1 00:00:10,343 --> 00:00:13,279 (applause) 2 00:00:13,279 --> 00:00:15,515 - So I'm Ryan Nolette, I've been doing 3 00:00:15,515 --> 00:00:18,885 IR forensic-ey fun stuff for about 15 years now. 4 00:00:20,053 --> 00:00:22,555 There's my GitHub page if you're interested 5 00:00:22,555 --> 00:00:24,791 in any of the public stuff I've done. 6 00:00:24,791 --> 00:00:27,460 As part of this talk I'm actually 7 00:00:27,460 --> 00:00:30,697 giving away an Amazon detonation lab. 8 00:00:30,697 --> 00:00:34,601 So that URL at the bottom is a quick easy way to set up 9 00:00:34,601 --> 00:00:37,103 a fully configured detonation lab in AWS 10 00:00:37,103 --> 00:00:40,140 takes about five minutes, builds a cool topology, 11 00:00:40,140 --> 00:00:42,075 I'll expand on that a little bit more. 12 00:00:43,576 --> 00:00:46,546 And of course, Time Person of the year 2006, come on. 13 00:00:48,081 --> 00:00:49,549 (person cheering) 14 00:00:49,549 --> 00:00:51,985 Three people got the reference, and I like you. 15 00:00:51,985 --> 00:00:55,121 All right, so the things that we're gonna go over 16 00:00:56,122 --> 00:00:59,993 are pretty much the overview of 17 00:00:59,993 --> 00:01:02,595 why cloud really isn't that scary, right. 18 00:01:02,595 --> 00:01:05,031 If you guys are all used to trying to protect 19 00:01:05,031 --> 00:01:08,234 a perimeter that's on your on-prem network, 20 00:01:08,234 --> 00:01:11,336 it's really the same thing just different words now. 21 00:01:11,337 --> 00:01:13,940 So I'm gonna go through some of the logging examples 22 00:01:13,940 --> 00:01:17,009 that you guys can do, and then go over an example 23 00:01:17,010 --> 00:01:19,479 showing how you could actually do the exact same 24 00:01:19,479 --> 00:01:21,114 investigation that you're doing 25 00:01:21,114 --> 00:01:23,316 or the same kind of hunts right now. 26 00:01:25,718 --> 00:01:27,020 The who did what and when. 27 00:01:28,588 --> 00:01:31,690 These are the questions that I like to try and go through 28 00:01:31,691 --> 00:01:34,594 for every single time I have to work through 29 00:01:34,594 --> 00:01:37,363 in any kind of threat, hunt, right. 30 00:01:37,363 --> 00:01:40,934 I want to bucket things into two groups, 31 00:01:40,934 --> 00:01:43,036 visibility and accountability. 32 00:01:43,036 --> 00:01:45,705 Because if you can't see it you can't account for it. 33 00:01:45,705 --> 00:01:49,075 Therefore, I need to keep increasing my visibility 34 00:01:49,075 --> 00:01:51,544 until I can account for everything. 35 00:01:53,646 --> 00:01:55,381 Which is a nice end state. 36 00:01:55,381 --> 00:01:57,083 So to get to that end state, 37 00:01:57,083 --> 00:01:59,051 we do the same typical things, right. 38 00:01:59,052 --> 00:02:03,957 Use OS hardening, you guys subscribe to NIST or BIS, 39 00:02:03,957 --> 00:02:05,958 or any of those benchmarks, right. 40 00:02:05,959 --> 00:02:09,628 You're still gonna apply those to your templates in AWS. 41 00:02:09,628 --> 00:02:12,899 Config management, you can run Ansible, Chef, 42 00:02:12,899 --> 00:02:14,868 you could use CloudFormation. 43 00:02:14,868 --> 00:02:18,638 There's a ton of tools that you can use to maintain that. 44 00:02:18,638 --> 00:02:21,341 Identity management and process monitoring, 45 00:02:21,341 --> 00:02:23,209 those are a little bit more interesting. 46 00:02:23,209 --> 00:02:26,012 And that's because of things like server-less computing. 47 00:02:28,014 --> 00:02:30,216 So bucketing those back into the visibility 48 00:02:30,216 --> 00:02:34,354 and accountability buckets, what you're really trying to do 49 00:02:34,354 --> 00:02:36,523 is answer those three questions 50 00:02:36,523 --> 00:02:41,194 of who did what and when they did it, right. 51 00:02:41,194 --> 00:02:43,796 Because if you can answer any of those questions 52 00:02:43,796 --> 00:02:47,066 you can cycle through and answer the other two, right. 53 00:02:47,066 --> 00:02:48,701 That's where you want to be. 54 00:02:48,701 --> 00:02:52,772 I want to be able to say I know when this happened, 55 00:02:52,772 --> 00:02:55,007 now who did what. 56 00:02:55,008 --> 00:02:57,210 And until you're able to answer those questions 57 00:02:57,210 --> 00:02:59,078 you haven't added enough visibility 58 00:02:59,078 --> 00:03:00,613 to have that accountability. 