Meetup Protect from Ransomware Attacks
- 1. © 2021, Amazon Web Services, Inc. or its Affiliates.
Mike P., Solutions Architect
Eduardo Lovera, Solutions Architect
August 17, 2021
Ransomware
Protecting and Recovering
- 2.
Agenda
• What is Ransomware?
• AWS and Provable Security
• Protection and Recovery
• Amazon GuardDuty
• Amazon Detective
• AWS Backup
• Q&A
- 3.
What is Ransomware?
- 4.
Ransomware evolution
1989 – The first known ransomware, the 1989 AIDS Trojan, is written.
2005 – In May, extortion ransomware appears.
2006 – By mid-2006, worms such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip and May Archive start using more sophisticated RSA encryption.
2011 – A ransomware worm imitating the Windows Product Activation notice appears.
2013 – A ransomware worm based on the Stamp.Ek exploit kit surfaces and a Mac OS X-specific ransomware worm arrives on the scene. CryptoLocker rakes in $5 million in the last four months of the year.
2015 – Multiple variants on multiple platforms are causing damage.
- 5.
Ransomware – From minor annoyance to BIG business
Annoyance → Disruption → Extortion
- 6.
Main types of ransomware
Locker Ransomware – Does not encrypt files; it locks the victim out of their device, preventing them from using it. Once they are locked out, cybercriminals demand a ransom to unlock the device.
Crypto Ransomware – Encrypts valuable files on a computer so that the user cannot access them; attackers make money by demanding victims pay a ransom to get their files back.
- 7.
Why has ransomware been effective?
- 8.
Concrete examples of customer security events
Diverse initial vectors and impacts
• Exploit based
• Active Directory lateral movement
• Database vector
• AWS Credential vector
• S3 bucket ransom
• Threats of resource deletion
- 9.
AWS and Provable Security
- 10.
Shared responsibility model
AWS – Security OF the Cloud: AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.
Customer – Security IN the Cloud: Customer responsibility will be determined by the AWS Cloud services that a customer selects.
- 11.
Principle of least privilege
[Diagram: AWS service categories – Storage, Development & Management Tools, Content Delivery, Analytics, Compute, Messaging, Database, App Services, Mobile, Payments, Networking, On-Demand Workforce, VPC]
IAM user: securely control individual and group access to your AWS resources.
- 12.
Segment Amazon Virtual Private Clouds
- 13.
But how do you know proactively that you are prepared?
Not enough time, resources, money, or know-how . . .
- 14.
1. Inventory
2. Vulnerability management
3. Policy enforcement
4. Integrity monitoring
5. Logging and baselining
6. Backups
7. Secure storage
8. Network protection
9. Blocklisting
- 15.
What is the NIST Cybersecurity Framework?
In February 2014, the National Institute of Standards and Technology (NIST) published the “Framework for Improving Critical Infrastructure Cybersecurity” (or CSF), a voluntary framework to help organizations of any size and sector improve the cybersecurity, risk management, and resilience of their systems. Originally intended for critical infrastructure, but with broader applicability across all organization types.
Executive Order – Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” charges NIST in Feb. 2013.
Legislation – The Cybersecurity Enhancement Act of 2014 reinforced the legitimacy and authority of the CSF by codifying it and its voluntary adoption into law.
Executive Order – Presidential EO 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” mandates the use of the CSF for all federal IT.
- 16.
Aligning to AWS services
Identify – Which workloads are critical for recovery?
Protect, Detect, and Respond – Implement best security practices to prevent an attack.
Recover – Set up your ability to recover.
- 17.
Protection and Recovery
- 18.
Map Services/Solutions to the NIST CSF
Identify – AWS Systems Manager Inventory, Config
Protect – Network Segmentation, IAM, SCP, Federate Access, AWS Systems Manager Patch Manager, Control Tower
Detect – Inspector, Security Hub, GuardDuty, Security Assessment Solution
Respond – Detective, ProServe Security Gameday, Incident Response Plan
Recover – Backup, S3 Cross-Region Replication/Glacier, CloudEndure
- 19.
Detect
AWS Security Hub, Amazon Inspector, Amazon GuardDuty, Self Assessment Tool, AWS Well-Architected Framework
- 20.
What is Amazon GuardDuty?
Amazon GuardDuty is a threat detection service that uses machine learning,
anomaly detection, and integrated threat intelligence to identify and prioritize
potential threats.
Protects AWS accounts, workloads, and data stored in S3.
Identify malicious & highly suspicious activity
- 21.
How does Amazon GuardDuty work?
Data sources: VPC flow logs, DNS logs, CloudTrail events, S3 data plane events
Threat detection types: threat intelligence; anomaly detection (ML)
Finding type examples:
• Bitcoin mining
• C&C activity
• Unusual user behavior (example: launch instance, change network permissions)
• Unusual traffic patterns (example: unusual ports and volume)
Findings are rated HIGH, MEDIUM or LOW and are delivered to AWS Security Hub, CloudWatch Events and Amazon Detective.
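The pipeline on this slide (findings, a severity band, then a downstream consumer such as CloudWatch Events) is easy to misconfigure if the routing rule and the severity bands are never checked together. The following is an added example, not code from the deck or from AWS: it models GuardDuty's numeric severity bands (Low 1.0–3.9, Medium 4.0–6.9, High 7.0–8.9), a CloudWatch Events / EventBridge pattern that selects only high-severity findings, and a minimal pattern matcher so the rule can be exercised offline. The sample events are constructed in the shape of GuardDuty findings delivered through EventBridge; the finding type strings follow GuardDuty's naming convention but the events, instance ids and account id are placeholders, and the matcher implements only the subset of EventBridge pattern syntax this rule needs.

```python
"""Triage constructed GuardDuty finding events by severity band and check
which ones a high-severity CloudWatch Events / EventBridge rule would route.
Added example; events below are constructed, not real findings."""
from typing import Any

# GuardDuty severity bands: High 7.0-8.9, Medium 4.0-6.9, Low 1.0-3.9.
SEVERITY_BANDS = (("HIGH", 7.0), ("MEDIUM", 4.0), ("LOW", 1.0))


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to the HIGH / MEDIUM / LOW bands on the slide."""
    for label, floor in SEVERITY_BANDS:
        if severity >= floor:
            return label
    return "UNKNOWN"


# Event pattern matching any GuardDuty finding, and a stricter one for paging:
# "numeric" content filtering is standard EventBridge pattern syntax.
GUARDDUTY_FINDING_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}
HIGH_SEVERITY_RULE_PATTERN = {
    **GUARDDUTY_FINDING_PATTERN,
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_NUMERIC_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def _value_matches(rule_values: list, actual: Any) -> bool:
    """A pattern leaf is a list of alternatives: exact values or numeric filters."""
    for rule in rule_values:
        if isinstance(rule, dict) and "numeric" in rule:
            op, bound = rule["numeric"]
            if isinstance(actual, (int, float)) and _NUMERIC_OPS[op](actual, bound):
                return True
        elif rule == actual:
            return True
    return False


def event_matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge matching: every pattern key must exist in the event
    and match; nested dicts recurse. Keys absent from the pattern are ignored."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not event_matches(rule, event[key]):
                return False
        elif not _value_matches(rule, event[key]):
            return False
    return True


def _finding(finding_type: str, severity: float, resource: str) -> dict:
    """Constructed event in the shape GuardDuty findings take on the event bus."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"type": finding_type, "severity": severity, "resource": resource},
    }


# Constructed sample events (placeholder ids); the last one is unrelated noise.
SAMPLE_EVENTS = [
    _finding("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8.0, "i-0123456789abcdef0"),
    _finding("Backdoor:EC2/C&CActivity.B!DNS", 8.0, "i-0123456789abcdef0"),
    _finding("Recon:IAMUser/NetworkPermissions", 5.0,
             "arn:aws:iam::111122223333:user/example-user"),
    _finding("Recon:EC2/PortProbeUnprotectedPort", 2.0, "i-0fedcba9876543210"),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
]


def triage(events: list) -> dict:
    """Group GuardDuty finding types by band and record which would fire the paging rule."""
    buckets = {"HIGH": [], "MEDIUM": [], "LOW": [], "paged": []}
    for event in events:
        if not event_matches(GUARDDUTY_FINDING_PATTERN, event):
            continue  # not a GuardDuty finding; ignore
        detail = event["detail"]
        buckets[severity_label(detail["severity"])].append(detail["type"])
        if event_matches(HIGH_SEVERITY_RULE_PATTERN, event):
            buckets["paged"].append(detail["type"])
    return buckets


if __name__ == "__main__":
    for band, types in triage(SAMPLE_EVENTS).items():
        print(f"{band}: {types}")
```

Running the file prints the two high-severity findings (the Bitcoin mining and C&C activity examples from the slide) in both HIGH and paged, the IAM reconnaissance finding in MEDIUM, and the port probe in LOW; the EC2 state-change event is dropped before triage because its source is not aws.guardduty.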
- 22.
Respond
Amazon Detective, AWS Security Hub, AWS Professional Services
- 23.
Amazon Detective
Analyze and visualize security data to rapidly get to the root cause of
potential security issues.
- 24.
How does Amazon Detective work?
Hosted service: automated data collection, synthesis, analysis
AWS → Amazon Detective: findings and telemetry are collected, enriched with role, user, instance, IP address and bucket context, and kept in S3 data storage
Data & context → behavior & baselines → behavior graph → analytics & insights
- 25.
Recover
AWS Storage Gateway, CloudEndure Disaster Recovery, Amazon S3 Glacier, Amazon Simple Storage Service, AWS Backup
- 26.
Introducing AWS Backup
A fully managed, policy-based backup service that makes it easy to centrally manage and automate the backup of data across AWS services.
Supported services: Amazon EFS, Amazon EBS, Amazon RDS, Amazon DynamoDB, AWS Storage Gateway, Amazon Aurora, Amazon EC2, FSx for Lustre, FSx for Windows
- 27.
DR & Ransomware Recovery with AWS Backup
Build an Isolated Backup Vault
Vault characteristics:
• Backups are highly efficient, incremental forever
• Backup copies cannot be changed or encrypted
• Manage with vault-specific CMK/KMS best practices
• Air-gapped backups using vault access policies
• Prescriptive guidance for vault account access provided
Recovery options:
• Supports 1-to-many, many-to-many, many-to-1, etc.
• Recover from the same account locally or from across region
• Recover from cross-account locally or across region
• Recover from RPOs that are hours, days, weeks or months old
• Simple workflow to apply any forensic analysis
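The "air-gapped backups using vault access policies" bullet is the control that keeps a ransomware operator with stolen admin credentials from deleting or aging out the recovery points they would otherwise hold hostage. The following is an added example and not code or guidance from the deck or from AWS: it builds such a vault access policy as a JSON document (the shape passed to backup:PutBackupVaultAccessPolicy) that denies the destructive vault actions to every principal except one break-glass role, and pairs it with a small evaluator that applies IAM's explicit-deny-wins rule so the policy can be checked offline before it goes onto a real vault. The account id, region, vault name and role name are placeholders; the break-glass carve-out via the aws:PrincipalArn condition key is a design choice made here, to be confirmed against the current AWS Backup documentation for your account setup; and the evaluator models only the condition operators this policy uses.

```python
"""Build and exercise an AWS Backup vault access policy that denies destructive
vault actions to everyone except a break-glass role. Added example; all ids are
placeholders."""
import fnmatch
import json

# Placeholder identifiers (constructed for this example).
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
VAULT_ARN = f"arn:aws:backup:{REGION}:{ACCOUNT_ID}:backup-vault:isolated-vault"
BREAK_GLASS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/BackupBreakGlass"

# Vault-level actions that would let stolen credentials destroy recovery points,
# shorten their retention, or strip this very guard. These are AWS Backup action names.
DESTRUCTIVE_ACTIONS = [
    "backup:DeleteRecoveryPoint",
    "backup:UpdateRecoveryPointLifecycle",
    "backup:DeleteBackupVault",
    "backup:PutBackupVaultAccessPolicy",
    "backup:DeleteBackupVaultAccessPolicy",
]


def build_vault_access_policy(vault_arn: str, break_glass_role_arn: str) -> dict:
    """Explicit Deny for every principal whose ARN is not the break-glass role.
    Because an explicit Deny overrides any Allow, even account administrators
    are blocked unless they assume that role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDestructiveVaultActions",
            "Effect": "Deny",
            "Principal": "*",
            "Action": DESTRUCTIVE_ACTIONS,
            "Resource": vault_arn,
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": break_glass_role_arn}},
        }],
    }


def render_policy(policy: dict) -> str:
    """JSON text as it would be passed to backup:PutBackupVaultAccessPolicy."""
    return json.dumps(policy, indent=2)


def _matches_any(patterns, value: str) -> bool:
    """IAM-style wildcard matching ('*' and '?') against one pattern or a list."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Only the operators this policy needs are modelled (assumption of the example)."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "StringLike", "ArnNotLike", "StringNotLike"):
            raise ValueError(f"condition operator {operator} not modelled here")
        for key, expected in pairs.items():
            matched = _matches_any(expected, context.get(key, ""))
            if operator in ("ArnLike", "StringLike") and not matched:
                return False
            if operator in ("ArnNotLike", "StringNotLike") and matched:
                return False
    return True


def vault_policy_blocks(policy: dict, principal_arn: str, action: str, resource: str) -> bool:
    """True if an explicit Deny in the vault policy applies to this call. In IAM an
    explicit Deny wins over any Allow in the caller's identity policy, so True
    means the call fails no matter how privileged the caller is."""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Principal"] != "*":
            continue  # this example only builds Principal "*" denies
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def exercise(policy: dict) -> dict:
    """The scenarios that matter: admins cannot destroy or unguard the vault,
    the break-glass role can, and restores are untouched by the Deny."""
    admin = f"arn:aws:iam::{ACCOUNT_ID}:role/Admin"
    return {
        "admin_delete_blocked": vault_policy_blocks(policy, admin, "backup:DeleteRecoveryPoint", VAULT_ARN),
        "admin_unguard_blocked": vault_policy_blocks(policy, admin, "backup:PutBackupVaultAccessPolicy", VAULT_ARN),
        "break_glass_delete_blocked": vault_policy_blocks(policy, BREAK_GLASS_ROLE_ARN, "backup:DeleteRecoveryPoint", VAULT_ARN),
        "admin_restore_blocked": vault_policy_blocks(policy, admin, "backup:StartRestoreJob", VAULT_ARN),
    }


if __name__ == "__main__":
    policy = build_vault_access_policy(VAULT_ARN, BREAK_GLASS_ROLE_ARN)
    print(render_policy(policy))
    print(exercise(policy))
```

The deny list deliberately includes backup:PutBackupVaultAccessPolicy and backup:DeleteBackupVaultAccessPolicy: without them, the same stolen credential that cannot delete a recovery point could simply remove the policy and then delete it. Keeping the break-glass role in a separate, tightly controlled account is the natural next step toward the cross-account recovery options listed above.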
- 28.
So what do I do?
Categorize applications into criticality
Align to a security framework
Test your incident response plan
Test your backups
Use AWS services to implement provable security / resiliency
Meet with AWS to do a deep dive on your mitigation strategy for ransomware.
- 29.
Q&A
Mike P.
Eduardo Lovera
- 30.
Mike P.
preirmi@amazon.com
AWS Solutions Architect
Thank you
Eduardo Lovera
edulover@amazon.com
AWS Solutions Architect