How to Build a Threat Hunting Capability in AWS

Transcript of the webcast slides

Page 1: How to Build a Threat Hunting Capability in AWS

©2019 SANS™ Institute | www.sans.org | Sponsored by:

Page 2: Today’s Speakers

• Shaun McCullough – SANS Instructor

• Ross Warren – Specialist Solution Architect at AWS

• David Aiken – Solutions Architect Manager at AWS


Page 3: Today’s Agenda

• Discussion of threat hunting

• The Threat Hunting Loop and tools for analysis

• Creating a threat hunting strategy in AWS

• Enabling threat hunting through security efficiency in AWS


Page 4: Threat Hunting

The proactive evaluation of infrastructure operations to detect a threat beyond the deployed security tools

… or, digging through logs to identify attacker behaviors.

Page 5: Threat Hunting Loop

Create a Hypothesis

Investigate via Tools and Techniques

Uncover New Patterns and Apply Learned Lessons

Inform and Enrich with Analytics


Page 6: Hunting – Creating a Hypothesis

Page 7: Hunting – Investigate via Tools

Reduce complexity with infrastructure consistency.

Cloud infrastructure is elastic; systems can disappear before analysis is done.

Automated apps look different than human attackers.

Page 8: Hunting – Investigate via Tools

Page 9: Hunting – Uncover Patterns

Threat hunters will identify operational problems, difficult-to-analyze infrastructure and hard-to-defend systems.

Team up with infrastructure teams to continue improving infrastructure designs.

Page 10: Hunting – Inform with Data

Gather the data, identify missing information and make that data available.

Enrich data to tell a story.

Build or buy tools to improve analysis speed.

Page 11: Hunting – Inform with Data

Page 12: Tools for Analysis

Quick Analysis in the Cloud

Security Information and Event Management (SIEM)

Security Orchestration, Automation and Response (SOAR)


Page 13: Tools – Quick Analysis

AWS CloudTrail provides full logs of all API calls with a simple query interface.

Amazon CloudWatch provides dashboards and alerting.

Advanced systems, such as Amazon Athena, improve ad hoc querying.

Page 14: Tools – Quick Analysis

Page 15: Tools – SIEM

Advanced querying, highly enriched dashboarding, or tracking in cloud and on-prem logs may require a SIEM.

Major SIEMs provide cloud-specific adapters to speed up data ingest and analysis.

Page 16: Tools – SOAR

Cloud services enhance the ability to automate operations:

- Call host agent to pull process.

- Take snapshot of host and quarantine.

- Revoke user access keys.

Page 17: Consider This

• Improving threat hunting is a continuous process.

• Build a solid threat modeling process to improve the hypothesis stage.

• Start small with free tools or easy scripts. Increase complexity of threat hunting while increasing consistency in the environment.

• Cloud-specific threat hunting is a rapidly changing landscape. Always be learning.

Page 18: Creating a threat hunting strategy in AWS

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential

Page 19: Efficient SOC creates a foundation for threat hunting

Page 20: Planning for the threat hunting journey

[Figure: a spectrum from Fully Manual to Fully Automated (Impossible), with the Sweet Spot! marked between the two extremes]

Page 21: Key data sources for threat hunting

AWS Sources:

• AWS CloudTrail

• Amazon CloudWatch Events

• Amazon GuardDuty Findings

• Amazon VPC Flow Logs

• Amazon Inspector Findings

• DNS Logs

Example CloudTrail record (the slide shows it truncated; the closing braces are added here so the JSON is complete):

{"Records": [{
  "eventVersion": "1.0",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2014-03-06T21:01:59Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "205.251.233.176",
  "userAgent": "ec2-api-tools 1.6.12.2",
  "requestParameters": {
    "instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
    "force": false
  },
  "responseElements": {"instancesSet": {"items": [{
    "instanceId": "i-ebeaf9e2",
    "currentState": {
      "code": 64,
      "name": "stopping"
    },
    "previousState": {
      "code": 16,
      "name": "running"
    }
  }]}}
}]}
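Added example (not from the deck, SANS or AWS): a hypothesis-driven hunt over CloudTrail records shaped like the one above, illustrating the "automated apps look different than human attackers" point from page 7 and "enrich data to tell a story" from page 10. The hypothesis is that high-impact API calls made from outside known egress addresses, or by tooling we do not normally use, deserve a look; the egress range, expected user agents, high-impact call list and the sample records are all constructed assumptions.

```python
import ipaddress
import json

# Constructed assumptions: corporate egress range, user agents our own tooling
# produces, and the API calls this hypothesis treats as high impact.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_AGENTS = ("aws-cli/", "Boto3/", "console.amazonaws.com")
HIGH_IMPACT = {"StopInstances", "TerminateInstances", "StopLogging", "DeleteTrail"}

# Constructed records modelled on the CloudTrail sample shown on the slide.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "StopInstances", "eventTime": "2014-03-06T21:01:59Z",
     "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"}},
    {"eventName": "TerminateInstances", "eventTime": "2014-03-06T21:03:00Z",
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/1.16.0",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "StopLogging", "eventTime": "2014-03-06T21:04:00Z",
     "sourceIPAddress": "198.51.100.9", "userAgent": "python-requests/2.22.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
]})


def enrich(record):
    """Add who acted, from where, with what tooling, and whether the call changes
    state. sourceIPAddress may hold a service name (e.g. ec2.amazonaws.com)
    rather than an address; that is never our egress, so it counts as outside."""
    ident = record.get("userIdentity", {})
    src = record.get("sourceIPAddress", "")
    try:
        inside = any(ipaddress.ip_address(src) in net for net in KNOWN_EGRESS)
    except ValueError:
        inside = False
    return {
        "time": record.get("eventTime"),
        "actor": ident.get("userName") or ident.get("arn", "unknown"),
        "event": record.get("eventName"), "source": src,
        "outside_egress": not inside,
        "odd_agent": not record.get("userAgent", "").startswith(EXPECTED_AGENTS),
        "high_impact": record.get("eventName") in HIGH_IMPACT,
    }


def hunt(log_text):
    """Enriched records that match the hypothesis, oldest first."""
    rows = [enrich(r) for r in json.loads(log_text)["Records"]]
    hits = [r for r in rows if r["high_impact"] and (r["outside_egress"] or r["odd_agent"])]
    return sorted(hits, key=lambda r: r["time"])
```

Running `hunt(SAMPLE_LOG)` surfaces Alice's StopInstances (unknown address and tooling) and the role's StopLogging, while bob's TerminateInstances from the corporate range with the usual CLI is left for the next hypothesis.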

Page 22: Defining the three data domains

[Figure: the three data domains, Network, Host and Application, labelled Reveal Relationships, Clarify the Situation, Highlight Inconsistencies and Tell a Complete Story]

Page 23: The building blocks for a threat hunting program

[Figure: Technology, People, Processes]

Page 24: Creating your threat hunting strategy

Where do I start?

What should I look for?

What’s my path to improve?

• Your strategy determines the quality of your results.

• Choose a strategy that supports your detection goals.

• Don’t underestimate the importance of good planning!

Page 25: The Hunting Maturity Model

Source: Enterprise Detection & Response, A Simple Hunting Maturity Model

http://detect-respond.blogspot.com/2015/10/a-simple-hunting-maturity-model.html

Page 26: Example strategy: Extract value from existing data

Advantages:

• Data is already being collected

• Someone is already familiar with its contents

• You may already have some idea of the key questions you want answered

Disadvantages:

• Your ability to ask questions may be limited by the available data

• External forces have more influence over your results

• Don’t confuse “easy” with “effective”

Page 27: Hunting is a journey, not a destination

• There’s no single starting point that works for everyone.

• The Hunting Maturity Model is your map.

• Figure out where you already are on the road, then make a plan to get to the next level.

• There’s no rush! Feel free to get off the bus for a while and hop back on later.

• Each level is a victory! Celebrate your successes along the way.

Page 28: Enabling threat hunting through security efficiency in AWS

Page 29: Integrations that increase security efficiency

[Figure: AWS Security Services (Amazon Macie among them) forwarding findings into AWS Security Hub; Amazon CloudWatch is also shown alongside Security Hub]

Page 30: How are AWS customers leveraging Sumo Logic?

• Increase analyst productivity

• Create broad visibility across AWS environment

• Enhance threat detection through context

Page 31: Optimize security configuration and detection

Page 32: Pokémon creates SOC efficiencies

By leveraging cloud-native Machine Data Analytics Service

Benefits:

• Saved hundreds of hours across security team through automation

• Increased visibility aided cross-departmental alignment and problem solving

• Reduced time spent on compliance efforts

Page 33: Pokémon further improves SOC efficiencies

By adopting Demisto’s SOAR Platform

Benefits:

• Provided scaling for cloud environment

• Automated repetitive tasks, enabling SecOps analysts to focus on critical operations

• Active use cases include phishing enrichment and response, employee onboarding, and EC2 and account compromise

[Figure: automation flow with components labelled Lambda Function (twice), Queue, Bucket, Demisto, IOCs Blacklist, and Block on Palo Alto Networks Firewall]

Page 34: Why AWS Marketplace?

• Flexible consumption and contract models

• Quick and easy deployment

• Helpful humans to support you

Page 35: How can you get started?

Find – A breadth of security solutions

Buy – Through flexible pricing options:

• Free trial

• Pay-as-you-go

• Hourly | Monthly | Annual | Multi-Year

• Bring Your Own License (BYOL)

• Seller Private Offers

• Channel Partner Private Offers

Deploy – With multiple deployment options:

• SaaS

• Amazon Machine Image (AMI)

• CloudFormation Template

• Amazon Elastic Container Services (ECS)

Page 36: Acknowledgments

Thanks to our sponsor:

To our special guests: Ross Warren and David Aiken

And to our attendees, thank you for joining us today!