59 00:03:01,981 --> 00:03:05,285 What are some common tools that we all use? 60 00:03:05,285 --> 00:03:08,621 We use IDSes, we have EDR tools, 61 00:03:08,621 --> 00:03:12,625 we do different things for Netflow or Identity Management. 62 00:03:12,625 --> 00:03:16,696 Well these are the equivalents that are there. 63 00:03:16,696 --> 00:03:19,499 All right, instead of Netflow it's called VPCFlow. 64 00:03:19,499 --> 00:03:21,267 Do we know why? 65 00:03:21,267 --> 00:03:23,303 Because it's the Netflow in your VPC, 66 00:03:23,303 --> 00:03:25,505 which is your Virtual Private Cloud. 67 00:03:25,505 --> 00:03:27,807 When you set things up inside your Amazon account 68 00:03:27,807 --> 00:03:31,109 you're putting them in either one or a zillion 69 00:03:31,110 --> 00:03:33,446 different VPCs that you create. 70 00:03:33,446 --> 00:03:36,149 It's your own little virtual private space to play. 71 00:03:41,287 --> 00:03:43,389 So increasing that visibility, 72 00:03:43,389 --> 00:03:45,091 what we want to do 73 00:03:45,091 --> 00:03:49,762 is we want to use these different groupings of controls. 74 00:03:49,762 --> 00:03:52,799 Up here I've broken into about six different groups, 75 00:03:52,799 --> 00:03:55,702 there's more of course, you guys have all seen 76 00:03:55,702 --> 00:03:57,904 different compliance charts. 77 00:03:57,904 --> 00:04:00,506 So, this is going through more of what are the tools 78 00:04:00,506 --> 00:04:04,811 that are either native to the AWS realm, 79 00:04:04,811 --> 00:04:08,214 or are able to be used either free 80 00:04:08,214 --> 00:04:12,218 or just open source in general. 81 00:04:12,218 --> 00:04:16,421 So, authentication launcher using tools like IAM, 82 00:04:16,422 --> 00:04:19,993 which allows you to control the identities 83 00:04:19,993 --> 00:04:21,760 that log into your account 84 00:04:21,761 --> 00:04:24,797 and your different Amazon resources. 85 00:04:24,797 --> 00:04:26,699 But that doesn't say who logs in 86 00:04:26,699 --> 00:04:28,668 on the actual instance, right. 87 00:04:28,668 --> 00:04:30,637 So you still need to collect the logs 88 00:04:30,637 --> 00:04:32,605 off the instances that you spin up, 89 00:04:32,605 --> 00:04:36,609 to see did the person sign in as root, 90 00:04:36,609 --> 00:04:39,412 did they sign in as Apache for some reason. 91 00:04:39,412 --> 00:04:42,582 And those kinds of normal system configs. 92 00:04:44,250 --> 00:04:46,486 But, the end to end example, 93 00:04:47,520 --> 00:04:49,421 this is going to be kind of fun, 94 00:04:49,422 --> 00:04:51,924 because this is my detonation lab that I set up 95 00:04:51,924 --> 00:04:53,926 with these scripts that I'm giving away, 96 00:04:55,361 --> 00:04:59,299 and what's kind of cool is this is the typical instance 97 00:04:59,299 --> 00:05:04,236 for people that have extensions to their on-prem networks. 98 00:05:05,638 --> 00:05:08,840 So, right now show of hands whose boss has told them 99 00:05:08,841 --> 00:05:12,178 that they're going to the cloud, right. 100 00:05:12,178 --> 00:05:13,413 All right. 101 00:05:13,413 --> 00:05:17,417 Who actually wants to do that? (laughs) 102 00:05:17,417 --> 00:05:18,650 Right? 103 00:05:18,651 --> 00:05:20,086 It sounds scary, it has a whole lot of 104 00:05:20,086 --> 00:05:21,888 different controls and things, 105 00:05:21,888 --> 00:05:25,691 but what I kinda want to bring out is 106 00:05:26,859 --> 00:05:29,695 cloud's not gonna rain on your parade. (laughs) 107 00:05:29,696 --> 00:05:31,864 Yes, cloud reference, dad joke, thank you. 108 00:05:31,864 --> 00:05:36,234 The thing is, a lot of people are just looking at things 109 00:05:36,235 --> 00:05:39,906 as can I bring my current technologies up with me. 110 00:05:39,906 --> 00:05:42,208 And that's often no because those products 111 00:05:42,208 --> 00:05:45,712 were designed for static systems, 112 00:05:45,712 --> 00:05:48,147 in traditional networks. 