├── .gitignore
├── README.md
├── analytics
    ├── Dockerfile
    ├── README.md
    ├── aws_credentials.txt
    ├── docker_build.sh
    ├── entrypoint.sh
    ├── environment.env
    ├── requirements.txt
    └── src
    │   ├── beaconer.py
    │   ├── cloud_sniper_800.png
    │   ├── pdf_reporter.py
    │   └── results_generator.py
├── cloud-sniper
    ├── cloudwatch-event-target.tf
    ├── cloudwatch_event_rule.tf
    ├── data.tf
    ├── dynamo.tf
    ├── iam-policy.tf
    ├── iam-role-policy-attachment.tf
    ├── iam-role-policy.tf
    ├── iam_group.tf
    ├── iam_group_policy_attachment.tf
    ├── kinesis_firehose_delivery_stream.tf
    ├── lambda-funtion.tf
    ├── lambda-permission.tf
    ├── lambdas
    │   └── functions
    │   │   ├── cloud-sniper-tagging
    │   │       └── cloud_sniper_tagging_ir.py
    │   │   └── cloud-sniper
    │   │       └── cloud_sniper.py
    ├── outputs.tf
    ├── role.tf
    ├── s3_bucket.tf
    ├── sqs_queue.tf
    ├── sqs_queue_policy.tf
    ├── variables.tf
    └── waf.tf
├── images
    ├── deployment.png
    └── logo.png
├── playbooks
    ├── cloudsniper_playbook_nist.md
    └── cloudsniper_playbook_nist.tf
└── wiki
    └── WIKI.md


/.gitignore:
--------------------------------------------------------------------------------
 1 | .DS_Store
 2 | *.zip
 3 | .idea
 4 | .terraform
 5 | main.tf
 6 | .terraform/
 7 | terraform.tfstate
 8 | terraform.tfstate.backup
 9 | terraform.tfvarsf
10 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | <br> </br>
 2 | ### [Cloud Sniper has a new home!! Click here to visit!!](https://github.com/cloud-sniper/cloud-sniper)
 3 | <br> </br>
 4 | <br> </br>
 5 | ![alt text](images/logo.png "Cloud Sniper")
 6 | <br> </br>
 7 | ## *Cloud Security Operations*
 8 | 
 9 | ### *What is Cloud Sniper?*
10 | 
11 | ***Cloud Sniper*** is a platform designed to manage *Security Operations* in cloud environments. It is an open platform which allows responding to security incidents by accurately analyzing and correlating native cloud artifacts. It is to be used as a *Virtual Security Operations Center (vSOC)* to detect and remediate security incidents providing a complete visibility of the company's cloud security posture.
12 | 
13 | With this platform, you will have a complete and comprehensive management of the security incidents, reducing the costs of having a group of level-1 security analysts hunting for cloud-based *Indicators of Compromise (IOC)*. These *IOCs*, if not correlated, will generate difficulties in detecting complex attacks. At the same time ***Cloud Sniper*** enables advanced security analysts integrate the platform with external forensic or incident-and-response tools to provide security feeds into the platform.
14 | 
15 | The cloud-based platform is deployed automatically and provides complete and native integration with all the necessary information sources, avoiding the problem that many vendors have when deploying or collecting data.
16 | 
17 | ***Cloud Sniper*** receives cloud-based and third-parties feeds and automatically responds protecting your infrastructure and generating a knowledge database of the *IOCs* that are affecting your platform. This is the best way to gain visibility in environments where information can be bounded by the *Shared Responsibility Model* enforced by cloud providers.
18 | 
19 | To detect advanced attack techniques, which may easily be ignored, the ***Cloud Sniper Analytics*** module correlates the events generating *IOCs*. These will give visibility on complex artifacts to analyze, helping both to stop the attack and to analyze the attacker's *TTPs*.
20 | 
21 | ***Cloud Sniper*** is currently available for *AWS*, but it is to be extended to others cloud platforms.
22 | <br> </br>
23 | ### *Automatic infrastructure deployment (for AWS)*
24 | 
25 | ![alt text](images/deployment.png "Cloud Sniper")
26 | <br> </br>
27 | ### WIKI => [HOW IT WORKS](wiki/WIKI.md)
28 | 
29 | ### Cloud Sniper releases
30 | 
31 |     1.  Automatic Incident and Response 
32 |         1.  WAF filtering
33 |         2.  NACLs filtering
34 |         3.  IOCs knowledge database. 
35 |         4.  Tactics, Techniques and Procedures (TTPs) used by the attacker
36 |     2.  Security playbooks
37 |         1.  NIST approach
38 |     3.  Automatic security tagging
39 |     4.  Cloud Sniper Analytics
40 |         1.  Beaconing detection with VPC Flow Logs (C2 detection analytics)
41 | 
42 | ### Upcoming Features and Integrations
43 | 
44 |     1.  Security playbooks for cloud-based environments
45 |     2.  Security incidents centralized management for multiple accounts. Web Management UI
46 |     3.  WAF analytics
47 |     4.  Case management (automatic case creation)
48 |     5.  IOCs enrichment and Threat Intelligence feeds
49 |     6.  Automatic security reports based on well-known security standards (NIST)
50 |     7.  Integration with third-party security tools (DFIR)
51 | 


