The document discusses scaling threat detection and response on AWS. It provides an overview of AWS security services for threat detection such as GuardDuty, Macie, and Security Hub which analyze log data using machine learning. It also discusses tools for threat response including Lambda, Inspector, and Systems Manager. The document outlines an attacker lifecycle and how findings map to stages. It provides examples of automated detection and response playbooks and remediation actions.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scaling threat detection and
response in AWS
Ahmed Gouda
Solutions Architect, AWS
gouda@amazon.com
/ahmedgouda
@AskGouda

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Elevate your security with the AWS Cloud

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Inherit global security and compliance controls
SOC 1 SOC 2 SOC 3 CJIS
GxP MPAA
My Number
Act
VPAT
Section 508
G-Cloud
DoD SRG FERPA
SEC Rule
17a-4(f)

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Control where your data is stored
and who can access it
Fine-grain identity & access control
so resources have the right access
Reduce risk via security automation and
continuous monitoring
Integrate AWS services with your solutions
to support existing workflows, streamline ops,
and simplify compliance reporting
Scale with visibility and control

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat remediation
and response
Securely deploy business
critical applications
Operational efficiencies to
focus on critical issues
Continuous monitoring
and protection
Automate with integrated services
Comprehensive set of APIs
and security tools

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shared responsibility model
AWS
Security OF
the Cloud
AWS is responsible for
protecting the infrastructure
that runs all of the services
offered in the AWS Cloud
Security IN the
Cloud
Customer responsibility will be
determined by the AWS Cloud
services that a customer selects
Customer

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Traditional on-premises security model
Compute Storage Database Networking
Regions Availability zones Edge locations

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security and Compliance is a Shared Responsibility
Customer
Responsible
for security
IN the cloud
AWS
Responsible
for security
OF the cloud
Customer data
Platform, applications, identity, and access management
Operating system, network and firewall configuration
Client-side data
encryption and data
integrity authentication
Server-side encryption
(file system and/or data)
Network traffic protection
(encryption/
integrity/identity)
Compute Storage Database Networking
AWS global
infrastructure
Regions
Edge locations
Availability zones

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM
AWS Single Sign-On
AWS Directory Service
Amazon Cognito
AWS Organizations
AWS Secrets Manager
AWS Resource Access
Manager
AWS Security Hub
Amazon GuardDuty
AWS Config
AWS CloudTrail
Amazon
CloudWatch
Amazon Virtual Private
Cloud (Amazon VPC)
flow logs
AWS Systems Manager
AWS Shield
AWS WAF
(web application firewall)
AWS Firewall Manager
Amazon Inspector
Amazon VPC
AWS Key Management
Service (KMS)
AWS CloudHSM
AWS Certificate Manager
Amazon Macie
Server-side encryption
AWS Config rules
AWS Lambda
AWS Systems Manager
Identity Detect
Infrastructure
protection
Respond
Data
protection
AWS Security Solutions

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Are you Well-Architected?
Security Reliability
Performance
efficiency
Cost
optimization
Operational
excellence
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why AWS
Well-Architected
Framework?
Learn AWS best practices
Build and deploy faster
Lower or mitigate risks
Make informed decisions

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM
Use automation
Enable detection
Prepare for an incident
What should you do first?

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security by Design principles
Implement a strong identity foundation
Enable traceability
Apply security at all layers
Automate security best practices
Protect data in transit and at rest
Keep people away from data
Prepare for security events