113 00:05:48,147 --> 00:05:50,149 Well, that doesn't always work. 114 00:05:50,149 --> 00:05:54,120 So, what I've done here is I've built this 115 00:05:54,120 --> 00:05:56,622 CloudFormation template which I'll talk more about 116 00:05:56,622 --> 00:05:58,624 CloudFormation in the lightning talk, 117 00:05:58,624 --> 00:06:00,226 to give you an idea of what it does. 118 00:06:00,226 --> 00:06:02,562 But you basically run this script 119 00:06:02,562 --> 00:06:06,132 and it goes in and configures your entire topology for you. 120 00:06:06,132 --> 00:06:08,034 This is the topology that it builds. 121 00:06:08,034 --> 00:06:11,671 It has a private VPC that I stuck four systems in, 122 00:06:11,671 --> 00:06:13,772 and that's guarded by a Bastion host. 123 00:06:13,773 --> 00:06:16,175 So I can do all kinds of fun stuff in there, 124 00:06:16,175 --> 00:06:18,311 but nothing really leaks out. 125 00:06:18,311 --> 00:06:21,714 Inside I have a red team server, 126 00:06:21,714 --> 00:06:23,950 which is where I'm gonna be doing my attacks from 127 00:06:23,950 --> 00:06:25,450 for this demonstration. 128 00:06:25,451 --> 00:06:28,788 I have a Windows victim, and I have a Linux victim, 129 00:06:28,788 --> 00:06:31,424 and then I have a Wazuh server. 130 00:06:31,424 --> 00:06:34,025 Has anyone here ever heard of Wazuh or ever used it? 131 00:06:35,328 --> 00:06:36,262 No? 132 00:06:36,262 --> 00:06:38,398 All right, how about OSSEC. 133 00:06:38,398 --> 00:06:40,400 Do people know what that is? 134 00:06:40,400 --> 00:06:41,801 All right. 135 00:06:41,801 --> 00:06:45,604 Oh, Wazuh is a more commercial version of that. 136 00:06:45,605 --> 00:06:50,610 It's basically an elastic stack with a app that does 137 00:06:52,044 --> 00:06:54,714 OSSEC stuff on top of a lot of other new features. 138 00:06:54,714 --> 00:06:56,449 But the reason why I'm using them 139 00:06:56,449 --> 00:06:57,884 is because I worked with their team 140 00:06:57,884 --> 00:07:00,853 over the last three months to build in 141 00:07:00,853 --> 00:07:04,290 ways to ingest logs from AWS. 142 00:07:05,458 --> 00:07:08,528 All the different logs that I normally use 143 00:07:08,528 --> 00:07:10,830 to do detections they now can all ingest. 144 00:07:10,830 --> 00:07:14,366 So super big shout out to the developer, Marta, 145 00:07:14,367 --> 00:07:17,537 because she's the one that actually developed all of this 146 00:07:17,537 --> 00:07:19,638 (laughs) for the Wazuh side. 147 00:07:19,639 --> 00:07:22,275 The pipelines that this template builds 148 00:07:22,275 --> 00:07:25,344 look kind of complicated, and that's because 149 00:07:25,344 --> 00:07:29,115 there's a different methodology with things 150 00:07:29,115 --> 00:07:31,884 in AWS and other cloud providers. 151 00:07:31,884 --> 00:07:35,455 They're no longer talking about your application, 152 00:07:35,455 --> 00:07:38,157 your instance, or terms like that. 153 00:07:38,157 --> 00:07:40,592 Now things are being called workloads 154 00:07:40,593 --> 00:07:43,596 because people are moving off of, 155 00:07:43,596 --> 00:07:45,698 I'm gonna stand up an instance of E2, 156 00:07:45,698 --> 00:07:49,635 I'm gonna install Apache, NGX, whatever, 157 00:07:49,635 --> 00:07:53,306 and run my application off that instance. 158 00:07:53,306 --> 00:07:55,073 Well that's pretty expensive 159 00:07:55,074 --> 00:07:56,409 because there's a lot of overhead 160 00:07:56,409 --> 00:07:59,078 that's unnecessary to do your end goal 161 00:07:59,078 --> 00:08:01,580 which is run that one application 162 00:08:01,581 --> 00:08:03,382 or your one workload. 163 00:08:03,382 --> 00:08:06,752 That's where people start moving into things like Lambda 164 00:08:08,154 --> 00:08:12,391 or Kubernetes, I never can pronounce it. (laughs) 165 00:08:12,391 --> 00:08:15,628 You know, docker style virtualization systems. 166 00:08:15,628 --> 00:08:17,964 That's why people are moving their stuff there 167 00:08:17,964 --> 00:08:21,000 'cause it's significantly cheaper to run the same workloads. 168 00:08:22,435 --> 00:08:25,872 So the first tool that we went over is CloudFormation. 169 00:08:25,872 --> 00:08:29,208 This is what I use for automation. 