This blog post is the follow-up to the Sydney AWS User Group session on 5 August 2015 and hopefully gives the Amazonians who attended some more detail. We opened the session with the Ashley Madison story, which inspired its title: Life is Short,
Have an Affair when You Get Hacked
We don’t know where the Ashley Madison data was hosted, or whether the company was really hacked. Regardless, the frequency and sophistication of cyber-security attacks keep getting worse, and the statistics we showed in the session are quite sobering.
From those statistics we can map the nature of today’s attacks into the patterns below:
Compromising User Credentials
The statistics show that more than 75% of intrusions involve compromised user credentials. For the purpose of this post we will limit the discussion to user credentials in an AWS environment:
- AWS IAM controls identity and access management for your AWS account. AWS publishes best practices for managing IAM: lock away the root credentials, create individual IAM users, grant least privilege and rotate access keys. AWS CloudTrail is one of the recommended services for auditing API activity in your account, and its logs are what you will rely on for investigation and forensics.
- AWS Multi-Factor Authentication (MFA): always enable MFA for the root account and for every user in all your AWS accounts.
- If your on-premises environment uses Active Directory, AWS Directory Service lets you connect your AWS resources to an existing on-premises Microsoft Active Directory, or set up a new, stand-alone directory in the AWS cloud. This means you can manage your AWS resources with your corporate accounts.
- Use a Role-Based Access Control (RBAC) model in your Active Directory to ensure segregation of duties.
- Identity federation. You can also enable identity federation to AWS using Active Directory and SAML 2.0, so users sign in with their corporate credentials and assume an IAM role instead of holding long-lived AWS access keys.
- Use Rapid7 User Insight to detect anomalous user behaviour and compromised users.
Legitimate IT Tools – Harder to Detect
Custom malware is becoming a thing of the past: most malicious code now mutates faster than anti-malware signatures can keep up, so attackers have moved to legitimate IT tools, which are much harder to detect. This is a real problem, because we may not know we have been hacked until it is too late. The following tips help reduce the risk of a breach in our AWS environment:
- Whitelist applications: block every application that is not explicitly on the list.
- Create hardened OS baselines for both your Windows and your Linux EC2 instances.
These checklists from the SANS Institute are a good start: Windows and Linux
- Patch all the things. There is a famous saying, “Patch Tuesday, Breach Wednesday”: plan a patch-management lifecycle for your EC2 instances that covers both the OS and the applications running on top of it.
- This link from AWS contains tips for securing your EC2 instances.
Rogue Inside the Network
An intruder inside a breached environment stays undetected for an average of up to eight months. With stolen but legitimate credentials and legitimate tools, the intruder’s activity looks “legitimate” too, which makes it a lot harder to detect. The following tips help reduce the risk of a breach in our AWS network:
- Always use an AWS VPC, which enables the AWS network security features: security groups (stateful, applied per instance) and network ACLs (stateless, applied per subnet).
- Do not design a flat and open environment inside your VPC. Use defense in depth: separate the tiers into their own subnets and security groups, and let each tier accept traffic only from the tier in front of it.
- Use the intrusion prevention and detection tools available on the AWS Marketplace: AlertLogic, Trend Micro, Barracuda, Sophos, F5 and Neusoft.
- Rapid7 User Insight can also help catch the intruder by detecting user anomalies and suspicious activity from compromised credentials.
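A flat VPC usually shows up in the security groups long before anyone draws a diagram of it. The audit below is an added example (not from the original post and not an AWS tool): it walks a set of constructed security groups in the shape of the EC2 DescribeSecurityGroups response and flags inbound rules that break the tiered design described above: all traffic from the internet, an admin port (SSH or RDP) open to the world, and an internal tier that accepts a CIDR range instead of referencing the security group of the tier in front of it. The group IDs, names and the `Tier` tag convention are assumptions for the example.

```python
# Constructed sample groups in the shape of the EC2 DescribeSecurityGroups
# response (only the fields the audit uses). Group IDs, names and the
# "Tier" tag convention are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web-tier",
     "Tags": [{"Key": "Tier", "Value": "web"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0b2", "GroupName": "app-tier",
     "Tags": [{"Key": "Tier", "Value": "app"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "db-tier",
     "Tags": [{"Key": "Tier", "Value": "db"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}          # SSH and RDP
INTERNET_FACING_TIERS = {"web"}   # only these tiers may accept CIDR sources


def tag(group, key):
    return next((t["Value"] for t in group.get("Tags", []) if t["Key"] == key), None)


def describe_ports(perm):
    """Short label for a rule's protocol and port range."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def exposes_admin_port(perm):
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in ADMIN_PORTS)


def audit_security_groups(groups):
    """Return (group_id, rule, detail) findings for inbound rules that break
    a tiered, least-exposure design. Rules whose source is another security
    group (UserIdGroupPairs) are the desired pattern and are never flagged."""
    findings = []
    for g in groups:
        gid, tier = g["GroupId"], tag(g, "Tier")
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            ports = describe_ports(perm)
            for cidr in cidrs:
                if cidr in WORLD and perm["IpProtocol"] == "-1":
                    findings.append((gid, "all-traffic-from-world", ports))
                elif cidr in WORLD and exposes_admin_port(perm):
                    findings.append((gid, "admin-port-open-to-world", f"{ports} from {cidr}"))
                elif tier not in INTERNET_FACING_TIERS:
                    # An internal tier should reference the upstream tier's
                    # security group; a CIDR source makes the VPC flat.
                    findings.append((gid, "internal-tier-accepts-cidr", f"{ports} from {cidr}"))
    return findings


if __name__ == "__main__":
    for gid, rule, detail in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid:8} {rule:28} {detail}")
```

The app tier is the model to copy: its only inbound rule names the web tier’s group as the source, so it never has to know the web tier’s addresses and cannot be reached from anywhere else. The database tier is flagged twice, once for the all-traffic rule and once for accepting the whole VPC range on 3306, and the web tier for SSH open to the world; on a live account you would pass the `SecurityGroups` list from `describe_security_groups` into `audit_security_groups`.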
In the Ashley Madison case, the attackers claim to have stolen the data of more than 37 million users. There are a few techniques we can adopt to protect the data sitting in our AWS environment and reduce the risk of a breach:
- Data encryption. We can encrypt our S3 objects with server-side encryption or client-side encryption. This link from AWS gives a brilliant overview of three different models, which differ in who manages the encryption keys and where encryption takes place.
- Data minimization: no single data vault (do not put everything into one bucket), grant access on a need-to-know basis, and purge data you no longer need.
Overall, there is no silver bullet for securing our AWS environment. A rigorous action plan, carried out together with AWS, is the best defense.
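Deciding to encrypt S3 data is one thing; making sure nobody uploads an unencrypted object by accident is another. The following is an added example (not from the original post and not AWS code): it builds a bucket policy whose two Deny statements reject any PutObject that does not ask S3 for server-side encryption with SSE-S3 (`AES256`) or SSE-KMS (`aws:kms`), and includes a small evaluator for just the two condition operators the policy uses, so you can see which requests the policy would block. The bucket name `my-bucket` is a placeholder, and the evaluator models only these Deny statements, not the full IAM evaluation logic.

```python
import json

# IAM condition key that S3 populates from the request header of the same name.
SSE_KEY = "s3:x-amz-server-side-encryption"
SSE_HEADER = "x-amz-server-side-encryption"


def deny_unencrypted_uploads_policy(bucket):
    """Bucket policy that rejects PutObject unless the request asks S3 to
    encrypt the object with SSE-S3 ('AES256') or SSE-KMS ('aws:kms').
    The first statement catches a missing header, the second a wrong value."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyPutWithoutSSEHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"Null": {SSE_KEY: "true"}}},
            {"Sid": "DenyPutWithOtherAlgorithm", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}}},
        ],
    }


def condition_matches(condition, ctx):
    """Evaluate the subset of IAM condition operators this policy uses
    (Null and StringNotEquals). As in IAM, a key that is absent from the
    request context satisfies Null:"true" and every *NotEquals test."""
    for op, tests in condition.items():
        for key, expected in tests.items():
            value = ctx.get(key)
            if op == "Null":
                if (value is None) != (expected == "true"):
                    return False
            elif op == "StringNotEquals":
                allowed = expected if isinstance(expected, list) else [expected]
                if value is not None and value in allowed:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {op}")
    return True


def put_allowed(policy, headers):
    """True if no Deny statement in the policy matches a PutObject carrying
    these request headers. Assumes the caller is otherwise allowed (for
    example by an IAM policy); an explicit Deny always overrides that."""
    ctx = {SSE_KEY: headers.get(SSE_HEADER)}
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
                and condition_matches(stmt.get("Condition", {}), ctx)):
            return False
    return True


if __name__ == "__main__":
    policy = deny_unencrypted_uploads_policy("my-bucket")
    print(json.dumps(policy, indent=2))
    for hdrs in ({}, {SSE_HEADER: "AES256"}, {SSE_HEADER: "aws:kms"},
                 {"x-amz-server-side-encryption-customer-algorithm": "AES256"}):
        print(hdrs, "->", "allowed" if put_allowed(policy, hdrs) else "denied")
```

Two caveats a practitioner will hit. SSE-C (customer-provided keys) signals itself with `x-amz-server-side-encryption-customer-algorithm`, not the header this policy checks, so SSE-C uploads are denied by it; the same goes for objects you encrypted client-side unless the client also sets the SSE header. If you use either of those models, extend the condition accordingly rather than dropping the policy. Attach the policy with `put_bucket_policy`, and remember that a bucket policy protects one bucket: part of the data-minimization point above is that you should not have a single bucket holding everything in the first place.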
I hope you’ve found this post useful – please leave any comments or questions below!