
How to Build a Threat Hunting Capability in AWS

©2019 SANS™ Institute | www.sans.org | Sponsored by:


Today’s Speakers
• Shaun McCullough – SANS Instructor
• Ross Warren – Specialist Solution Architect at AWS
• David Aiken – Solutions Architect Manager at AWS



Today’s Agenda
• Discussion of threat hunting
• The Threat Hunting Loop and tools for analysis
• Creating a threat hunting strategy in AWS
• Enabling threat hunting through security efficiency in AWS
Threat Hunting
The proactive evaluation of infrastructure operations to detect a threat beyond the deployed security tools

… or, digging through logs to identify attacker behaviors.



Threat Hunting Loop (a cycle; the last step feeds the next hypothesis)
• Create a hypothesis
• Investigate via tools and techniques
• Uncover new patterns and apply learned lessons
• Inform and enrich with analytics



Hunting – Creating a Hypothesis



Hunting – Investigate via Tools
Reduce complexity with infrastructure consistency.

Cloud infrastructure is elastic; systems can disappear before analysis is done.

Automated apps look different than human attackers.





Hunting – Uncover Patterns
Threat hunters will identify operational problems, difficult-to-analyze infrastructure and hard-to-defend systems.

Team up with infrastructure teams to continue improving infrastructure designs.



Hunting – Inform with Data
Gather the data, identify missing information and make that data available.

Enrich data to tell a story.

Build or buy tools to improve analysis speed.





Tools for Analysis
• Quick Analysis in the Cloud
• Security Information and Event Management (SIEM)
• Security Orchestration, Automation and Response (SOAR)



Tools – Quick Analysis
AWS CloudTrail records the management API calls made in the account and offers a simple query interface through its event history. Data-plane events (for example, S3 object reads and writes or Lambda invocations) are not logged by default and must be enabled separately; a hunt that assumes "all API calls" are in CloudTrail will miss them.

Amazon CloudWatch provides dashboards and alerting.

Advanced systems, such as Amazon Athena, improve ad hoc querying: Athena runs SQL directly over the CloudTrail log files delivered to S3.





Tools – SIEM
Advanced querying, highly enriched dashboarding, or tracking across cloud and on-prem logs may require a SIEM.

Major SIEMs provide cloud-specific adapters to speed up data ingest and analysis.



Tools – SOAR
Cloud services enhance the ability to automate operations:
- Call a host agent to pull a process listing.
- Take a snapshot of the host and quarantine it.
- Revoke the user's access keys.
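The three SOAR actions above as one containment playbook, added here as an example (this is not code from the webcast or from AWS). The playbook calls the boto3 client methods iam.update_access_key, ssm.send_command, ec2.describe_instances, ec2.create_snapshot and ec2.modify_instance_attribute with their real keyword arguments, but so that it runs offline it is exercised against a constructed FakeAws test double that records the calls and returns the same response shapes; in production pass boto3.client("iam"), boto3.client("ec2") and boto3.client("ssm") instead. The user, key id, instance id and quarantine security group id are assumed values. The ordering is the security-relevant part: the key is deactivated rather than deleted, volatile host data is pulled before the host is isolated, and volumes are snapshotted before anything that could change them.

```python
"""Containment playbook: revoke key, capture processes, snapshot, quarantine (added example)."""
from dataclasses import dataclass, field


@dataclass
class FakeAws:
    """Constructed stand-in for the boto3 iam/ec2/ssm clients (NOT boto3 itself).
    Records every call and returns the response shapes the real APIs return."""
    calls: list = field(default_factory=list)
    volumes: dict = field(default_factory=dict)  # instance id -> attached EBS volume ids

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", UserName, AccessKeyId, Status))
        return {}

    def send_command(self, InstanceIds, DocumentName, Parameters):
        self.calls.append(("send_command", tuple(InstanceIds), DocumentName))
        return {"Command": {"CommandId": "cmd-example-0001"}}  # assumed id

    def describe_instances(self, InstanceIds):
        self.calls.append(("describe_instances", tuple(InstanceIds)))
        return {"Reservations": [{"Instances": [
            {"InstanceId": i,
             "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volumes.get(i, [])]}
            for i in InstanceIds]}]}

    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": "snap-" + VolumeId[4:]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, tuple(Groups)))
        return {}


def contain(iam, ec2, ssm, user, key_id, instance_id, quarantine_sg):
    """Run the slide's three SOAR actions in an order that preserves evidence."""
    # 1. Deactivate (do not delete) the key: further API calls fail immediately, the key
    #    id survives for log correlation, and the action is reversible on a false positive.
    iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    # 2. Pull volatile host data through the SSM agent BEFORE isolating: a quarantine
    #    group with no egress also cuts the agent off (unless an SSM VPC endpoint remains reachable).
    cmd = ssm.send_command(InstanceIds=[instance_id], DocumentName="AWS-RunShellScript",
                           Parameters={"commands": ["ps -eo pid,ppid,user,etime,args", "ss -tunap"]})
    # 3. Snapshot every attached volume while the instance keeps running (memory stays
    #    intact; disk state is preserved even if the attacker wipes it afterwards).
    snapshots = []
    for reservation in ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]:
        for inst in reservation["Instances"]:
            for bdm in inst.get("BlockDeviceMappings", []):
                vol = bdm["Ebs"]["VolumeId"]
                resp = ec2.create_snapshot(VolumeId=vol, Description=f"IR {instance_id} {vol}")
                snapshots.append(resp["SnapshotId"])
    # 4. Quarantine: replace all security groups with one that allows nothing. Security
    #    groups are stateful, so already-established tracked flows may linger; add a NACL
    #    deny or stop the instance if the hunt shows a live session.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"command_id": cmd["Command"]["CommandId"], "snapshots": snapshots, "key": key_id}


def demo():
    """Run the playbook against the fake with two assumed volumes; returns (calls, result)."""
    aws = FakeAws(volumes={"i-ebeaf9e2": ["vol-0a1b2c3d", "vol-0e5f6a7b"]})
    result = contain(aws, aws, aws, "Alice", "EXAMPLE_KEY_ID", "i-ebeaf9e2", "sg-quarantine")
    return aws.calls, result


if __name__ == "__main__":
    for call in demo()[0]:
        print(call)
```

Everything the playbook does is reversible except the snapshots, which is deliberate: a hunt that turns out to be a false positive costs one re-enabled key and one security-group change.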



Consider This
• Improving threat hunting is a continuous process.
• Build a solid threat modeling process to improve the
hypothesis stage.
• Start small with free tools or easy scripts. Increase
complexity of threat hunting while increasing
consistency in the environment.
• Cloud-specific threat hunting is a rapidly changing
landscape. Always be learning.



Creating a threat hunting strategy in AWS

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
Efficient SOC creates a foundation for threat hunting

Planning for the threat hunting journey
A spectrum: Fully Manual at one end, Fully Automated (impossible) at the other. The sweet spot lies between them.

Key data sources for threat hunting
AWS Sources:
• AWS CloudTrail
• Amazon CloudWatch Events
• Amazon GuardDuty Findings
• Amazon VPC Flow Logs
• Amazon Inspector Findings
• DNS Logs

Example CloudTrail record (a StopInstances call by IAM user Alice):
{"Records": [{
    "eventVersion": "1.0",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-03-06T21:01:59Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "205.251.233.176",
    "userAgent": "ec2-api-tools 1.6.12.2",
    "requestParameters": {
        "instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
        "force": false
    },
    "responseElements": {"instancesSet": {"items": [{
        "instanceId": "i-ebeaf9e2",
        "currentState": {
            "code": 64,
            "name": "stopping"
        },
        "previousState": {
            "code": 16,
            "name": "running"
        }
    }]}}
}]}
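A worked hunt over records of this shape, added here as an example (not code from the webcast or from AWS). It walks the first two steps of the Threat Hunting Loop: the hypothesis is "a principal we already know is calling the API from a source IP and user agent it has never used before", and the investigation is a baseline built from the records before the hunt window, checked against the records inside it. The sample records are constructed (Alice's office IP 203.0.113.10, an attacker IP 198.51.100.77 and a deploy role inside the VPC are assumed), only the fields the hunt needs are filled in, and the split between "baseline" and "hunt window" is an assumed date. Automation shows up the way slide 7 describes: a constant origin that never trips the check.

```python
"""Hypothesis-driven hunt over CloudTrail: known principal, new origin (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed identities, modelled on the userIdentity block of the slide's record.
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
         "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice"}
DEPLOY = {"type": "AssumedRole",
          "arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/ci",
          "accessKeyId": "EXAMPLE_TEMP_KEY"}


def _rec(t, ident, name, ip, ua):
    """Build a minimal CloudTrail record (constructed sample data)."""
    return {"eventVersion": "1.0", "eventTime": t, "userIdentity": ident,
            "eventSource": "ec2.amazonaws.com", "eventName": name,
            "awsRegion": "us-east-2", "sourceIPAddress": ip, "userAgent": ua}


SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2019-05-01T09:00:00Z", ALICE, "DescribeInstances", "203.0.113.10", "aws-cli/1.16.200"),
    _rec("2019-05-02T09:05:00Z", ALICE, "DescribeVolumes", "203.0.113.10", "aws-cli/1.16.200"),
    _rec("2019-05-03T10:00:00Z", DEPLOY, "RunInstances", "10.0.1.5", "aws-sdk-go/1.19.0"),
    _rec("2019-05-04T10:00:00Z", DEPLOY, "RunInstances", "10.0.1.5", "aws-sdk-go/1.19.0"),
    # Hunt window: same principals, but Alice's key now appears from a new IP and tool.
    _rec("2019-05-06T11:20:00Z", DEPLOY, "RunInstances", "10.0.1.5", "aws-sdk-go/1.19.0"),
    _rec("2019-05-06T11:28:00Z", ALICE, "DescribeInstances", "198.51.100.77", "ec2-api-tools 1.6.12.2"),
    _rec("2019-05-06T11:30:00Z", ALICE, "StopInstances", "198.51.100.77", "ec2-api-tools 1.6.12.2"),
    _rec("2019-05-06T14:00:00Z", ALICE, "DescribeInstances", "203.0.113.10", "aws-cli/1.16.200"),
]})

HUNT_START = datetime(2019, 5, 6, tzinfo=timezone.utc)  # assumed split: baseline before, hunt after
# API verbs that change state; a new-origin event doing one of these is ranked higher.
MUTATING = ("Create", "Delete", "Put", "Update", "Modify", "Attach", "Detach",
            "Run", "Stop", "Terminate", "Authorize", "Revoke", "Add", "Remove")


def parse_trail(raw):
    """Flatten CloudTrail records to the fields the hunt keys on, sorted by time."""
    events = []
    for r in json.loads(raw)["Records"]:
        ident = r.get("userIdentity", {})
        events.append({
            "time": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            # Key the baseline on the principal ARN, not the access key: every AssumeRole
            # issues a fresh temporary key, so per-key history for roles would always be empty.
            # (If session names vary, normalise the ARN down to the role name first.)
            "principal": ident.get("arn", ident.get("type", "unknown")),
            "key": ident.get("accessKeyId", ""),
            "ip": r.get("sourceIPAddress", ""),
            "ua": r.get("userAgent", ""),
            "event": r["eventName"],
            "error": r.get("errorCode"),
        })
    return sorted(events, key=lambda e: e["time"])


def build_baseline(events, hunt_start):
    """Origins (source IP, user agent) each principal used before the hunt window."""
    seen = defaultdict(set)
    for e in events:
        if e["time"] < hunt_start:
            seen[e["principal"]].add((e["ip"], e["ua"]))
    return seen


def hunt_new_origins(events, hunt_start):
    """Return hunt-window events whose origin is absent from the principal's baseline."""
    baseline = build_baseline(events, hunt_start)
    findings = []
    for e in events:
        if e["time"] < hunt_start or e["principal"] not in baseline:
            continue  # no history to compare: a separate "never-seen principal" hunt covers these
        if (e["ip"], e["ua"]) in baseline[e["principal"]]:
            continue
        severity = "high" if e["event"].startswith(MUTATING) else "medium"
        findings.append({**e, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hunt_new_origins(parse_trail(SAMPLE_TRAIL), HUNT_START):
        print(f["severity"], f["time"].isoformat(), f["principal"], f["event"], f["ip"], f["ua"])
```

The same loop over a real trail reads the gzipped JSON files CloudTrail delivers to S3 instead of SAMPLE_TRAIL; the two functions do not change. What the hunt learns (the deploy role is automation and never varies; Alice's key only ever came from one place) is the "uncover patterns" output that feeds the next hypothesis.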

Defining the three data domains
Network | Host | Application

Correlated together, the three domains:
• Reveal relationships
• Clarify the situation
• Highlight inconsistencies
• Tell a complete story
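Enrichment across domains, added here as an example for this slide and for "Hunting – Inform with Data" above (not code from the webcast or from AWS): a CloudTrail finding (a control-plane event) is enriched with network-domain evidence from Amazon VPC Flow Logs so the two tell one story. The flow-log lines are constructed in the default version 2 field order that AWS documents, the ENI-to-instance mapping is assumed (in practice it comes from ec2:DescribeNetworkInterfaces), and the finding's IP and time are assumed inputs taken from a hunt like the one on the previous slide. Lines whose log-status is NODATA or SKIPDATA carry no flow fields and are dropped, which is the edge case that breaks naive parsers.

```python
"""Enrich a CloudTrail finding with VPC Flow Log evidence (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed VPC Flow Log sample in the default (version 2) format. S3-delivered files
# start with this header line; the NODATA line has "-" in every flow field.
SAMPLE_FLOW_LOGS = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.5 51234 22 6 12 960 1557140000 1557140060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.5 51240 22 6 14 1120 1557140061 1557140120 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.5 51301 443 6 220 184000 1557140200 1557140260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.77 41000 443 6 400 5200000 1557140300 1557140400 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.5 33000 5432 6 30 4000 1557140100 1557140160 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1557140500 1557140560 - NODATA
"""
# Assumed mapping of network interface to instance (from ec2:DescribeNetworkInterfaces).
ENI_TO_INSTANCE = {"eni-0a1b2c3d": "i-ebeaf9e2"}

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_logs(text):
    """Parse version 2 flow-log lines; skip the header and records without flow data."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA: no addresses, ports or byte counts to use
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def enrich_finding(finding_ip, finding_time, flows, eni_map, window=timedelta(hours=1)):
    """Network-domain context for a control-plane finding: which instances the finding's
    IP touched around the event, what was refused, and how much data moved each way."""
    lo = (finding_time - window).timestamp()
    hi = (finding_time + window).timestamp()
    related = [f for f in flows
               if finding_ip in (f["srcaddr"], f["dstaddr"]) and lo <= f["start"] <= hi]
    return {
        "ip": finding_ip,
        "flows": len(related),
        "instances": sorted({eni_map.get(f["interface_id"], f["interface_id"]) for f in related}),
        "rejected_ports": dict(Counter(f["dstport"] for f in related
                                       if f["srcaddr"] == finding_ip and f["action"] == "REJECT")),
        "bytes_from_ip": sum(f["bytes"] for f in related
                             if f["srcaddr"] == finding_ip and f["action"] == "ACCEPT"),
        "bytes_to_ip": sum(f["bytes"] for f in related
                           if f["dstaddr"] == finding_ip and f["action"] == "ACCEPT"),
    }


# Assumed finding: StopInstances by Alice's key from 198.51.100.77 at 11:30 UTC.
FINDING_IP = "198.51.100.77"
FINDING_TIME = datetime(2019, 5, 6, 11, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    story = enrich_finding(FINDING_IP, FINDING_TIME, parse_flow_logs(SAMPLE_FLOW_LOGS), ENI_TO_INSTANCE)
    for k, v in story.items():
        print(f"{k}: {v}")
```

The result reads as a story rather than two unrelated alerts: the same external address that later stopped i-ebeaf9e2 through the API first probed its SSH port, got through on 443, and pulled several megabytes out of it. The internal 10.0.2.9 flow is correctly left out of the picture.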

The building blocks for a threat hunting program
Technology, People, Processes

Creating your threat hunting strategy
Where do I start? What should I look for? What’s my path to improve?
• Your strategy determines the quality of your results.
• Choose a strategy that supports your detection goals.
• Don’t underestimate the importance of good planning!

The Hunting Maturity Model
Source: Enterprise Detection & Response, “A Simple Hunting Maturity Model”, http://detect-respond.blogspot.com/2015/10/a-simple-hunting-maturity-model.html

Example strategy: Extract value from existing data

Advantages:
• Data is already being collected
• Someone is already familiar with its contents
• You may already have some idea of the key questions you want answered

Disadvantages:
• Your ability to ask questions may be limited by the available data
• External forces have more influence over your results
• Don’t confuse “easy” with “effective”

Hunting is a journey, not a destination

• There’s no single starting point that works for everyone.

• The Hunting Maturity Model is your map.

• Figure out where you already are on the road, then make a plan to get to the next level.

• There’s no rush! Feel free to get off the bus for a while and hop back on later.

• Each level is a victory! Celebrate your successes along the way.

Enabling threat hunting through security efficiency in AWS

Integrations that increase security efficiency
AWS security services (for example, Amazon Macie) forward their findings into AWS Security Hub; Security Hub in turn feeds Amazon CloudWatch.

How are AWS customers leveraging Sumo Logic?
• Create broad visibility across the AWS environment
• Increase analyst productivity
• Enhance threat detection through context

Optimize security configuration and detection

Pokémon creates SOC efficiencies
By leveraging a cloud-native Machine Data Analytics Service

Benefits:
• Saved hundreds of hours across the security team through automation
• Increased visibility aided cross-departmental alignment and problem solving
• Reduced time spent on compliance efforts

Pokémon further improves SOC efficiencies
By adopting Demisto’s SOAR Platform

Benefits:
• Provided scaling for the cloud environment
• Automated repetitive tasks, enabling SecOps analysts to focus on critical operations
• Active use cases include phishing enrichment and response, employee onboarding, and EC2 and account compromise

Diagram: IOCs → Demisto → Queue → Lambda Function → Bucket → Block on Palo Alto Networks Firewall (a second Lambda Function maintains the blacklist)

Why AWS Marketplace?
• Flexible consumption and contract models
• Quick and easy deployment
• Helpful humans to support you

How can you get started?
Find: a breadth of security solutions
Buy: through flexible pricing options: Free trial; Pay-as-you-go; Hourly | Monthly | Annual | Multi-Year; Bring Your Own License (BYOL); Seller Private Offers; Channel Partner Private Offers
Deploy: with multiple deployment options: SaaS; Amazon Machine Image (AMI); CloudFormation Template; Amazon Elastic Container Service (ECS)

Acknowledgments
Thanks to our sponsor:

To our special guests: Ross Warren and David Aiken

And to our attendees, thank you for joining us today!
