
02-Deep Dive Detective Controls

The document discusses logging and monitoring capabilities in AWS. It provides an overview of different types of logs available from AWS infrastructure, host-based systems, and AWS services. It also describes AWS CloudTrail as a service that records API calls and can help with compliance, security analysis, and troubleshooting. Common use cases for CloudTrail include compliance auditing, security analysis, detecting data exfiltration, and troubleshooting operational issues.

Uploaded by

Marlon Mitidieri

Deep Dive: Detective Controls

Module Objectives
• Understand what logs are available
• Logging best practices
• Learn ways to extract value from multiple data sources
• Discover new services to enhance security awareness

© 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon confidential.
Different log categories
AWS Infrastructure logs
• AWS CloudTrail
• Amazon Virtual Private Cloud (Amazon VPC) Flow Logs
Host based logs
• Messages
• Security
• NGINX/Apache/IIS
• Windows Event Logs
• Windows Performance Counters
• …
AWS service logs
• Amazon Simple Storage Service (Amazon S3)
• Elastic Load Balancing
• Amazon CloudFront
• AWS Lambda
• AWS Elastic Beanstalk
• …

Security related events

Native AWS Logging
Category | Service | Data | Method
Compute | ELB | Access logs | Written to Amazon S3
Storage/Content | Amazon S3 | Object access | Written to Amazon S3
Storage/Content | CloudFront | Access logs, cookies | Written to Amazon S3
Storage/Content | Amazon Glacier | Retrieval jobs only | SNS
Management | AWS OpsWorks | Chef logs | Console (download)
Management | AWS Data Pipeline | Errors only | Written to Amazon S3
Management | AWS CloudHSM | Appliance login, trust links | Syslog
App Services | Amazon SES | Bounces, complaints | SNS
App Services | Amazon SNS | Messages sent | SNS
App Services | Amazon EMR | Infer changes from Hadoop logs | Written to Amazon S3
Networking | Amazon VPC | Flow Logs | AWS Console/CloudWatch Logs

Ubiquitous logging and monitoring
Amazon CloudWatch Logs lets you grab everything and monitor activity
• Managed service to collect and keep your logs
• CloudWatch Logs Agent for Linux and Windows instances
• Integration with Metrics and Alarms
• Export data to Amazon S3 for analytics
• Stream to Amazon Elasticsearch Service or AWS Lambda

AWS CloudTrail
Records AWS API calls for your account

AWS CloudTrail
What is it?
• A service that enables governance, compliance, and operational and risk auditing of your AWS account
• With CloudTrail, you can capture and log events related to API calls and account activity events across your AWS infrastructure and resources
What can you do?
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account

US$ 1.00 per 1 million events.

Common Use Cases
• Compliance Aid: AWS CloudTrail makes it easier to certify compliance with internal policies and regulatory standards by providing a history of API calls in your AWS account
• Security Analysis: You can perform security analysis and detect user behavior patterns by ingesting AWS CloudTrail API call history into your log management and analytics solutions such as CloudWatch Logs, CloudWatch Events, Amazon Athena, Elasticsearch, or other third-party solutions
• Data Exfiltration: You can detect data exfiltration by collecting activity data on Amazon S3 objects through object-level API events recorded in CloudTrail. After the activity data is collected, you can use other AWS services, such as Amazon CloudWatch Events and AWS Lambda, to trigger response procedures
• Operational Issue Troubleshooting: You can troubleshoot operational issues by leveraging the AWS API call history produced by AWS CloudTrail. For example, you can quickly identify the most recent changes made to resources in your environment, including creation, modification, and deletion of AWS resources (e.g., Amazon EC2 instances, Amazon VPC security groups, and Amazon EBS volumes)

How CloudTrail Works

• CloudTrail records API calls in your account and delivers a log file to your Amazon S3 bucket.
• Typically, delivers an event within 15 minutes of the API call.
• Log files are delivered approximately every 5 minutes.
• Multiple partners offer integrated solutions to analyze log files.

What does an event look like?
• Who
• When
• What
• Where
• Which

{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJDPLRKLG7UEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Alice",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2014-03-18T14:29:23Z"
      }
    }
  },
  "eventTime": "2014-03-18T14:30:07Z",
  "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StartLogging",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "72.21.198.64",
  "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
  "requestParameters": {
    "name": "Default"
  },
  ...
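
Added example, not part of the original slides: a Python sketch that reads the who/when/what/where/which answers out of a CloudTrail record shaped like the one above and flags two conditions worth checking first. The mapping of the slide's labels to fields, the helper names `summarize`, `flag` and `triage`, and the list of logging-control event names are assumptions of this example; the sample records are constructed from the slide's values.

```python
import json

# Constructed sample: the slide's record completed into valid JSON, plus a
# second constructed record in which the same session stops the trail.
BASE_EVENT = {
    "eventVersion": "1.01",
    "userIdentity": {
        "type": "IAMUser",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "userName": "Alice",
        "sessionContext": {"attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2014-03-18T14:29:23Z"}},
    },
    "eventTime": "2014-03-18T14:30:07Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartLogging",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "72.21.198.64",
    "requestParameters": {"name": "Default"},
}
SAMPLE_LOG = json.dumps({"Records": [
    BASE_EVENT,
    {**BASE_EVENT, "eventTime": "2014-03-18T14:41:00Z", "eventName": "StopLogging"},
]})

# Assumption: CloudTrail API actions that reduce or redirect logging.
LOGGING_CONTROL = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def summarize(event):
    """Answer who/when/what/where/which for one record."""
    ident = event.get("userIdentity") or {}
    return {
        "who": ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown"),
        "when": event.get("eventTime"),
        "what": f'{event.get("eventSource")}:{event.get("eventName")}',
        "where": f'{event.get("awsRegion")} from {event.get("sourceIPAddress")}',
        "which": event.get("requestParameters") or {},  # may be null in real logs
    }


def flag(event):
    """Return review notes for one record (empty list means nothing flagged)."""
    notes = []
    session = (event.get("userIdentity") or {}).get("sessionContext") or {}
    if (session.get("attributes") or {}).get("mfaAuthenticated") == "false":
        notes.append("session without MFA")
    if (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in LOGGING_CONTROL):
        notes.append("trail logging changed or stopped")
    return notes


def triage(log_text):
    """Summarize and flag every record of a CloudTrail log file body."""
    return [(summarize(e), flag(e)) for e in json.loads(log_text)["Records"]]


if __name__ == "__main__":
    for summary, notes in triage(SAMPLE_LOG):
        print(summary["when"], summary["who"], summary["what"], notes)
```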

Configuration
• You can create two types of “trails”:
• A trail that applies to all regions
• A trail that applies to one region

• When you create a trail that applies to all regions, CloudTrail creates the same trail in each region, records the log files in each region, and delivers the log files to a single Amazon S3 bucket.

AWS CloudTrail – Best practice

Accounts should send their logs to a centralized account.

Centralized accounts can run analytics.

The central account can:
‣ Filter and reformat.
‣ Control access to a trail.
‣ Redistribute the trail.
Encrypting CloudTrail Log Files

Step 1: Create or use an existing KMS key and apply policy
Step 2: Grant decrypt access to log readers
Step 3: Specify AWS KMS key to CloudTrail
Encrypted CloudTrail log files
Step 4: S3 GetObject API call
Step 5: Decrypted CloudTrail log files

CloudTrail Storage Format in Amazon S3

• Default descriptive folder structure makes it easier to store log files from
multiple accounts and regions in the same Amazon S3 bucket.
• Detailed log file name helps identify the contents of the log file
• Unique identifier in the file name prevents overwriting log files.

CloudTrail Logs Lifecycle Management

[Diagram: "I need CloudTrail logs for entire month of Jan 2015"; Lifecycle Policies]

CloudTrail Logs Lifecycle Management

• Configured via Amazon S3
• Available actions:
  • Archive to Amazon Glacier
  • Delete
  • Archive and Delete

CloudTrail Integrity Validation
• To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it,
you can use CloudTrail log file integrity validation.
• Uses SHA-256 for hashing and SHA-256 with RSA for digital signing.
• You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

• Once enabled, CloudTrail will start delivering digest files on an hourly basis, to the same Amazon
S3 bucket where you receive your CloudTrail log files, but with a different prefix:
• CloudTrail log files are delivered to:
/optional_prefix/AWSLogs/AccountID/CloudTrail/*
• CloudTrail digest files are delivered to:
/optional_prefix/AWSLogs/AccountID/CloudTrail-Digest/*
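
Added example, not part of the original slides: the hash comparison behind "modified, deleted, or unchanged", in Python. It recomputes SHA-256 over each log file named in a digest and compares it with the recorded value; checking the digest's RSA signature is out of scope here. The digest field names (`logFiles`, `s3Object`, `hashValue`), hashing of the uncompressed content, and the helper names are assumptions of this example, and the bucket contents are constructed in memory.

```python
import gzip
import hashlib
import json
import zlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(bucket: dict, keys: list) -> dict:
    """Constructed stand-in for the hourly digest file CloudTrail delivers."""
    return {"logFiles": [
        {"s3Object": key, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(gzip.decompress(bucket[key]))}
        for key in keys]}


def validate(digest: dict, bucket: dict) -> dict:
    """Map every log file named in the digest to unchanged/modified/deleted."""
    status = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = bucket.get(key)
        if blob is None:
            status[key] = "deleted"          # named in the digest, gone from the bucket
            continue
        try:
            actual = sha256_hex(gzip.decompress(blob))
        except (OSError, EOFError, zlib.error):
            status[key] = "modified"         # no longer a readable gzip stream
            continue
        status[key] = "unchanged" if actual == entry["hashValue"] else "modified"
    return status


def demo() -> dict:
    """Deliver three constructed log files, tamper with two, then validate."""
    prefix = "AWSLogs/123456789012/CloudTrail/"   # constructed account ID

    def log_file(event_name: str) -> bytes:
        body = json.dumps({"Records": [{"eventName": event_name}]})
        return gzip.compress(body.encode())

    bucket = {
        prefix + "a.json.gz": log_file("StartLogging"),
        prefix + "b.json.gz": log_file("StopLogging"),
        prefix + "c.json.gz": log_file("DeleteTrail"),
    }
    digest = build_digest(bucket, sorted(bucket))
    bucket[prefix + "b.json.gz"] = log_file("DescribeTrails")  # edited after delivery
    del bucket[prefix + "c.json.gz"]                           # removed after delivery
    return validate(digest, bucket)


if __name__ == "__main__":
    for key, state in demo().items():
        print(f"{state:10} {key}")
```

A log file that was never named in any digest is not covered by this check, which is why the digest files themselves are delivered under a separate prefix and signed.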

Amazon VPC Flow Logs
Log network traffic in a VPC

Amazon VPC Flow Logs
• Stores logs in AWS CloudWatch Logs
• Can be enabled on
  • Amazon VPC, a subnet, or a network interface
  • Amazon VPC & Subnet enables logging for all interfaces in the VPC/subnet
  • Each network interface has a unique log stream
• Flow logs do not capture real-time log streams for your network interfaces
• Filter desired result based on need
  • All, Reject, Accept
  • Troubleshooting or security related with alerting needs?
  • Think before enabling All on an Amazon VPC: will you use it?

Amazon VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per Amazon VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Flow log record fields: AWS account, Interface, Source IP, Destination IP, Source port, Destination port, Protocol, Packets, Bytes, Start time, End time, Accept or reject
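
Added example, not part of the original slides: a Python parser for flow log records carrying the fields listed above, used to find sources whose rejected connections fan out across many destination ports on one interface. It assumes the default space-separated version 2 record layout (with leading version and trailing log-status fields); the threshold, the helper names and the sample records are constructed for this example.

```python
from collections import defaultdict

# Assumed default (version 2) field order of a flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records (documentation IP ranges, made-up interface ID).
SAMPLE = """\
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.20 40001 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.20 40002 23 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.20 40003 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.20 40004 445 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.5 10.0.1.20 51515 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.9 10.0.1.20 51516 25 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1418530010 1418530070 - NODATA
""".splitlines()


def parse(line):
    """Return one record as a dict, or None for rows that carry no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None                      # custom format or other version
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None                      # NODATA / SKIPDATA rows hold "-" fields
    try:
        rec.update({name: int(rec[name]) for name in INT_FIELDS})
    except ValueError:
        return None
    return rec


def rejected_port_fanout(lines, min_ports=3):
    """Map (source IP, interface) to the sorted destination ports that were
    rejected, for sources that hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec["action"] == "REJECT":
            ports[(rec["srcaddr"], rec["interface_id"])].add(rec["dstport"])
    return {key: sorted(hit) for key, hit in ports.items() if len(hit) >= min_ports}


if __name__ == "__main__":
    for (src, eni), hit in rejected_port_fanout(SAMPLE).items():
        print(f"{src} probed {len(hit)} ports on {eni}: {hit}")
```

The same count can be published as a CloudWatch metric and alarmed on, which is the workflow the slide describes.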

Processing logs

Processing Logs
CloudWatch Logs
- Near real-time, aggregate, monitor, store, and search
Amazon Elasticsearch Service Integration (or ELK stack)
- Analytics and Kibana interface
AWS Lambda & Amazon Kinesis Integration
- Custom processing with your code
Export to Amazon S3
- AWS SDK & AWS CLI batch export of logs for analytics

Elasticsearch with Kibana
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions

Alerting

Receive Notifications of specific API activity

Amazon CloudWatch Events
Trigger on event
• Amazon EC2 instance state change notification
• AWS API call (very specific)
• AWS console sign-in
• Auto Scaling
Or Schedule
• Cron is in the cloud!
• No more Unreliable Town Clock
• Minimum 1 minute
Single event can have multiple targets

Amazon GuardDuty
Threat Intelligence

GuardDuty – Machine learning for security

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads using ML.
GuardDuty - How it works

Enable GuardDuty
• Enable with a few clicks.
• Monitor security without having to install additional equipment or software.
Automatic, continuous analysis
• Automatic, continuous, and scalable assessment of account and network behavior to protect your AWS environment.
Detect threats intelligently
• Use of ML for anomaly detection.
• Built-in threat intelligence feeds and rules.
Evaluate and automate actions
• Review alerts in the console.
• Integrate with incident tools and workflows.
• Automate incident response with Lambda.
GuardDuty - Service components
• Detected threat types
• Data sources
• Feeds
• Malicious IP lists
• AWS accounts
• Alerts
• Trial
GuardDuty - Detected threat types
• Connection to blacklisted sites
• Anonymizing proxy
• Unusual ISP caller
• Unusual traffic volume
• Malicious IPs
• RDP brute force
• RAT installed
• Credential exfiltration via DNS
• Malicious API calls
• Compromised credentials
• Reconnaissance
• DNS exfiltration
• Bitcoin mining
• Unusual ports
• Unusual instance launch
https://docs.aws.amazon.com/pt_br/guardduty/latest/ug/guardduty_finding-types.html#actual-types
GuardDuty - Multiple categories
Reconnaissance
Instances:
• Port probe
• Port scan (intra-VPC)
• Brute-force attacks (IP)
• Drop point (IP)
• Tor communication
Accounts:
• Tor network API call (failed)
Compromised instance
• C&C activity
• Malicious domain query
• EC2 on threat list
• Drop point IP
• Communication with malicious IPs
• Bitcoin mining
• Outbound DDoS
• Spambot activity
• Outbound SSH brute force
• Unusual network port
• Unusual traffic, volume / direction
• Unusual DNS request
• Domain generation algorithms
Compromised account
• API call (malicious IP)
• Tor network API call (accepted)
• CloudTrail disabled
• Password policy change
• Unusual instance launch
• Unusual activity in a region
• Suspicious console access
• Unusual ISP caller
• Unusual API calls (create, update, delete)
• High volume of calls
• Unusual IAM user

Legend: signature-based; behavior-based anomaly detection (ML)


GuardDuty - Data sources
VPC Flow Logs
• VPC Flow Logs do not need to be enabled for threat identification and alert generation.
• Enabling VPC Flow Logs is a good practice, as it supports anomaly investigation and forensics in case of an incident.
DNS Logs
• Analysis of DNS queries made by EC2 instances to malicious domains.
• You do not need to use Route53 for threat detection and alert generation.
CloudTrail Events
• The CloudTrail history of AWS API calls used to access the Management Console, SDKs, CLI, etc.
• Identification of user and account activity, including the source IP address used to make the calls.
GuardDuty - Malicious IP lists / IOCs
GuardDuty uses 3 native intelligence feeds:
• AWS
• CrowdStrike
• Proofpoint
• OpenSource
• Customer provided – "format": "[TXT | STIX | OTX_CSV | ALIEN_VAULT | PROOF_POINT | FIRE_EYE]",

It can be extended with custom IP lists:

Trusted IP list + known-threat IPs or partner lists
GuardDuty – Threat alerts
AWS Console
Quickly see information about threats, including:
- Severity
- Region
- Count
- Frequency
- Threat type
- Affected resource
- Source information
- Visible in CloudWatch Console
API / JSON
Export data for later analysis, including:
- Ingest into a SIEM
- Data enrichment
- Programmatic response
- Additional information
- ARN
- Time period
- Resource information
GuardDuty – Alert classification
LOW
Suspicious or malicious activity blocked before compromise
For information only
• No immediate action is required, but note the information as something that can be evaluated in the future.
MEDIUM
Suspicious activity that deviates from normally observed behavior
Investigate further
• Check for new software that changed the behavior.
• Check for configuration changes.
• Detect unauthorized software and evaluate IAM permissions.
HIGH
Resource compromised and actively used for unauthorized purposes
Take immediate action
• Isolate the instance.
• Rotate keys.
• Carry out a detailed forensic analysis and look for the root cause of the problem.
• Provision a new, secure and trusted resource.
GuardDuty – Alert breakdown
ThreatPurpose : ResourceTypeAffected / ThreatFamilyName . ThreatFamilyVariant ! Artifact

CryptoCurrency : EC2 / BitcoinTool . B ! DNS

Meaning: “An EC2 instance is communicating with a known Bitcoin IP address that is part of a known Bitcoin domain”
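
Added example, not part of the original slides: a Python parser for the finding-type format above that also accepts the slide's spaced spelling, then groups findings under the action wording of the alert classification slide. Treating the variant and artifact parts as optional, the two sample types other than the slide's own, the severity labels attached to the samples, and the helper names are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

# ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
# Assumption: ".Variant" and "!Artifact" may be absent.
TYPE_RE = re.compile(
    r"^(?P<purpose>[^:/]+):(?P<resource>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<variant>[^!]+))?(?:!(?P<artifact>.+))?$")

# Action wording taken from the alert classification slide.
ACTIONS = {
    "LOW": "for information only",
    "MEDIUM": "investigate further",
    "HIGH": "take immediate action",
}


class FindingType(NamedTuple):
    purpose: str
    resource: str
    family: str
    variant: Optional[str]
    artifact: Optional[str]


def parse_type(text: str) -> FindingType:
    """Split a finding type into its parts; whitespace around separators is ignored."""
    compact = re.sub(r"\s+", "", text)
    match = TYPE_RE.match(compact)
    if not match:
        raise ValueError(f"not a finding type: {text!r}")
    return FindingType(**match.groupdict())


def route(findings):
    """Group (finding type, severity label) pairs under the slide's actions."""
    plan = {action: [] for action in ACTIONS.values()}
    for type_text, severity in findings:
        parsed = parse_type(type_text)
        plan[ACTIONS[severity.upper()]].append(f"{parsed.resource}/{parsed.family}")
    return plan


# Constructed sample: the slide's finding type plus two others, with severity
# labels chosen for the example.
SAMPLE = [
    ("CryptoCurrency : EC2 / BitcoinTool . B ! DNS", "high"),
    ("Recon:EC2/PortProbeUnprotectedPort", "low"),
    ("Stealth:IAMUser/CloudTrailLoggingDisabled", "low"),
]

if __name__ == "__main__":
    for action, items in route(SAMPLE).items():
        print(f"{action}: {items}")
```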
GuardDuty – Multiple accounts
Security team

CloudTrail Events

Account A Account B Account C

GuardDuty – Account relationships

• A script lets you automate enabling multiple accounts.
• Available in the AWS Git Repo
• Additional GuardDuty automations can be found here and in partner repositories.
GuardDuty – Centralized console
GuardDuty – 30-day trial and cost estimate
Auditing your AWS environment

IAM Credential Reports

AWS Config
[Diagram: Changing Resources, Record, Normalize, Store, Deliver; outputs: History, APIs, Stream, Snapshot (ex. 2014-11-05)]

What Resources exist?
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
• Know resource relationships and dependencies
AWS Config and Config Rules
[Diagram: Changing Resources, Record, Normalize, Rules, Store, Deliver; outputs: History, APIs, Stream, Snapshot (ex. 2014-11-05)]

AWS Config Managed Rules
1. All Amazon EC2 instances must be inside a VPC.
2. All attached Amazon EBS volumes must be encrypted, with Amazon KMS ID.
3. CloudTrail must be enabled, optionally with Amazon S3 bucket, Amazon SNS topic and
CloudWatch Logs.
4. All security groups in attached state should not have unrestricted access to port 22.
5. All EIPs allocated for use in the VPC are attached to instances.
6. All resources being monitored must be tagged with specified tag keys:values.
7. All security groups in attached state should not have unrestricted access to these specific ports.

AWS Trusted Advisor – Real time guidance

Security configuration checks of your AWS environment:
• Open ports.
• Unrestricted ports.
• CloudTrail enabled.
• S3 bucket permissions.
• MFA usage.
• Password policy.
• DB access risk.
• DNS records.
• LB configurations.

Security Hub – Security challenges addressed

1. Visibility: Need for a unified security dashboard
2. Prioritization: Large volume of alerts that need to be prioritized
3. Multiple formats: Dozens of security tools with different formats
4. Compliance: Ensuring that your AWS infrastructure meets compliance requirements

CIS best-practice validation!


Security Hub – Security challenges addressed

• Collect security data
• Process and analyze
• View findings
• Compliance validation
• Centralized view and management
• Security team

Security Hub – Security challenges addressed

Compliance Checks

Understanding your security and compliance state on AWS
Security Hub – Unified security dashboard
Security Hub – CIS best practices

43 automated checks.
Security Hub – Insights
Security findings that are correlated and grouped by prioritization
• More than 100 pre-built insights from AWS and partners
• Ability to create your own insights
• Dashboards provide visibility into the top security findings
• Additional details available.

Examples: EC2 instances without security patches; S3 buckets with stored credentials; S3 buckets with public access
Security Hub – Partner network
Security Hub – Multiple accounts
Use best practices as a baseline
WA Security Pillar

https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
Use best practices as a baseline
WA Tool

Learn, measure, and build using architectural best practices
Define a workload
Define a workload based on one of your existing applications
The AWS Well-Architected Tool helps you review the state of your workloads and compares them to the latest AWS architectural best practices. The tool is based on the AWS Well-Architected Framework.

https://aws.amazon.com/well-architected-tool/
Use best practices as a baseline
CIS AWS Foundations

https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
Use best practices as a baseline
CAF Security Perspective

https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
Use best practices as a baseline
NIST CSF

https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf
Thank You!

© 2018 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email us at: aws-course-[email protected]. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.