170 00:08:30,409 --> 00:08:33,746 If I want to stand up a stack to quickly poke at 171 00:08:33,746 --> 00:08:36,249 some new attacks that I just learned, 172 00:08:36,249 --> 00:08:38,317 I'll run this script and somewhere around 173 00:08:38,317 --> 00:08:39,919 five minutes from there I have 174 00:08:39,919 --> 00:08:41,787 that full detonation lab set up. 175 00:08:41,787 --> 00:08:43,656 Right, the same kind of idea. 176 00:08:43,655 --> 00:08:47,359 It's quick, it's repeatable, it's free. 177 00:08:47,360 --> 00:08:48,828 Big, big fan. 178 00:08:48,828 --> 00:08:52,265 S3, that's just where I dump all my logs, that's it. 179 00:08:52,265 --> 00:08:53,799 It's this giant bucket, 180 00:08:53,799 --> 00:08:56,602 and they're actually called buckets. (laughs) 181 00:08:56,602 --> 00:08:58,871 That allows me to store the data that I'm pulling 182 00:08:58,871 --> 00:09:01,274 from all these different logging sources. 183 00:09:01,274 --> 00:09:05,278 VPC we quickly went over, that's just the virtual network 184 00:09:05,278 --> 00:09:08,548 that all my instances are gonna be installed into. 185 00:09:08,548 --> 00:09:13,052 VPC Flow is what monitors inter-instance 186 00:09:13,052 --> 00:09:16,355 and extra-instance network traffic. 187 00:09:16,355 --> 00:09:19,725 That allows me to monitor any connections 188 00:09:19,725 --> 00:09:22,895 between the systems in the VPC 189 00:09:22,895 --> 00:09:25,064 as well as external to the VPC. 190 00:09:26,866 --> 00:09:29,869 Lambda, this is a piece of code that I'm using 191 00:09:29,869 --> 00:09:33,873 to add in enrichment metadata to my VPC flow. 192 00:09:35,074 --> 00:09:38,243 Firehose, this is what collects those logs. 193 00:09:38,244 --> 00:09:40,546 So I'm sending all my logs to Firehose 194 00:09:40,546 --> 00:09:43,449 which can actually handle that kind of volume. 195 00:09:43,449 --> 00:09:47,286 Because Firehose scales natively. 196 00:09:47,286 --> 00:09:50,589 So, if today I only have 20,000 logs, 197 00:09:50,590 --> 00:09:52,725 sorry 20,000 traffic events, 198 00:09:52,725 --> 00:09:55,261 but tomorrow I have 20 million, 199 00:09:55,261 --> 00:09:56,795 it will still scale for that. 200 00:09:58,397 --> 00:10:00,766 IAM, this is that identity management 201 00:10:00,766 --> 00:10:02,267 that we've been messing around with. 202 00:10:02,268 --> 00:10:03,903 This is how I create all the users 203 00:10:03,903 --> 00:10:06,305 that are allowed to access my S3 buckets, 204 00:10:06,305 --> 00:10:10,575 as well as are allowed to run different privileged items 205 00:10:10,576 --> 00:10:13,613 from inside my network. 206 00:10:13,613 --> 00:10:17,850 CloudTrail, CloudTrail monitors API calls. 207 00:10:17,850 --> 00:10:22,154 So anytime you interact with the AWS console, 208 00:10:22,154 --> 00:10:26,459 or use AWSCLI, or any of those native tools, 209 00:10:26,459 --> 00:10:30,662 you're interacting with the AWS APIs. 210 00:10:30,663 --> 00:10:32,331 Every single time you do that 211 00:10:32,331 --> 00:10:35,301 you are generating events in CloudTrail. 212 00:10:35,301 --> 00:10:39,138 So we use CloudTrail for all kinds of fun detection stuff. 213 00:10:39,138 --> 00:10:42,174 Did somebody just XFIL your temporary credentials 214 00:10:42,174 --> 00:10:43,209 from your instance and are now using them 215 00:10:43,209 --> 00:10:46,679 to access your S3 buckets? 216 00:10:46,679 --> 00:10:48,280 There's CloudTrail events for that, 217 00:10:48,280 --> 00:10:53,252 and we can use them to simply say this bad thing happened. 218 00:10:54,387 --> 00:10:55,854 Really, really useful for correlation. 219 00:10:55,855 --> 00:10:59,992 Macie, this is an actual security tool that people use. 220 00:10:59,992 --> 00:11:03,329 This monitors and categorizes data in your S3 buckets, 221 00:11:03,329 --> 00:11:07,465 so if Bill from accounting uploaded one of his spreadsheets 222 00:11:07,466 --> 00:11:09,535 and it has Social Security numbers in it, 223 00:11:10,736 --> 00:11:12,170 and stuff, that gets flagged. 