Home - deanbushmiller/aws-sec-e11 GitHub Wiki

Presentation

  • We will have a skeleton slide deck in class, which will lead to this page.
  • All links will be posted here.
  • This makes it easier for us to update content for future classes.
  • If there are bugs, students can use GitHub Issues for submitting fixes.

Introduction links

  • Create CSA account and download the core document.

THREAT #1: Identity & Access Management

  • Concept: Page # 8
  • Threat / Vulnerability: Insufficient Identity and Credential Management; overprovisioned EC2 and S3 roles for the WAF and for storage.

  • CWE-288: Authentication Bypass Using an Alternate Path or Channel
  • Company: Capital One
  • Attack Detail: A former AWS engineer with insider knowledge of platform vulnerabilities obtained credentials through a misconfigured web application and used them to extract sensitive information from protected cloud storage.
  • Impact: 106 million records were exfiltrated through that cloud access.
  • Link: https://krebsonsecurity.com/tag/capital-one-breach/

SOLUTION #1: User authentication, authorization, multi-factor authentication, and activity monitoring

THREAT #2: Misconfiguration

  • Concept: Misconfiguration and Inadequate Change Control. The Dow Jones Watchlist database was deployed in AWS without password protection, and no one verified the database configuration. Actor: an authorized third-party vendor for Dow Jones failed to password-protect an AWS-hosted Elasticsearch database belonging to Dow Jones.
  • Threat / Vulnerability:
  • CWE: 16 (not specific enough)
  • Company: Dow Jones
  • Link: https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/

SOLUTION #2A: Change control practices, baseline configuration, best practices. Can you test for these flaws across the entire environment?

  • Link:
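The question above is the practical one: the two flaws so far (an overprovisioned instance role in THREAT #1, an internet-reachable data store with no authentication in THREAT #2) are both visible in configuration data you can pull from the account. The following is an added example written for this page, not course or AWS code: it audits constructed records shaped like an IAM policy document and like EC2 DescribeSecurityGroups output. Field names (`Statement`, `Action`, `Resource`, `IpPermissions`, `IpRanges`, `CidrIp`) are the real API shapes; every value, group id and bucket name is made up.

```python
"""Added example: audit AWS configuration for two flaw classes.

1. IAM policies whose Allow statements use wildcard actions or resources
   (the overprovisioned role pattern from THREAT #1).
2. Security groups that expose a data-store port to non-internal address
   space (the open Elasticsearch pattern from THREAT #2).
All records below are constructed; only the field names follow AWS APIs.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: what an over-broad instance role for a WAF host might carry.
OVERPROVISIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:PutLogEvents",
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:waf:*"},
    ],
}

# Constructed: the same role scoped to the one bucket prefix it needs.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::waf-config-bucket/rules/*"},
    ],
}

# Ports where an unauthenticated listener is a data spill waiting to happen.
SENSITIVE_PORTS = {9200: "elasticsearch", 11211: "memcached",
                   3306: "mysql", 27017: "mongodb"}

# Constructed security groups in DescribeSecurityGroups shape.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "watchlist-es",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "app-internal",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: Dict) -> List[str]:
    """Return one finding per Allow statement with a wildcard action or resource."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append(f"statement {idx}: wildcard action {wild_actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {idx}: resource '*'")
    return findings


def _is_internal(cidr: str) -> bool:
    """True when the CIDR sits entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def sg_findings(groups) -> List[Tuple[str, int, str, str]]:
    """Return (group id, port, service, cidr) for sensitive ports open to non-internal ranges."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            all_ports = perm.get("IpProtocol") == "-1"   # "-1" means every protocol/port
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if _is_internal(cidr):
                    continue
                for port, service in SENSITIVE_PORTS.items():
                    if all_ports or lo <= port <= hi:
                        findings.append((group["GroupId"], port, service, cidr))
    return findings


if __name__ == "__main__":
    for name, pol in (("overprovisioned", OVERPROVISIONED_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, policy_findings(pol))
    print(sg_findings(SECURITY_GROUPS))
```

In a real account the two inputs come from `iam:GetPolicyVersion` / `iam:GetRolePolicy` and `ec2:DescribeSecurityGroups`; the checks themselves stay the same, and running them on a schedule is the "test across the entire environment" step that change control alone does not give you.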

SOLUTION #2B: Vulnerability Management

Demonstration: 5 Vulnerability Management Lab

THREAT #3: Encryption key management / rotation

SOLUTION #3:

  • Which is best for Tesla? (Read and vote next)
  • AWS Systems Manager Parameter Store

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

  • Secrets Manager

https://aws.amazon.com/secrets-manager/

  • Key Management Service

https://aws.amazon.com/kms/
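Whichever of the three you vote for, the failure mode in THREAT #3 is a key or credential that is never rotated, or a secret parked in plain storage. The following is an added example for this page, not course or AWS code: it audits constructed records shaped like Secrets Manager `DescribeSecret` output (`RotationEnabled`, `RotationRules.AutomaticallyAfterDays`, `LastRotatedDate`) and like Parameter Store `DescribeParameters` output (`Name`, `Type`). The field names are real; the secret names, dates and the 90-day default are assumptions for the example.

```python
"""Added example: rotation and storage-type audit for secrets.

Records are constructed in the shape of Secrets Manager DescribeSecret and
SSM DescribeParameters responses. The clock is fixed so results are stable.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "current time" (constructed)
MAX_AGE_DAYS = 90                                  # assumed policy when no schedule is set

SECRETS = [
    {"Name": "prod/db/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=12)},
    {"Name": "prod/api/partner-token", "RotationEnabled": False,
     "CreatedDate": NOW - timedelta(days=400)},
    {"Name": "staging/db/password", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=75)},   # rotation job has stalled
]

PARAMETERS = [
    {"Name": "/app/feature-flags", "Type": "String"},
    {"Name": "/app/db/password", "Type": "String"},        # secret stored in the clear
    {"Name": "/app/api/token", "Type": "SecureString", "KeyId": "alias/app-params"},
]

SECRET_NAME_HINTS = ("password", "secret", "token", "key")


def rotation_findings(secrets: List[Dict], now: datetime = NOW,
                      max_age_days: int = MAX_AGE_DAYS) -> List[Tuple[str, str]]:
    """Return (secret name, reason) for secrets not rotated on schedule."""
    findings = []
    for s in secrets:
        name = s["Name"]
        if not s.get("RotationEnabled"):
            # No rotation at all: report how long the credential has lived.
            age = (now - s.get("LastRotatedDate", s["CreatedDate"])).days
            findings.append((name, f"rotation disabled; credential is {age} days old"))
            continue
        last = s.get("LastRotatedDate")
        if last is None:
            findings.append((name, "rotation enabled but never rotated"))
            continue
        interval = s.get("RotationRules", {}).get("AutomaticallyAfterDays", max_age_days)
        age = (now - last).days
        if age > interval:
            # Rotation is configured but the job is not keeping up: this is
            # the case monitoring catches and configuration review misses.
            findings.append((name, f"overdue: {age} days since rotation, schedule is {interval}"))
    return findings


def parameter_findings(parameters: List[Dict]) -> List[str]:
    """Return parameter names that look like secrets but are not SecureString."""
    return [p["Name"] for p in parameters
            if p.get("Type") != "SecureString"
            and any(h in p["Name"].lower() for h in SECRET_NAME_HINTS)]


if __name__ == "__main__":
    for name, reason in rotation_findings(SECRETS):
        print(f"{name}: {reason}")
    print("plain-text parameters:", parameter_findings(PARAMETERS))
```

The two checks map onto the choice being voted on: Parameter Store holds configuration and, as `SecureString`, secrets encrypted under a KMS key, but it does not rotate anything; Secrets Manager adds the rotation schedule that the first function audits; KMS is the key material underneath both.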

THREAT #5: DOS

  • Concept: Page # 14
  • The actor used a technique known as Memcrashing to create a DDoS attack. Memcrashing exploits memcached database servers open to the public internet with no authentication.
  • DDoS amplification: the actor sends a 203-byte request (a database command) to an open memcached server with the source address spoofed to GitHub. The server responds with 50,000 times the amount of data it received in the command, so a 203-byte request results in a 100MB response. GitHub inbound network traffic peaked at 1.35Tbps.
  • Threat / Vulnerability: Availability; DDoS against the network or application layer.
  • CWE: CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
  • Company: GitHub
  • Link:

SOLUTION #5: Architecture / Monitoring / Content Delivery Network (CDN)
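The monitoring half of this solution comes down to one observation: reflected traffic arrives from a well-known service port, in volume, with little or nothing sent back to that peer. The following is an added example for this page, not course or AWS code: it runs that check over constructed VPC Flow Log lines in the default version-2 format (`srcaddr dstaddr srcport dstport protocol packets bytes ...`). The addresses, byte counts, and the 1 MB / 50x thresholds are assumptions chosen for the example.

```python
"""Added example: detect UDP amplification traffic in VPC Flow Logs.

The log lines are constructed in the version-2 default format. A peer is
flagged when it sends a large volume from a known reflector port while the
monitored host sent it almost nothing (a spoofed request never came from us).
"""
from collections import defaultdict
from typing import Dict, List, Set

# Service ports commonly abused as reflectors; memcached is the page's case.
REFLECTOR_PORTS = {11211: "memcached", 123: "ntp", 53: "dns", 1900: "ssdp"}

# Constructed flow records for one monitored host, 10.0.1.5, over 60 seconds.
# Fields: version account eni src dst srcport dstport proto pkts bytes start end action status
FLOW_LOGS = """\
2 123456789012 eni-0abc 198.51.100.7 10.0.1.5 11211 43091 17 9000 9200000 1519932000 1519932060 ACCEPT OK
2 123456789012 eni-0abc 198.51.100.8 10.0.1.5 11211 43091 17 8800 9000000 1519932000 1519932060 ACCEPT OK
2 123456789012 eni-0abc 10.0.1.5 203.0.113.9 43091 11211 17 3 609 1519932000 1519932060 ACCEPT OK
2 123456789012 eni-0abc 203.0.113.9 10.0.1.5 11211 43091 17 5 2200 1519932000 1519932060 ACCEPT OK
2 123456789012 eni-0abc 192.0.2.44 10.0.1.5 443 51000 6 40 52000 1519932000 1519932060 ACCEPT OK
"""

LOCAL_ADDRS = {"10.0.1.5"}


def amplification_findings(log_text: str, local_addrs: Set[str],
                           min_bytes: int = 1_000_000,
                           min_ratio: float = 50.0) -> List[Dict]:
    """Aggregate UDP bytes per (peer, reflector port) and flag lopsided flows."""
    inbound = defaultdict(int)    # bytes received from (peer, port)
    outbound = defaultdict(int)   # bytes we sent to (peer, port)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[7] != "17":          # protocol 17 = UDP
            continue
        src, dst = f[3], f[4]
        sport, dport, nbytes = int(f[5]), int(f[6]), int(f[9])
        if dst in local_addrs and sport in REFLECTOR_PORTS:
            inbound[(src, sport)] += nbytes
        elif src in local_addrs and dport in REFLECTOR_PORTS:
            outbound[(dst, dport)] += nbytes

    findings = []
    for (peer, port), got in inbound.items():
        sent = outbound.get((peer, port), 0)
        ratio = got / sent if sent else float("inf")   # nothing sent: pure reflection
        if got >= min_bytes and ratio >= min_ratio:
            findings.append({"reflector": peer, "service": REFLECTOR_PORTS[port],
                             "bytes_in": got, "bytes_out": sent, "ratio": ratio})
    return sorted(findings, key=lambda d: d["bytes_in"], reverse=True)


if __name__ == "__main__":
    for finding in amplification_findings(FLOW_LOGS, LOCAL_ADDRS):
        print(finding)
```

The 203.0.113.9 exchange is deliberately left unflagged: the host really did send three requests and got a modestly larger reply, which is what a legitimate client of a UDP service looks like. The architecture and CDN parts of the solution are what absorb the flagged volume; this check only tells you it is happening and from which reflectors.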

THREAT #6: third-party trackers ( PII data spill w/o resolution)

  • Concept: Page # 18
  • Threat / Vulnerability:
  • An investigation by the EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers' personally identifiable information (PII). Four main analytics and marketing companies, branch.io, mixpanel.com, appsflyer.com and facebook.com (even if you don't have a Facebook account), were receiving names, IP addresses, mobile network carriers, persistent identifiers, and sensor data from the devices of paying customers.
  • Company: Ring parent Amazon
  • Link: https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers

SOLUTION #6: (we can talk about) Amazon Macie - DLP
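A DLP tool like Macie classifies data by looking for PII patterns; the same idea applied to outbound app telemetry would have surfaced the spill above. The following is an added example for this page, not course, Amazon or Macie code: it walks constructed JSON payloads, each tagged with the host it was sent to, and reports which PII classes reached each third-party host. The hosts, payloads and the first-party allow list are made-up examples; the PII classes mirror the ones the EFF investigation lists (names, IP addresses, carriers, persistent identifiers).

```python
"""Added example: classify PII in outbound app telemetry by destination host.

Payloads and hostnames are constructed. Detection combines value patterns
(email, IPv4, UUID-style persistent identifier) with exact key names that
carry PII regardless of value shape (name, carrier, location).
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

PII_VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "persistent_id": re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I),
}

# Exact leaf-key matches (case-insensitive) that are PII by definition.
PII_KEYS = {"name": "name", "user_name": "name", "carrier": "mobile_carrier",
            "imei": "persistent_id", "lat": "location", "lon": "location"}

FIRST_PARTY = {"api.doorbell.example"}   # constructed first-party endpoint

# Constructed telemetry: one first-party call and two third-party calls.
EVENTS = [
    {"host": "api.doorbell.example",
     "body": {"event": "ring", "device": "front-door", "user_name": "Jane Doe"}},
    {"host": "analytics.example.net",
     "body": {"event": "app_open", "user_name": "Jane Doe", "carrier": "Example Mobile",
              "ad_id": "6f9619ff-8b86-d011-b42d-00cf4fc964ff",
              "sensors": {"accel": [0.01, 0.98, 0.05]}}},
    {"host": "ads.example.org",
     "body": {"ip": "203.0.113.5", "email": "jane@example.com"}},
]


def _walk(obj, path: str = "") -> Iterable[Tuple[str, object]]:
    """Yield (dotted path, leaf value) for every scalar in a nested structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, obj


def classify_value(path: str, value) -> Set[str]:
    """PII classes for one leaf, from its key name and its value shape."""
    classes = set()
    leaf = path.rsplit(".", 1)[-1].split("[")[0].lower()
    if leaf in PII_KEYS:
        classes.add(PII_KEYS[leaf])
    if isinstance(value, str):
        for cls, pattern in PII_VALUE_PATTERNS.items():
            if pattern.match(value):
                classes.add(cls)
    return classes


def third_party_pii(events: List[Dict], first_party: Set[str] = FIRST_PARTY) -> Dict[str, List[str]]:
    """Map each non-first-party host to the sorted PII classes it received."""
    report: Dict[str, Set[str]] = {}
    for event in events:
        host = event["host"]
        if host in first_party:
            continue
        for path, value in _walk(event["body"]):
            for cls in classify_value(path, value):
                report.setdefault(host, set()).add(cls)
    return {host: sorted(classes) for host, classes in report.items()}


if __name__ == "__main__":
    for host, classes in third_party_pii(EVENTS).items():
        print(f"{host}: {', '.join(classes)}")
```

Sensor readings are left out of the classifier on purpose: a list of floats has no recognisable shape, which is exactly why device sensor data tends to escape pattern-based DLP and needs a policy decision (which hosts may receive anything at all) rather than a detector.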

If time permits, build your own process:

THREAT #--:

  • Concept: Page #
  • Threat / Vulnerability:
  • CWE:

https://cwe.mitre.org/find/index.html

  • CCM:

https://docs.google.com/spreadsheets/d/17UtKDdpE58SpuHpeGu9VvnjGXFdt175D2sh35C3yS0Q/edit?gid=642078477#gid=642078477

  • Company:

SOLUTION #--:

  • Link(s):
  • Prerequisites:
  • Demonstration:
  • Deployment:
  • Execution - Process: