you Connect with me: https://www.linkedin.com/in/sankalp-s-paranjpe/ https://twitter.com/SankalpParanjpe