How to Build a Threat Hunting Capability in AWS
©2019 SANS™ Institute | www.sans.org | Sponsored by:
Today’s Speakers
• Shaun McCullough – SANS Instructor
• Ross Warren – Specialist Solution Architect at AWS
• David Aiken – Solutions Architect Manager at AWS
Today’s Agenda
• Discussion of threat hunting
• The Threat Hunting Loop and tools for analysis
• Creating a threat hunting strategy in AWS
• Enabling threat hunting through security efficiency in AWS
Threat Hunting
The proactive evaluation of infrastructure operations to detect a threat beyond the deployed security tools.
… or, digging through logs to identify attacker behaviors.
Threat Hunting Loop
Create a Hypothesis
Investigate via Tools and Techniques
Uncover New Patterns and Apply Learned Lessons
Inform and Enrich with Analytics
Hunting – Creating a Hypothesis
Hunting – Investigate via Tools
Reduce complexity with infrastructure consistency.
Cloud infrastructure is elastic; systems can disappear before analysis is done.
Automated apps look different than human attackers.
Hunting – Uncover Patterns
Threat hunters will identify operational problems, difficult-to-analyze infrastructure and hard-to-defend systems.
Team up with infrastructure teams to continue improving infrastructure designs.
Hunting – Inform with Data
Gather the data, identify missing information and make that data available.
Enrich data to tell a story.
Build or buy tools to improve analysis speed.
Tools for Analysis
Quick Analysis in the Cloud
Security Information and Event Management (SIEM)
Security Orchestration, Automation and Response (SOAR)
Tools – Quick Analysis
• AWS CloudTrail provides full logs of all API calls with a simple query interface.
• Amazon CloudWatch provides dashboards and alerting.
• Advanced systems, such as Amazon Athena, improve ad hoc querying.
Tools – SIEM
Advanced querying, highly enriched dashboarding, or tracking in cloud and on-prem logs may require a SIEM.
Major SIEMs provide cloud-specific adapters to speed up data ingest and analysis.
Tools – SOAR
Cloud services enhance the ability to automate operations:
- Call a host agent to pull a process.
- Take a snapshot of the host and quarantine it.
- Revoke user access keys.
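The SOAR actions listed on this slide, sequenced as a containment playbook, as an added example that is not part of the deck. It takes client objects rather than creating them, so the in-memory `FakeEC2` and `FakeIAM` stand-ins below let it run offline; against a real account you would pass `boto3.client("ec2")` and `boto3.client("iam")`, whose methods carry the same names and keyword arguments. The instance id, user and key id come from the CloudTrail record shown later in the deck; the volume ids and the `sg-quarantine` security group are constructed placeholders.

```python
from dataclasses import dataclass, field


def contain_compromise(ec2, iam, instance_id, user_name, access_key_id, quarantine_sg):
    """Run the playbook and return an audit trail of what was done, in order.

    Order matters: preserve evidence first, then cut the host off, then revoke the key
    so the actor cannot undo the first two steps with the same credential.
    """
    audit = []
    # 1. Preserve evidence: snapshot every EBS volume attached to the host.
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    for mapping in instance.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"IR evidence {instance_id}")
        audit.append(("snapshot", vol, snap["SnapshotId"]))
    # 2. Quarantine: replace the instance's security groups with one that has no rules.
    #    The host keeps running, so memory and processes stay intact for the host agent.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    audit.append(("quarantine", instance_id, quarantine_sg))
    # 3. Revoke the key: deactivate rather than delete, so the key id still resolves in
    #    CloudTrail searches during the investigation; delete it when the case closes.
    status = {k["AccessKeyId"]: k["Status"]
              for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}
    if status.get(access_key_id) == "Inactive":
        audit.append(("key-already-inactive", access_key_id, None))
    else:
        iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
        audit.append(("deactivate-key", access_key_id, None))
    return audit


@dataclass
class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client; only the calls above are modelled."""
    volumes: dict                              # instance id -> list of volume ids
    groups: dict = field(default_factory=dict)  # instance id -> security groups now attached
    snapshots: list = field(default_factory=list)

    def describe_instances(self, InstanceIds):
        instances = [{"InstanceId": i,
                      "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volumes[i]]}
                     for i in InstanceIds]
        return {"Reservations": [{"Instances": instances}]}

    def create_snapshot(self, VolumeId, Description):
        snapshot_id = f"snap-{len(self.snapshots):08x}"
        self.snapshots.append((snapshot_id, VolumeId, Description))
        return {"SnapshotId": snapshot_id}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)
        return {}


@dataclass
class FakeIAM:
    """Constructed stand-in for the boto3 IAM client."""
    keys: dict  # (user name, access key id) -> "Active" | "Inactive"

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": u, "AccessKeyId": k, "Status": s}
                                      for (u, k), s in self.keys.items() if u == UserName]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[(UserName, AccessKeyId)] = Status
        return {}


def demo():
    """Run the playbook against constructed state and return the clients plus audit trail."""
    ec2 = FakeEC2(volumes={"i-ebeaf9e2": ["vol-0aaa1111", "vol-0bbb2222"]})  # constructed volumes
    iam = FakeIAM(keys={("Alice", "EXAMPLE_KEY_ID"): "Active"})
    audit = contain_compromise(ec2, iam, "i-ebeaf9e2", "Alice", "EXAMPLE_KEY_ID", "sg-quarantine")
    return ec2, iam, audit


if __name__ == "__main__":
    for step in demo()[2]:
        print(step)
```

The audit trail is the output a SOAR case wants attached: each tuple names the action, the resource and the artifact it produced, and the key step is idempotent so a replayed playbook records "key-already-inactive" instead of failing.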
Consider This
• Improving threat hunting is a continuous process.
• Build a solid threat modeling process to improve the hypothesis stage.
• Start small with free tools or easy scripts. Increase the complexity of threat hunting while increasing consistency in the environment.
• Cloud-specific threat hunting is a rapidly changing landscape. Always be learning.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Creating a threat hunting strategy in AWS
Efficient SOC creates a foundation for threat hunting
Planning for the threat hunting journey
(Diagram: a spectrum from Fully Manual to Fully Automated (Impossible), with the sweet spot in between.)
Key data sources for threat hunting
AWS Sources:
• AWS CloudTrail
• Amazon CloudWatch Events
• Amazon GuardDuty Findings
• Amazon VPC Flow Logs
• Amazon Inspector Findings
• DNS Logs
Example CloudTrail record (the slide's excerpt, with the closing braces that were cut off restored):

```json
{"Records": [{
    "eventVersion": "1.0",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-03-06T21:01:59Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "205.251.233.176",
    "userAgent": "ec2-api-tools 1.6.12.2",
    "requestParameters": {
        "instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
        "force": false
    },
    "responseElements": {"instancesSet": {"items": [{
        "instanceId": "i-ebeaf9e2",
        "currentState": {
            "code": 64,
            "name": "stopping"
        },
        "previousState": {
            "code": 16,
            "name": "running"
        }
    }]}}
}]}
```
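An added example of the kind of hunt these sources support, not code from the deck: a Python script that reads CloudTrail records in the JSON shape shown above and tests one hypothesis, "a long-term access key is being used from an origin its owner has never used before". Records before a cutoff form the baseline of known source IPs, user agents and regions per principal; records after it are compared against that baseline. The records are constructed (the first mirrors the slide's StopInstances record, the rest are invented), and the cutoff, the read-only prefixes and the severity labels are this example's own choices, not an AWS convention.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed CloudTrail export (not a real account's logs). The first record mirrors
# the StopInstances example on the slide; the others are invented to give the hunt a
# baseline window and one anomaly to find.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID",
                      "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID",
                      "userName": "Alice"},
     "eventTime": "2014-03-06T21:01:59Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "us-east-2",
     "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2"},
    {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accessKeyId": "EXAMPLE_KEY_ID"},
     "eventTime": "2014-03-07T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-2",
     "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2"},
    # Hunt window: Alice's key making a write call from a new IP, tool and region (invented anomaly).
    {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accessKeyId": "EXAMPLE_KEY_ID"},
     "eventTime": "2014-03-10T02:44:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.16.0"},
    # Hunt window: known origin, read-only call, so no finding is expected.
    {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accessKeyId": "EXAMPLE_KEY_ID"},
     "eventTime": "2014-03-10T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-2",
     "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2"},
]})

# API names treated as read-only by this example; anything else counts as a change.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")


def parse_time(ts: str) -> datetime:
    """CloudTrail timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def principal_of(rec: dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or "unknown"


def build_baseline(records: list) -> dict:
    """Per principal, the origins (IPs, user agents, regions) seen in the baseline window."""
    seen = defaultdict(lambda: {"ips": set(), "agents": set(), "regions": set()})
    for rec in records:
        p = seen[principal_of(rec)]
        p["ips"].add(rec.get("sourceIPAddress"))
        p["agents"].add(rec.get("userAgent"))
        p["regions"].add(rec.get("awsRegion"))
    return seen


def hunt_new_origins(raw_json: str, cutoff) -> list:
    """Records before `cutoff` (datetime or ISO string) form the baseline; records at or
    after it are hunted. Returns one finding per hunted record with an unfamiliar origin."""
    cutoff_dt = cutoff if isinstance(cutoff, datetime) else parse_time(cutoff)
    records = json.loads(raw_json)["Records"]
    baseline = build_baseline([r for r in records if parse_time(r["eventTime"]) < cutoff_dt])
    findings = []
    for rec in records:
        if parse_time(rec["eventTime"]) < cutoff_dt:
            continue
        principal = principal_of(rec)
        known = baseline.get(principal)
        reasons = []
        if known is None:
            reasons.append("principal has no baseline activity")
        else:
            if rec.get("sourceIPAddress") not in known["ips"]:
                reasons.append("new source IP")
            if rec.get("userAgent") not in known["agents"]:
                reasons.append("new user agent")
            if rec.get("awsRegion") not in known["regions"]:
                reasons.append("new region")
        if not reasons:
            continue
        is_write = not rec["eventName"].startswith(READ_ONLY_PREFIXES)
        findings.append({
            "principal": principal,
            "accessKeyId": rec.get("userIdentity", {}).get("accessKeyId"),
            "eventTime": rec["eventTime"],
            "event": f'{rec["eventSource"]}:{rec["eventName"]}',
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "reasons": reasons,
            # A change made from a new origin is the record to pivot on first.
            "severity": "high" if is_write else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_new_origins(SAMPLE_CLOUDTRAIL, "2014-03-09T00:00:00Z"):
        print(json.dumps(finding))
```

Against a real export the same function runs over the `Records` arrays of the gzipped CloudTrail files in S3, or over rows returned by an Athena query over the CloudTrail table; the baseline window is what turns a raw "full log of all API calls" into something a hunter can compare against.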
Defining the three data domains
• Domains: Network | Host | Application
• Goals: Reveal Relationships · Clarify the Situation · Highlight Inconsistencies · Tell a Complete Story
The building blocks for a threat hunting program
• Technology
• People
• Processes
Creating your threat hunting strategy
Where do I start? What should I look for? What's my path to improve?
• Your strategy determines the quality of your results.
• Choose a strategy that supports your detection goals.
• Don't underestimate the importance of good planning!
The Hunting Maturity Model
Source: Enterprise Detection & Response, A Simple Hunting Maturity Model
http://detect-respond.blogspot.com/2015/10/a-simple-hunting-maturity-model.html
Example strategy: Extract value from existing data
Advantages:
• Data is already being collected
• Someone is already familiar with its contents
• You may already have some idea of the key questions you want answered
Disadvantages:
• Your ability to ask questions may be limited by the available data
• External forces have more influence over your results
• Don't confuse "easy" with "effective"
Hunting is a journey, not a destination
• There’s no single starting point that works for everyone.
• The Hunting Maturity Model is your map.
• Figure out where you already are on the road, then make a plan to get to the next level.
• There’s no rush! Feel free to get off the bus for a while and hop back on later.
• Each level is a victory! Celebrate your successes along the way.
Enabling threat hunting through security efficiency in AWS
Integrations that increase security efficiency
(Diagram: AWS security services, Amazon Macie among them, forwarding findings into AWS Security Hub; AWS Security Hub shown alongside Amazon CloudWatch.)
How are AWS customers leveraging Sumo Logic?
• Increase analyst productivity
• Create broad visibility across the AWS environment
• Enhance threat detection through context
Optimize security configuration and detection
Pokémon creates SOC efficiencies by leveraging a cloud-native Machine Data Analytics Service
Benefits:
• Saved hundreds of hours across the security team through automation
• Increased visibility aided cross-departmental alignment and problem solving
• Reduced time spent on compliance efforts
Pokémon further improves SOC efficiencies by adopting Demisto's SOAR Platform
Benefits:
• Provided scaling for the cloud environment
• Automated repetitive tasks, enabling SecOps analysts to focus on critical operations
• Active use cases include phishing enrichment and response, employee onboarding, and EC2 and account compromise
(Diagram: Lambda Functions, a Queue and a Bucket feeding Demisto; Demisto's IOC blacklist used to block on a Palo Alto Networks Firewall.)
Why AWS Marketplace?
• Flexible consumption and contract models
• Quick and easy deployment
• Helpful humans to support you
How can you get started?
Find: a breadth of security solutions.
Buy, through flexible pricing options:
• Free trial
• Pay-as-you-go
• Hourly | Monthly | Annual | Multi-Year
• Bring Your Own License (BYOL)
• Seller Private Offers
• Channel Partner Private Offers
Deploy, with multiple deployment options:
• SaaS
• Amazon Machine Image (AMI)
• CloudFormation Template
• Amazon Elastic Container Services (ECS)
Acknowledgments
Thanks to our sponsor.
To our special guests: Ross Warren and David Aiken.
And to our attendees, thank you for joining us today!