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The AWS security services ecosystem
Protect Detect Respond
Automate
Investigate
RecoverIdentify
AWS
Systems
Manager
AWS Config
AWS
Lambda
Amazon
CloudWatch
Amazon
Inspector
Amazon
Macie
Amazon
GuardDuty
AWS
Security Hub
AWS IoT
Device
Defender
KMSIAM
AWS
Single
Sign-On
Snapshot ArchiveAWS
CloudTrail
Amazon
CloudWatch
Amazon
VPC
AWS
WAF
AWS
Shield
AWS
Secrets
Manager
AWS
Firewall
Manager
AWS
Organizations
Personal
Health
Dashboard
Amazon
Route 53
AWS
Direct
Connect
AWS Transit
Gateway
Amazon
VPC
PrivateLink
AWS Step
Functions
Amazon
Cloud
Directory
AWS
CloudHSM
AWS
Certificate
Manager
AWS
Control
Tower
AWS
Service
Catalog
AWS Well-
Architected
Tool
AWS
Trusted
Advisor
Resource
Access
manager
AWS
Directory
Service
Amazon
Cognito
Amazon S3
Glacier
AWS
Security Hub
AWS
Systems
Manager

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why is threat detection so hard?
Skills shortageSignal to noiseLarge datasets

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM
AWS Single Sign-On
AWS Directory Service
Amazon Cognito
AWS Organizations
AWS Secrets Manager
AWS Resource Access
Manager
AWS Security Hub
Amazon GuardDuty
AWS Config
AWS CloudTrail
Amazon
CloudWatch
Amazon Virtual Private
Cloud (Amazon VPC)
flow logs
AWS Systems Manager
AWS Shield
AWS WAF
(web application firewall)
AWS Firewall Manager
Amazon Inspector
Amazon VPC
AWS Key Management
Service (KMS)
AWS CloudHSM
AWS Certificate Manager
Amazon Macie
Server-side encryption
AWS Config rules
AWS Lambda
AWS Systems Manager
Identity Detect
Infrastructure
protection
Respond
Data
protection
Deep set of security tools

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat detection: Log data inputs
DNS logs
Track user activity
and API usage
IP traffic to and from
network interfaces
in a VPC
Monitor applications
using log data; store
and access log files
Log of DNS queries in
a VPC when using the
VPC DNS resolver
AWS CloudTrail Flow logs Amazon CloudWatch

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat detection: Machine learning
Intelligent threat detection and
continuous monitoring to protect
your AWS accounts and workloads
Machine learning-powered security
service to discover, classify, and
protect sensitive data
Amazon GuardDuty Amazon Macie

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat detection: Amazon GuardDuty

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty: Threat detection and notification
Detect Notify
Amazon
GuardDuty
VPC flow
logs
DNS logs
AWS CloudTrail
events
High
Medium
Low
FindingsData sources

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty data sources
VPC flow logs
VPC flow logs do not need to be
turned on to generate findings;
data is consumed through
independent duplicate stream
Provides information about
network communications for
threat intel and behavioral
detections
DNS logs
DNS logs are based on queries
made from Amazon EC2
instances to known and
unknown questionable domains
DNS logs are in addition to
Amazon Route 53 query logs;
Route 53 is not required for
Amazon GuardDuty to generate
DNS-based findings
AWS CloudTrail events
AWS CloudTrail history of AWS
API calls that are used to access
the AWS Management Console,
SDKs, AWS CLI, etc.
Identification of user and
account activity, including
source IP address used to make
the calls

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty service benefits
Continuous
monitoring of your
AWS accounts and
resources
Detects
unknown threats
(behavior-based)
Detects known
threats (threat
intel-based)
Global coverage with
regional results
One-click activation
with no architectural
or performance
impact
Managed threat detection service
Enterprise-wide
consolidation and
management

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What can Amazon GuardDuty detect?
Detecting known threats using threat intelligence
• Amazon GuardDuty leverages threat intelligence
from various sources
• AWS security intel
• Open source and AWS partners
• Customer-provided threat intel
• Threat intelligence enables Amazon GuardDuty to
identify the following
• Known malware-infected hosts
• Anonymizing proxies
• Sites hosting malware and hacker tools
• Cryptocurrency mining pools and wallets

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Unknown threats using machine learning
Algorithms to detect unusual behavior
• Inspecting signal patterns for heuristics
• Profiling normal and looking at deviations
• Machine learning classifiers

