Life is Short When You Get Hacked – Sydney AWS User Group

This blog post is the follow-up to my session at the Sydney AWS User Group on 5th August 2015, and hopefully gives the Amazonians who attended a bit more detail. We opened the session with the Ashley Madison story, which inspired the title of the session: Life is Short, Have an Affair when You get Hacked.

Life is Short when You get Hacked

We don’t know where the Ashley Madison data is hosted or whether they were really hacked. Regardless, the frequency and sophistication of cyber-security attacks are getting worse. The statistics below are quite sobering:

Sobering Statistics

From these statistics we can map out the nature of today’s attacks:


Compromising User Credentials

As the statistics show, more than 75% of intrusions involve compromised user credentials. For the purpose of this post we will limit the discussion to user credentials in an AWS environment:

  • AWS IAM is the identity and access management service for your AWS account. AWS publishes best practices for managing IAM (individual users, least-privilege policies, key rotation). AWS CloudTrail is one of the recommended services: it records the API calls made in your account, which is what you will need for investigation and forensics after an incident.
  • AWS Multi-Factor Authentication (MFA): always enable MFA for all your AWS accounts, starting with the root account.
  • If your on-premises environment uses Active Directory, AWS Directory Service lets you connect your AWS resources to an existing on-premises Microsoft Active Directory, or set up a new, stand-alone directory in the AWS cloud. This means you can manage your AWS resources with your corporate account.
  • Use a Role-Based Access Control (RBAC) model in your Active Directory to ensure segregation of duties.
  • Identity federation. You can also federate identities to AWS from Active Directory using SAML 2.0, so users never need long-lived AWS credentials of their own.
  • Use Rapid7 User Insight to detect anomalies and spot compromised users.
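The CloudTrail and MFA points above only pay off if somebody actually looks at the trail. As an added example (not code from the original post or from any vendor), here are four simple detection rules run over CloudTrail records: console logins without MFA, use of the root account, activity from outside a trusted network range, and bursts of failed logins. The records and the trusted range 203.0.113.0/24 are constructed for the demonstration; the field names (eventName, userIdentity, additionalEventData.MFAUsed, responseElements.ConsoleLogin, sourceIPAddress) are the ones CloudTrail writes.

```python
"""Offline detection rules over CloudTrail records (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Corporate egress range logins are expected to come from (assumption).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records in the shape CloudTrail writes; not real events.
SAMPLE_EVENTS = [
    {"eventTime": "2015-08-05T01:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-08-05T01:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-08-05T02:00:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
] + [
    # Three failed console logins for the same user within three minutes.
    {"eventTime": "2015-08-05T03:0%d:00Z" % i, "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.55",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}}
    for i in range(3)
]


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def analyze(events, trusted_networks=TRUSTED_NETWORKS,
            fail_threshold=3, window=timedelta(minutes=10)):
    """Return (rule, actor, detail) findings for the given records."""
    findings = []
    recent_failures = defaultdict(list)   # actor -> times of failed logins
    already_flagged = set()
    for ev in sorted(events, key=_when):
        who = _actor(ev)
        ip = ev.get("sourceIPAddress", "")
        name = ev.get("eventName", "")

        # Rule 1: any use of the root account deserves a look.
        if ev.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root-activity", who, name))

        # Rules 2 and 3: failed-login bursts and successful logins without MFA.
        if name == "ConsoleLogin":
            if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                t = _when(ev)
                recent_failures[who] = [x for x in recent_failures[who]
                                        if t - x <= window] + [t]
                if (len(recent_failures[who]) >= fail_threshold
                        and who not in already_flagged):
                    already_flagged.add(who)
                    findings.append(("repeated-login-failures", who, ip))
            elif ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(("login-without-mfa", who, ip))

        # Rule 4: source address outside the trusted ranges. Calls made by
        # AWS services carry a service name here instead of an address.
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not any(addr in net for net in trusted_networks):
            findings.append(("untrusted-source-ip", who, ip))
    return findings


if __name__ == "__main__":
    for rule, who, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:25} {who:10} {detail}")
```

Run against the sample records this flags bob's login without MFA from an untrusted address, the root account creating a user, and carol's three failures; alice's MFA login from the corporate range produces nothing. In practice the trusted ranges come from your own egress addresses and the threshold and window are tuned against your baseline of normal failures.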

Legitimate IT Tools – Harder to Detect

Malware as the main attack vector is becoming a thing of the past: most malicious code now mutates faster than our anti-malware solutions can keep up, and most attackers instead use legitimate IT tools, which are much harder to detect. This is a real problem because we may not know we have already been hacked until it is too late. The tips below can help reduce the risk of a breach in our AWS environment:

  • Whitelist the applications: block everything that is not on the list.
  • Create hardened OS baselines for both your Windows and Linux EC2 instances.
    These guides from the SANS Institute are a good start: Windows and Linux
  • Patch all the things. There is a famous quote, “Patch Tuesday, Breach Wednesday”: plan a patch-management lifecycle for both the O/S and the applications running on your EC2 instances.
  • This link from AWS contains tips for securing your EC2 instances.
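A baseline is only useful if you can tell when an instance has drifted from it. As an added example (not tooling from the post or from SANS or AWS), the script below builds a manifest of SHA-256 hashes for every file under a directory, in the spirit of the whitelist and baseline points above, and later reports what was added, modified or removed. The directory tree and file contents are constructed for the demonstration; on a real instance you would baseline the AMI’s binary directories and run the comparison from a trusted host.

```python
"""File-level baseline check for an EC2 image (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks; only hash real file content
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(baseline, root):
    """Diff the current tree against a baseline.

    Returns sorted lists of paths that were added (not on the whitelist),
    modified (hash differs) and removed (expected but missing).
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Baseline a constructed tree, then tamper with it and compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "bin"))
        for name, body in (("usr/bin/sshd", b"original sshd"),
                           ("usr/bin/ls", b"original ls")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline(root)

        # Simulated intrusion: a tool not on the whitelist is dropped,
        # ls is trojaned and sshd is removed.
        with open(os.path.join(root, "usr/bin/nc"), "wb") as fh:
            fh.write(b"netcat dropped by intruder")
        with open(os.path.join(root, "usr/bin/ls"), "wb") as fh:
            fh.write(b"trojaned ls")
        os.remove(os.path.join(root, "usr/bin/sshd"))
        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

Store the baseline manifest off the instance (for example in an S3 bucket the instance can only read), otherwise an intruder with the instance’s credentials can simply rewrite it.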

Rogue Inside the Network

An intruder inside a breached environment stays undetected for about eight months on average. Using stolen but legitimate credentials and legitimate tools, their activity looks “legitimate” too, which makes the rogue a lot harder to detect. The tips below can help reduce the risk of a breach in our AWS network:

  • Always use an AWS VPC, which lets us use the AWS network security features: security groups and network access control lists (NACLs).
  • Do not design a flat, open environment inside your VPC; use defence in depth, with separate subnets and security groups per tier.
  • Use the intrusion prevention and detection tools available on the AWS Marketplace: AlertLogic, Trend Micro, Barracuda, Sophos, F5 and Neusoft.
  • Rapid7 User Insight can also help catch the rogue by detecting user anomalies and suspicious activity from compromised credentials.
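“Flat and open” usually shows up in the security-group rules long before it shows up in an incident. As an added example (not code from the post), here is an audit over security groups in the shape the EC2 DescribeSecurityGroups API returns, flagging two smells: a non-public port open to 0.0.0.0/0 or ::/0, and a rule that allows every protocol and port from a CIDR block (including the VPC’s own range, which is how a flat network is built). The group IDs, names, CIDRs and the set of ports the web tier may expose are constructed for the demonstration.

```python
"""Security-group audit for flat or open designs (added example)."""
import ipaddress

# Ports a public-facing web tier may legitimately expose (assumption).
PUBLIC_OK_PORTS = {80, 443}

# Constructed sample groups; identifiers and addresses are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        # Layered properly: only the web tier may reach the database port.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # ...but then someone opened everything from the whole VPC.
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
]


def _cidrs(perm):
    """All CIDR sources of a rule; security-group references are excluded."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _ports(perm):
    """Port range the rule covers; None means every port (protocol -1)."""
    if perm["IpProtocol"] == "-1":
        return None
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_security_groups(groups, public_ok=PUBLIC_OK_PORTS):
    """Return (group id, rule, detail) findings."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ports = _ports(perm)
            for cidr in _cidrs(perm):
                world = ipaddress.ip_network(cidr).prefixlen == 0
                detail = "%s %s-%s from %s" % (perm["IpProtocol"],
                                               perm.get("FromPort", "all"),
                                               perm.get("ToPort", "all"), cidr)
                if ports is None:
                    # Every protocol and port from a CIDR: a flat network,
                    # even when the CIDR is the VPC itself.
                    findings.append((sg["GroupId"], "all-traffic-from-cidr", detail))
                elif world and any(p not in public_ok for p in ports):
                    findings.append((sg["GroupId"],
                                     "non-public-port-open-to-internet", detail))
    return findings


if __name__ == "__main__":
    for group, rule, detail in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group:12} {rule:34} {detail}")
```

On the sample data the web group is flagged for SSH open to the Internet and the database group for the all-traffic rule from 10.0.0.0/16; the bastion group, which only accepts SSH from the corporate range, passes. Feed it the output of describe_security_groups from the AWS CLI or SDK to run it against a real account.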

Data Breach

In the Ashley Madison case, the attackers claim to have stolen the data of more than 37 million users. There are a few techniques we can adopt to protect data sitting in our AWS environment and reduce the risk of a breach:

  • Data encryption. We can encrypt S3 objects using server-side encryption or client-side encryption. This link from AWS explains three different models of how the encryption keys are managed and when they are used.
  • Data minimisation: no single data vault (do not put everything into one bucket), access on a need-to-know basis, and purge data you no longer need.
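Choosing server-side encryption is only half of it; the bucket also has to refuse objects that arrive without it. The block below is an added example (not the post’s code) showing the two-statement bucket policy pattern AWS documents for S3, which denies PutObject when the x-amz-server-side-encryption header is missing or carries a value other than AES256, together with a small evaluator to see which statement catches which request. The evaluator is a deliberately reduced model of IAM policy evaluation: it handles only Deny statements and the StringEquals, StringNotEquals and Null operators, and treats a missing condition key as “does not match” for the String operators (the Null operator is what tests for absence). The bucket name and the three request contexts are constructed for the demonstration.

```python
"""S3 bucket policy enforcing server-side encryption (added example)."""
import json

# The AWS-documented pattern: one statement rejects the wrong algorithm,
# the other rejects uploads that omit the header altogether.
# Bucket name is an assumption.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
    }
  ]
}
""")


def _condition_matches(operator, key, expected, context):
    """Reduced model of one condition clause against the request context."""
    present = key in context
    if operator == "Null":
        # "Null": {key: "true"} matches when the key is absent.
        return (not present) == (str(expected).lower() == "true")
    if not present:
        return False   # simplified: String operators need the key present
    if operator == "StringEquals":
        return context[key] == expected
    if operator == "StringNotEquals":
        return context[key] != expected
    raise ValueError("operator %s is not modelled here" % operator)


def _statement_applies(stmt, action, context):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        for key, expected in clauses.items():
            if not _condition_matches(operator, key, expected, context):
                return False   # every clause of a Condition must match
    return True


def denying_statement(policy, action, context):
    """Return the Sid of the first Deny statement that matches, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, context):
            return stmt.get("Sid")
    return None


# Constructed request contexts for three PutObject calls.
REQUESTS = {
    "plain upload": {},
    "wrong algorithm": {"s3:x-amz-server-side-encryption": "aws:kms"},
    "SSE-S3 upload": {"s3:x-amz-server-side-encryption": "AES256"},
}


def check_all(policy, requests=REQUESTS):
    """Map each request name to the Sid that denies it (None = allowed)."""
    return {name: denying_statement(policy, "s3:PutObject", ctx)
            for name, ctx in requests.items()}


if __name__ == "__main__":
    for name, sid in check_all(BUCKET_POLICY).items():
        print(f"{name:16} -> {sid or 'not denied'}")
```

Under this model the plain upload is caught only by the Null statement and the wrong-algorithm upload only by the StringNotEquals one, which is why the pattern needs both. Note that this particular policy also rejects SSE-KMS uploads; if you standardise on KMS keys, change the expected value accordingly.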

Overall, there is no silver bullet for securing our AWS environment. A rigorous action plan, and working together with AWS, is the best defence.

I hope you’ve found this post useful – please leave any comments or questions below!

Read more from me on the Kloud Blog or on my own blog at
