Automated Intrusion Detection and Response on AWS
SANS Technology Institute - Candidate for Master of Science Degree
Automated Intrusion Detection and Response on Amazon Web Services
Teri Radichel
September 2016
GIAC GSEC, GCIH and GCIA
Can AWS Improve Security Operations?
• Whitepaper: Overview of AWS Security Processes – Are Yours Better?
• Shared Responsibility Model
• Separation of duties
• Built in inventory and scalable logging
• DevSecOps: Write code to configure infrastructure and respond to events
What Is AWS?
• Platform for infrastructure management
• Start, stop and configure resources via console or code
• Automated scaling
Start Instance From Console
EC2 instances (virtual machines) can be managed via the web console
Start Instance Via Code
Better: Write code to manage instances
Start an instance:
$ aws ec2 run-instances --image-id ami-xxxxxx
View details about an instance:
$ aws ec2 describe-instances --instance-ids i-xxxxxxxx
Terminate an instance:
$ aws ec2 terminate-instances --instance-ids i-xxxxxxxx
CloudFormation Templates
• Configuration files for AWS resources
• Store configuration in source control
• Decouple configuration and deployment
• Handles dependency management
• Deploy via AWS tools such as AWS CLI:
$ aws cloudformation create-stack --stack-name [name] --template-url [path]
AWS Networking
• VPC (Virtual Private Cloud)
• Subnets and Security Groups
• Internet Gateway
• Virtual Private Gateway
• Direct Connect, VPN
• VPC Flow Logs
Sample Code
• Follow instructions in README.md
https://github.com/tradichel/AWSSecurityAutomationFramework
• Execute run.sh and specify mode:
– CREATE will create cloud resources
– PINGTEST generates unwanted traffic and triggers a response
– DELETE will delete resources created by either CREATE or PINGTEST
PINGTEST Mode
One instance is configured to ping the other. The CloudFormation UserData below is applied only when the PingMe condition is true; otherwise the property is omitted (AWS::NoValue):
"UserData":
{ "Fn::If" :
  [
    "PingMe",
    { "Fn::Base64":
      { "Fn::Join": [ "", [
        "#!/bin/bash -e\n",
        "echo ping ",
        {"Fn::GetAtt" : [ "Ec2Instance1" , "PrivateIp" ]},
        " > /tmp/ping.sh\n",
        "cd /tmp\n",
        "chmod 777 ping.sh\n",
        "nohup ./ping.sh &\n"
      ] ] } },
    {"Ref" : "AWS::NoValue"}
  ]
}
VPC Flow Logs
Click a Log Group to see Log Streams
CloudWatch Log Stream
• Click on ENI to see related logs
Code Evaluates Logged Events
Function monitors VPC flow logs for REJECTs and logs statistics
REJECT Triggers Response
Snapshot Instance
Terminate Instance
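The evaluate-then-respond step on these two slides, as an added example (not the deck's or the AWSSecurityAutomationFramework project's code): it parses VPC Flow Log records in the default version-2 format, counts REJECTs per network interface, and returns the interfaces whose count reaches a threshold. The sample records, ENI ids and the threshold of 3 are constructed assumptions; the actual snapshot and terminate calls are left to the responder.

```python
"""Evaluate VPC Flow Log records for REJECTs, as the deck's monitoring function does.
Added example, not the AWSSecurityAutomationFramework project's code. Default v2 format:
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes
start end action log-status"""
from collections import Counter, defaultdict
from typing import NamedTuple, Optional


class FlowRecord(NamedTuple):
    interface_id: str
    srcaddr: str
    protocol: int  # 1 = ICMP, 6 = TCP, 17 = UDP
    action: str    # "ACCEPT" or "REJECT"


def parse_flow_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; NODATA/SKIPDATA rows carry '-' fields and yield None."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        raise ValueError(f"unexpected flow log record: {line!r}")
    if f[12] not in ("ACCEPT", "REJECT"):
        return None
    return FlowRecord(f[2], f[3], int(f[7]), f[12])


def reject_stats(lines):
    """Per interface: REJECT count, plus which source addresses produced the rejects."""
    stats = defaultdict(lambda: {"rejects": 0, "sources": Counter()})
    for rec in filter(None, map(parse_flow_record, lines)):
        if rec.action == "REJECT":
            stats[rec.interface_id]["rejects"] += 1
            stats[rec.interface_id]["sources"][rec.srcaddr] += 1
    return dict(stats)


def interfaces_to_respond(lines, threshold=3):
    """ENIs at or over the REJECT threshold. The responder would map each ENI to its
    instance (ec2 describe-network-interfaces) before the snapshot-and-terminate step."""
    return sorted(e for e, s in reject_stats(lines).items() if s["rejects"] >= threshold)


# Constructed sample records (private addresses, made-up ENI ids). Protocol 1 is ICMP:
# the pings PINGTEST generates, dropped by a security group and so logged as REJECT.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 0 0 1 4 336 1472000000 1472000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 0 0 1 4 336 1472000060 1472000120 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.11 10.0.2.20 44321 22 6 2 120 1472000000 1472000060 REJECT OK",
    "2 123456789012 eni-09f8e7d6 10.0.2.20 10.0.1.10 0 0 1 1 84 1472000000 1472000060 REJECT OK",
    "2 123456789012 eni-09f8e7d6 - - - - - - - 1472000000 1472000060 - NODATA",
]
```

The per-source counts let the responder log statistics about who caused the rejects, not just how many there were, before it acts on the instance behind the interface.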
AWS Security Benefits
• Comprehensive inventory
• Built in, scalable logging
• Infrastructure as code
• Tools that facilitate automated intrusion detection and response
• Augmented security for some, if you follow AWS security best practices