by RedLock
In order to confidently scale your AWS deployments, continuous security must be built into your continuous integration and continuous delivery architecture. Participate in a series of interactive capture the flag challenges to get hands-on experience with DevSecOps. We’ll teach you how to think like a security ninja, highlight common mistakes that can have catastrophic consequences, and provide tips to avoid them.
AWS Loft – RedLock Lab session
Abstract submitted
Become a Cloud Security Ninja
In order to confidently scale your AWS deployments, continuous security must be built into your continuous integration and continuous delivery architecture. Participate in a series of interactive capture the flag challenges to get hands-on experience with DevSecOps. We’ll teach you how to think like a security ninja, highlight common mistakes that can have catastrophic consequences, and provide tips to avoid them. More specifically, learn how to:
- Establish security guardrails in the DevOps process
- Detect and remediate risky configurations
- Identify vulnerable hosts
- Detect and respond to malicious activities
- Rapidly investigate incidents
We provide the infrastructure necessary for the lab - simply show up with your laptop. Get ready to have some fun and win some exciting prizes!
Lab workflow
Suggested agenda/flow
30 minutes “welcome/intro”
● Welcome
● Presentation of agenda and topics that’ll be covered during the lab session.
● Explain flow and rules for the capture the flag challenge.
● Distribute Capture the Flag answer cards to everyone
● Ask everyone to fill out name and contact details to participate in the challenge.
● Ask everyone to separate the answer card into 4 individual cards (one for each capture the flag challenge)
● Ensure everyone is connected to Wi-Fi.
● Ensure everyone can log into the RedLock admin and AWS admin consoles.
● RedLock Console overview / walkthrough / demo (Dashboard, Secure/Report, Investigate and Alerts)
Start Capture the flag challenges:
● Present the challenge on the central monitor
● Start the timer (10 minutes)
● Collect capture the flag answers from the participants
● Lecture: Explain the importance of the use case covered in the challenge, and demo how to find the answers for the capture the flag challenge.
● Continue to next challenge.
Capture the flag challenge #1 (20 minutes)
Topic: Config & compliance checks and reporting
Challenge: Your security and compliance team reviewed the last compliance report, and wants to leverage the RedLock console to find answers for the following:
Question #1:
Question: How many S3 buckets have been accessible anonymously from the internet within the last month?
Answer: Alerts -> Last Month -> find the number of “S3 buckets are accessible to public” alerts
Question #2
How many documents are accessible from the internet within the “XX” S3 bucket?
Answer:
Option #1: Alerts -> “S3 buckets are accessible to public” -> Click the “AWS console link” associated with the “XX” S3 bucket alert to connect to the AWS admin console -> count the number of documents in the bucket.
Option #2: Open the AWS admin console, find the “XX” S3 bucket, and count the number of files in the bucket.
Question #3:
Question: The compliance report indicates that RDS snapshots are accessible to the public for the “XX” resource in your environment. Which AWS CLI command can be executed to remediate this security risk?
Answer A: aws rds --region us-west-1 modify-db-snapshot-attribute --db-snapshot-identifier new-snapshot-public --attribute-name restore --values-to-remove "all"
Answer B: aws rds --region us-east-1 modify-db-snapshot-attribute --db-snapshot-identifier new-snapshot-public --attribute-name restore --values-to-remove "all"
Answer C: aws rds --region eu-west-1 modify-db-snapshot-attribute --db-snapshot-identifier new-snapshot-public --attribute-name restore --values-to-remove "all"
Answer: Alerts -> Last 3 months -> RDS Snapshots are accessible to public -> resolve button
Question #4:
Find the RDS snapshot accessible to the internet and provide the unique identifier (ARN) associated with the snapshot.
Answer A: arn:aws:rds:eu-west-1:274307705868:snapshot:test-ss
Answer B: arn:aws:rds:eu-east-1:274307705868:snapshot:test-ss
Answer C: arn:aws:rds:eu-west-1:43207705868:snapshot:test-ss
Answer D: arn:aws:rds:eu-east-1:432007705868:snapshot:test-ss
Answer: Alerts -> “RDS snapshots are accessible to public” -> Find and click the “XX” resource in the RedLock admin console.
Question #5:
Question: The security team has noticed that a number of AWS Security Groups allow internet traffic, including the “default” Security Group. Security wants to understand the number of workloads that have accepted TCP traffic through the “default” security group within the last 2 weeks.
Answer: Alerts -> Security Groups Allow Internet Traffic -> hover over the “default” SG -> Investigate button -> set time range to the last 2 weeks -> count the number of workloads.
Collect answers
Collect all answer cards for challenge #1. RedLock will calculate the score for each attendee
Lecture for challenge #1: Explain the above use cases and why each of them is important. Demonstrate how to find the answer for each of the above questions. Remember to demonstrate how to leverage the AWS console link associated with RedLock alerts for easy launch/access to the AWS console.
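Added example for the lecture (this is not part of the RedLock lab material and not RedLock code): the two findings behind challenge #1, an S3 bucket reachable anonymously and an RDS snapshot shared with "all", checked offline from the JSON that `aws s3api get-bucket-acl`, `aws s3api get-bucket-policy` and `aws rds describe-db-snapshot-attributes` return, with the same remediation command the challenge asks for generated from the finding. The bucket names, snapshot identifier, account IDs and policy documents below are constructed for the example.

```python
"""Added example (not RedLock lab material): offline versions of the challenge #1
checks over constructed S3 ACL/policy documents and an RDS snapshot attribute result."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL_URIS = {ALL_USERS, AUTH_USERS}


def acl_is_public(acl):
    """True if any grant in a get-bucket-acl result targets AllUsers/AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            return True
    return False


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_is_public(policy_doc):
    """True if a bucket policy has an unconditional Allow for a wildcard principal.
    A Condition (e.g. aws:SourceVpc) narrows the statement, so conditioned
    statements are not counted as anonymous access here."""
    stmts = policy_doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(s.get("Effect") == "Allow"
               and _principal_is_wildcard(s.get("Principal"))
               and not s.get("Condition")
               for s in stmts)


def public_buckets(buckets):
    """buckets: {name: {"acl": acl_json, "policy": policy_json_or_None}} -> sorted public names."""
    return sorted(name for name, b in buckets.items()
                  if acl_is_public(b["acl"]) or (b.get("policy") and policy_is_public(b["policy"])))


def snapshot_is_public(attr_result):
    """describe-db-snapshot-attributes: the 'restore' attribute lists the account IDs
    allowed to restore the snapshot; the literal value "all" makes it public."""
    for attr in attr_result["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]:
        if attr["AttributeName"] == "restore" and "all" in attr["AttributeValues"]:
            return True
    return False


def remediation_command(region, snapshot_id):
    """The CLI call from the challenge, parameterised on region and snapshot identifier."""
    return (f"aws rds --region {region} modify-db-snapshot-attribute "
            f"--db-snapshot-identifier {snapshot_id} --attribute-name restore --values-to-remove all")


# Constructed sample data (made-up bucket names, canonical IDs and VPC id).
SAMPLE_BUCKETS = {
    "lab-public-docs": {
        "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        "policy": None,
    },
    "lab-private-logs": {
        "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc"}, "Permission": "FULL_CONTROL"}]},
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::lab-private-logs/*",
                                  "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123"}}}]},
    },
    "lab-website": {
        "acl": {"Grants": []},
        "policy": {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::lab-website/*"}},
    },
}

# Constructed describe-db-snapshot-attributes output for a snapshot shared with everyone.
SAMPLE_SNAPSHOT = json.loads("""{"DBSnapshotAttributesResult": {
  "DBSnapshotIdentifier": "new-snapshot-public",
  "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}}""")

if __name__ == "__main__":
    print("public buckets:", public_buckets(SAMPLE_BUCKETS))
    if snapshot_is_public(SAMPLE_SNAPSHOT):
        print(remediation_command("us-west-1", "new-snapshot-public"))
```

The region in the generated command is the one the snapshot actually lives in, which is why the three answer options in question #3 differ only by region: the command is correct only when run against the right one.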
Capture the flag challenge #2 (20 minutes)
Topic: Privileged activity monitoring & user behavior analytics
Your security team has detected some suspicious user activities for <user_x>, and needs
answers for the following questions:
Question #1:
Question: How many unusual user activities have been detected for <user_x> in October?
Answer: Alerts -> Unusual user activity -> set time range to October -> find <user_x> -> click Investigate -> select October -> count the number of suspicious activities.
Question #2:
Question: Why was the user activity for <user_x> identified as suspicious?
Answer A: The user logged in from an unusual machine and an unusual browser.
Answer B: The user logged in from an unusual location and performed unusual activities.
Answer: B
Question #3:
Analyze login behavior within your environment to identify and count the number of users whose credentials may have been compromised due to “impossible time travel” (account compromise) scenarios in October.
Answer: Alerts -> set time range to October -> Account Hi-jack attempts -> analyze the alerts, and find and count the number of alerts related to “impossible time travel”.
Question #4:
Unusual privileged user activities have been detected within your environment. Leverage the RedLock console to find the number of 'DeleteAccessKey', 'DeleteBucket' and 'DeleteCertificate' actions performed by user “X” within your environment in October.
Answer: Investigate -> select October -> event where operation IN ( 'DeleteAccessKey', 'DeleteBucket' , 'DeleteCertificate' ) and user = 'X'
Collect answers
Collect all answer cards for challenge #2. RedLock will calculate the score for each attendee
Lecture for challenge #2: Explain the above use cases and why each of them is important.
Demonstrate how to find the answer for each of the above questions.
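Added example for the lecture (not part of the RedLock lab material and not RedLock code): the two challenge #2 detections, “impossible time travel” between console logins and the count of privileged delete operations by one user, run over constructed CloudTrail-shaped records. The usernames, source IPs, timestamps and the IP-to-coordinates table are all made up; the table stands in for the GeoIP lookup a real pipeline would use, and the 1000 km/h threshold is an assumption chosen to be faster than any commercial flight.

```python
"""Added example (not RedLock lab material): impossible-travel and privileged-delete
checks over constructed CloudTrail records."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP stand-in: source IP -> (lat, lon).
GEO = {
    "203.0.113.10": (37.77, -122.42),   # San Francisco
    "198.51.100.7": (37.78, -122.40),   # San Francisco, second office
    "192.0.2.55": (52.52, 13.40),       # Berlin
}

# Constructed CloudTrail-shaped events (only the fields the checks use).
EVENTS = [
    {"eventTime": "2017-10-03T08:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "user_x"}},
    {"eventTime": "2017-10-03T09:30:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"userName": "user_x"}},
    {"eventTime": "2017-10-03T09:45:00Z", "eventName": "DeleteAccessKey", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"userName": "user_x"}},
    {"eventTime": "2017-10-03T09:46:00Z", "eventName": "DeleteBucket", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"userName": "user_x"}},
    {"eventTime": "2017-10-04T10:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "user_y"}},
    {"eventTime": "2017-10-04T12:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "user_y"}},
    {"eventTime": "2017-10-05T11:00:00Z", "eventName": "DeleteCertificate", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "user_y"}},
    {"eventTime": "2017-09-28T11:00:00Z", "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "user_x"}},
]

PRIVILEGED_DELETES = {"DeleteAccessKey", "DeleteBucket", "DeleteCertificate"}
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: faster than this between logins is "impossible travel"


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def in_month(event, year, month):
    t = _ts(event)
    return t.year == year and t.month == month


def impossible_travel_users(events, year, month):
    """Users with two consecutive console logins whose implied speed exceeds the threshold."""
    logins = sorted((e for e in events if e["eventName"] == "ConsoleLogin" and in_month(e, year, month)),
                    key=_ts)
    last = {}        # user -> (time of previous login, its location)
    flagged = set()
    for e in logins:
        user = e["userIdentity"]["userName"]
        loc = GEO.get(e["sourceIPAddress"])
        if loc is None:
            continue  # unknown IP: no distance can be computed, so do not guess
        if user in last:
            prev_t, prev_loc = last[user]
            hours = (_ts(e) - prev_t).total_seconds() / 3600
            if hours > 0 and haversine_km(prev_loc, loc) / hours > MAX_PLAUSIBLE_KMH:
                flagged.add(user)
        last[user] = (_ts(e), loc)
    return sorted(flagged)


def privileged_delete_count(events, user, year, month):
    """Same question as the RQL in question #4:
    event where operation IN ('DeleteAccessKey','DeleteBucket','DeleteCertificate') and user = '<user>'."""
    return sum(1 for e in events
               if e["eventName"] in PRIVILEGED_DELETES
               and e["userIdentity"]["userName"] == user
               and in_month(e, year, month))


if __name__ == "__main__":
    print("impossible travel in October:", impossible_travel_users(EVENTS, 2017, 10))
    print("privileged deletes by user_x in October:", privileged_delete_count(EVENTS, "user_x", 2017, 10))
```

user_x logs in from San Francisco and ninety minutes later from Berlin, an implied speed of several thousand km/h, so the account is flagged; user_y moves between two offices in the same city and is not. The September DeleteBucket is outside the October window and is not counted.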
Capture the flag challenge #3 (20 minutes)
Topic: Network Intrusion Detection monitoring and alerting
Your DevOps team provisioned a number of new database servers, and accidentally exposed them to the internet.
Question #1:
Question: How many DB and RDS servers have received inbound traffic from the internet within the last 72 hours?
Answer: Investigate -> last 3 days -> run the below query and count the result set
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource in ( resource where role IN ( 'AWS RDS' , 'Database' ))
Question #2:
Question: Which security group allowed the “X” DB workload to receive traffic directly from the internet within the last 72 hours?
Answer A: Security Group A
Answer B: Security Group B
Answer C: Security Group C
Answer: Investigate -> last 3 days -> run the below query -> click the “X” DB workload -> analyze its security groups, and determine which security group allowed internet traffic:
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource in ( resource where role IN ( 'AWS RDS' , 'Database' ))
Question #3:
Question: How many DB workloads have exchanged more than 10,000 bytes with the internet within the last 72 hours?
Answer: Investigate -> last 3 days -> run the below query
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource in ( resource where role IN ( 'AWS RDS' , 'Database' )) and bytes > 10000
Question #4:
Question: How many egress attempts were made from an EC2 instance (instance X) to an external server on port 25, potentially indicating that the EC2 instance was compromised and used as a spam bot?
Answer: Investigate -> last 2 weeks -> run the following query -> click the outbound connection link from instance X to the external mail server -> click “View Details” on the right -> count the number of outbound attempts.
network where source.resource IN ( resource where tag ( 'name' ) = 'X') and dest.port = 25
Collect answers
Collect all answer cards for challenge #3. RedLock will calculate the score for each attendee
Lecture for challenge #3: Explain the above use cases and why each of them is important.
Demonstrate how to find the answer for each of the above questions.
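Added example for the lecture (not part of the RedLock lab material and not RedLock code): the challenge #3 questions answered from raw VPC Flow Log records rather than the Investigate page, so attendees can see what the RQL queries above are doing underneath. The flow log lines, the ENI-to-workload inventory (which stands in for RedLock's resource “role”) and the suspicious-IP list are all constructed; field order follows the default version 2 flow log format. The only flows counted are ACCEPTed ones, since a REJECTed packet never reached the workload.

```python
"""Added example (not RedLock lab material): challenge #3 checks over constructed VPC Flow Log records."""
import ipaddress

# Constructed inventory: ENI -> (workload name, role).
ENI_INVENTORY = {
    "eni-0a1": ("db-orders", "Database"),
    "eni-0b2": ("rds-proxy-1", "AWS RDS"),
    "eni-0c3": ("web-1", "Web"),
    "eni-0d4": ("db-reports", "Database"),
}
SUSPICIOUS_IPS = {"192.0.2.99"}  # constructed threat-intel list

# Constructed flow log records, default v2 fields:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG = """\
2 123456789012 eni-0a1 203.0.113.5 10.0.1.10 51000 5432 6 40 12000 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0b2 192.0.2.99 10.0.1.20 52000 3306 6 10 900 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0c3 198.51.100.4 10.0.2.10 53000 443 6 30 8000 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0d4 10.0.2.10 10.0.1.30 53001 5432 6 50 20000 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0d4 203.0.113.9 10.0.1.30 53002 5432 6 5 400 1507000000 1507000060 REJECT OK
2 123456789012 eni-0c3 10.0.2.10 203.0.113.25 40000 25 6 3 300 1507000000 1507000060 ACCEPT OK
2 123456789012 eni-0c3 10.0.2.10 203.0.113.26 40001 25 6 3 300 1507000100 1507000160 ACCEPT OK
2 123456789012 eni-0c3 10.0.2.10 10.0.1.10 40002 25 6 3 300 1507000100 1507000160 ACCEPT OK
"""

FIELDS = ("version account interface srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action status").split()

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def parse_flow_log(text):
    """Parse v2 flow log lines into dicts; NODATA/SKIPDATA and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        r = dict(zip(FIELDS, parts))
        for k in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            r[k] = int(r[k])
        records.append(r)
    return records


def is_public(ip):
    """Anything outside RFC1918/link-local/loopback is treated as the Internet.
    (ipaddress.is_global is deliberately not used: it classifies the documentation
    ranges used as sample addresses here, such as 203.0.113.0/24, as non-global.)"""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def source_class(ip):
    """Map a source address onto the RQL source.publicnetwork classes."""
    if ip in SUSPICIOUS_IPS:
        return "Suspicious IPs"
    return "Internet IPs" if is_public(ip) else "Private"


def db_workloads_hit_from_internet(records, min_bytes=0):
    """Accepted inbound flows from public or suspicious sources to Database/AWS RDS workloads.
    Mirrors: network where source.publicnetwork IN ('Internet IPs','Suspicious IPs')
             and dest.resource in (resource where role IN ('AWS RDS','Database')) [and bytes > N]"""
    hits = set()
    for r in records:
        name, role = ENI_INVENTORY.get(r["interface"], (None, None))
        if role not in ("AWS RDS", "Database") or r["action"] != "ACCEPT":
            continue
        if source_class(r["srcaddr"]) == "Private" or r["bytes"] <= min_bytes:
            continue
        hits.add(name)
    return sorted(hits)


def smtp_egress_attempts(records, workload):
    """Outbound flows from one workload to port 25 on a public address (spam-bot indicator).
    Mirrors: network where source.resource IN (resource where tag('name') = 'X') and dest.port = 25"""
    enis = {eni for eni, (name, _) in ENI_INVENTORY.items() if name == workload}
    return sum(1 for r in records
               if r["interface"] in enis and r["dstport"] == 25
               and not is_public(r["srcaddr"]) and is_public(r["dstaddr"]))


if __name__ == "__main__":
    recs = parse_flow_log(FLOW_LOG)
    print("DB workloads reached from the internet:", db_workloads_hit_from_internet(recs))
    print("... with more than 10,000 bytes:", db_workloads_hit_from_internet(recs, min_bytes=10000))
    print("port-25 egress attempts from web-1:", smtp_egress_attempts(recs, "web-1"))
```

db-reports appears in the log but is not counted: one of its flows came from a private address and the other was rejected. Port-25 traffic to an internal host is also excluded, since the spam-bot indicator is mail sent directly to servers on the internet.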
Capture the flag challenge #4 (20 minutes)
Topic: Forensics Investigations and incident response
Your AWS team has noticed changes and suspicious activities in core AWS configuration settings, and is looking for answers to the following questions:
Question #1
Question: How many new Security Groups were created in the environment within the last month?
Answer: Investigate -> last month -> count the results from the following query
event where operation IN ('CreateSecurityGroup')
Question #2:
Question: How many workloads received traffic through the “default” Security Group within the last month?
Answer:
Option #1: Investigate -> last month -> count the results from the following query
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource IN ( resource where securitygroup.name IN ( 'default' ))
Option #2: Alerts -> Security Groups Allow Internet Traffic -> Investigate button for the “default” SG alert.
Question #3:
Question: Have any AWS instances with the tag “Environment” = “Production” received traffic from suspicious IP addresses within the last week?
Answer: Investigate -> last week -> run the following query
network where source.publicnetwork IN ( 'Suspicious IPs' ) and dest.resource IN ( resource where tag ( 'Environment' ) = 'Production' ) and bytes > 0
Question #4:
Your security team has received reports that some of your Database and Web Servers have been compromised due to known host vulnerabilities, and needs your help with the following:
Question: How many workloads have reported a known host vulnerability within the last 7 days?
Answer:
Option #1: Investigate -> last 7 days -> run the following query:
network where dest.resource IN ( resource where alert.type IN ( 'cve' ))
Option #2: network where source.ip = 0.0.0.0 and bytes > 0, and manually count the number of workloads marked with “exclamation marks”.
Question #5:
The security team has been notified that an EC2 instance (host_x) is receiving traffic from the internet AND also has known vulnerabilities, and needs your help to analyze which types of communication have been accepted by <host_x> within the last 2 weeks.
Answer: Investigate -> last 2 weeks -> run the following query
network where dest.resource IN ( resource where tag ( 'Name') = '<host_x>' ) and source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and bytes > 0
Answer A: SSH and Web
Answer B: SSH
Answer C: SSH, Web and FP
Collect answers
Collect all answer cards for challenge #4. RedLock will calculate the score for each attendee
Lecture for challenge #4: Explain the above use cases and why each of them is important.
Demonstrate how to find the answer for each of the above questions.
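Added example for the lecture (not part of the RedLock lab material and not RedLock code): the static half of the security group questions, which group on a workload admitted a flow from the internet (challenge #3, question #2) and which workloads are exposed through the “default” group (challenge #4, question #2). Security groups attached to an instance are evaluated as a union, so the flow is allowed if any attached group has a matching ingress rule, and a group of protocol "-1" carries no port range at all. The group definitions follow the shape of `aws ec2 describe-security-groups`; the group IDs, group names, workload names and CIDRs are constructed. Counting the workloads that actually received such traffic still needs the flow data; this example only tells you which ones could.

```python
"""Added example (not RedLock lab material): security group ingress evaluation over
constructed describe-security-groups output."""
import ipaddress

# Constructed describe-security-groups output (only the fields needed).
SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-aaa", "GroupName": "default",
         "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-bbb", "GroupName": "db-internal",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                            "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
        {"GroupId": "sg-ccc", "GroupName": "web-public",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                           {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]},
    ]
}

# Constructed workload -> attached security group IDs.
WORKLOAD_GROUPS = {
    "db-orders": ["sg-bbb", "sg-aaa"],
    "db-reports": ["sg-bbb"],
    "web-1": ["sg-ccc"],
}


def _groups_by_id(sgs):
    return {g["GroupId"]: g for g in sgs["SecurityGroups"]}


def rule_matches(perm, proto, port, src_ip):
    """Does one IpPermissions entry admit proto/port from src_ip?
    Protocol "-1" means all protocols and has no FromPort/ToPort."""
    if perm["IpProtocol"] not in ("-1", proto):
        return False
    if perm["IpProtocol"] != "-1" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", []))


def groups_admitting(sgs, group_ids, proto, port, src_ip):
    """The attached groups whose rules admit the flow (groups are a union: any match allows it)."""
    by_id = _groups_by_id(sgs)
    return [gid for gid in group_ids
            if any(rule_matches(p, proto, port, src_ip) for p in by_id[gid]["IpPermissions"])]


def rule_open_to_internet(perm):
    """A 0.0.0.0/0 or ::/0 source is the “Security Groups Allow Internet Traffic” condition."""
    return (any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r["CidrIpv6"] == "::/0" for r in perm.get("Ipv6Ranges", [])))


def workloads_exposed_via(sgs, workload_groups, group_name):
    """Workloads attached to a group with the given name that has an internet-open ingress rule."""
    open_ids = {g["GroupId"] for g in sgs["SecurityGroups"]
                if g["GroupName"] == group_name and any(rule_open_to_internet(p) for p in g["IpPermissions"])}
    return sorted(w for w, gids in workload_groups.items() if set(gids) & open_ids)


if __name__ == "__main__":
    # Challenge #3 Q2: a flow from the internet reached db-orders on TCP/5432; which group let it in?
    print(groups_admitting(SECURITY_GROUPS, WORKLOAD_GROUPS["db-orders"], "tcp", 5432, "203.0.113.5"))
    # Challenge #4 Q2: which workloads are reachable through the "default" group?
    print(workloads_exposed_via(SECURITY_GROUPS, WORKLOAD_GROUPS, "default"))
```

db-orders has the tightly scoped db-internal group attached, but the default group attached beside it allows everything from everywhere, and because group evaluation is a union the tight rule does nothing. db-reports, with only db-internal attached, is reachable on 5432 from inside the VPC and from nowhere else.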
Wrap-up / prizes (15 minutes)
5 minutes wrap-up / summary of what was covered during the capture the flag challenges.
Prizes
● Grand prize goes to the attendee with the most total points for all 4 challenges *)
● The prize for each of the 4 challenges goes to the attendee with the most points for that challenge *)
● Attendees can “only” win once.
Draw if there is a tie for any of the above.
Capture the flag rules and logistics
Each attendee will receive an answer card (see below) - maybe we can create “online” cards..
Each attendee will turn-in their answers after each capture the flag challenge.
All correct answers will get a score of 2, and the total score for each challenge will be the sum of the correct answers on the answer card.
The winner of each challenge is the one with the most points for that challenge, and if there is a tie we will draw a winner.
There will be a prize for each capture the flag challenge.
The grand-prize winner is the one with the most points for all 4 capture the flag challenges, and if there is a tie we will draw a winner.
Each individual can “only” win once, and will be “excluded” from future drawings after winning a prize.
RedLock capture the flag answer card
Capture the flag challenge #1: Config & compliance checks and reporting
Participant #: <unique number will be printed on each card>
Name: _______________________
Email: _______________________
Phone: _______________________
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
Answer for question #5: _______________________
------------------------ cut answer card here -----------------------
Capture the flag challenge #2: User anomaly & user compromise monitoring and alerting
Participant #: <unique number will be printed on each card>
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
------------------------ cut answer card here -----------------------
Capture the flag challenge #3: Network Intrusion Detection monitoring and Alerting
Participant #: <unique number will be printed on each card>
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
------------------------ cut answer card here -----------------------
Capture the flag challenge #4: Forensics Investigations and incident response
Participant #: <unique number will be printed on each card>
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
Answer for question #5: _______________________