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Comprehensive view of your security and compliance state
within AWS
• Aggregates security findings generated by other AWS security
services and partners
• Analyze security trends and identify the highest-priority
security issues
Amazon
Inspector
Amazon
GuardDuty
Amazon
Macie
AWS Security Hub
Security
findings
providers
Findings
Insights &
standards
Other
AWS
Config
Partner
solutions
Threat detection: AWS Security Hub

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat detection: Evocations and triggers
Continuously tracks your resource
configuration changes and
whether they violate any of the
conditions in your rules
Delivers a near real-time stream
of system events that describe
changes in AWS resources
Amazon CloudWatch
Events
AWS Config

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Attacker lifecycle: Stages
Reconnaissance
Establish
foothold
Escalate
privileges
Internal
reconnaissance
Maintain
persistence

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Attacker lifecycle: Attacker actions
RDP brute
force
RAT installed
Exfiltrate data
over DNS
Probe API
with temp
creds
Attempt to
compromise
account

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Attacker lifecycle: Amazon GuardDuty findings
RDP brute
force
RAT installed
Exfiltrate data
over DNS
Probe API
with temp
creds
Attempt to
compromise
account
Malicious or
suspicious IP
Unusual ports
DNS exfiltration
Unusual traffic volume
Connect to blacklisted site
Recon:EC2/PortProbeUnprotectedPort
Anonymizing proxy
Unusual ISP caller
Bitcoin activity
Unusual instance launch

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat response: Amazon CloudWatch Events
Amazon GuardDuty findings
AWS Lambda
function
Partner
solutions
Automated
response
Anything
else
Amazon CloudWatch
Events

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Systems
Manager
AWS
Lambda
Amazon
Inspector
Run code for
virtually any kind of
application or
backend service—
zero administration
Gain operational
insights and take
action on AWS
resources
Automate security
assessments of
Amazon EC2
instances
Threat response: Services

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat response: High-level playbook
Adversary
or intern
Your
environment
AWS Lambda
function
Amazon
CloudWatch Events

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Threat response: Detailed playbook
Amazon
CloudWatch
Events
AWS Config
AWS Lambda
function
AWS APIs
Detect
Investigate
Respond
Team
collaboration
(e.g., Slack)
Amazon
Inspector
AWS Security Hub
Amazon
GuardDuty
Amazon Macie
Amazon
Inspector

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Incident response: Network ACL and AWS WAF rules
AWS Step
Functions
AWS WAF
Application requests
(static + dynamic)
AWS Lambda
AWS Lambda
Amazon
GuardDuty
Amazon
CloudWatch
Application
Load
Balancer
AWS ShieldAmazon
CloudFront
Network access control list

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automating data collection: AWS Lambda + AWS
Systems Manager
Systems
Manager
Documents
Amazon
CloudWatch
Rule
Amazon EC2
instance contents
Instance:~ ec2-user$ top
Instance:~ ec2-user$ pcap
Instance:~ ec2-user$ lime
AWS
Lambda
Amazon
GuardDuty
AWS
Lambda
function
Amazon EBS
volume
Amazon EBS
forensicsAmazon EBS
snapshot

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automatic remediation examples
Amazon
CloudWatch
Rule
1. Detach instance from Auto Scaling
group and Elastic Load Balancing
2. Remove IAM role
3. Snapshot volume
4. Replace security group on elastic
network interface(s) to disallow all
traffic
5. Attach forensics network interface
Amazon
GuardDuty
AWS
Lambda
function
1. Terminate instance

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
https://aws.amazon.com/security/
https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf
https://www.nist.gov/cyberframework
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
https://aws.amazon.com/security/penetration-testing/
Useful links

41. Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ahmed Gouda
Solutions Architect, AWS
gouda@amazon.com
/ahmedgouda
@AskGouda

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
https://www.meetup.com/AWS-Saudi-user-group/