AWS Loft – RedLock Lab session
Abstract submitted
Become a Cloud Security Ninja
In order to confidently scale your AWS deployments, continuous security must be built into your
continuous integration and continuous delivery architecture. Participate in a series of interactive
capture the flag challenges to get hands-on experience with DevSecOps. We’ll teach you how to
think like a security ninja, highlight common mistakes that can have catastrophic consequences,
and provide tips to avoid them. More specifically, learn how to:
- Establish security guardrails in the DevOps process
- Detect and remediate risky configurations
- Identify vulnerable hosts
- Detect and respond to malicious activities
- Rapidly investigate incidents
We provide the infrastructure necessary for the lab - simply show up with your laptop. Get ready
to have some fun and win some exciting prizes!
Lab workflow
Suggested agenda/flow
30 minutes “welcome/intro”
● Welcome
● Presentation of agenda and topics that’ll be covered during the lab session.
● Explain flow and rules for the capture the flag challenge.
● Distribute Capture the Flag answer cards to everyone
● Ask everyone to fill out name and contact details to participate in the challenge.
● Ask everyone to separate the answer card into 4 individual cards (one for each capture
the flag challenge)
● Ensure everyone is connected to Wi-Fi.
● Ensure everyone can log into the RedLock admin and AWS admin consoles.
● RedLock Console overview / walkthrough / demo (Dashboard, Secure/Report,
Investigate and Alerts)
Start Capture the flag challenges:
● Present the challenge on the central monitor
● Start the timer (10 minutes)
● Collect capture the flag answers from the participants
● Lecture: Explain the importance of the use case covered in the challenge, and demo
how to find the answers for the capture the flag challenge.
● Continue to next challenge.
Capture the flag challenge #1 (20 minutes)
Topic: Config & compliance checks and reporting
Challenge: Your security and compliance team reviewed the last compliance report, and wants
to leverage the RedLock console to find answers for the following:
Question #1:
Question: How many S3 buckets have been accessible anonymously from the internet within the
last month?
Answer: Alerts -> Last Month -> find the number of “S3 buckets are accessible to public” alerts
Question #2
How many documents are accessible from the internet within the “XX” S3 bucket?
Answer:
Option #1: Alerts -> “S3 buckets are accessible to public” -> Click the “AWS console link”
associated with the “XX” S3 bucket alert to connect to the AWS admin console -> count the
number of documents in the bucket.
Option #2: Open AWS admin console, find the “XX” S3 bucket, and count the number of files in
the bucket.
Question #3:
Question: The compliance report indicates that RDS snapshots are accessible to the public for the
“XX” resource in your environment. What’s the AWS CLI command that can be executed to
remediate this security risk?
Answer A: aws rds --region us-west-1 modify-db-snapshot-attribute --db-snapshot-identifier new-snapshot-public --attribute-name restore --values-to-remove "all"
Answer B: aws rds --region us-east-1 modify-db-snapshot-attribute --db-snapshot-identifier new-snapshot-public --attribute-name restore --values-to-remove "all"
Answer C: aws rds --region eu-west-1 modify-db-snapshot-attribute --db-snapshot-identifier new-snapshot-public --attribute-name restore --values-to-remove "all"
Answer: Alerts -> Last 3 months -> RDS Snapshots are accessible to public -> resolve button
Question #4:
Find the RDS snapshot accessible to the internet and provide the unique identifier (ARN)
associated with the instance?
Answer A: arn:aws:rds:eu-west-1:274307705868:snapshot:test-ss
Answer B: arn:aws:rds:eu-east-1:274307705868:snapshot:test-ss
Answer C: arn:aws:rds:eu-west-1:43207705868:snapshot:test-ss
Answer D: arn:aws:rds:eu-east-1:432007705868:snapshot:test-ss
Answer: Alerts -> “RDS snapshots are accessible to public” -> Find and click the “XX” resource
in the RedLock admin console.
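Questions #3 and #4 hinge on two checks a responder makes before running the remediation: is the snapshot really shared with “all” (public), and which region does the ARN point at, since the answer options differ only in the region flag. The following Python is an added example, not part of the lab document or the AWS CLI; it parses a constructed response in the shape of `aws rds describe-db-snapshot-attributes`, decides whether the snapshot is publicly restorable, and builds the region-correct remediation command from the snapshot ARN. The account id and snapshot name in the sample are placeholders.

```python
"""Decide whether an RDS snapshot is publicly restorable and build the
remediation command for its region.

Added example, not part of the RedLock lab or the AWS CLI. The JSON below is a
constructed sample in the shape returned by
`aws rds describe-db-snapshot-attributes`; the account id is a placeholder.
"""
import json
from typing import List, Optional, Tuple

# Constructed: a snapshot whose 'restore' attribute contains "all", meaning any
# AWS account can copy or restore it.
SAMPLE_PUBLIC = json.dumps({
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "new-snapshot-public",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["all", "111122223333"]}
        ],
    }
})

# Constructed: the same snapshot shared only with one specific account.
SAMPLE_SHARED = json.dumps({
    "DBSnapshotAttributesResult": {
        "DBSnapshotIdentifier": "new-snapshot-public",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["111122223333"]}
        ],
    }
})


def restore_values(describe_output: str) -> List[str]:
    """Return the account ids (or "all") allowed to restore the snapshot."""
    data = json.loads(describe_output)
    for attr in data["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]:
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public(describe_output: str) -> bool:
    """A snapshot is public exactly when "all" appears in its restore list."""
    return "all" in restore_values(describe_output)


def parse_snapshot_arn(arn: str) -> Tuple[str, str]:
    """Split arn:<partition>:rds:<region>:<account>:snapshot:<id> into (region, id)."""
    parts = arn.split(":")
    if len(parts) != 7 or parts[0] != "arn" or parts[2] != "rds" or parts[5] != "snapshot":
        raise ValueError(f"not an RDS snapshot ARN: {arn}")
    return parts[3], parts[6]


def remediation_command(arn: str) -> str:
    """Build the CLI call that removes public restore access, in the ARN's region."""
    region, snapshot_id = parse_snapshot_arn(arn)
    return (f"aws rds --region {region} modify-db-snapshot-attribute "
            f"--db-snapshot-identifier {snapshot_id} "
            f"--attribute-name restore --values-to-remove all")


def plan_remediation(arn: str, describe_output: str) -> Optional[str]:
    """Return the command to run if the snapshot is public, else None."""
    if not is_public(describe_output):
        return None
    return remediation_command(arn)


if __name__ == "__main__":
    # Placeholder account id; the snapshot name matches the lab's answer options.
    arn = "arn:aws:rds:eu-west-1:123456789012:snapshot:new-snapshot-public"
    print(plan_remediation(arn, SAMPLE_PUBLIC))
```

Removing “all” stops further cross-account restores but does not recall copies already taken while the snapshot was public, so the contents should be treated as potentially disclosed and the exposure window taken from the alert timeline.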
Question #5:
Question: The security team has noticed that a number of AWS Security Groups allow internet
traffic, including the “default” Security Group. Security wants to understand the number of
workloads that have accepted TCP traffic through the “default” security group within the last 2
weeks.
Answer: Alerts -> Security Groups Allow Internet Traffic -> hover over the “default” SG ->
investigate button -> set time range to the last 2 weeks -> Count the number of workloads.
Collect answers
Collect all answer cards for challenge #1. RedLock will calculate the score for each attendee.
Lecture for challenge #1: Explain the above use cases and why each of them is important.
Demonstrate how to find the answer for each of the above questions. Remember to
demonstrate how to leverage the AWS console link associated with RedLock alerts for easy
launch/access to AWS console.
Capture the flag challenge #2 (20 minutes)
Topic: Privileged activity monitoring & user behavior analytics
Your security team has detected some suspicious user activities for <user_x>, and needs
answers for the following questions:
Question #1:
Question: How many unusual user activities have been detected for <user_x> in October?
Answer: Alerts -> Unusual user activity -> set time range to October -> find <user_x> -> click
investigate -> select October -> count the number of suspicious activities.
Question #2:
Question: Why was the user activity for <user_x> identified as suspicious?
Answer A: The user logged in from an unusual machine and unusual browser
Answer B: The user logged in from an unusual location and performed unusual activities.
Answer: B
Question #3:
Analyze login behavior within your environment to identify and count the number of users whose
credentials may have been compromised due to “impossible time travel” (account compromise)
scenarios in October.
Answer: Alerts -> set time range to October -> Account Hi-jack attempts -> analyze the alerts
and count the number of alerts related to “impossible time travel”
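The “impossible time travel” alert behind question #3 rests on a simple test: two sign-ins by the same account whose GeoIP locations are farther apart than anyone could travel in the time between them. RedLock’s own detection logic is not published in the lab document, so the Python below is an added, illustrative reimplementation rather than the product’s code; the login records, coordinates, 900 km/h speed ceiling and 100 km jitter floor are constructed assumptions.

```python
"""Flag 'impossible time travel' sign-ins: consecutive logins by one user whose
GeoIP locations are farther apart than could be covered in the elapsed time.

Added example; RedLock's account-hijack logic is not published in the lab, so
this is an illustrative reimplementation. Records and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List, NamedTuple, Set

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0     # assumption: ignore GeoIP jitter inside one metro area


@dataclass(frozen=True)
class Login:
    user: str
    time: datetime
    lat: float
    lon: float
    city: str


class Finding(NamedTuple):
    user: str
    earlier: Login
    later: Login
    distance_km: float
    hours: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins: Iterable[Login], max_kmh: float = MAX_PLAUSIBLE_KMH,
                      min_km: float = MIN_DISTANCE_KM) -> List[Finding]:
    """Return every consecutive login pair per user that implies an implausible speed."""
    by_user: Dict[str, List[Login]] = {}
    for login in sorted(logins, key=lambda l: l.time):
        by_user.setdefault(login.user, []).append(login)
    findings: List[Finding] = []
    for user, seq in by_user.items():
        for a, b in zip(seq, seq[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_km:          # same city, GeoIP noise: not a travel event
                continue
            hours = (b.time - a.time).total_seconds() / 3600.0
            # Two distant logins in the same second are the clearest case; also
            # avoids dividing by zero.
            if hours == 0 or km / hours > max_kmh:
                findings.append(Finding(user, a, b, km, hours))
    return findings


def compromised_users(logins: Iterable[Login]) -> Set[str]:
    """Distinct accounts with at least one impossible-travel finding (the lab's count)."""
    return {f.user for f in impossible_travel(logins)}


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed October sign-ins: alice is flagged (San Francisco to Frankfurt in
# two hours), bob drives Seattle to Portland in four hours, carol moves a few
# kilometres inside London within a minute (GeoIP jitter).
SAMPLE_LOGINS = [
    Login("alice", _t("2018-10-03T09:00:00"), 37.7749, -122.4194, "San Francisco"),
    Login("alice", _t("2018-10-03T11:00:00"), 50.1109, 8.6821, "Frankfurt"),
    Login("bob", _t("2018-10-03T08:00:00"), 47.6062, -122.3321, "Seattle"),
    Login("bob", _t("2018-10-03T12:00:00"), 45.5152, -122.6784, "Portland"),
    Login("carol", _t("2018-10-04T10:00:00"), 51.5074, -0.1278, "London"),
    Login("carol", _t("2018-10-04T10:01:00"), 51.5155, -0.0922, "London"),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print(f"{f.user}: {f.earlier.city} -> {f.later.city}, "
              f"{f.distance_km:.0f} km in {f.hours:.1f} h")
```

The jitter floor matters in practice: GeoIP databases place the same address in slightly different coordinates over time, and without a minimum distance a user sitting still would generate findings.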
Question #4:
Unusual privileged user activities have been detected within your environment. Leverage the
RedLock console to find the number of 'DeleteAccessKey', 'DeleteBucket' and 'DeleteCertificate'
actions performed by user “X” within your environment in October.
Answer: Investigate -> select October -> event where operation IN ( 'DeleteAccessKey', 'DeleteBucket', 'DeleteCertificate' ) and user = 'X'
Collect answers
Collect all answer cards for challenge #2. RedLock will calculate the score for each attendee.
Lecture for challenge #2: Explain the above use cases and why each of them is important.
Demonstrate how to find the answer for each of the above questions.
Capture the flag challenge #3 (20 minutes)
Topic: Network Intrusion Detection monitoring and alerting
Your DevOps team provisioned a number of new database servers, and accidentally exposed
them to the internet.
Question #1:
Question: How many DB and RDS servers have received inbound traffic from the internet within
the last 72 hours?
Answer: Investigate -> last 3 days -> run the below query and count the result set
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource in ( resource where role IN ( 'AWS RDS' , 'Database' ))
Question #2:
Question: Which security group allowed the “X” DB workload to receive traffic directly from the
internet within the last 72 hours?
Answer A: Security Group A
Answer B: Security Group B
Answer C: Security Group C
Answer: Investigate -> last 3 days -> run the below query -> click the “X” DB workload ->
analyze its security groups and determine which security group allowed internet traffic:
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource in ( resource where role IN ( 'AWS RDS' , 'Database' ))
Question #3:
Question: How many DB workloads have exchanged more than 10,000 bytes within the last 72
hours?
Answer: Investigate -> last 3 days -> run the below query
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource in ( resource where role IN ( 'AWS RDS' , 'Database' )) and bytes > 10000
Question #4:
Question: How many egress attempts from an EC2 instance (instance X) were made to an external
server on port 25, potentially indicating that the EC2 instance was compromised and used as a
spam bot?
Answer: Investigate -> last 2 weeks -> run the following query -> click the outbound connection
link from suspicious IPs to your email server -> Click “View Details” on the right -> count the
number of outbound attempts.
network where source.resource IN ( resource where tag ( 'name' ) = 'X') and dest.port = 25
Collect answers
Collect all answer cards for challenge #3. RedLock will calculate the score for each attendee.
Lecture for challenge #3: Explain the above use cases and why each of them is important.
Demonstrate how to find the answer for each of the above questions.
Capture the flag challenge #4 (20 minutes)
Topic: Forensics Investigations and incident response
Your AWS team has noticed changes and suspicious activities in core AWS configuration
settings, and is looking for answers to the following questions:
Question #1
Question: How many new Security Groups were created in the environment within the last
month?
Answer: Investigate -> last month -> count the results from the following query
event where operation IN ('CreateSecurityGroup')
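Both this question and question #4 of challenge #2 are the same operation: filter management events by operation name, time window and (optionally) the acting principal, then count. The underlying records are CloudTrail events, so the Python below is an added example (not RedLock’s query engine) that runs the two lab queries over constructed CloudTrail-style JSON. The field names (eventTime, eventName, eventSource, userIdentity) are CloudTrail’s; the users, account id, IPs and timestamps are made up.

```python
"""Count CloudTrail management events by operation, principal and time window,
as the lab's `event where operation IN (...) and user = 'X'` queries do.

Added example, not RedLock's query engine. Records are constructed in
CloudTrail's JSON shape; names, ids and addresses are made up.
"""
import json
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-10-02T14:03:11Z", "eventName": "DeleteAccessKey",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "userX"}},
    {"eventTime": "2018-10-05T09:12:40Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "userX"}},
    {"eventTime": "2018-10-06T16:45:02Z", "eventName": "DeleteCertificate",
     "eventSource": "acm.amazonaws.com", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "userY"}},
    # Same user, same operation, but in September: outside the window.
    {"eventTime": "2018-09-28T11:00:00Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "userX"}},
    {"eventTime": "2018-10-11T08:30:15Z", "eventName": "CreateSecurityGroup",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "userName": "deployer"}},
    # Assumed-role sessions carry no userName, only the session ARN.
    {"eventTime": "2018-10-19T22:10:51Z", "eventName": "CreateSecurityGroup",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.0.0.6",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/i-0abc123"}},
    {"eventTime": "2018-10-20T07:00:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "userX"}},
]})

Window = Tuple[datetime, datetime]
OCTOBER: Window = (datetime(2018, 10, 1, tzinfo=timezone.utc),
                   datetime(2018, 11, 1, tzinfo=timezone.utc))
PRIVILEGED_DELETES = ("DeleteAccessKey", "DeleteBucket", "DeleteCertificate")


def parse_event_time(value: str) -> datetime:
    """CloudTrail timestamps are UTC in the form 2018-10-02T14:03:11Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal(record: dict) -> str:
    """IAM users carry userName; assumed-role sessions only an ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def load_records(trail_json: str) -> List[dict]:
    return json.loads(trail_json)["Records"]


def filter_events(records: Iterable[dict], operations: Iterable[str],
                  window: Window, user: Optional[str] = None) -> List[dict]:
    """Events whose eventName is in `operations`, inside [start, end), by `user` if given."""
    start, end = window
    ops = set(operations)
    hits = []
    for r in records:
        if r.get("eventName") not in ops:
            continue
        when = parse_event_time(r["eventTime"])
        if not (start <= when < end):
            continue
        if user is not None and principal(r) != user:
            continue
        hits.append(r)
    return hits


def count_privileged_deletes(trail_json: str, user: str, window: Window = OCTOBER) -> int:
    """Challenge #2 Q4: destructive IAM/S3/ACM operations by one user in the window."""
    return len(filter_events(load_records(trail_json), PRIVILEGED_DELETES, window, user))


def count_created_security_groups(trail_json: str, window: Window = OCTOBER) -> int:
    """Challenge #4 Q1: security groups created in the window, by any principal."""
    return len(filter_events(load_records(trail_json), ("CreateSecurityGroup",), window))


if __name__ == "__main__":
    print(count_privileged_deletes(SAMPLE_TRAIL, "userX"))
    print(count_created_security_groups(SAMPLE_TRAIL))
```

The `principal` helper is the detail that trips up hand-written counts: a `user = 'X'` clause matches IAM users by name, but activity performed through an assumed role shows up under the session ARN and is invisible to a name-only filter.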
Question #2:
Question: How many workloads received traffic through the “default” Security Group within the
last month?
Answer:
Option #1: Investigate -> last month -> count the results from the following query
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource IN ( resource where securitygroup.name IN ( 'default' ))
Option #2: Alerts -> Security Groups Allow Internet Traffic -> Investigate button for the “default” SG alert.
Question #3:
Question: Have any AWS instances with the tag “Environment” = “Production” received traffic
from suspicious IP addresses within the last week?
Answer: Investigate -> last week -> run the following query
network where source.publicnetwork IN ( 'Suspicious IPs' ) and dest.resource IN ( resource where tag ( 'Environment' ) = 'Production' ) and bytes > 0
Question #4:
Your security team has received reports that some of your Database and Web Servers have
been compromised due to known host vulnerabilities, and needs your help with the following:
Question: How many workloads have reported a known host vulnerability within the last 7 days?
Answer:
Option #1: Investigate -> last 7 days -> run the following query:
network where dest.resource IN ( resource where alert.type IN ( 'cve' ))
Option #2: Investigate -> run network where source.ip = 0.0.0.0 and bytes > 0, then manually count the
number of workloads marked with “exclamation marks”
Question #5:
The security team has been notified that an EC2 instance (<host_x>) is receiving traffic
from the internet AND also has known vulnerabilities, and needs your help to analyze which type of
communication has been accepted by <host_x> within the last 2 weeks.
Answer: Investigate -> last 2 weeks -> run the following query
network where dest.resource IN ( resource where tag ( 'Name') = '<host_x>' ) and source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and bytes > 0
Answer A: SSH and Web
Answer B: SSH
Answer C: SSH, Web and FP
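The network queries in challenges #3 and #4 are all one shape: a flow record filtered by the source’s public-network class (internet, suspicious, private), by properties of the destination resource (role, security group, tag), by destination port and by a byte threshold. The Python below is an added example, not RedLock’s query engine or data, that implements those clauses over a constructed resource inventory, flow list and suspicious-IP list and answers each of the lab’s questions from them; it uses the `Name` tag key (as challenge #4 question #5 does) for the egress query, and treats only RFC 1918 space as private, which is an assumption.

```python
"""Evaluate the lab's `network where ...` queries over constructed flow records.

Added example, not RedLock's query engine or data. The inventory, flows and
'suspicious IP' list are constructed; the filters mirror the RQL clauses used
in challenges #3 and #4 (source.publicnetwork, dest.resource role,
securitygroup.name, tag('Name'), dest.port, bytes).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumption: only RFC 1918 space is private. ipaddress.is_private would also
# classify the RFC 5737 documentation ranges used in the sample as private.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
SUSPICIOUS_IPS = {"203.0.113.66"}           # constructed threat-intel list
PUBLIC = {"Internet IPs", "Suspicious IPs"}


@dataclass
class Resource:
    id: str
    role: str                 # e.g. 'Database', 'AWS RDS', 'Web Server'
    security_groups: Set[str]
    tags: Dict[str, str]


@dataclass
class Flow:
    src: str        # source IP, or a resource id for egress flows
    dest: str       # destination resource id, or an IP for egress flows
    dest_port: int
    bytes: int


INVENTORY: Dict[str, Resource] = {r.id: r for r in [
    Resource("i-db01", "Database", {"default", "db-sg"}, {"Name": "db01", "Environment": "Production"}),
    Resource("rds-orders", "AWS RDS", {"rds-sg"}, {"Name": "orders"}),
    Resource("i-web01", "Web Server", {"web-sg"}, {"Name": "web01", "Environment": "Production"}),
    Resource("i-app01", "Application", {"app-sg"}, {"Name": "app01", "Environment": "Staging"}),
]}

FLOWS: List[Flow] = [
    Flow("203.0.113.66", "i-db01", 3306, 20480),     # suspicious IP -> database, >10 KB
    Flow("198.51.100.10", "rds-orders", 5432, 512),  # internet -> RDS, small
    Flow("10.0.1.25", "i-db01", 3306, 90000),        # internal app tier -> database
    Flow("198.51.100.44", "i-web01", 443, 4096),     # internet -> production web
    Flow("203.0.113.66", "i-app01", 22, 128),        # suspicious IP -> staging host
    Flow("i-web01", "198.51.100.200", 25, 300),      # web host egress, SMTP
    Flow("i-web01", "198.51.100.201", 25, 300),      # web host egress, SMTP
    Flow("i-web01", "198.51.100.202", 443, 300),     # web host egress, HTTPS
]


def public_network(ip: str) -> str:
    """Classify a source address as the lab's source.publicnetwork values do."""
    if ip in SUSPICIOUS_IPS:
        return "Suspicious IPs"
    try:
        addr = ip_address(ip)
    except ValueError:
        return "Unknown"
    return "Private IPs" if any(addr in net for net in RFC1918) else "Internet IPs"


def query(flows: Iterable[Flow], *, src_networks: Optional[Set[str]] = None,
          dest_roles: Optional[Set[str]] = None, dest_sg: Optional[str] = None,
          dest_tag: Optional[Tuple[str, str]] = None, src_name: Optional[str] = None,
          dest_port: Optional[int] = None, min_bytes: Optional[int] = None) -> List[Flow]:
    """Apply the given RQL-style clauses; every clause supplied must match."""
    hits = []
    for f in flows:
        src_res, dest_res = INVENTORY.get(f.src), INVENTORY.get(f.dest)
        if src_networks is not None and (src_res is not None or public_network(f.src) not in src_networks):
            continue
        if dest_roles is not None and (dest_res is None or dest_res.role not in dest_roles):
            continue
        if dest_sg is not None and (dest_res is None or dest_sg not in dest_res.security_groups):
            continue
        if dest_tag is not None and (dest_res is None or dest_res.tags.get(dest_tag[0]) != dest_tag[1]):
            continue
        if src_name is not None and (src_res is None or src_res.tags.get("Name") != src_name):
            continue
        if dest_port is not None and f.dest_port != dest_port:
            continue
        if min_bytes is not None and not f.bytes > min_bytes:   # RQL 'bytes > N' is strict
            continue
        hits.append(f)
    return hits


def exposed_database_workloads(flows: Iterable[Flow], min_bytes: Optional[int] = None) -> Set[str]:
    """Challenge #3 Q1/Q3: DB or RDS workloads reached from the internet (optionally > N bytes)."""
    return {f.dest for f in query(flows, src_networks=PUBLIC, dest_roles={"AWS RDS", "Database"}, min_bytes=min_bytes)}


def workloads_via_security_group(flows: Iterable[Flow], sg_name: str) -> Set[str]:
    """Challenge #4 Q2: workloads that took internet traffic through a named security group."""
    return {f.dest for f in query(flows, src_networks=PUBLIC, dest_sg=sg_name)}


def tagged_hosts_from_suspicious(flows: Iterable[Flow], key: str, value: str) -> Set[str]:
    """Challenge #4 Q3: tagged hosts that exchanged bytes with suspicious IPs."""
    return {f.dest for f in query(flows, src_networks={"Suspicious IPs"}, dest_tag=(key, value), min_bytes=0)}


def egress_attempts_on_port(flows: Iterable[Flow], name: str, port: int) -> int:
    """Challenge #3 Q4: outbound connections from a named instance to one port."""
    return len(query(flows, src_name=name, dest_port=port))
```

Note the two places the sample data deliberately exercises: the internal 10.0.1.25 flow is excluded from every internet-exposure count even though it moves the most bytes, and the egress flows have a resource on the source side, so they never match a `source.publicnetwork` clause.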
Collect answers
Collect all answer cards for challenge #4. RedLock will calculate the score for each attendee.
Lecture for challenge #4: Explain the above use cases and why each of them is important.
Demonstrate how to find the answer for each of the above questions.
Wrap-up / prizes (15 minutes)
5 minutes wrap-up / summary of what was covered during the capture the flag challenges.
Prizes
● Grand prize goes to the attendee with the most total points across all 4 challenges *)
● The prize for each of the 4 challenges goes to the attendee with the most points for that
challenge *)
● Attendees can “only” win once.
Draw if there is a tie for any of the above.
Capture the flag rules and logistics
Each attendee will receive an answer card (see below) - maybe we can create “online” cards.
Each attendee will turn in their answers after each capture the flag challenge.
All correct answers will get a score of 2, and the total score for each challenge will be the sum of
the correct answers on the answer card.
The winner of each challenge is the one with the most points for each challenge, and if there is
a tie we will draw a winner.
There will be a prize for each capture the flag challenge.
The grand-prize winner is the one with the most points for all 4 capture the flag challenges, and
if there is a tie we will draw a winner.
Each individual can “only” win once, and will be “excluded” for future drawings after winning a
prize.
RedLock capture the flag answer card
Capture the flag challenge #1: Config & compliance checks and reporting
Participant #: <unique number will be printed on each card>
Name: _______________________
Email: _______________________
Phone: _______________________
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
Answer for question #5: _______________________
------------------------ cut answer card here -----------------------
Capture the flag challenge #2: User anomaly & user compromise monitoring and alerting
Participant #: <unique number will be printed on each card>
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
------------------------ cut answer card here -----------------------
Capture the flag challenge #3: Network Intrusion Detection monitoring and Alerting
Participant #: <unique number will be printed on each card>
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
------------------------ cut answer card here -----------------------
Capture the flag challenge #4: Forensics Investigations and incident response
Participant #: <unique number will be printed on each card>
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
Answer for question #5: _______________________

API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Become a Cloud Security Ninja - RedLock Lab

Capture the flag challenge #1 (20 minutes)
Topic: Config & compliance checks and reporting
Challenge: Your security and compliance team reviewed the last compliance report, and wants to leverage the RedLock console to find answers for the following:

Question #1:
Question: How many S3 buckets have been accessible anonymously from the internet within the last month?
Answer: Alerts -> Last Month -> find the number of “S3 buckets are accessible to public” alerts

Question #2:
Question: How many documents are accessible from the internet within the “XX” S3 bucket?
Answer:
Option #1: Alerts -> “S3 buckets are accessible to public” -> click the “AWS console link” associated with the “XX” S3 bucket alert to connect to the AWS admin console -> count the number of documents in the bucket.
Option #2: Open the AWS admin console, find the “XX” S3 bucket, and count the number of files in the bucket.

Question #3:
Question: The compliance report indicates that RDS snapshots are accessible to the public for the “XX” resource in your environment. What AWS CLI command can be executed to remediate this security risk?
Answer A: aws rds --region us-west-1 modify-db-snapshot-attribute --db-snapshot-identifier new-snapshot-public --attribute-name restore --values-to-remove "all"
Answer B: aws rds --region us-east-1 modify-db-snapshot-attribute --db-snapshot-identifier new-snapshot-public --attribute-name restore --values-to-remove "all"
Answer C: aws rds --region eu-west-1 modify-db-snapshot-attribute --db-snapshot-identifier new-snapshot-public --attribute-name restore --values-to-remove "all"
Answer: Alerts -> Last 3 months -> RDS Snapshots are accessible to public -> resolve button. The three options differ only in --region; the correct one names the region in which the alerted snapshot lives.

Question #4:
Question: Find the RDS snapshot accessible to the internet and provide the unique identifier (ARN) associated with that snapshot.
Answer A: arn:aws:rds:eu-west-1:274307705868:snapshot:test-ss
Answer B: arn:aws:rds:eu-east-1:274307705868:snapshot:test-ss
Answer C: arn:aws:rds:eu-west-1:43207705868:snapshot:test-ss
Answer D: arn:aws:rds:eu-east-1:432007705868:snapshot:test-ss
Answer: Alerts -> “RDS snapshots are accessible to public” -> find and click the “XX” resource in the RedLock admin console.

Question #5:
Question: The security team has noticed that a number of AWS Security Groups allow internet traffic, including the “default” Security Group. Security wants to understand the number of workloads that have accepted TCP traffic through the “default” security group within the last 2 weeks.
Answer: Alerts -> Security Groups Allow Internet Traffic -> hover over the “default” SG -> investigate button -> set time range to the last 2 weeks -> count the number of workloads.

Collect answers
Collect all answer cards for challenge #1. RedLock will calculate the score for each attendee.

Lecture for challenge #1:
Explain the above use cases and why each of them is important. Demonstrate how to find the answer for each of the above questions. Remember to demonstrate how to leverage the AWS console link associated with RedLock alerts for easy launch/access to the AWS console.
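Challenge #1 is about two exposures (public S3 buckets, public RDS snapshots) and the AWS CLI command that fixes the snapshot. The script below is an added example, not part of the lab deck and not RedLock's code: it applies the same checks to the JSON the AWS CLI returns (`aws rds describe-db-snapshot-attributes`, `aws s3api get-bucket-acl`, `aws s3api get-bucket-policy`) and builds the question #3 remediation command from a snapshot ARN of the question #4 form. The JSON samples, bucket name and ARN are constructed; the `restore` attribute name, the `all` value and the AllUsers/AuthenticatedUsers group URIs are the real AWS identifiers.

```python
"""Public-exposure checks on AWS CLI output, plus the RDS snapshot remediation command."""
import json

# Constructed sample of `aws rds describe-db-snapshot-attributes` output (not real data).
SNAPSHOT_ATTRS = json.loads("""
{"DBSnapshotAttributesResult": {
   "DBSnapshotIdentifier": "new-snapshot-public",
   "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}}
""")

# Constructed sample of `aws s3api get-bucket-acl` output with a public-read grant.
BUCKET_ACL = json.loads("""
{"Owner": {"ID": "example-owner-id"},
 "Grants": [
   {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
   {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
""")

# Constructed bucket policy granting anonymous GetObject (the other way a bucket goes public).
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*"}]}
""")

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not only yours
}


def snapshot_is_public(attrs):
    """True when the 'restore' attribute lists 'all': any AWS account can copy or restore it."""
    for attr in attrs["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]:
        if attr["AttributeName"] == "restore" and "all" in attr["AttributeValues"]:
            return True
    return False


def parse_snapshot_arn(arn):
    """Split arn:aws:rds:<region>:<account>:snapshot:<identifier> into its parts."""
    parts = arn.split(":")
    if len(parts) != 7 or parts[:3] != ["arn", "aws", "rds"] or parts[5] != "snapshot":
        raise ValueError(f"not an RDS snapshot ARN: {arn}")
    return {"region": parts[3], "account": parts[4], "identifier": parts[6]}


def remediation_command(arn):
    """AWS CLI command that removes the public 'restore' grant from the snapshot named by `arn`."""
    p = parse_snapshot_arn(arn)
    return (f"aws rds --region {p['region']} modify-db-snapshot-attribute "
            f"--db-snapshot-identifier {p['identifier']} "
            f"--attribute-name restore --values-to-remove all")


def acl_public_grants(acl):
    """Permissions granted to the AllUsers/AuthenticatedUsers groups (empty = not public by ACL)."""
    return [g["Permission"] for g in acl["Grants"]
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def policy_public_statements(policy):
    """Actions in Allow statements with an anonymous Principal ('*') and no Condition block."""
    hits = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anonymous and "Condition" not in st:
            hits.append(st.get("Action"))
    return hits


if __name__ == "__main__":
    print("snapshot public:", snapshot_is_public(SNAPSHOT_ATTRS))
    print(remediation_command("arn:aws:rds:eu-west-1:274307705868:snapshot:test-ss"))
    print("ACL grants:", acl_public_grants(BUCKET_ACL))
    print("policy statements:", policy_public_statements(BUCKET_POLICY))
```

The policy check deliberately skips Allow statements that carry a Condition: a `Principal: "*"` restricted by `aws:SourceVpce` or `aws:SourceIp` may not be public, so it needs a manual look rather than an automatic pass or fail. The ARN parser is what ties question #3 to question #4: the region for `--region` comes out of the ARN, which is why the three CLI options in question #3 differ only there.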
Capture the flag challenge #2 (20 minutes)
Topic: Privileged activity monitoring & user behavior analytics
Your security team has detected some suspicious user activities for <user_x>, and needs answers for the following questions:

Question #1:
Question: How many unusual user activities have been detected for <user_x> in October?
Answer: Alerts -> Unusual user activity -> set time range to October -> find <user_x> -> click investigate -> select October -> count the number of suspicious activities.

Question #2:
Question: Why was the user activity for <user_x> identified as suspicious?
Answer A: The user logged in from an unusual machine and unusual browser
Answer B: The user logged in from an unusual location and performed unusual activities.
Answer: B

Question #3:
Question: Analyze login behavior within your environment to identify and count the number of users whose credentials may have been compromised due to “impossible time travel” (account compromise) scenarios in October. Impossible time travel means two logins by the same user from locations too far apart to be reached in the time between them.
Answer: Alerts -> set time range to October -> Account Hi-jack attempts -> analyze the alerts, and find and count the number of alerts related to “impossible time travel”
Question #4:
Question: Unusual privileged user activities have been detected within your environment. Leverage the RedLock console to find the number of 'DeleteAccessKey', 'DeleteBucket' and 'DeleteCertificate' actions performed by user “X” within your environment in October.
Answer: Investigate -> select October -> run the following query:
event where operation IN ( 'DeleteAccessKey', 'DeleteBucket' , 'DeleteCertificate' ) and user = 'X'

Collect answers
Collect all answer cards for challenge #2. RedLock will calculate the score for each attendee.

Lecture for challenge #2:
Explain the above use cases and why each of them is important. Demonstrate how to find the answer for each of the above questions.
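Question #3's “impossible time travel” and question #4's privileged-operation count are both computable from the login and API events themselves. The script below is an added example, not the deck's or RedLock's code: it runs the impossible-travel check over constructed CloudTrail-style events (consecutive console logins per user, great-circle distance divided by elapsed time, flagged above a speed no traveller can reach) and counts the three delete operations the lab query asks about. The event list, the IP-to-location table standing in for a GeoIP lookup, and the 1,000 km/h threshold are all assumptions.

```python
"""Impossible-travel and privileged-operation checks over constructed CloudTrail-like events."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (user, UTC time, source IP, operation). Not real data.
EVENTS = [
    ("alice", "2018-10-03T09:00:00Z", "203.0.113.10", "ConsoleLogin"),
    ("alice", "2018-10-03T09:45:00Z", "198.51.100.7", "ConsoleLogin"),  # 45 min later, other continent
    ("alice", "2018-10-03T10:00:00Z", "198.51.100.7", "DeleteAccessKey"),
    ("alice", "2018-10-03T10:02:00Z", "198.51.100.7", "DeleteBucket"),
    ("bob",   "2018-10-05T08:00:00Z", "192.0.2.44",   "ConsoleLogin"),
    ("bob",   "2018-10-06T08:00:00Z", "203.0.113.10", "ConsoleLogin"),  # a day later: plausible
    ("bob",   "2018-10-06T08:30:00Z", "203.0.113.10", "DeleteCertificate"),
]

# Constructed IP -> (lat, lon) table standing in for a GeoIP database (assumption).
GEO = {
    "203.0.113.10": (37.77, -122.42),  # San Francisco
    "198.51.100.7": (51.51, -0.13),    # London
    "192.0.2.44":   (40.71, -74.01),   # New York
}

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed; anything faster is "impossible"
PRIVILEGED_OPS = {"DeleteAccessKey", "DeleteBucket", "DeleteCertificate"}  # the lab's operation list


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """{user: [(prev_ip, ip, km, hours, kmh), ...]} for consecutive logins that exceed max_kmh."""
    logins = defaultdict(list)
    for user, ts, ip, op in events:
        if op == "ConsoleLogin":
            logins[user].append((parse_ts(ts), ip))
    flagged = defaultdict(list)
    for user, rows in logins.items():
        rows.sort()
        for (t0, ip0), (t1, ip1) in zip(rows, rows[1:]):
            if ip0 == ip1 or ip0 not in GEO or ip1 not in GEO:
                continue  # same place, or no location to compare
            km = haversine_km(GEO[ip0], GEO[ip1])
            hours = (t1 - t0).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                flagged[user].append((ip0, ip1, round(km), round(hours, 2), round(kmh)))
    return dict(flagged)


def privileged_ops(events, user, month):
    """Count of the lab's three delete operations by `user` in `month` (YYYY-MM), like the RQL query."""
    return sum(1 for u, ts, _ip, op in events
               if u == user and ts.startswith(month) and op in PRIVILEGED_OPS)


if __name__ == "__main__":
    print(impossible_travel(EVENTS))
    print("alice, October:", privileged_ops(EVENTS, "alice", "2018-10"))
```

The threshold is the design choice: at 1,000 km/h a legitimate flight passes while a login from another continent 45 minutes after the last one does not. GeoIP inaccuracy and corporate proxies are the usual sources of false positives, so the output is an alert to investigate, which is how the lab treats the RedLock alert too.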
Capture the flag challenge #3 (20 minutes)
Topic: Network Intrusion Detection monitoring and alerting
Your DevOps team provisioned a number of new database servers, and accidentally exposed them to the internet.

Question #1:
Question: How many DB and RDS servers have received inbound traffic from the internet within the last 72 hours?
Answer: Investigate -> last 3 days -> run the query below and count the result set:
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource in ( resource where role IN ( 'AWS RDS' , 'Database' ))

Question #2:
Question: Which security group allowed the “X” DB workload to receive traffic directly from the internet within the last 72 hours?
Answer A: Security Group A
Answer B: Security Group B
Answer C: Security Group C
Answer: Investigate -> last 3 days -> run the query below -> click the “X” DB workload -> analyze its security groups, and determine which security group allowed internet traffic:
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource in ( resource where role IN ( 'AWS RDS' , 'Database' ))

Question #3:
Question: How many DB workloads have exchanged more than 10,000 bytes with internet sources within the last 72 hours?
Answer: Investigate -> last 3 days -> run the query below and count the result set:
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource in ( resource where role IN ( 'AWS RDS' , 'Database' )) and bytes > 10000
Question #4:
Question: How many egress attempts from an EC2 instance (instance X) were made to an external server on port 25, potentially indicating that the EC2 instance was compromised and is being used as a spam bot?
Answer: Investigate -> last 2 weeks -> run the following query -> click the outbound connection link from instance X to the external mail server -> click “View Details” on the right -> count the number of outbound attempts.
network where source.resource IN ( resource where tag ( 'name' ) = 'X') and dest.port = 25
Tag keys are case-sensitive in AWS; if the instance carries the console's default “Name” tag (as in challenge #4, question #5), use tag ( 'Name' ).

Collect answers
Collect all answer cards for challenge #3. RedLock will calculate the score for each attendee.

Lecture for challenge #3:
Explain the above use cases and why each of them is important. Demonstrate how to find the answer for each of the above questions.
Capture the flag challenge #4 (20 minutes)
Topic: Forensics Investigations and incident response
Your AWS team has noticed changes and suspicious activities in core AWS configuration settings, and is looking for answers to the following questions:

Question #1:
Question: How many new Security Groups were created in the environment within the last month?
Answer: Investigate -> last month -> count the results from the following query:
event where operation IN ('CreateSecurityGroup')

Question #2:
Question: How many workloads received internet traffic through the “default” Security Group within the last month?
Answer:
Option #1: Investigate -> last month -> count the results from the following query:
network where source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and dest.resource IN ( resource where securitygroup.name IN ( 'default' ))
Option #2: Alerts -> Security Groups Allow Internet Traffic -> Investigate button for the “default” SG alert.

Question #3:
Question: Have any AWS instances with the tag “Environment” = “Production” received traffic from suspicious IP addresses within the last week?
Answer: Investigate -> last week -> run the following query:
network where source.publicnetwork IN ( 'Suspicious IPs' ) and dest.resource IN ( resource where tag ( 'Environment' ) = 'Production' ) and bytes > 0
Question #4:
Your security team has received reports that some of your Database and Web Servers have been compromised due to known host vulnerabilities, and needs your help with the following:
Question: How many workloads have reported a known host vulnerability within the last 7 days?
Answer:
Option #1: Investigate -> last 7 days -> run the following query:
network where dest.resource IN ( resource where alert.type IN ( 'cve' ))
Option #2: Investigate -> last 7 days -> run the following query and manually count the number of workloads marked with an “exclamation mark”:
network where source.ip = 0.0.0.0 and bytes > 0

Question #5:
Question: The security team has been notified that an EC2 instance (<host_x>) is receiving traffic from the internet AND also has known vulnerabilities, and needs your help to analyze which type of communication has been accepted by <host_x> within the last 2 weeks.
Answer: Investigate -> last 2 weeks -> run the following query:
network where dest.resource IN ( resource where tag ( 'Name' ) = '<host_x>' ) and source.publicnetwork IN ( 'Internet IPs' , 'Suspicious IPs' ) and bytes > 0
Answer A: SSH and Web
Answer B: SSH
Answer C: SSH, Web and FP

Collect answers
Collect all answer cards for challenge #4. RedLock will calculate the score for each attendee.

Lecture for challenge #4:
Explain the above use cases and why each of them is important. Demonstrate how to find the answer for each of the above questions.
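The queries in challenges #3 and #4 are all the same shape: filter network flows by source class (internet or suspicious), destination attributes (role, security group, tag) and byte count. The script below is an added example, not the lab's or RedLock's code, that runs those filters in Python over constructed VPC Flow Log records and a constructed resource inventory standing in for the console's asset model: internet-to-database ingress with the 10,000-byte threshold (challenge #3, questions #1 to #3), port-25 egress from the instance named X (challenge #3, question #4), Production-tagged workloads reached from suspicious IPs (challenge #4, question #3), and ingress through the default security group (challenge #4, question #2). The inventory, the suspicious-IP list and the log lines are made up; the field order is the AWS default flow log format.

```python
"""Network-flow triage equivalent to the lab's RQL queries, over constructed VPC Flow Log lines."""
from ipaddress import ip_address, ip_network

# Constructed inventory standing in for RedLock's resource model (assumption, not real data).
RESOURCES = {
    "10.0.1.10": {"name": "db-01", "role": "Database", "sg": ["sg-db-internal"], "tags": {"Environment": "Production"}},
    "10.0.1.11": {"name": "rds-02", "role": "AWS RDS", "sg": ["default"], "tags": {"Environment": "Production"}},
    "10.0.2.20": {"name": "web-01", "role": "Web", "sg": ["sg-web"], "tags": {"Environment": "Production"}},
    "10.0.3.30": {"name": "X", "role": "Web", "sg": ["sg-web"], "tags": {"Environment": "Staging"}},
}
# Constructed threat list standing in for the 'Suspicious IPs' category.
SUSPICIOUS_IPS = {"198.51.100.7"}

# Constructed records in the default VPC Flow Log field order; start/end are epoch seconds.
FLOW_LOG = """\
2 123456789012 eni-0a 203.0.113.10 10.0.1.10 51000 3306 6 20 12000 1540000000 1540000060 ACCEPT OK
2 123456789012 eni-0b 198.51.100.7 10.0.1.11 51001 5432 6 5 800 1540000100 1540000160 ACCEPT OK
2 123456789012 eni-0c 10.0.2.20 10.0.1.10 51002 3306 6 50 90000 1540000200 1540000260 ACCEPT OK
2 123456789012 eni-0d 203.0.113.10 10.0.2.20 51003 443 6 10 4000 1540000300 1540000360 ACCEPT OK
2 123456789012 eni-0e 10.0.3.30 192.0.2.99 40000 25 6 3 600 1540000400 1540000460 ACCEPT OK
2 123456789012 eni-0e 10.0.3.30 192.0.2.98 40001 25 6 3 600 1540000500 1540000560 REJECT OK
2 123456789012 eni-0e 10.0.3.30 192.0.2.97 40002 25 6 3 600 1540000600 1540000660 ACCEPT OK
"""
FIELDS = ("version account interface src dst srcport dstport protocol "
          "packets bytes start end action status").split()

# RFC 1918 plus loopback and link-local. ipaddress.is_global would also reject the RFC 5737
# documentation addresses used in this sample, so the private set is listed explicitly.
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_flows(text):
    """Parse flow log lines into dicts with integer ports and counters."""
    rows = []
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        for k in ("srcport", "dstport", "packets", "bytes"):
            rec[k] = int(rec[k])
        rows.append(rec)
    return rows


def public_network(ip):
    """Classify a source like RQL's source.publicnetwork: 'Suspicious IPs', 'Internet IPs' or None."""
    if ip in SUSPICIOUS_IPS:
        return "Suspicious IPs"
    addr = ip_address(ip)
    return None if any(addr in net for net in PRIVATE_NETS) else "Internet IPs"


def db_ingress_from_internet(flows, min_bytes=0):
    """Challenge #3 Q1-Q3: {workload: security groups} for DB/RDS roles accepting internet traffic."""
    hits = {}
    for f in flows:
        dst = RESOURCES.get(f["dst"])
        if (f["action"] == "ACCEPT" and dst and dst["role"] in ("AWS RDS", "Database")
                and public_network(f["src"]) and f["bytes"] > min_bytes):
            hits.setdefault(dst["name"], set()).update(dst["sg"])
    return hits


def smtp_egress_attempts(flows, name):
    """Challenge #3 Q4: connections (accepted or rejected) to port 25 from the instance named `name`."""
    return [f for f in flows
            if RESOURCES.get(f["src"], {}).get("name") == name and f["dstport"] == 25]


def production_from_suspicious(flows):
    """Challenge #4 Q3: Production-tagged workloads that received bytes from suspicious IPs."""
    return sorted({RESOURCES[f["dst"]]["name"] for f in flows
                   if f["dst"] in RESOURCES
                   and RESOURCES[f["dst"]]["tags"].get("Environment") == "Production"
                   and public_network(f["src"]) == "Suspicious IPs" and f["bytes"] > 0})


def internet_ingress_via_sg(flows, sg_name):
    """Challenge #4 Q2: workloads attached to `sg_name` that received internet traffic."""
    return sorted({RESOURCES[f["dst"]]["name"] for f in flows
                   if f["dst"] in RESOURCES and sg_name in RESOURCES[f["dst"]]["sg"]
                   and public_network(f["src"])})


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("DB ingress:", db_ingress_from_internet(flows))
    print("DB ingress > 10000 bytes:", db_ingress_from_internet(flows, min_bytes=10000))
    print("port-25 attempts from X:", len(smtp_egress_attempts(flows, "X")))
    print("Production from suspicious:", production_from_suspicious(flows))
    print("via default SG:", internet_ingress_via_sg(flows, "default"))
```

One caveat the lab's question #2 glosses over: a flow record says which interface accepted the traffic, not which of several attached security groups permitted it, so attributing a flow to a security group is a join against the instance's group list and then a rule-by-rule check of those groups, which is what the console does when you click the workload. The egress count includes REJECT records on purpose, since the question asks for attempts rather than successful connections.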
Wrap-up / prizes (15 minutes)
5 minutes wrap-up / summary of what was covered during the capture the flag challenges.

Prizes
● Grand prize goes to the attendee with the most total points for all 4 challenges *)
● The prize for each of the 4 challenges goes to the attendee with the most points for that challenge *)
● Attendees can “only” win once.
Draw if there is a tie for any of the above.
Capture the flag rules and logistics
Each attendee will receive an answer card (see below) - maybe we can create “online” cards..
Each attendee will turn in their answers after each capture the flag challenge.
All correct answers will get a score of 2, and the total score for each challenge will be the sum of the correct answers on the answer card.
The winner of each challenge is the one with the most points for that challenge, and if there is a tie we will draw a winner. There will be a prize for each capture the flag challenge.
The grand-prize winner is the one with the most points for all 4 capture the flag challenges, and if there is a tie we will draw a winner.
Each individual can “only” win once, and will be “excluded” from future drawings after winning a prize.
RedLock capture the flag answer card

Capture the flag challenge #1: Config & compliance checks and reporting
Participant #: <unique number will be printed on each card>
Name: _______________________
Email: _______________________
Phone: _______________________
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
Answer for question #5: _______________________
------------------------ cut answer card here -----------------------
Capture the flag challenge #2: User anomaly & user compromise monitoring and alerting
Participant #: <unique number will be printed on each card>
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
------------------------ cut answer card here -----------------------
Capture the flag challenge #3: Network Intrusion Detection monitoring and Alerting
Participant #: <unique number will be printed on each card>
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
------------------------ cut answer card here -----------------------
Capture the flag challenge #4: Forensics Investigations and incident response
Participant #: <unique number will be printed on each card>
Answer for question #1: _______________________
Answer for question #2: _______________________
Answer for question #3: _______________________
Answer for question #4: _______________________
Answer for question #5: _______________________