Amazon AWS Network ACL Remediation Proof of Concept Guide
Cisco Stealthwatch Cloud

Technical Guide, Cisco Public
May 2020

© 2020 Cisco and/or its affiliates. All rights reserved.


This proof of concept shows how to leverage Stealthwatch Cloud’s ability to interact directly with the AWS services infrastructure to perform automated remediation when a threat is triggered. The action blocks malicious attackers on the Internet that are attempting to exploit an exposed workload, dynamically protecting it via AWS VPC Network ACLs (NACLs) as the threat evolves in real time. NACLs do have a threshold limitation of 200 ACLs, each with a 20-rule limit. For this reason, using NACLs at scale is not ideal; substituting Security Group rules or other AWS operations in the provided script is an easy way to accomplish other remediations. NACL remediation was chosen only to demonstrate a sample proof of concept.

How it works

1. There are 4 configurations that need to be made in this proof of concept. They are as follows:

a. Stealthwatch Cloud API access credential

b. AWS Lambda function with remediation python code

c. AWS SNS Topic connected to AWS Lambda function

d. Stealthwatch Cloud SNS Topic subscription

2. First you will create the Stealthwatch Cloud API access credential to be used within the Lambda remediation script code. Login to your Stealthwatch Cloud portal and navigate to the following URL: https://<customer>.obsrvbl.com/accounts/settings/user/


3. Click the “Generate New Key” button as shown. This creates the API credential set, comprised of both the API user and the API key. Take note of these, as they will be copied into the Lambda function shortly:

4. Now you will create your AWS Lambda Function. Open your AWS console and navigate to Compute -> Lambda as shown. Click the Create function button:

5. Give the function a friendly name, select Python 3.6 as the Runtime and click the “Create function” button:


6. Once created, you will be taken to the Lambda interactive designer screen. From here, scroll down to the in-line code editor. You will see a default set of Python code prefilled in the editor:

7. Erase this code and replace it with the remediation Python code found in the following GitHub repository: https://github.com/jmoncrief/stealthwatch/blob/master/stealthwatch_cloud_aws_nacl.py

8. The inline editor should now look as follows and be exactly 104 lines long:

9. Substitute the following values in the code with the values you noted when you created the Stealthwatch Cloud API credential. Place each value within each placeholder’s single quotations, ensuring the quotations remain:


10. You will now adjust the timeout value for the function to ensure it has enough time to execute the NACL deny-rule insertion tasks. Scroll down in the Lambda designer to the Basic settings section and click Edit:

11. Set the timeout value to 5 minutes and click Save:

12. You will now give the Lambda appropriate permissions to access the AWS EC2 and VPC environments to make the necessary Network ACL changes for the automated remediation. Click on the Permissions tab as shown:


13. Click on the automatically generated Role name for this Lambda. This will open the Identity and Access Management (IAM) service:

14. Click the “Attach policies” blue button and individually add the following required Lambda function permissions:

15. The next step is to create the Simple Notification Service (SNS) topic that will essentially link Stealthwatch Cloud and the Lambda you have just created. Navigate to Services – Simple Notification Service as shown:

16. Click Topics and then Create topic:

17. Enter a name for the topic, leave everything else as default and click Create topic:


18. Click the name of the topic to enter its configuration. Click on the Access Policy tab to edit the policy JSON to grant Stealthwatch Cloud permission to submit Alert details to it. Append the following statement to the existing JSON, replacing the Resource value with your SNS topic ARN as noted, and save:

    {
        "Sid": "__console_pub_0",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::757972810156:role/site_role"
        },
        "Action": "sns:Publish",
        "Resource": "<insert your sns topic ARN here>"
    }

The resulting policy should look as follows:

19. Now you will copy the ARN value for the newly created SNS topic, which will be used to configure Stealthwatch Cloud to relay Alert information to the topic. Copy the following value:

20. Now navigate to your Stealthwatch Cloud portal’s SNS configuration page: https://<customer>.obsrvbl.com/webhooks/create/aws_sns/


21. Paste the SNS Topic ARN in the following field and click “Add”:

22. Once done, the Services/Webhooks main page should have an SNS entry similar to the following:

23. The last configuration is to go back into AWS to your Lambda function and link the Lambda to the SNS topic. From the Lambda designer click “Add Trigger”:


24. Choose the SNS Topic previously created and click Add:

25. You will now see the SNS Topic added in the designer as an enabled Trigger for the Lambda:


26. This process is now complete, and you have an enabled, operational Lambda ready to perform automated NACL remediation. VPC rule insertions will now occur any time a malicious IP on the Internet attempts to brute force its way into any exposed workload that Stealthwatch Cloud is monitoring. The Alert that the Lambda listens for in this scenario is “Excessive Access Attempts (External)”.

Once triggered the offenders will be automatically blocked 24x7 with NACL deny rules similar to the following:
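The following is an added illustration of the Lambda logic the procedure above wires together, not the script from the GitHub repository the guide links to. It assumes the SNS message body is a JSON alert with alert_type and source_ip fields (the guide does not show the message schema), that the target NACL id is supplied via a NACL_ID environment variable, and that a deny covers all protocols; it skips internal address space, already-denied offenders, and stops when the 20-rule limit the guide cites is reached.

```python
import ipaddress
import json
import os

TARGET_ALERT = "Excessive Access Attempts (External)"  # alert name from the guide
RULES_PER_NACL = 20                                     # NACL rule limit the guide cites
NEVER_BLOCK = [ipaddress.ip_network(n) for n in          # internal space a deny must not touch
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def offender_ips(event):
    """IPv4 offenders from the target alert type in an SNS-triggered Lambda event.
    Alert fields alert_type / source_ip are assumed; the guide does not show the schema."""
    ips = []
    for record in event.get("Records", []):
        try:
            alert = json.loads(record["Sns"]["Message"])
            if alert.get("alert_type") == TARGET_ALERT:
                ips.append(ipaddress.IPv4Address(alert["source_ip"]))
        except (KeyError, ValueError):
            pass                     # malformed record or address: skip, never crash the handler
    return ips

def plan_deny_entries(event, nacl_id, entries):
    """Parameter sets for ec2.create_network_acl_entry, one per new offender, within the rule budget."""
    rules = [e for e in entries if not e.get("Egress") and e["RuleNumber"] < 32767]  # 32767 = default rule
    used = {e["RuleNumber"] for e in rules}
    denied = {e.get("CidrBlock") for e in rules if e.get("RuleAction") == "deny"}
    planned = []
    for addr in offender_ips(event):
        cidr = f"{addr}/32"
        if cidr in denied or any(addr in net for net in NEVER_BLOCK):
            continue                 # already blocked, or internal: spend no rule on it
        if len(used) >= RULES_PER_NACL:
            break                    # NACL rule budget exhausted: stop rather than overwrite
        num = next(n for n in range(1, 32767) if n not in used)   # lowest free number wins first
        used.add(num)
        denied.add(cidr)
        planned.append({"NetworkAclId": nacl_id, "RuleNumber": num, "Protocol": "-1",
                        "RuleAction": "deny", "Egress": False, "CidrBlock": cidr})
    return planned

def lambda_handler(event, context):
    """Lambda entry point: read the NACL, then apply the planned denies (boto3 imported lazily)."""
    import boto3
    nacl_id = os.environ["NACL_ID"]  # assumption: target NACL id is supplied as an env var
    ec2 = boto3.client("ec2")
    acl = ec2.describe_network_acls(NetworkAclIds=[nacl_id])["NetworkAcls"][0]
    for params in plan_deny_entries(event, nacl_id, acl["Entries"]):
        ec2.create_network_acl_entry(**params)
```

NACL rules are evaluated lowest number first, so a deny only takes effect ahead of allow rules with higher numbers; keep the low rule numbers free for remediation entries.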

Printed in USA Cxx-xxxxxx-xx 01/20