AWS User Group Pune October 2023 Meetup

Sankalp Sandeep Paranjpe
December 11, 2023

Transcript

  1. WHOAMI

    Sankalp Sandeep Paranjpe
    ⚬ AWS Cloud Clubs Pune Captain
    ⚬ Final Year B.Tech Student at MIT ADT University, Pune
    ⚬ Cloud and Cybersecurity Enthusiast
    ⚬ 2x AWS Certified
  2. AGENDA

    ⚬ Security basics
    ⚬ Shared Responsibility Model in AWS
    ⚬ Amazon GuardDuty and Inspector
    ⚬ Incident Response
    ⚬ Best Practices
  3. Cybersecurity

    ⚬ Cybersecurity is the practice of deploying people, processes, and technologies to protect organizations, their critical systems, and sensitive information from cyber-attacks.
    ⚬ These cyber-attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.
    ⚬ Two teams in Cybersecurity: the Red Team and the Blue Team.
  4. Common terminologies

    Vulnerability: A vulnerability is a weakness in hardware or software that can be exploited.
    Threat: A threat is anything that could exploit a vulnerability.
    Risk: Risk is the probability of a negative event occurring.
    Sensitive info: Usernames, passwords, secret keys, secrets, config files.
    Service: Services provided by a Cloud Service Provider.
    Entities: Attacker, Victim, Organization, Service Provider.
    IT Infrastructure: Servers, Storage and Networking Capabilities.
    Event, Incident, Security Incident: Potential events which break the CIA Triad.
  5. GuardDuty (overview diagram)

    Data sources: AWS CloudTrail events, VPC flow logs, DNS logs, Amazon S3 data plane events, Amazon EKS control plane logs
    Threat detection types: Threat intelligence; Anomaly detection (ML)
    Finding type examples: Bitcoin mining; Unusual user behavior; Unusual traffic patterns; C & C activity (Example: Unusual ports and volume)
    Findings (severity: LOW, MEDIUM, HIGH) go to AWS Security Hub, Amazon Detective and Amazon CloudWatch events
    Alert: AWS Partner solutions; Send to SIEM
    Remediate – Examples: • Launch instance • Change network permissions
  6. Features of Amazon GuardDuty

    • GuardDuty EKS Protection
    • GuardDuty Malware Protection
    • GuardDuty RDS Protection
    • GuardDuty S3 Protection
    • GuardDuty Lambda Protection
  7. Features of Amazon GuardDuty

    • Account Level Threat Detection
    • Easy Usage
    • Continuous Monitoring
    • Multi-account and Multi-region support
    • No additional software is required
    • Integrates with other AWS Services
    • Incident Response
  8. Backdoor:EC2/C&CActivity

    (Diagram: Amazon EC2 Instance ↔ Botnet / C&C Server)
    • High Severity
    • Your EC2 instances are interacting with a botnet command and control server
    • Bots are agents launching DDoS attacks
    • This means your instance is compromised.
  9. Behavior:EC2/TrafficVolumeUnusual

    (Diagram: Amazon EC2 Instance → Remote Host)
    • Medium Severity
    • EC2 instance generating an unusually large amount of traffic to a remote host
    • No prior history of sending this much traffic to this remote host
  10. CryptoCurrency:EC2/BitcoinTool

    (Diagram: Amazon EC2 Instance → Bitcoin Server)
    • High Severity
    • Your EC2 instance is interacting with an IP associated with crypto activity.
    • Hackers use compromised resources for bitcoin mining, so this requires investigation.
    • If it is a valid use case, you can set up a suppression rule for it.
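
The suppression rule this slide mentions is a GuardDuty filter with the ARCHIVE action. The following is an added example (not from the deck, not AWS's code) that builds the request body for boto3's guardduty.create_filter() and re-implements the Equals matching locally, so you can see which of a few constructed sample findings the rule would archive before applying it. The detector ID, instance ID and findings are constructed placeholders; the finding type is the one named on the slide.

```python
"""Suppression rule for an approved crypto workload.
Example code added for this deck; not AWS's or the speaker's own.
Detector ID, instance ID and sample findings are constructed placeholders."""

DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"  # constructed placeholder
APPROVED_INSTANCE = "i-0123456789abcdef0"          # constructed placeholder
FINDING_TYPE = "CryptoCurrency:EC2/BitcoinTool"   # finding type from the slide


def build_suppression_filter(detector_id, instance_id, finding_type):
    """Keyword arguments for boto3's guardduty.create_filter().

    Action=ARCHIVE makes GuardDuty auto-archive matching findings. The two
    criteria are ANDed, so only this one approved instance is suppressed; a
    rule on the finding type alone would hide real mining on every other host."""
    return {
        "DetectorId": detector_id,
        "Name": "approved-crypto-workload",
        "Description": "Known-good crypto workload reviewed by the security team",
        "Action": "ARCHIVE",
        "Rank": 1,
        "FindingCriteria": {
            "Criterion": {
                "type": {"Equals": [finding_type]},
                "resource.instanceDetails.instanceId": {"Equals": [instance_id]},
            }
        },
    }


def _lookup(finding, dotted_path):
    """Resolve a GuardDuty criterion field name against a finding JSON object."""
    node = finding
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(finding, finding_criteria):
    """Local re-implementation of Equals/NotEquals matching; all criteria must hold."""
    for field, condition in finding_criteria["Criterion"].items():
        value = _lookup(finding, field)
        if "Equals" in condition and value not in condition["Equals"]:
            return False
        if "NotEquals" in condition and value in condition["NotEquals"]:
            return False
    return True


def triage(findings, suppression):
    """Split findings into (archived, kept) lists of finding ids."""
    archived, kept = [], []
    for finding in findings:
        target = archived if matches(finding, suppression["FindingCriteria"]) else kept
        target.append(finding["id"])
    return archived, kept


# Constructed sample findings in GuardDuty's JSON shape (trimmed to the fields used).
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": FINDING_TYPE, "severity": 8,
     "resource": {"instanceDetails": {"instanceId": APPROVED_INSTANCE}}},
    {"id": "f-2", "type": FINDING_TYPE, "severity": 8,
     "resource": {"instanceDetails": {"instanceId": "i-0fedcba9876543210"}}},
    {"id": "f-3", "type": "Backdoor:EC2/C&CActivity", "severity": 8,
     "resource": {"instanceDetails": {"instanceId": APPROVED_INSTANCE}}},
]

SUPPRESSION = build_suppression_filter(DETECTOR_ID, APPROVED_INSTANCE, FINDING_TYPE)

if __name__ == "__main__":
    # To apply the rule for real: boto3.client("guardduty").create_filter(**SUPPRESSION)
    print(triage(SAMPLE_FINDINGS, SUPPRESSION))  # (['f-1'], ['f-2', 'f-3'])
```

Only f-1 (the approved instance, the approved finding type) is archived; the same finding type on another host and a different finding type on the approved host both stay visible, which is the scoping a suppression rule should have.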
  11. Impact:IAMUser/AnomalousBehavior

    (Diagram: AWS Environment)
    • High Severity
    • An attacker tries to disrupt operations and manipulate, interrupt, or destroy data in the victim's account.
    • Example: Deleting security groups etc.
  12. Features of Amazon Inspector

    • Integrates with other AWS Services to automate security workflow
    • Automated vulnerability assessment
    • Real-time Feedback
    • Customizations
    • Vulnerability Database Research
    • Suppression Rules
  13. Security flows with Security Hub (diagram)

    Findings from AWS service categories: Compute, Storage, Database, Containers, Networking & content delivery, Management & governance, Security, identity & compliance
    Findings with AWS services and AWS Partner solutions: Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, Amazon IAM, AWS Systems Manager, AWS Config, AWS Personal Health Dashboard, Partner findings, plus many more partners . . .
    AWS Security Hub: Investigations (Amazon Detective findings); Audit prep (Audit findings)
    Take action and remediate: Amazon EventBridge
  14. Incident Response

    • Incident response refers to an organization’s processes and technologies for detecting and responding to –
      ■ cyber threats,
      ■ security breaches,
      ■ cyberattacks.
    • The goal of Incident Response: To prevent cyberattacks
  15. Preparation → Threat Detection and Analysis → Investigation and correlation of the findings → Respond and remediate

    Preparation: Amazon Inspector – CVE scans and OS-level configurations; Amazon Macie – data classification; AWS Security Hub – resource and account-level configurations
    Threat Detection and Analysis: Amazon GuardDuty – automated intelligent threat detection
    Investigation and correlation of the findings: Amazon Detective – security investigations; AWS Security Hub – alert aggregation
    Respond and remediate: AWS Security Hub – Automated response and remediation runbooks
  16. Responding to an Incident (diagram)

    AWS Cloud / AWS services (Storage, Compute, Containers, Security, identity & compliance) → Amazon GuardDuty → Amazon Detective → AWS Security Hub → Amazon EventBridge → Amazon SNS (Notifications: live email notifications) / AWS Lambda (Remediation)
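
The EventBridge → Lambda leg of this flow is where a finding turns into an automated response. The following is an added example (not from the deck, not AWS's code) of a Lambda-style handler: it carries an EventBridge rule pattern that selects GuardDuty findings of Medium severity and above, maps GuardDuty's numeric severity onto the Low/Medium/High labels used on the earlier slides, and for a High-severity finding of one of the EC2 types discussed in the deck swaps the instance's security groups for a quarantine group while notifying the team. The event, the quarantine security group id and the FakeEC2 client are constructed so the handler runs offline; a real deployment passes boto3.client("ec2") and publishes the message to SNS instead of print().

```python
"""EventBridge -> Lambda remediation for GuardDuty findings.
Example code added for this deck; not AWS's or the speaker's own.
Constructed: SAMPLE_EVENT, QUARANTINE_SG and the FakeEC2 client."""

# EventBridge rule pattern: GuardDuty findings of Medium severity or above.
# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
}

QUARANTINE_SG = "sg-0000quarantine0000"  # constructed: a security group with no rules

# Finding types from the deck that indicate a compromised EC2 instance.
ISOLATE_TYPES = {"Backdoor:EC2/C&CActivity", "CryptoCurrency:EC2/BitcoinTool"}


def severity_label(score):
    """Map GuardDuty's numeric severity onto the Low/Medium/High labels."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def plan_action(detail):
    """Containment decision based only on finding type and severity."""
    label = severity_label(detail["severity"])
    if detail["type"] in ISOLATE_TYPES and label == "HIGH":
        return "isolate"
    if label in ("HIGH", "MEDIUM"):
        return "notify"
    return "log"


def handler(event, context=None, ec2=None, notify=print):
    """Lambda entry point; ec2 and notify are injectable for offline testing."""
    detail = event["detail"]
    action = plan_action(detail)
    result = {"finding_id": detail["id"], "type": detail["type"],
              "severity": severity_label(detail["severity"]), "action": action}
    if action == "isolate":
        instance_id = detail["resource"]["instanceDetails"]["instanceId"]
        # Replace the instance's security groups with the quarantine group.
        # The host keeps running, so memory and disk state remain available
        # for investigation in Detective or a forensic snapshot.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
        result["instance_id"] = instance_id
    if action != "log":
        notify(f"[GuardDuty {result['severity']}] {detail['type']} in account "
               f"{detail['accountId']} ({detail['region']}): {detail.get('title', '')}")
    return result


class FakeEC2:
    """Stand-in for boto3's EC2 client that records the isolation call."""

    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append((InstanceId, list(Groups)))
        return {}


# Constructed EventBridge event carrying a Backdoor:EC2/C&CActivity finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "a1b2c3d4e5f6",
        "type": "Backdoor:EC2/C&CActivity",
        "severity": 8,
        "accountId": "123456789012",
        "region": "ap-south-1",
        "title": "EC2 instance is communicating with a command and control server.",
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    fake = FakeEC2()
    print(handler(SAMPLE_EVENT, ec2=fake))
    print(fake.calls)  # [('i-0123456789abcdef0', ['sg-0000quarantine0000'])]
```

The decision is deliberately narrow: only the two instance-compromise types from the deck trigger isolation, and only at High severity; anything else at Medium or above is routed to a human. The Lambda role needs ec2:ModifyInstanceAttribute and nothing broader, in line with the least-privilege item on the best-practices slide.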
  17. Best Practices

    • Least privilege principle
    • Backup a lot and test your recovery resources before you need them
    • Understand the AWS Shared Responsibility Model
    • Do not use root account credentials for day-to-day interactions with AWS!
    • Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM)
    • Audit IAM users and their policies frequently
    • Monitor your account and its resources
    • Enable logging and Monitoring
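
Three of these items (no day-to-day root use, MFA on root and on interactive users, frequent IAM audits) can be checked from one artifact, the IAM credential report. The following is an added example (not from the deck, not AWS's code) that audits a credential report CSV for recent root console sign-ins, active root access keys, console users without MFA, and access keys older than 90 days. The CSV below is constructed and trimmed to the columns the checks use; in an account you would obtain the real one with boto3's iam.generate_credential_report() followed by iam.get_credential_report(). The reference date is fixed so the result is reproducible.

```python
"""Audit an IAM credential report for the best-practice items on this slide.
Example code added for this deck; not AWS's or the speaker's own.
CREDENTIAL_REPORT is a constructed sample trimmed to the columns used."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential report's CSV layout (subset of columns).
CREDENTIAL_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,2023-10-20T09:12:00+00:00,false,true,2022-01-15T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2023-10-19T08:00:00+00:00,true,true,2023-09-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2023-10-18T10:00:00+00:00,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,no_information,false,true,2023-03-01T00:00:00+00:00,true,2023-10-01T00:00:00+00:00
"""

NOW = datetime(2023, 10, 21, tzinfo=timezone.utc)  # fixed so the example is reproducible
MAX_KEY_AGE = timedelta(days=90)
ROOT_LOGIN_WINDOW = timedelta(days=30)
ROOT_USER = "<root_account>"  # how the report names the root user


def _parse_ts(value):
    """Timestamps in the report are ISO 8601; these markers mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv, now=NOW):
    """Return sorted (user, issue) pairs for the slide's root, MFA and key-age rules."""
    issues = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT_USER
        if is_root:
            # Root should not be used day-to-day: flag a recent console sign-in.
            last_login = _parse_ts(row["password_last_used"])
            if last_login and now - last_login <= ROOT_LOGIN_WINDOW:
                issues.append((user, "root-console-login-recent"))
            if row["mfa_active"] != "true":
                issues.append((user, "root-mfa-missing"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            # Console (interactive) user without MFA.
            issues.append((user, "console-user-mfa-missing"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                issues.append((user, f"root-access-key-{n}-active"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                issues.append((user, f"access-key-{n}-older-than-90d"))
    return sorted(issues)


if __name__ == "__main__":
    # In an account: iam = boto3.client("iam"); iam.generate_credential_report();
    # report = iam.get_credential_report()["Content"].decode()
    for user, issue in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user:16} {issue}")
```

On the sample data alice passes every check, bob is a console user without MFA, deploy-bot (programmatic only, so no MFA check) has a key older than 90 days, and the root user is flagged four times: an active access key, that key being stale, no MFA, and a console sign-in within the last 30 days.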
  18. Credits

    • AWS Official Website
    • AWS Whitepapers
    • AWS Official Documentation
    • AWS Presentations
    • AWS Blogs