
TASK SHEET 2

Introduction and setup


Amazon EC2 (Elastic Compute Cloud) is a foundational service within Amazon Web
Services (AWS) that offers resizable compute capacity in the cloud. It enables users to
launch virtual servers, known as instances, to run applications and host websites. In
summary:
- EC2 provides scalable compute capacity on demand, allowing users to quickly scale up or down based on their needs without upfront investments in hardware.
- Users can choose from a variety of instance types with different compute, memory, and storage configurations to best suit their workloads.
- EC2 instances are deployed in multiple Availability Zones within AWS regions to ensure high availability and fault tolerance.
- The service offers flexible pricing models, including pay-as-you-go and reserved instances, allowing users to optimize costs based on usage patterns.
- Security features such as security groups, network ACLs, and IAM roles help users secure their instances and data.
- EC2 integrates seamlessly with other AWS services, enabling users to build comprehensive and scalable solutions leveraging the broader AWS ecosystem.
To set up and launch an EC2 instance, follow these steps:
- Step 1: Create an AWS account and sign in as the root user.
- Step 2: Search for EC2 in the AWS console, click "Launch instances", make the necessary changes (key pair, storage size, etc.), then click "Launch instance".
- Step 3: Once the instance is running it appears in the instances list. Select the instance and click "Connect"; a new Linux terminal window opens.
- Step 4: Type "sudo su -" to become the root user and "yum update -y" to update the system.
- Step 5: Type "yum install -y httpd".
- Step 6: Make a new directory for your HTML files or template, then extract the archive with the "unzip" command.
- Step 7: Move the files into the HTML document directory and use "ls -lrt" to check the contents.
- Step 8: Enable and start httpd with "systemctl enable httpd" and "systemctl start httpd"; check it with "systemctl status httpd".
- Step 9: Now that httpd is up and running, copy the instance's public IPv4 address and paste it into the browser address bar; the website you deployed on EC2 will appear.
ModSecurity implementation
ModSecurity is a widely used open-source web application firewall (WAF) module
designed to enhance the security of web applications by detecting and preventing
various types of attacks. Developed by Ivan Ristic, it functions as an Apache or Nginx
module, offering real-time monitoring, logging, and access control capabilities.

- Step 1: Install Ubuntu and configure your settings, then log in with your username and password.
- Step 2: Install Apache with these commands: sudo apt update ; sudo apt-get install apache2
- Step 3: Install ModSecurity with "sudo apt install libapache2-mod-security2 -y".
- Step 4: Go through the following commands:


CODE:
1. sudo a2enmod headers
2. sudo service apache2 restart
3. ls -alps /usr/share/modsecurity-crs //the core rules shipped with mod security//
4. sudo rm -rf /usr/share/modsecurity-crs //remove the packaged rules to add our own//
5. sudo apt install git //install git if not already installed//
6. sudo git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs //clone the rules repository from GitHub//
7. ls -alp /usr/share/modsecurity-crs/ //check the cloned rules directory//
8. sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
9. sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf //rename the recommended config so Apache loads it//

sudo nano /etc/apache2/sites-available/000-default.conf //bind the default site to your public IP//


<VirtualHost Your_Public_IPv4_Address:80>
    ServerAdmin webmaster@localhost
    ServerName Your_Public_IPv4_Address

    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

sudo tail -f /var/log/apache2/modsec_audit.log //see the traffic log//
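The command above tails the audit log in its serial format; as an added example (not part of the task sheet), the Python below parses that format into per-request records with the client IP, request line, response status and the CRS rule ids that matched, using a constructed log sample. The sample assumes SecRuleEngine has been set to On in modsecurity.conf; the shipped modsecurity.conf-recommended defaults to DetectionOnly, which logs matches without blocking.

```python
import re

# Constructed sample of ModSecurity's serial audit log: one blocked SQLi request, one clean request.
SAMPLE_AUDIT_LOG = """\
--3f2a1b4c-A--
[20/Feb/2024:10:15:32 +0000] ZdR1kABCDEFGHIJKLMNOPQ 203.0.113.7 51234 10.0.0.5 80
--3f2a1b4c-B--
GET /index.html?id=1%27%20OR%20%271%27=%271 HTTP/1.1
--3f2a1b4c-F--
HTTP/1.1 403 Forbidden
--3f2a1b4c-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&s' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--3f2a1b4c-Z--
--7c9d0e1f-A--
[20/Feb/2024:10:16:01 +0000] ZdR1mABCDEFGHIJKLMNOPQ 198.51.100.9 40022 10.0.0.5 80
--7c9d0e1f-B--
GET /index.html HTTP/1.1
--7c9d0e1f-F--
HTTP/1.1 200 OK
--7c9d0e1f-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")   # e.g. --3f2a1b4c-H--
TAG = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')       # [id "942100"] etc.

def parse_audit_log(text):
    """Split the serial log into transactions; per transaction keep the client IP (part A),
    request line (part B), response status (part F) and each 'Message:' rule hit (part H)."""
    txs, cur, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx_id, part = m.groups()
            if cur is None or cur["id"] != tx_id:
                cur = {"id": tx_id, "client_ip": None, "request": None, "status": None, "hits": []}
                txs.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        if part == "A" and cur["client_ip"] is None:
            cur["client_ip"] = line.split()[3]   # "[ts] uniq_id client_ip client_port server_ip server_port"
        elif part == "B" and cur["request"] is None:
            cur["request"] = line                # first line of part B is the request line
        elif part == "F" and cur["status"] is None:
            cur["status"] = int(line.split()[1]) # "HTTP/1.1 403 Forbidden"
        elif part == "H" and line.startswith("Message:"):
            cur["hits"].append(dict(TAG.findall(line)))
    return txs
```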


AWS Security Hub Setup

AWS Security Hub serves as a central hub for security-related information within your
AWS environment. It aggregates, prioritizes, and presents security findings from
multiple AWS services and third-party tools, providing you with a holistic view of
your security posture. Some key capabilities include:
1. Unified Security Findings: Security Hub consolidates security findings from
various AWS services like Amazon GuardDuty, Amazon Inspector, Amazon
Macie, and others, as well as supported third-party solutions. This aggregation
helps you gain insights into potential security issues across your AWS
accounts.
2. Prioritized Insights: It prioritizes security findings based on severity levels
and provides actionable insights into the most critical issues that require
immediate attention. This prioritization allows you to focus on addressing the
most significant security risks first.
3. Security Standards Compliance: Security Hub supports various security
standards and compliance frameworks, such as CIS AWS Foundations
Benchmark and AWS Foundational Security Best Practices. It continuously
evaluates your environment against these standards, helping you ensure
compliance and adherence to industry best practices.
4. Automated Remediation Actions: Security Hub allows you to automate
remediation actions through AWS Lambda functions or AWS Systems
Manager Automation documents. This enables you to respond swiftly to
security findings by automatically triggering predefined remediation steps or
custom workflows.
5. Custom Insights and Dashboards: You can create custom insights and
dashboards tailored to your specific security requirements. This flexibility
allows you to focus on metrics and indicators relevant to your organization's
security goals and objectives.
6. Integration with AWS Services: Security Hub integrates seamlessly with
other AWS services, such as AWS Identity and Access Management (IAM),
AWS Config, and AWS CloudTrail, enhancing visibility and control over your
security environment.
7. Continuous Monitoring and Insights: By continuously monitoring your
AWS environment for security issues and compliance deviations, Security Hub
helps you stay proactive in identifying and addressing potential threats and
vulnerabilities.
Overall, AWS Security Hub simplifies security operations by providing a centralized
platform for monitoring, prioritizing, and managing security findings across your
AWS accounts and workloads. It empowers organizations to strengthen their security
posture and maintain compliance with industry standards effectively.
AWS CloudTrail Configuration
AWS CloudTrail is a service provided by Amazon Web Services (AWS) that allows
users to monitor and record API activity within their AWS accounts. It tracks actions
performed by users, services, and resources within the AWS environment, providing a
detailed history of events such as calls made to AWS APIs, changes to AWS resources,
and user logins.
CloudTrail captures information such as the identity of the entity making the API call,
the time of the call, the source IP address, and the actions performed. This data is
recorded as event logs, which are stored securely in an Amazon S3 bucket or streamed
to Amazon CloudWatch Logs for real-time monitoring and analysis.
- Step 1: Search for AWS CloudTrail in the AWS console and click "Create a trail".
- Step 2: Edit the settings to your needs, i.e., trail name, trail log bucket, etc.
- Step 3: Choose your log event types, including management events, then move to Review and create by clicking Next.
- Step 4: Click "Create trail".


Incident Response Simulation

Scenario: Unauthorized Access to Sensitive Data in AWS CloudTrail


Description: In this scenario, we will simulate an unauthorized access incident
where a malicious actor gains access to sensitive data stored in an AWS S3
bucket. The incident will be detected and investigated using AWS CloudTrail
logs.

1. Environment Setup:
   - Create an AWS account and set up an S3 bucket to store sensitive data.
   - Enable AWS CloudTrail to monitor and log all API activity within your AWS environment.
2. Simulated Attack:
   - The attacker gains unauthorized access to AWS credentials through a phishing email targeting an employee with administrative privileges.
   - Using the compromised credentials, the attacker gains access to the AWS Management Console.
   - The attacker then proceeds to access the S3 bucket containing sensitive data.
3. Detection:
   - AWS CloudTrail captures all API calls made within the AWS environment, including authentication and access to S3 buckets.
   - Anomalies in CloudTrail logs, such as unusual API calls or access patterns, trigger alerts in a monitoring system like Amazon CloudWatch or AWS Security Hub.
4. Investigation:
   - Security analysts receive alerts indicating unauthorized access to the S3 bucket.
   - They immediately access the CloudTrail logs to investigate the incident.
   - Analysts identify the suspicious API calls associated with the unauthorized access, including the source IP address and user identity.
5. Response:
   - The compromised credentials are revoked to prevent further unauthorized access.
   - Security policies and access controls are reviewed and strengthened to prevent similar incidents in the future.
   - Any data potentially accessed or compromised during the incident is assessed for impact, and affected parties are notified as necessary.
6. Remediation:
   - Implement multi-factor authentication (MFA) for all users accessing the AWS Management Console to prevent unauthorized access.
   - Regularly review and rotate AWS credentials to mitigate the risk of credential theft.
   - Utilize AWS IAM policies to enforce least privilege access, ensuring that users only have access to the resources necessary for their roles.
7. Post-Incident Analysis:
   - Conduct a thorough post-incident analysis to understand how the incident occurred and identify areas for improvement in security controls and incident response procedures.
   - Update incident response playbooks based on lessons learned from the incident to improve the organization's ability to detect, respond to, and recover from similar incidents in the future.

- Step 1: Set up an S3 bucket and apply all the necessary configuration.
- Step 2: Upload a sensitive file into the S3 bucket.
- Step 3: Enable CloudTrail for this bucket.
- Step 4: CloudTrail now captures the events on the chosen S3 bucket.
- Step 5: Here you can check whether your details have been accessed or compromised.
- Step 6: You can further protect your files by enabling multi-factor authentication or changing your credentials in the IAM dashboard.
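As an added example (not part of the task sheet), the Python below runs the Detection and Investigation steps above over constructed CloudTrail records: it flags a console login that succeeded without MFA and object access to the sensitive bucket from an address outside a trusted network, returning the user identity and source IP for each finding. The bucket name, trusted address range and user names are constructed.

```python
import ipaddress
import json

# Constructed CloudTrail records, trimmed to the fields used below; a real CloudTrail
# log file is a JSON object whose "Records" array holds events shaped like these.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-02-20T09:58:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "admin-jdoe"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-02-20T10:02:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "admin-jdoe"},
     "requestParameters": {"bucketName": "example-sensitive-data", "key": "payroll/2024.csv"}},
    {"eventTime": "2024-02-20T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "IAMUser", "userName": "analyst-asmith"},
     "requestParameters": {"bucketName": "example-sensitive-data", "key": "reports/q1.pdf"}},
]})

SENSITIVE_BUCKETS = {"example-sensitive-data"}              # constructed bucket name
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]   # constructed office range
OBJECT_EVENTS = {"GetObject", "PutObject", "DeleteObject"}  # S3 object-level data events

def is_trusted_source(ip):
    """True if the event's source address falls inside a known network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:      # CloudTrail may record a service name instead of an IP
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious_events(trail_json):
    """Return (eventTime, user, sourceIP, reason) for console logins without MFA and
    for object access on a sensitive bucket from outside the trusted networks."""
    findings = []
    for ev in json.loads(trail_json)["Records"]:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")
        ip, name = ev.get("sourceIPAddress", ""), ev.get("eventName")
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append((ev["eventTime"], who, ip, "console login without MFA"))
        elif ev.get("eventSource") == "s3.amazonaws.com" and name in OBJECT_EVENTS:
            bucket = ev.get("requestParameters", {}).get("bucketName")
            if bucket in SENSITIVE_BUCKETS and not is_trusted_source(ip):
                findings.append((ev["eventTime"], who, ip, f"{name} on {bucket} from untrusted address"))
    return findings
```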
Finalize and Present Findings
ModSecurity, Suricata, AWS Security Hub, and AWS CloudTrail are all tools used for
monitoring and enhancing security in different environments. All of them are applied to
web applications to improve their security, preventing unauthorized access to data by
attackers.

- ModSecurity:
ModSecurity is an open-source web application firewall (WAF) designed to
detect and prevent web-based attacks. It analyzes HTTP traffic and applies
rules to identify and block malicious requests or payloads. Key findings
include the detection of suspicious HTTP requests, SQL injection attempts,
cross-site scripting (XSS) attacks, and other web application vulnerabilities.
ModSecurity provides detailed logs and alerts, allowing administrators to
monitor and respond to security incidents in real-time.

- Suricata:
Suricata is an open-source intrusion detection system (IDS) and intrusion
prevention system (IPS) capable of analyzing network traffic at high speeds. It
inspects packets and applies rulesets to detect and block malicious activity on
the network. Findings from Suricata include the detection of network-based
attacks such as port scans, denial-of-service (DoS) attacks, malware command-
and-control traffic, and suspicious network behavior. Suricata generates alerts
and logs, providing visibility into network threats and enabling rapid response
to security incidents.

- AWS Security Hub:
AWS Security Hub is a security service that provides a comprehensive view of
an organization's security posture across AWS accounts and resources. It
aggregates findings from various AWS security services, including Amazon
GuardDuty, Amazon Inspector, and AWS Config. Key findings from AWS
Security Hub include the identification of security vulnerabilities,
misconfigurations, suspicious activity, and compliance violations across AWS
environments. Security Hub correlates and prioritizes findings, allowing
organizations to focus on the most critical security issues and streamline
remediation efforts.

- AWS CloudTrail:
AWS CloudTrail is a service that records and logs API activity within AWS
environments, including identity and access management (IAM) actions,
resource changes, and AWS service activity. CloudTrail provides a
comprehensive audit trail of user and resource activity, helping organizations
maintain visibility and accountability. Findings from CloudTrail include
unauthorized access attempts, changes to AWS configurations, and API calls
related to security-sensitive operations. CloudTrail logs can be used for
security analysis, compliance auditing, and incident response, enabling
organizations to detect and investigate security incidents in AWS environments
effectively.

In summary, ModSecurity and Suricata focus on detecting and preventing web-based
and network-based attacks, respectively, while AWS Security Hub and AWS
CloudTrail provide centralized monitoring and analysis of security findings and
activity within AWS environments. Together, these tools offer comprehensive security
capabilities to help organizations protect against a wide range of threats and maintain
a secure posture in today's dynamic threat landscape.
Suricata implementation:
Steps to install Suricata:
- Step 1: sudo apt-get install software-properties-common
  sudo add-apt-repository ppa:oisf/suricata-stable
  sudo apt-get update
- Step 2: sudo apt-get install suricata
- Step 3: Run Suricata:
  service suricata start
  service suricata status
  service suricata stop
- Step 4: Configure Suricata:
  ls -al /etc/suricata
  sudo vim /etc/suricata/suricata.yaml

- Step 5: Run "ip a s" to find the capture interface and its subnet (here: interface eth0, subnet 192.168.113.43/20). In suricata.yaml, set HOME_NET under the vars section to that subnet, then search for af-packet, pcap and community-id and set the interface (eth0) in the af-packet and pcap sections. Then update the rules:
  sudo suricata-update
  ls -al /var/lib/suricata/rules //list the rules directory//
  sudo suricata-update list-sources //list the available rule set sources//
  sudo suricata-update enable-source malsilo/win-malware //enable the rule set//
  sudo suricata -T -c /etc/suricata/suricata.yaml -v //run Suricata in test mode//
- Step 6: Create /var/lib/suricata/rules/local.rules containing the following rule:
  alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)

- Step 7: Go back to the suricata.yaml file: sudo vim /etc/suricata/suricata.yaml
  Search for: rule-files
  Add: /var/lib/suricata/rules/local.rules



- Test the configuration to see if there is any issue in it:
  sudo suricata -T -c /etc/suricata/suricata.yaml -v
  service suricata start
  ls -al /var/log/suricata/
  Note: fast.log contains the intrusion alerts in the standard one-line format.

  curl http://testmynids.org/uid/index.html //fetch a test page whose response mimics the output of "id" run as root, which triggers a test alert//

CHECK: sudo cat /var/log/suricata/fast.log
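As an added example (not part of the task sheet), the Python below parses fast.log lines in the standard format noted above into timestamp, rule id, message, priority, protocol and source/destination addresses, and summarizes alerts per rule so the ICMP Ping rule from Step 6 and the alert raised by the testmynids.org request can be counted. The log lines are constructed.

```python
import re
from collections import Counter

# Constructed fast.log lines in Suricata's one-line alert format: two hits on the local
# ICMP rule from Step 6 and one Emerging Threats alert of the kind testmynids.org triggers.
SAMPLE_FAST_LOG = """\
02/20/2024-10:21:33.118402  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.113.1:8 -> 192.168.113.43:0
02/20/2024-10:21:34.120117  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.113.1:8 -> 192.168.113.43:0
02/20/2024-10:25:02.654321  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.113.43:44722
this line is not an alert and is skipped by the parser
"""

FAST_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def _split_addr(addr):
    """'192.168.113.43:44722' -> ('192.168.113.43', 44722); for ICMP the
    'port' fields carry the ICMP type and code instead."""
    ip, port = addr.rsplit(":", 1)
    return ip, int(port)

def parse_fast_log(text):
    alerts = []
    for line in text.splitlines():
        m = FAST_LINE.match(line)
        if not m:          # fast.log may contain partial or non-alert lines
            continue
        a = m.groupdict()
        a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
        a["src_ip"], a["src_port"] = _split_addr(a.pop("src"))
        a["dst_ip"], a["dst_port"] = _split_addr(a.pop("dst"))
        alerts.append(a)
    return alerts

def count_by_rule(alerts):
    """Counter keyed by (sid, msg) so noisy rules stand out for tuning."""
    return Counter((a["sid"], a["msg"]) for a in alerts)

def high_priority(alerts, max_prio=2):
    """Alerts at priority 1 or 2 (in Suricata a lower number is more severe)."""
    return [a for a in alerts if a["prio"] <= max_prio]
```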