224 00:11:12,171 --> 00:11:14,140 So it does cool stuff like that. 225 00:11:14,140 --> 00:11:17,910 And you can create your own different triggers 226 00:11:17,910 --> 00:11:21,414 if you want something to flag on if the name Ben is in there 227 00:11:21,414 --> 00:11:23,883 you can write something like that. 228 00:11:23,883 --> 00:11:28,654 Kind of think of it like, it's based on, what it's called, 229 00:11:28,654 --> 00:11:32,692 but the data, it's not DEP, 230 00:11:34,293 --> 00:11:37,496 it's a compliance one that I can't think of right now. 231 00:11:37,496 --> 00:11:40,433 So Inspector, this is my vulnerability scanner. 232 00:11:41,634 --> 00:11:44,637 This allows me to scan against my instances 233 00:11:44,637 --> 00:11:49,074 for things like CIS compliance, common vulnerabilities, 234 00:11:49,075 --> 00:11:51,877 Oauths, Pop10, stuff like that. 235 00:11:53,045 --> 00:11:56,048 And CloudWatch Event Rules and Logs. 236 00:11:56,048 --> 00:11:59,485 This is the main thing that I use to capture 237 00:11:59,485 --> 00:12:02,722 events from these services, so I can forward those logs 238 00:12:02,722 --> 00:12:04,890 and write them to my S3 bucket. 239 00:12:04,890 --> 00:12:08,661 Without CloudWatch monitoring all those different services 240 00:12:08,661 --> 00:12:10,963 nothing's actually grabbing the logs 241 00:12:10,963 --> 00:12:13,332 out of the service when they happen. 242 00:12:13,332 --> 00:12:16,202 So you can log everything but the only way you'll see it 243 00:12:16,202 --> 00:12:18,637 is in the console of that tool. 244 00:12:18,637 --> 00:12:20,638 This allows me to take it out of that tool 245 00:12:20,639 --> 00:12:22,908 and drop it into S3 so then I can ingest it 246 00:12:22,908 --> 00:12:25,711 into an elastic stack kind of setup. 247 00:12:27,046 --> 00:12:28,247 And then GuardDuty. 248 00:12:28,247 --> 00:12:31,950 This is another tool that works kind of like, 249 00:12:33,252 --> 00:12:37,857 it's kind of like an IDS/behavioral analysis tool. 250 00:12:37,857 --> 00:12:40,593 And it has a bunch of pre-configured stuff 251 00:12:40,593 --> 00:12:42,127 that it looks for. 252 00:12:42,128 --> 00:12:46,398 This one is just looking for a cryptocurrency. 253 00:12:46,398 --> 00:12:49,568 This is traffic going from one of my instances 254 00:12:49,568 --> 00:12:52,238 to a known destination that's been categorized 255 00:12:52,238 --> 00:12:54,039 as cryptocurrency. 256 00:12:55,975 --> 00:12:57,409 And then this is Wazuh. 257 00:12:58,644 --> 00:13:00,179 Once again big shout out to them for all 258 00:13:00,179 --> 00:13:02,882 of the stuff that they did for me, huge, huge help. 259 00:13:02,882 --> 00:13:06,285 This is what I'm using for an EDR tool in here. 260 00:13:06,285 --> 00:13:10,723 This basically installs OSSEC on the different instances, 261 00:13:10,723 --> 00:13:15,093 as well as it's gonna pull stuff into my log stash 262 00:13:15,094 --> 00:13:18,330 and eventually feed my Kibana dashboards, 263 00:13:18,330 --> 00:13:20,199 which is extremely, extremely helpful 264 00:13:20,199 --> 00:13:23,234 'cause now I can do full stack analysis. 265 00:13:23,235 --> 00:13:24,837 I have an EDR tool, 266 00:13:26,038 --> 00:13:27,773 I have a tool to look at my network traffic, 267 00:13:27,773 --> 00:13:30,609 I have a tool to look at my identity management, 268 00:13:30,609 --> 00:13:32,378 my config, vulnerability scanning, 269 00:13:33,546 --> 00:13:36,515 and categorization of compliance stuff, 270 00:13:36,515 --> 00:13:38,818 and it all gets dropped into one place for me. 271 00:13:40,352 --> 00:13:45,057 This is what the detonation lab CloudFormation script does. 272 00:13:45,057 --> 00:13:47,359 So you guys can go in there and play around, 273 00:13:47,359 --> 00:13:49,728 and it'll tell you what breaks and where. 274 00:13:51,130 --> 00:13:53,499 To give you an idea of some of the mapping stuff 275 00:13:53,499 --> 00:13:57,102 that I've done, this is just for CloudTrail events. 276 00:13:57,102 --> 00:13:59,939 I wanted to give an idea of how many things overlap 277 00:13:59,939 --> 00:14:03,474 between these logs that allow you to map between them 278 00:14:03,475 --> 00:14:06,812 in order to do further kinds of detection, right. 