Title
AWS re:Invent 2022 - Detecting SSRF events on AWS using Splunk (PRT325)
Summary
- Tom Smith, a security strategist with eight years at Splunk, discusses detecting server-side request forgery (SSRF) events on AWS using Splunk.
- He explains SSRF, recreates an attack based on a real-world event, and highlights the differences between what AWS logs and what Splunk can detect.
- The attack involved exploiting the AWS metadata service endpoint to gain credentials and admin access within 15 minutes.
- AWS services like Security Hub, GuardDuty, and CloudTrail provided some alerts, but not until after significant actions had already been taken by the attacker.
- Splunk's capabilities, including Cloud Data Manager, Enterprise Security (ES), and SOAR, can help detect and automate responses to such attacks.
- The presentation emphasizes the importance of the AWS shared responsibility model, testing code, and meticulous IAM strategy to prevent such breaches.
Insights
- AWS's default configurations can leave systems vulnerable to SSRF attacks, as demonstrated by the ease with which the attack was recreated.
- AWS services alone may not provide timely or detailed enough alerts to prevent or understand the full scope of an attack.
- Integrating AWS data with Splunk can provide earlier detection of suspicious activities and a more comprehensive view of security events.
- The use of Splunk's Cloud Data Manager simplifies the process of ingesting AWS data into Splunk, overcoming previous challenges with data onboarding.
- Splunk's Enterprise Security can automatically detect and alert on unusual activities, such as new logins from unfamiliar locations or rapid IAM changes.
- Automation and orchestration through SOAR can significantly reduce the time to respond to incidents and mitigate damage.
- The shared responsibility model is crucial to understand; customers are responsible for securing their data, applications, and operating systems on AWS.
- Regular testing of code and a well-planned IAM strategy are essential for maintaining security in the cloud.
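The two signals the recreated attack leaves in CloudTrail are EC2 instance-profile credentials being used from somewhere other than the instance, and a burst of IAM changes by that same session minutes later. The detection logic below is an added example, not code from the talk or from Splunk; the egress range, account id, role name and sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress
# Assumption (constructed): the web tier's only expected egress range.
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
IAM_WRITE_PREFIXES = ("Create", "Attach", "Put", "Add", "Update", "Delete")

def _ev(t, ip, source, name, session="i-0abc123def456789"):
    """Build a minimal constructed CloudTrail record for an EC2 instance-profile session."""
    return {"eventTime": t, "sourceIPAddress": ip, "eventSource": source, "eventName": name, "userIdentity":
            {"type": "AssumedRole", "arn": f"arn:aws:sts::111122223333:assumed-role/WebAppRole/{session}"}}

# Constructed sample: one legitimate S3 read, then the same session used off-host to escalate IAM.
SAMPLE_EVENTS = [
    _ev("2022-11-29T10:00:00Z", "203.0.113.10", "s3.amazonaws.com", "GetObject"),
    _ev("2022-11-29T10:05:00Z", "198.51.100.7", "sts.amazonaws.com", "GetCallerIdentity"),
    _ev("2022-11-29T10:06:00Z", "198.51.100.7", "iam.amazonaws.com", "CreateUser"),
    _ev("2022-11-29T10:07:00Z", "198.51.100.7", "iam.amazonaws.com", "AttachUserPolicy"),
    _ev("2022-11-29T10:08:00Z", "198.51.100.7", "iam.amazonaws.com", "CreateAccessKey"),
]

def is_instance_role_session(ev):
    """EC2 instance-profile sessions are named after the instance id (i-...)."""
    u = ev["userIdentity"]
    return u["type"] == "AssumedRole" and u["arn"].rsplit("/", 1)[-1].startswith("i-")

def credential_misuse(events):
    """Instance-role sessions calling from outside EXPECTED_EGRESS -> [(time, arn, eventName)]."""
    hits = []
    for ev in events:
        if is_instance_role_session(ev):
            ip = ipaddress.ip_address(ev["sourceIPAddress"])
            if not any(ip in net for net in EXPECTED_EGRESS):
                hits.append((ev["eventTime"], ev["userIdentity"]["arn"], ev["eventName"]))
    return hits

def iam_bursts(events, threshold=3, window_s=300):
    """Principals with >= threshold IAM write calls inside window_s seconds -> {arn: total writes}."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"].startswith(IAM_WRITE_PREFIXES):
            by_actor[ev["userIdentity"]["arn"]].append(datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted call times
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged[actor] = len(times)
                break
    return flagged
```

Running `credential_misuse(SAMPLE_EVENTS)` flags the four off-host calls, including the first `GetCallerIdentity` at 10:05, while `iam_bursts(SAMPLE_EVENTS)` flags the session once three IAM writes land inside five minutes.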