Michael - Wylie - Continuous Cloud Security Monitoring (CCSM) v4


Continuous Cloud Security Monitoring

…will begin shortly

Take a moment to connect

linkedin.com/mwylie

twitter.com/TheMikeWylie
My Dream
# To have my own viral overly used cybersecurity acronym
# Continuous Cloud Security Monitoring (CCSM)
# One that people could drink to when used too much at RSA
# Something like AI, Cloud, Machine Learning, or Next Gen anything
# I thought CCSM was it
# Coca-Cola Signature Mixers (CCSM) stole my dream
About Me
Michael Wylie, MBA, CISSP
# Director, Cybersecurity Services @ RMTS
# Former DoD contractor & business owner
# Marine Corps Volunteer Cyber Auxiliary
# Cybersecurity professor
# Qualified TPN Assessor

Certifications
# CISSP, CCNA R&S, CCNA CyberOps, GPEN
# GMON, TPN, CEH, CEI
# VCP-DCV, Pentest+, Security+, Project+
# CHPA, Splunk User, CNVP, Sumo Logic Security Analytics
CSM vs NSM
CSM vs. NSM
# Network Security Monitoring (NSM)
$ Collection and analysis of network data to detect and respond to intrusions
$ Data sources:
> Full packet capture
> NetFlow / sFlow
> Alert data
> Firewall logs
$ Focus on data in motion
$ Tools:
> Security Onion
> Bro
“Prevention is ideal, detection is a must”
- Dr. Eric Cole

CSM vs. NSM
# Continuous Security Monitoring (CSM)
$ Ongoing automated detection and response to cyber threats
$ Continually reassess security posture
$ Keeping up with the changing threat and vulnerability landscape
$ Increased visibility
$ Goal of timely incident detection
$ Focus on data at rest
Introduction to Cloud Security
Newsworthy Cloud Breaches
# 2019 – Capital One (~100m records)
# 2019 – Lion Air (millions of records)
# 2019 – Facebook app providers (540m records)
# 2017 – Booz Allen Hamilton (admin credentials & battlefield imagery)
# 2017 – U.S. Voter Records (198m records)
# 2017 – Dow Jones (2.2m records)
# 2017 – Verizon (6m records)
# 2017 – Time Warner Cable (4m records)
# 2017 – National Credit Federation (47k records)
Sources: capitalone.com, bitdefender.com, darkreading.com, scmagazine.com
AWS Shared Responsibility Model

Source: amazon.com
Azure Shared Responsibility Model

Source: Microsoft.com
GCP Shared Responsibility Model

Source: Google.com
AWS
# CloudTrail – API Calls
# Config – Configuration State
# CloudWatch – System Logs
# Trusted Advisor – High-Level Security Events
# Inspector – Vulnerability Assessment
# GuardDuty – Threat Detection
# CloudFormation – Gold Images
# Macie – Data Breach Detection
# WAF/Shield – Web App Firewall
# Security Hub – Compliance Checks
# Control Tower – Detect Policy Violations
Azure
# Log Analytics – System Logs
# Azure Security Center – Configuration State
# API Console – Direct Activity
GCP
# Multiple Tools – API Logging
# Stackdriver – System Log
# Cloud Security Scanner – Vulnerability Assessment
Dwell Time
(time from breach to detection)

Source: FireEye's Mandiant M-Trends 2019 report


Alert Fatigue is Real
From Alert Fatigue to Detection & Response
Agenda
Cloud CSM (CCSM) Agenda
NOTE: Concepts are cloud platform neutral (AWS used for illustration)
# Monitoring a Non-Defensible Cloud
# Inventory Control
# Vulnerability Management
# Least Privilege
# Secure Configuration
# Monitoring & Logging
# Detecting High Fidelity Events
Monitoring a Non-Defensible Cloud
Monitoring a Non-Defensible Cloud
“If you know the enemy and know yourself, you need not fear the result of a hundred battles… If you know yourself but not the enemy, for every victory gained you will also suffer a defeat… If you know neither the enemy nor yourself, you will succumb in every battle.”
― Sun Tzu, The Art of War
Know Normal. Find Evil.
“In an intrusion case, spotting the difference between normal and evil
is often the difference between success and failure.”
- SANS DFIR
Normal or Evil? Would you detect it?
# New instances are spun up at 3AM in Ireland region. Normal or Evil?
# 50 new instances don’t have names/tags. Normal or Evil?
# PSExec is run on a server. Normal or Evil?

Normal or Evil? Would you detect it?
# Developers are only authorized to use the Oregon and N. Virginia regions within AWS. New instances are spun up at 3AM in Ireland region. Normal or Evil?
# All prod services must be set up with Terraform, including the change management ticket# and owner in the tag. 50 new instances don’t have names or tags. Normal or Evil?
# AppLocker alerts to a new non-whitelisted PSExec binary run on a server. Normal or Evil?
“know yourself”

How would you build a defensible fortress?

Source: q-files.com
Defensible Agra Red Fort
# High thick walls with archers
# Drawbridges
# Water moat with crocodiles
# Dry moat with tigers
# Layered corridors for trapping intruders
# Sloped upwards towards the inner circle
# Narrow hallways with rolling boulders
# Hot/boiling oil poured into hallways
# Controlled ingress/egress points
Source: travel.in
Where would you keep your valuables?
Option A / Option B
Image Source: https://securityintelligence.com/wp-content/uploads/2014/12/bodiamcastle_122657-630x330.jpg
Image Source: some sketchy site that my AV told me not to go to.
A Defensible Cloud
# Segmentation
$ Accounts
$ Networks
# Least privilege
# Change control
# Inventory of systems/services
# Continuous security monitoring
# Detective & preventative controls
Source: AWS - Multi-account architecture for restricting PCI DSS scope
CIS Basic Best Practices
Center for Internet Security (CIS)
# Developed by SANS Institute
# Response to increased breaches and incidents
# Top 20 controls to make defense easier
# Benchmarks for secure configuration
# More than 100 contributors:
$ US-CERT
$ US DoD
$ MITRE
$ SANS
Inventory Control
The Cloud
# Before the “Cloud”:
$ Process: Purchase Order > Dell Quote > Purchase > Shipping > etc.
$ Accounting, server, network, and developers involved
# In the “Cloud”:
$ Process: Developers can build public-facing servers in seconds
> EC2 startup < 60 seconds & Lightsail < 30 seconds
> DevOps involved
# VM sprawl or account takeover
# Insider threats
Source: Verizon 2019 DBIR (breaches by role)
Inventory Control
Terraform
# Helps with building, changing, & versioning infrastructure safely/efficiently
# Works with Alibaba Cloud, AWS, GCP, Microsoft Azure, OpenStack
# Plan/execute deployments
# Minimize human error
# Build/teardown quickly
# Overwrite unauthorized changes
Create-S3-Bucket.tf:

    # Private bucket; the tags record the owner so untagged resources stand out
    resource "aws_s3_bucket" "bucket" {
      bucket = "mike-test-bucket"
      acl    = "private"
      tags = {
        Name       = "Mike's Test Bucket"
        Created_By = "Mike"
      }
    }
Solution: PBNJ
Source: Wikipedia.org
# Runs Nmap scans and stores results in a database
# Stores IP, OS, Hostname, and other data in MySQL
# Can be run on a $3.50 AWS Lightsail instance
# Usage:
$ scanpbnj [options] [target]
> $ sudo scanpbnj scanme.nmap.org
$ outputpbnj [options]
> $ sudo outputpbnj --query latestinfo
Billing Alarms
# Billing alarms
$ Switch region to US East (N. Virginia)
$ Billing > Preferences > Receive Billing Alerts
$ Alarms > Billing >
Billing Alarms
Vulnerability Assessment
# AWS: Inspector
# Azure: Security Center
# GCP: Cloud Security Scanner
Dealing with Results
# Finding vulnerabilities is easy
# Remediation can be challenging
# Educate developers to avoid vulnerabilities
# Break vulnerability findings into manageable weekly ‘To Do’ tasks
# Understand ramifications and agree on an action plan
# Get outside help if needed
# Vulnerability scans are not penetration tests
# Automated tools don’t work well with custom anything
Least Privilege
IAM Basics
# Delete your root access keys
# Activate MFA on your root account
# Create individual IAM users
# Use groups to assign permissions
# Apply an IAM password policy
# Alert on root account use
Least Privilege
# Granular IAM Policies (least privileged)
$ AmazonS3FullAccess vs. a custom S3 policy
Credential Report
# IAM > Credential Report > Download Report
# Find stale accounts
# Find unauthorized users
# Audit service accounts
# Audit MFA
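As an added example (not from the talk), a Python 3.7+ script that applies the checks above to the credential report CSV downloaded from IAM; the column names are the ones AWS uses, while the rows, account id and the 90-day staleness window are constructed assumptions:

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed "today" so the constructed sample gives stable results.
NOW = datetime(2019, 9, 1, tzinfo=timezone.utc)
STALE_DAYS = 90  # assumed policy: no activity in 90 days = stale

# Constructed report: a subset of the columns AWS returns, in AWS's order.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2017-01-05T10:00:00+00:00,not_supported,2019-08-30T09:12:00+00:00,false,true,2019-08-29T08:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2018-03-01T10:00:00+00:00,true,2019-08-31T12:00:00+00:00,true,true,2019-08-31T12:05:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2018-03-01T10:00:00+00:00,true,2019-02-10T12:00:00+00:00,false,false,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,2018-06-01T10:00:00+00:00,false,no_information,false,true,2019-03-01T00:00:00+00:00
"""


def parse_time(value):
    """AWS writes ISO-8601 timestamps, or N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, now=NOW, stale_days=STALE_DAYS):
    """Return {user: [finding, ...]} for rows that break the IAM basics."""
    cutoff = now - timedelta(days=stale_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        used = [t for t in (parse_time(row["password_last_used"]),
                            parse_time(row["access_key_1_last_used_date"])) if t]
        last_seen = max(used) if used else None
        if row["user"] == "<root_account>":
            if row["access_key_1_active"] == "true":
                issues.append("root has an active access key")
            if last_seen and last_seen > cutoff:
                issues.append("root account used in the last %d days" % stale_days)
        # password_enabled is "not_supported" for root, so != "false" covers root too
        if row["mfa_active"] != "true" and row["password_enabled"] != "false":
            issues.append("console access without MFA")
        if last_seen is None or last_seen < cutoff:
            issues.append("stale: no activity in %d days" % stale_days)
        if issues:
            findings[row["user"]] = issues
    return findings
```

Service accounts with no console password (svc-backup) are exempt from the MFA check but still surface when their keys go unused.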
Cloud Accounts
# Goal is the principle of least privilege
# Often a battle between business need and least privilege
# AWS provides over 2,500 permissions
# Granular controls means complexity
# Complexity means prevalent human error
One Glove Doesn’t Fit All
# Developers don’t need access to the entire cloud platform
# Developers don’t need access to log buckets
# All developers don’t need the same access
# AWS Access Advisor shows if/when an IAM has accessed a service
# Netflix expanded on Access Advisor with Aardvark & Repokid
$ Deploy default role based permissions
$ Review access to services and sub-services over time (e.g. 6 mo.)
$ Revoke unneeded services
Secure Configuration
CIS Benchmarks
# Not all CIS cloud benchmarks are verifiable programmatically
# Third-party tools to help with 85% of the leg work:
$ Cloudcheckr
$ CloudHealth
$ Cloudaware
$ AWS Config
CIS Benchmarks
Monitoring & Logging
AWS Logs You Can’t Live Without
Service            What                 Delay            Storage
CloudTrail         API calls            15 minutes       S3
CloudWatch Events  Specific API calls   Real-time        CloudWatch Events (optional -> SES)
VPC                Network flow         15 minutes       CloudWatch Logs
S3                 Bucket access        Hourly           S3
ELB                Web requests         5 minutes        S3
CloudFront         Cache requests       Up to 24 hours   S3
Source: Jonathon Poling
CloudTrail
# CloudTrail enabled by default with 90-day retention
# Dwell time for breaches reported externally is still > 100 days (2018)
# Each region’s logs are kept in that region’s buckets
$ A.K.A. un-centralized logging
CloudWatch Tips
# Data can be overwhelming
# Default alerts are every 15 min
# Detailed Monitoring is every 1 min
# S3 is already storing all API calls
# Don’t create unnecessary noise/alerts
# Alert on high fidelity items only
$ E.g. Alert on 0.0.0.0/0 Security Group change
$ E.g. CloudWatch for CloudTrail being disabled
S3 Logs
# Enable access logging
# By default, the CloudTrail logging bucket can be deleted by anyone with the AmazonS3FullAccess policy
# Enable MFA delete
# ~1 hour delay on logs
VPC Flow Logs
# Similar to sFlow/NetFlow
# Needs to be enabled on all VPCs
# Great for threat hunting and spotting evil
# Create baseline of traffic and look for anomalous traffic
$ SSH/RDP brute force
$ Access from non-US IPs
$ DNS/NTP going to non-authorized destinations
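As an added example (not the speaker's code), a Python detector for two of the anomalies listed above, run over constructed version-2 VPC Flow Log records in the default format; the allow-listed resolver/NTP addresses, the account id and the 10-reject threshold are assumptions for the demonstration:

```python
from collections import Counter

# Assumed allow-list: the VPC's .2 resolver and the Amazon Time Sync address.
ALLOWED_DNS_NTP = {"10.0.0.2", "169.254.169.123"}
BRUTE_FORCE_PORTS = {22: "SSH", 3389: "RDP"}
THRESHOLD = 10  # assumed: rejected attempts from one source within one log batch


def flow(src, dst, sport, dport, proto, action):
    """Build a default-format VPC Flow Log record (constructed test data)."""
    return "2 111122223333 eni-0a1b2c3d %s %s %d %d %d 5 300 1557100000 1557100060 %s OK" % (
        src, dst, sport, dport, proto, action)


SAMPLE_LINES = (
    [flow("203.0.113.5", "10.0.1.20", 40000 + i, 3389, 6, "REJECT") for i in range(12)]
    + [flow("198.51.100.7", "10.0.1.20", 50000, 22, 6, "REJECT"),    # a single probe, below threshold
       flow("10.0.1.20", "10.0.0.2", 53000, 53, 17, "ACCEPT"),        # normal DNS to the VPC resolver
       flow("10.0.1.20", "198.51.100.9", 53001, 53, 17, "ACCEPT"),    # DNS to an outside resolver
       "2 111122223333 eni-0a1b2c3d - - - - - - - 1557100000 1557100060 - NODATA"]
)


def parse(line):
    """Parse one version-2 record; skip NODATA/SKIPDATA and malformed lines."""
    f = line.split()
    if len(f) < 14 or f[0] != "2" or f[13] != "OK":
        return None
    return {"src": f[3], "dst": f[4], "dport": int(f[6]), "proto": int(f[7]), "action": f[12]}


def detect(lines, threshold=THRESHOLD):
    """Return human-readable findings for the anomalies the slide names."""
    findings, rejects = [], Counter()
    for rec in filter(None, map(parse, lines)):
        # Rule 1: repeated REJECTs to SSH/RDP from one source = brute force or scan
        if rec["dport"] in BRUTE_FORCE_PORTS and rec["action"] == "REJECT":
            rejects[(rec["src"], rec["dport"])] += 1
        # Rule 2: UDP 53/123 going anywhere but the sanctioned resolver/NTP server
        if rec["proto"] == 17 and rec["dport"] in (53, 123) and rec["dst"] not in ALLOWED_DNS_NTP:
            svc = "DNS" if rec["dport"] == 53 else "NTP"
            findings.append("%s sent %s to unauthorised destination %s" % (rec["src"], svc, rec["dst"]))
    for (src, port), n in sorted(rejects.items()):
        if n >= threshold:
            findings.append("%s: %d rejected %s connections to port %d" % (src, n, BRUTE_FORCE_PORTS[port], port))
    return findings
```

The same loop works on lines pulled from CloudWatch Logs once a traffic baseline tells you where to set the threshold.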
AWS Flow Logs Problem
Figure: RDP connection attempts, May 6-12 2019
Detecting High Fidelity Events
Detection
# Each organization will need to tune their detection differently
# Alerts need to be actionable
# Goal is < 10 alerts/day/analyst
# Sample high fidelity events
$ Alert on activity on regions you’re not using
$ Create and alert on access to HoneyBuckets
$ Alert on attempts to disable CloudTrail
$ Alert on attempts to delete logging buckets
$ Alert on access from foreign non whitelisted IPs
$ Alert on machine generated names (use freq.py)
HoneyPot
# The first public honeypot was Fred Cohen's Deception ToolKit in 1998
$ "intended to make it appear to attackers as if the system running DTK [had] a large number of widely known vulnerabilities"
# Decreased number of false positives
# Requires less data collection
# Great way to create actionable high fidelity alerts
# Canned Example: Open Canary
# DIY Example: HoneyBucket
HoneyBucket
# Create a bucket (e.g. richey-may-db-backup)
# Allow public access & enable detailed logging
# Lambda function or use SNS to alert on actions
Source: Adel K @0x4D31
HoneyToken
# Fictitious database entries
$ Names
$ Credit Card Numbers
$ PII
# Setup DLP to alert on use
# Setup ModSecurity on Apache to alert on HoneyToken Breach
HoneyCreds
# Create AWS IAM Credential without any permissions
# Setup CloudTrail & CloudWatch to alert on use
# Place credentials in locations attackers typically enumerate
$ E.g. ~/.aws/credentials
$ In a file called credentials on a developer’s desktop
$ In an environment variable
# Automate playbooks (optional)
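Bringing together the high-fidelity events from the CloudWatch Tips and Detection slides with the HoneyBucket and HoneyCreds ideas, an added Python triage function (not from the talk) that runs over constructed CloudTrail records in CloudTrail's field layout; the allowed regions, bucket and trail names, account-specific ids and the decoy access key id are placeholders:

```python
# Assumed organisation policy; names and the decoy key id are placeholders for this example.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}      # developers may use N. Virginia and Oregon only
LOG_BUCKETS = {"corp-cloudtrail-logs"}
HONEY_BUCKETS = {"richey-may-db-backup"}           # HoneyBucket name from the slide
HONEY_KEYS = {"AKIAIOSFODNN7EXAMPLE"}              # permission-less decoy key (AWS's documented example id)
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample records: only the CloudTrail fields the rules read, values fictitious.
SAMPLE_EVENTS = [
    {"eventName": "StopLogging", "awsRegion": "us-east-1", "requestParameters": {"name": "corp-trail"},
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIA0000000000000002"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIA0000000000000002"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [{"ipProtocol": "tcp",
         "fromPort": 3389, "toPort": 3389, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "svc-ci", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "accessKeyId": "AKIA0000000000000003"},
     "requestParameters": {"bucketName": "richey-may-db-backup", "key": "prod.sql.gz"}},
]


def open_to_world(params):
    """True if the security-group rule in requestParameters admits 0.0.0.0/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
            return True
    return False


def triage(event):
    """Return the high-fidelity alert names one CloudTrail record triggers ([] = ignore)."""
    who = event.get("userIdentity", {})
    name, params = event.get("eventName"), event.get("requestParameters") or {}
    alerts = []
    if who.get("accessKeyId") in HONEY_KEYS:
        alerts.append("honeycred used")
    if who.get("type") == "Root":
        alerts.append("root account activity")
    if event.get("awsRegion") not in ALLOWED_REGIONS:
        alerts.append("activity in unused region")
    if name in TRAIL_TAMPERING:
        alerts.append("cloudtrail tampering")
    if name == "AuthorizeSecurityGroupIngress" and open_to_world(params):
        alerts.append("security group opened to 0.0.0.0/0")
    if name == "DeleteBucket" and params.get("bucketName") in LOG_BUCKETS:
        alerts.append("log bucket deletion")
    if params.get("bucketName") in HONEY_BUCKETS:
        alerts.append("honeybucket touched")
    return alerts
```

Each rule is one line, which keeps the alert volume near the < 10/day/analyst target and makes every alert self-explanatory when a Lambda or CloudWatch Events rule forwards it.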
Thank You
linkedin.com/mwylie

twitter.com/TheMikeWylie

www.TheMikeWylie.com