279 00:14:06,812 --> 00:14:08,714 If you're hunting through data 280 00:14:08,714 --> 00:14:13,385 and none of the data is communicating or connected together, 281 00:14:13,385 --> 00:14:15,354 how do you end up connecting 282 00:14:15,354 --> 00:14:17,890 those relationships between the data? 283 00:14:17,890 --> 00:14:20,925 Well, what I ended up doing is I took 284 00:14:20,926 --> 00:14:24,730 common overlapping things, for instance for the AWS account 285 00:14:24,730 --> 00:14:27,199 we have something called an ARN which is an ID. 286 00:14:27,199 --> 00:14:30,603 You have a principal ID, you have an access key ID, 287 00:14:30,603 --> 00:14:35,608 those are overlapping fields under account management. 288 00:14:36,809 --> 00:14:38,110 So those are what identify accounts. 289 00:14:38,110 --> 00:14:41,881 By using that I can now connect every event 290 00:14:41,881 --> 00:14:44,717 from every AWS service I have 291 00:14:44,717 --> 00:14:47,486 that uses one of those four identifiers, 292 00:14:47,486 --> 00:14:50,189 and I can map it to the same account now. 293 00:14:50,189 --> 00:14:53,992 So that's huge for the attack that I'm gonna be showing. 294 00:14:55,327 --> 00:14:58,030 So an example of a couple of the dashboards. 295 00:14:58,030 --> 00:15:01,600 Here's some simple, easy, pretty pictures. 296 00:15:01,600 --> 00:15:03,168 Management loves these. 297 00:15:03,168 --> 00:15:05,604 These are not that helpful, but management loves them, 298 00:15:05,604 --> 00:15:06,705 so keep them in mind. 299 00:15:08,140 --> 00:15:12,578 These idea for these are top external destination IPs. 300 00:15:13,312 --> 00:15:16,682 Now, not always helpful. 301 00:15:16,682 --> 00:15:19,885 I have the accounts for GuardDuty alerts. 302 00:15:19,885 --> 00:15:23,689 So these are the accounts that set up GuardDuty alerts. 303 00:15:23,689 --> 00:15:26,391 I already have one account in the test lab 304 00:15:26,392 --> 00:15:30,796 that gets destroyed so I only have one account there. 305 00:15:30,796 --> 00:15:33,399 But in a real production environment 306 00:15:33,399 --> 00:15:35,534 you could have a couple hundred IDs. 307 00:15:35,534 --> 00:15:38,404 And this tells you which one of your users 308 00:15:38,404 --> 00:15:40,706 is constantly doing things that are weird. 309 00:15:42,141 --> 00:15:45,877 Next up are talkative, the most talkative instances 310 00:15:45,878 --> 00:15:50,382 based on their interface ID, right. 311 00:15:50,382 --> 00:15:52,084 When you have these virtual instances 312 00:15:52,084 --> 00:15:55,320 you can put as many nicks in them as you want, 313 00:15:55,321 --> 00:16:00,292 so how do we know if a instance is being talkative 314 00:16:01,460 --> 00:16:04,663 or if their attacker is moving the nick 315 00:16:04,663 --> 00:16:07,333 to different systems so they can run traffic 316 00:16:07,333 --> 00:16:11,069 outside of your monitoring, cool attacks like that. 317 00:16:11,070 --> 00:16:13,272 This ends up capturing things like that. 318 00:16:14,940 --> 00:16:17,109 So, finding what matters. 319 00:16:17,109 --> 00:16:19,812 This is what I did with the Kibana boards, 320 00:16:20,779 --> 00:16:21,814 that come in this, 321 00:16:23,248 --> 00:16:26,585 I feel like the voice of god just happened there. (laughs) 322 00:16:26,585 --> 00:16:30,456 The Kibana boards, these are gonna use all these dashboards 323 00:16:30,456 --> 00:16:32,057 and they're gonna show you what's happening. 324 00:16:32,057 --> 00:16:34,326 So this is the threat hunt 325 00:16:34,326 --> 00:16:37,763 that I had a junior analyst do, right. 326 00:16:37,763 --> 00:16:40,899 They went in and they started looking at 327 00:16:40,899 --> 00:16:43,202 places where there's a ton of traffic. 328 00:16:43,202 --> 00:16:45,404 Now this is a test at Nation Lab, 329 00:16:45,404 --> 00:16:47,339 this is not production data, 330 00:16:47,339 --> 00:16:51,276 so it looks an awful lot like China (laughs) 331 00:16:51,276 --> 00:16:53,512 has a lot of traffic going to it. 332 00:16:54,813 --> 00:16:56,782 Maybe they're outsourcing their math, 333 00:16:56,782 --> 00:16:59,151 but most likely what's happening 334 00:16:59,151 --> 00:17:02,755 is something is sending out and talking. 