Andrew Krug
@andrewkrug : Twitter
Image Credit: OddDuckart http://bit.ly/2cl6qJ2
Note
Andrew Speaks
- Toni De la Fuente from Blyx.com
- Amazon Web Services
- We are not a corporation
- No one pays us to do this
- Everything we're going to talk about is FOSS
- All of us on the ThreatResponse Team have our day jobs.
- These are our opinions not the opinion of our employer.
Note
Andrew Speaks
Note
Andrew Speaks
Note
Alex Speaks
Note
Andrew Speaks
Note
Alex Speaks
Note
Alex Speaks
Note
Alex Speaks
- Curates awesome lists for you
- Security category includes Incident Response, Malware Analysis, etc
Note
Alex Speaks
Note
Alex Speaks Part of being prepared is hardening your systems and environment. But you can't just set it up and walk away; you should have a system of consistently evaluating your state to make sure you're following the best practices.
Note
Alex Speaks
Trusted Advisor provides guidance to help you provision your resources following AWS best practices.
Not just security. Also performance and cost.
Around 12 built-in checks, but only 3 or 4 are free.
Full checks come with a business or enterprise support plan starting at $100 a month.
No API
But it is CEO Friendly.
Note
Alex Speaks
AWS Blog: Dynamic Compliance Checking for Cloud Resources
Note
Alex Speaks
Config deals with logging what is called a configuration item for supported AWS resources whenever a supported resource is created, deleted, or changed.
Supported resources are things like EC2 instances, VPCs, and IAM users. This historical record allows you to answer the question: what policies were attached to a particular user at some point in time?
AWS Config Rules is a distinct offering from Config. Config Rules evaluates the configuration item against a set of predefined criteria.
AWS provides a set of configurable rules users may use, as well as the ability to make custom rules.
Configuration items are one third of a cent each. Config rules are $2/month with 20,000 evaluations included. Further evaluations are $0.1 per 1,000.
Note
By our friend Toni De La Fuente
What we love about it!
- CIS Benchmarking Tool
- Can run out of your cloud
- Meaningful report data
- Actionable changes
Just under 1000 Lines of Code
Note
Alex Speaks
Note
Alex Speaks
By NCC Group. 63 rules. Easy to add your own.
Dead simple to use. Good Error Handling.
Simple Reporting.
What we love about it!
- Rule Based Approach
- Large coverage
- Can run on premise or in another account
- It solves real compliance problems that you have
Note
Alex Speaks
Cloud Custodian is a rule engine for evaluating custom policies.
It covers a lot of the AWS surface area: ~60 services and resources, ~160 actions.
Stateless.
Made public back in February and still has frequent updates.
Image Credit: http://securitymonkey.readthedocs.io/en/latest/quickstart.html
Note
Alex Speaks
Part of Netflix's SimianArmy suite of infrastructure tools.
Similar to Config, it will track item states over time and create a security scorecard.
Biggest difference: this is stateful; you set up the infrastructure and it runs periodic checks and logs findings.
The example picture shows justifying an event, which you can then revisit later.
- Whatever works best for your environment
- Experiment with multiple tools
- Start with simple tools like Prowler or Scout2
- Move on to more complex tools as needed.
Note
Alex Speaks
Note
Alex Speaks Moving on to IAM User and Policy Auditing.
This differs from the last section, where we looked at different tools to check for compliance with best practices.
Here we are going to talk specifically about the best practice of least privilege.
Note
Alex Speaks Access Advisor is a tab located in the IAM web console.
It shows the last time a user performed an action against an AWS service.
Use it to check users for permissive policies.
But there is no automation and it is not detailed enough.
Blog Post: Policy Tuning with CloudTrail
almac@box ~/Downloads $ cat 114406602329_CloudTrail_us-east-1_20160913* | \
jq -c \
'.Records[] |
{
eventName: .eventName,
userName: .userIdentity.userName,
eventSource: .eventSource
} |
select(.userName=="threatpreppolicytest") |
[.eventSource, .eventName]' \
| sort | uniq
["cloudtrail.amazonaws.com","DescribeTrails"]
["ec2.amazonaws.com","DescribeFlowLogs"]
["ec2.amazonaws.com","DescribeRegions"]
["ec2.amazonaws.com","DescribeVpcs"]
["iam.amazonaws.com","GenerateCredentialReport"]
["iam.amazonaws.com","GetCredentialReport"]
["iam.amazonaws.com","ListAttachedUserPolicies"]
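The same idea as the jq pipeline above, carried one step further: collect the actions a user actually exercised, then line them up against what the attached policy grants so unexercised grants stand out. Added example, not code from the talk or from aws_ir; the CloudTrail records and the policy are constructed.

```python
"""Least-privilege tuning from CloudTrail, mirroring the jq pipeline above: collect the
actions a user actually exercised, then compare them with what the attached policy
grants so unused grants can be trimmed. Added example, not code from the talk or from
aws_ir; the log records and the policy are constructed."""
import fnmatch
import json

# Constructed CloudTrail-style records (real records carry many more fields).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs",
     "userIdentity": {"userName": "threatpreppolicytest"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetCredentialReport",
     "userIdentity": {"userName": "threatpreppolicytest"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"userName": "someone-else"}},
]})

# Constructed policy attached to the test user: far broader than what was used.
ATTACHED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:Get*", "iam:ListUsers"], "Resource": "*"}]}


def actions_used(raw_log, user_name):
    """Return {'service:Action', ...} for one IAM user, like the jq select() above."""
    used = set()
    for rec in json.loads(raw_log)["Records"]:
        if rec.get("userIdentity", {}).get("userName") != user_name:
            continue
        service = rec["eventSource"].split(".")[0]  # 'ec2.amazonaws.com' -> 'ec2'
        used.add(f"{service}:{rec['eventName']}")
    return used


def granted_actions(policy):
    """Flatten every Allow statement's Action into a set of action patterns."""
    stmts = policy["Statement"]
    grants = set()
    for stmt in (stmts if isinstance(stmts, list) else [stmts]):
        if stmt.get("Effect") == "Allow":
            acts = stmt["Action"]
            grants.update(acts if isinstance(acts, list) else [acts])
    return grants


def tuning_report(raw_log, user_name, policy):
    """Map each granted pattern to the used actions it covers. An empty list means the
    grant was never exercised in this log window: a candidate to trim. IAM matches
    action names case-insensitively, so the comparison lowercases both sides."""
    used = actions_used(raw_log, user_name)
    return {pat: sorted(a for a in used if fnmatch.fnmatchcase(a.lower(), pat.lower()))
            for pat in granted_actions(policy)}
```

A log window is a lower bound on what the user needs: periodic jobs that did not run in the window, and API calls CloudTrail does not record as management events, will not show up, so confirm trims in a test environment before applying them.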
Video: AWS (SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
Note
Alex Speaks If you want API-specific auditing. Best for policies, not users.
- Have a test environment
- Security simulations & IR Game Days
- Note: Tell Amazon before you practice
Note
Alex Speaks
- Preparation
- Identification
- Containment
- Eradication
Note
Alex Speaks Recap of Preparation: understand the environment, harden and audit, and keep an eye on user permissions.
Moving on to Identification: Detect malicious activity at the AWS (not instance) level.
Note
Andrew Speaks
Note
Andrew Speaks
AWS CloudFormation Template For Security Events in CloudTrail
Note
Andrew Speaks The CloudWatchAlarmsForCloudTrail CloudFormation template.
Auth failures (denials)
CloudTrail Changes
Console Signin Failures
EC2 Instance Changes
Gateway Changes
IAM Policy Changes
Network ACL Changes
Security Group Changes
VPC Changes
Andrew will give another example of detection in CloudWatch.
- Preparation
- Identification
- Containment
- Eradication
Note
Andrew Speaks To conclude the Identification section
Leverage CloudTrail, CloudWatch Alarms.
Contain a Host Compromise
Contain a Key Compromise
Note
Andrew Speaks
Explain AWS_IR. Contains and collects forensic evidence.
- Implement a security group to block all in/out traffic except to whitelist.
- Coming soon to aws_ir: add a network ACL.
aws_ir host_compromise 1.2.3.4
Note
Andrew Speaks 2 Things to contain a host:
New Security Group
Change network ACL to sever established connections.
- Disable the access key.
- Coming soon to aws_ir: Block STS Tokens.
aws_ir key_compromise AYAabyabyabyabyabya
Note
Andrew Speaks 2 Things to contain a key:
Disable the access key
Block STS tokens, possibly revoke all policies for that user until you understand what happened.
Note
Andrew Speaks
Host compromise leads to Key compromise from the metadata service
MetaData Service
https://aws.amazon.com/amazon-linux-ami/2016.03-release-notes/
13 package(s) needed for security, out of 26 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-37-29 ~]$ curl http://169.254.169.254/latest/meta-data/
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
iam/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
Note
Andrew Speaks
Just curl a URL and you can get all kinds of information.
Determine Instance Profile
curl http://169.254.169.254/latest/meta-data/iam/info
{
"Code" : "Success",
"LastUpdated" : "2016-09-21T17:00:07Z",
"InstanceProfileArn" : "arn:aws:iam::671642278147:instance-profile/\
cloudresponse_workstation-cr-16-080120-e5c0-us-west-1",
"InstanceProfileId" : "AIPAJJWTONXQ7CLMRENCO"
}
Note
Andrew Speaks
Curl /iam/info to get the role name from the InstanceProfileArn.
Once you know the role name:
curl http://169.254.169.254/latest/meta-data/iam/\
security-credentials/cloudresponse_workstation-cr-16-080120-e5c0-us-west-1
{
"Code" : "Success",
"LastUpdated" : "2016-09-21T17:00:55Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIAJDU**********REDACTED",
"SecretAccessKey" : "q7bVQVlV+9/ktjWgh5******REDACTED",
"Token" : "FQoDYXdzEGIaDGlEkwRSH8hHG+Oz***********REDACTED",
"Expiration" : "2016-09-21T23:05:14Z"
}
Note
Andrew Speaks
Query for the security credentials for that role and you can get access key id and secret.
Good old iptables to the rescue.
iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP
Note
Andrew Speaks
Implement an iptables rule so only processes owned by root can query the service.
- Snapshot Disk for Targeted Host
- Mount Snapshot onto attacker-controlled image
- ???
- Profit!
Note
Andrew Speaks
Read steps.
This may or may not actually get you on the box, depending on setup. But it's possible /etc/shadow might show some weak hashes, or the credentials to the database are stored in plaintext somewhere.
- Preparation
- Identification
- Containment
- Eradication
Note
Andrew Speaks
In conclusion, contain quickly so host compromises and key compromises don't pile up.
Note
Alex Speaks
For eradication, focus on performing forensics on a compromised host to understand the extent of the breach, ensure we contained it, and determine the problem that needs to be patched.
In this video you'll see aws_ir run against a compromised host.
We should note it's running at 5x speed.
It will contain the host, and then it will start extracting all the forensic evidence it can.
Let's discuss what evidence to collect.
- AWS Data
- Disk
- Memory
- Network
Note
Alex Speaks You'll want to collect AWS specific data, disk, memory and Network data.
At this time aws_ir collects the AWS, Disk and Memory Data.
- EC2 Console Output
- EC2 Console Screenshot
- AWS Meta-Data
- Attached Device Volume IDs
- Network Devices and Local / Public IPs
- AMI-ID
- Relevant CloudTrail Logs
- Coming soon to aws_ir
Note
Alex Speaks
Insert Coin To Hear A BSides Presentation on This
You may get some network information from memory
- More information from VPC Flow Logs
- Coming soon to aws_ir
Note
Alex Speaks
Trusted Advisor, Config, Prowler, Scout2, CloudCustodian, SecurityMonkey
- Customize tooling for your environment
- Use all (or parts) of our code. It's MIT Licensed
- Practice, Practice, Practice
Note
Alex Speaks
Who Said: "Defense without Offense is after all just Compliance."
A: "Dan Kaminsky in Read My Lips: Let’s Kill 0Day"
- Logging Disruption
- STS Persistence
- New Super Cool API Gateway Persistence
- Just Stop Trail - Boring
- Stop Regional Logging or Global Logging - Less Boring
- Make CloudTrail operate but logs are unreadable - Best!!
This is your CloudTrail on Crypto
The “bypass-policy-lockout-safety-check” flag allows you to make the key’s policy immutable after creation, making logging just an exercise in lighting money on fire with disk consumption. You can’t say Amazon didn’t warn you! - @danielgrzelak
- Requires a high level of privilege
- Handy for remaining undetected
- Not necessarily undetectable...
- Creating KMS Keys with this weird policy
- Calling update trail on your cloudtrail
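Detection logic for the two passages that name CloudTrail signals: the alarm categories of the CloudWatchAlarmsForCloudTrail template in the Identification section, and the "not necessarily undetectable" bullets just above (UpdateTrail/StopLogging on the trail, and a KMS key created with the lockout safety check bypassed). Added example, not code from the talk or the template; the sample records are constructed, and the KMS request-parameter key is assumed to mirror the CLI flag name.

```python
"""Classify CloudTrail events into the alarm categories named by the
CloudWatchAlarmsForCloudTrail template, plus the logging-disruption signals from
the offense section. Added example, not code from the talk or the template. Event
names are CloudTrail API names; the KMS parameter key is assumed (verify on a real record)."""
import json

# Representative event names per alarm category (trimmed; extend from the template).
CATEGORIES = {
    "CloudTrailChanges": {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"},
    "IAMPolicyChanges": {"PutUserPolicy", "PutRolePolicy", "AttachUserPolicy", "CreatePolicyVersion"},
    "SecurityGroupChanges": {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"},
    "NetworkAclChanges": {"CreateNetworkAclEntry", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry"},
    "VpcChanges": {"CreateVpc", "DeleteVpc", "ModifyVpcAttribute"},
}

# Constructed events; real records carry many more fields.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication"},
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "StopLogging", "requestParameters": {"name": "main-trail"}},
    {"eventName": "CreateKey", "requestParameters": {"bypassPolicyLockoutSafetyCheck": True}},
    {"eventName": "DescribeVpcs"},
]})


def classify(event):
    """Return the sorted alarm names one CloudTrail event trips (empty if benign)."""
    name = event.get("eventName", "")
    err = event.get("errorCode") or ""
    params = event.get("requestParameters") or {}
    hits = {cat for cat, names in CATEGORIES.items() if name in names}
    # Authorization failures: denied or unauthorized calls by any principal.
    if err.startswith("AccessDenied") or err.endswith("UnauthorizedOperation"):
        hits.add("AuthorizationFailures")
    if name == "ConsoleLogin" and event.get("errorMessage") == "Failed authentication":
        hits.add("ConsoleSignInFailures")
    # Logging disruption: trail stopped, deleted or re-pointed, or a KMS key created
    # with the policy lockout safety check bypassed (the "CloudTrail on Crypto" trick).
    if name in {"StopLogging", "UpdateTrail", "DeleteTrail"}:
        hits.add("LoggingDisruption")
    if name == "CreateKey" and params.get("bypassPolicyLockoutSafetyCheck") is True:
        hits.add("KmsLockoutBypass")
    return sorted(hits)


def scan(raw_records):
    """Return (eventName, alarms) for every event in a CloudTrail JSON document that trips one."""
    events = json.loads(raw_records)["Records"]
    return [(e["eventName"], classify(e)) for e in events if classify(e)]
```

The classifier only sees what the trail delivers, which is the point of the slide above: it is the one alarm you want raised before the adversary's next step, so wire it to a log sink the account being monitored cannot modify.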
- Metadata Compromise
- As a result of key compromise
- Leaked through an application running in a role
kali:$ aws sts get-session-token --duration-seconds 129600
{
"Credentials": {
"SecretAccessKey": "S/aDDL86juKF3*****************************",
"SessionToken": "FQoDYXdzEG***********************************",
"Expiration": "2016-09-23T05:26:51Z",
"AccessKeyId": "ASIAJ5*****************************"
}
}
- You can't revoke temporary STS tokens
- Without CloudTrail you have no way to know how many exist
- Someone can use these to end you
- Denying Access to the Creator
- Denying Access by Name
- Denying Access to Credentials Issued Before xx/xx/xx 00:00:00
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {"DateLessThan": {"aws:TokenIssueTime": "2014-05-07T23:47:00Z"}}
}
}
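Building the deny-before-a-date policy above and simulating how its DateLessThan condition on aws:TokenIssueTime decides for a given session, including the tokens it does not catch. Added example, not code from the talk; the evaluator is a local simulation of the condition, not IAM's engine, and the session tokens are constructed.

```python
"""Build the 'deny credentials issued before T' policy shown above and simulate how
IAM's DateLessThan condition on aws:TokenIssueTime decides for a session token.
Added example, not code from the talk; a local simulation, not IAM's evaluator."""
from datetime import datetime, timezone

# Constructed sessions in the shape of get-session-token output, reduced to the
# field that matters here (issue time = Expiration minus the requested duration).
SAMPLE_TOKENS = [
    {"AccessKeyId": "ASIAJ5<redacted>", "issued": "2016-09-21T17:26:51Z"},   # 36h token
    {"AccessKeyId": "ASIAOLD<redacted>", "issued": "2016-09-20T02:00:00Z"},
    {"AccessKeyId": "ASIANEW<redacted>", "issued": "2016-09-22T08:00:00Z"},  # minted after cutoff
]

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"


def parse_iso(ts):
    """Parse the Zulu timestamps STS and CloudTrail emit into an aware datetime."""
    return datetime.strptime(ts, ISO_Z).replace(tzinfo=timezone.utc)


def revoke_before_policy(cutoff):
    """Return the IAM deny policy that rejects any request whose token was issued
    before `cutoff` (an aware datetime); attach it to the affected user or role."""
    return {"Version": "2012-10-17", "Statement": {
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(ISO_Z)}}}}


def is_denied(policy, token_issue_time):
    """Simulate DateLessThan: an issue time strictly earlier than the cutoff is denied;
    a token issued exactly at the cutoff is not."""
    cond = policy["Statement"]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    return parse_iso(token_issue_time) < parse_iso(cond)


def still_valid(policy, tokens):
    """Access keys of sessions the policy would NOT cut off: anything issued at or
    after the cutoff keeps working until it expires, so the principal that can mint
    new tokens must be dealt with separately (disable the key, rotate the role)."""
    return [t["AccessKeyId"] for t in tokens if not is_denied(policy, t["issued"])]
```

Requests signed with long-term access keys carry no aws:TokenIssueTime, so the condition does not match them and this policy leaves them untouched; disabling the key, as in the key-compromise step earlier, remains the control for those.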
- Backdoors
- Exfiltrate data via http
- Run a CNC for BotNet
- Run a ransomware backend....
Who Said: "It was once my job to think as Dark Wizards do?"
Professor Moody: The Goblet of Fire is an exceptionally powerful magical object.
Only an exceptionally powerful Confundus charm could have hoodwinked it!
Magic way beyond the talents of a fourth year.
Igor Karkaroff: You seem to have given this a fair bit of thought, Mad-Eye!
A: "Mad Eye Moody"
- Small payload
- Gives you persistence
- Cleans up its own logs when it goes away
- Most platforms probably aren't auditing serverless
- No security groups for APIGateway endpoints
Is this three dumb clouds?
- CapitalOne
- Netflix
- Yelp!
- Prezi
- Individual Contributors
http://www.threatresponse.cloud
- Amazon Web Services Security
- Don Bailey, Henrik Johansson, Zack Glick
- BSides PDX Staff
- Toni De la Fuente
- Team Who Couldn't Be with Us Today ( Alex )