Discover and read the best of Twitter Threads about #GuardDuty
Most recents (3)
Excited technologies announced by @aselipsky at #reinvent2022
Entire catalog of #AWS #Analytics and #MachineLearning services available on #ServerLess
It is a paradigm shifter!
It is a paradigm shifter!
'A Zero ETL Future' - Federated queries across data sources
bridging OLTP and OLAP those who know will get what folks like me have been struggling.
bridging OLTP and OLAP those who know will get what folks like me have been struggling.
Many target AWS from afar, but this #redteam played the long game:
1. Physical access to a laptop via a retail store
2. Persisted via a @Raspberry_Pi under a table
3. Lat. movement via SSH through OSX
4. Recon via Bash history
5. Used stolen .boto to access AWS
👇Thread 👇
1. Physical access to a laptop via a retail store
2. Persisted via a @Raspberry_Pi under a table
3. Lat. movement via SSH through OSX
4. Recon via Bash history
5. Used stolen .boto to access AWS
👇Thread 👇
1. Lock your laptops! Lower the password timeout window so your users don't have to think about it. With this access the red team was able to gain not only their initial access, but credentials they could use to SSH to several machines across the org.
2. Strong case for asset inventory, especially if a non-standard device such as a Raspberry Pi joins the network. Identifying and alerting on such devices would have caught this much earlier (especially if on a retail/guest wifi).
Highlights from chasing an attacker in #AWS this week:
Initial lead: custom alert using #CloudTrail
- SSH keygen from weird source
IP enrichment helped
Historical context for IAM user, "this isn't normal"
#GuardDuty was not initial lead
- Did have LOW sev high vol alerts
Initial lead: custom alert using #CloudTrail
- SSH keygen from weird source
IP enrichment helped
Historical context for IAM user, "this isn't normal"
#GuardDuty was not initial lead
- Did have LOW sev high vol alerts
Attacker tradecraft:
- Made ingress rules on sec groups that allowed any access to anything in VPC
- Interesting API calls: > 300 AuthorizeSecurityGroupIngress calls
- Spun up new ec2 instance likely to persist
- Mostly recon - "What policy permissions does this IAM user have?"
- Made ingress rules on sec groups that allowed any access to anything in VPC
- Interesting API calls: > 300 AuthorizeSecurityGroupIngress calls
- Spun up new ec2 instance likely to persist
- Mostly recon - "What policy permissions does this IAM user have?"
Investigations:
Orchestration was super helpful. We bring our own.
For any AWS alert we auto acquire:
- Interesting API calls (anything that isn't Get*, List*, Describe*)
- List of assumed roles (+ failures)
- AWS services touched user user/role
- Gave us answers, fast
Orchestration was super helpful. We bring our own.
For any AWS alert we auto acquire:
- Interesting API calls (anything that isn't Get*, List*, Describe*)
- List of assumed roles (+ failures)
- AWS services touched user user/role
- Gave us answers, fast