335 00:17:02,755 --> 00:17:05,557 So I dig into that country. 336 00:17:05,557 --> 00:17:07,925 From there I can see a massive spike of traffic 337 00:17:07,925 --> 00:17:11,429 that happened yesterday, but all the other days before it, 338 00:17:11,430 --> 00:17:14,199 for 30 days, nothing has happened. 339 00:17:14,199 --> 00:17:17,369 I can dig into that and see that the top IP address 340 00:17:17,368 --> 00:17:19,838 is this 58.218 address. 341 00:17:21,240 --> 00:17:25,676 Well, from there I can go and see if any alerts happened 342 00:17:25,676 --> 00:17:27,579 for that destination. 343 00:17:27,579 --> 00:17:32,017 And lo and behold, I have some alerts from this IP, 344 00:17:32,017 --> 00:17:36,488 magically for this demo, everything worked out perfectly. 345 00:17:36,488 --> 00:17:41,493 So, this now allows me to find what internal instance 346 00:17:42,928 --> 00:17:44,830 has this fun traffic to it, and now I want to see 347 00:17:44,830 --> 00:17:48,533 why this thinks that I have something talking out 348 00:17:48,534 --> 00:17:51,870 to a cryptocurrency exchange, 349 00:17:51,870 --> 00:17:55,407 and I can use those logs for the EDR tool 350 00:17:55,407 --> 00:18:00,345 to find out that my netstat table changed, 351 00:18:00,345 --> 00:18:05,317 and it shows a binary called pip3.7, 352 00:18:06,418 --> 00:18:10,889 that is using that destination IP address. 353 00:18:10,889 --> 00:18:15,093 And when I go into that I can see that it was installed 354 00:18:15,094 --> 00:18:19,364 by the user Apache, and then I can look at the hashes 355 00:18:19,364 --> 00:18:22,067 for that binary and VirusTotal 356 00:18:23,235 --> 00:18:25,870 happens to have that as a known crypto miner. 357 00:18:27,573 --> 00:18:29,842 Yes, there's a lot of conspiracies 358 00:18:29,842 --> 00:18:31,977 about how well this worked out, 359 00:18:31,977 --> 00:18:35,080 but the overall idea is all of this information 360 00:18:35,080 --> 00:18:37,216 was able to be related together, 361 00:18:37,216 --> 00:18:40,119 and we're able to do a full stack (laughs) 362 00:18:40,119 --> 00:18:42,955 investigation of something that happened, right. 363 00:18:42,955 --> 00:18:45,890 All this was visual, I didn't have to go and dig through 364 00:18:45,891 --> 00:18:48,560 a couple million lines of text. 365 00:18:48,560 --> 00:18:51,697 I was able to pull these together very quickly 366 00:18:51,697 --> 00:18:55,601 and easily, to show this full picture. 367 00:18:55,601 --> 00:18:57,903 This is something I would end up presenting 368 00:18:57,903 --> 00:19:02,841 to management of a great example of this junior analyst 369 00:19:04,009 --> 00:19:05,744 who's ready to take on more responsibility. 370 00:19:05,744 --> 00:19:08,780 Right, they were able to go start to finish 371 00:19:08,780 --> 00:19:11,183 without any issues and were able to connect 372 00:19:11,183 --> 00:19:13,185 all the different disparate data sets 373 00:19:13,185 --> 00:19:15,486 that they ended up having to work with 374 00:19:15,487 --> 00:19:18,657 all within free and open source products. 375 00:19:20,325 --> 00:19:22,794 So, how did they get in? 376 00:19:22,794 --> 00:19:25,731 Now, this one I actually have a feature request out for 377 00:19:25,731 --> 00:19:28,066 because it's not currently baked in, 378 00:19:28,066 --> 00:19:32,437 but I went ahead and I used inspector to do some scanning 379 00:19:32,437 --> 00:19:36,875 of my instances, and I found that my web server 380 00:19:36,875 --> 00:19:40,379 on the Linux victim has not been patched. 381 00:19:41,480 --> 00:19:45,150 So, (laughs and imitates sad trombone) 382 00:19:45,150 --> 00:19:46,785 I wonder if it was a web shell, 383 00:19:48,453 --> 00:19:52,491 but most likely it was just a really bad web server 384 00:19:52,491 --> 00:19:55,160 that ran Netcat to an attacker. 385 00:19:56,895 --> 00:20:01,633 Now, to do kind of a recap, right. 386 00:20:01,633 --> 00:20:04,903 Does cloud seem as scary now? 387 00:20:04,903 --> 00:20:09,074 I hope not because every tool that I just used 388 00:20:09,074 --> 00:20:11,410 is available on prem, and most likely 389 00:20:11,410 --> 00:20:15,113 if you have a sock, hell if you have something simple 390 00:20:15,113 --> 00:20:19,618 like free and open source Security Onion running with OSSEC. 391 00:20:20,819 --> 00:20:24,489 That's all free, yes the cost is really an effort 392 00:20:24,489 --> 00:20:27,492 for setting stuff up, but you could do everything 393 00:20:27,492 --> 00:20:30,762 that I just did without spending any money 394 00:20:30,762 --> 00:20:32,898 outside of hardware, right. 395 00:20:34,266 --> 00:20:37,402 So I wanted to go through that stuff showing, 396 00:20:37,402 --> 00:20:39,338 these are common tools, 397 00:20:39,338 --> 00:20:41,607 they just have a different name right now, 398 00:20:41,607 --> 00:20:43,875 and we're working on naming conventions 399 00:20:43,875 --> 00:20:46,144 to make things a little clearer for people. 400 00:20:46,144 --> 00:20:49,381 But, with the last couple minutes that I have 401 00:20:49,381 --> 00:20:52,517 I want to get to the most serious question, 402 00:20:52,517 --> 00:20:54,319 the attacker lifestyle. 403 00:20:55,520 --> 00:20:59,057 Now, this is in honor of squirrel, 404 00:20:59,057 --> 00:21:02,561 because if anybody knows my corgi attacker life cycle, 405 00:21:02,561 --> 00:21:06,398 this is quite similar, though this is from the idea 406 00:21:06,398 --> 00:21:08,466 of the cryptocurrency miner. 407 00:21:08,467 --> 00:21:10,702 We have script kiddie scanning around the internet 408 00:21:10,702 --> 00:21:13,739 looking for open addresses, 409 00:21:13,739 --> 00:21:17,209 they end up popping one and run a cryptocurrency miner, 410 00:21:17,209 --> 00:21:19,278 all of a sudden they have some cash, 411 00:21:19,278 --> 00:21:21,780 so they buy a fancy car. 412 00:21:21,780 --> 00:21:24,649 They own the only Lamborghini in Eastern Europe. 413 00:21:24,650 --> 00:21:26,785 Somehow that stands out for some reason. 414 00:21:26,785 --> 00:21:29,087 They get investigated for tax evasion, 415 00:21:29,087 --> 00:21:32,357 they get arrested, they flip on people, 416 00:21:32,357 --> 00:21:34,993 and now they're in the witness protection agency, 417 00:21:34,993 --> 00:21:37,029 and they want to start it all over again. 418 00:21:39,031 --> 00:21:41,700 I'd watch that movie. (laughs) 419 00:21:42,934 --> 00:21:46,104 So kind of my motto that I like to have 420 00:21:46,104 --> 00:21:48,807 coming from a blue team perspective 421 00:21:48,807 --> 00:21:53,378 is Flag it, Tag it, and Bag it, AKA the double tap. 422 00:21:53,378 --> 00:21:57,515 If you find something, flag it, right. 423 00:21:57,516 --> 00:22:00,452 It's either the user manually looking for things 424 00:22:00,452 --> 00:22:03,388 in the threat hunt, your static defenses 425 00:22:03,388 --> 00:22:06,158 that are looking for common signatures 426 00:22:06,158 --> 00:22:08,793 or anything else, right. 427 00:22:08,794 --> 00:22:10,996 Show what happened and then tag it. 428 00:22:10,996 --> 00:22:14,499 Even if it doesn't look malicious, 429 00:22:14,499 --> 00:22:17,669 if it looks anomalous, tag it. 430 00:22:17,669 --> 00:22:20,706 And eventually you build enough information to it 431 00:22:20,706 --> 00:22:23,375 to bag it and get that out of your network. 432 00:22:24,576 --> 00:22:28,814 So, I ended up right on time for minutes, 433 00:22:28,814 --> 00:22:32,351 do we want to do questions or push them to the end, 434 00:22:32,351 --> 00:22:34,820 so that way we can keep on schedule? 435 00:22:37,923 --> 00:22:40,025 (laughs) 436 00:22:40,992 --> 00:22:41,827 Play Free Bird! 437 00:22:46,264 --> 00:22:48,132 All right, and while they're talking. 438 00:22:50,635 --> 00:22:54,004 That's just so much fun. (laughs) 439 00:22:54,005 --> 00:22:55,307 - All right. 440 00:22:55,307 --> 00:22:56,274 - It makes me happy. 441 00:22:58,910 --> 00:22:59,745 - You good? 442 00:22:59,745 --> 00:23:00,946 - Oh yeah. 443 00:23:00,946 --> 00:23:02,613 - All right, round of applause. (cheers) 444 00:23:02,614 --> 00:23:04,950 (applause) 445 00:23:04,950 --> 00:23:07,953 (light piano music)