--------------------------------------------------------------------------------
/analytics/Dockerfile:
--------------------------------------------------------------------------------
 1 | ARG BASE_CONTAINER=python:3
 2 | 
 3 | FROM $BASE_CONTAINER
 4 | 
 5 | FROM python:3
 6 | 
 7 | COPY requirements.txt .
 8 | RUN pip install --no-cache-dir -r requirements.txt
 9 | RUN pip install awscli
10 | 
11 | COPY aws_credentials.txt /root/.aws/credentials
12 | 
13 | WORKDIR /usr/src/beaconer
14 | 
15 | COPY entrypoint.sh ./
16 | COPY environment.env ./
17 | COPY ./src/* ./
18 | 
19 | ENTRYPOINT ["/bin/bash", "entrypoint.sh"]
20 | 


--------------------------------------------------------------------------------
/analytics/README.md:
--------------------------------------------------------------------------------
 1 | # Cloud Sniper Analytics module
 2 | 
 3 | Ideally, this should be deployed with terra. 
 4 | 
 5 | Currenly, VPC-Flowlogs should be stored on S3 and the beaconing module looks for beaconing patterns in those flows.
 6 | 
 7 | To configure it, update:
 8 | * aws_credentials.txt: your aws credentials for boto3
 9 | * environment.env: the s3 keys where to read the VPC flows from and where to write the generated report
10 | 
11 | Create the docker image on an EC2 instance (`sudo sh docker_build.sh`) and run the container (`sudo docker run cloudsniper/beaconer`). A pdf report is stored in the configured S3 path.
12 | 


--------------------------------------------------------------------------------
/analytics/aws_credentials.txt:
--------------------------------------------------------------------------------
1 | [default]
2 | aws_access_key_id = <your_access_key>
3 | aws_secret_access_key = <your_secret_access_key>
4 | 
5 | 


--------------------------------------------------------------------------------
/analytics/docker_build.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin
 2 | 
 3 | DEFAULT_IMAGE_NAME=cloudsniper/beaconer
 4 | 
 5 | usage()
 6 | {
 7 |     echo "Usage: docker_build.sh [image_name]"
 8 |     echo "\timage_name is optional (default "$DEFAULT_IMAGE_NAME")"
 9 | }
10 | 
11 | case $1 in
12 |     -h | --help )
13 |     usage
14 |     exit 0
15 | esac
16 | 
17 | SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
18 | echo "Building the docker image with Dockerfile defined at $SCRIPTPATH"
19 | 
20 | if [ "$#" -ge 2 ]; then
21 |     usage
22 | fi
23 | 
24 | IMAGE_NAME=${DEFAULT_IMAGE_NAME}
25 | if [ "$#" -eq 1 ]; then
26 |     IMAGE_NAME=$1
27 | fi
28 | 
29 | echo docker build $SCRIPTPATH -t $IMAGE_NAME
30 | docker build $SCRIPTPATH -t $IMAGE_NAME
31 | 


--------------------------------------------------------------------------------
/analytics/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | source environment.env
4 | 
5 | python beaconer.py ${S3_BUCKET} ${S3_INPUT_PATH} ${S3_OUTPUT_PATH}
6 | 


--------------------------------------------------------------------------------
/analytics/environment.env:
--------------------------------------------------------------------------------
1 | export S3_BUCKET=cs-ekoparty
2 | export S3_INPUT_PATH=vpc-flows/
3 | export S3_OUTPUT_PATH=vpc-flowgs_analysis/
4 | 


--------------------------------------------------------------------------------
/analytics/requirements.txt:
--------------------------------------------------------------------------------
 1 | boto3==1.9.109
 2 | ipaddress==1.0.22
 3 | matplotlib==3.0.2
 4 | numpy==1.15.4
 5 | pandas==0.23.4
 6 | reportlab==3.5.13
 7 | scikit-learn==0.20.1
 8 | scipy==1.1.0
 9 | sklearn==0.0
10 | 


--------------------------------------------------------------------------------
/analytics/src/beaconer.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # coding: utf-8
  3 | 
  4 | import os
  5 | import argparse
  6 | import scipy.stats
  7 | import ipaddress
  8 | import numpy as np
  9 | import pandas as pd
 10 | import gzip
 11 | import datetime
 12 | import boto3
 13 | 
 14 | import results_generator
 15 | 
 16 | 
 17 | TMP_DOWNLOAD_DIR = "/tmp/s3_download"
 18 | TMP_REPORT_DIR = "/tmp/report"
 19 | PROCESS_LAST_HOURS = 10
 20 | now = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")
 21 | RESULTS_FNAME = "%s.json" % now
 22 | RESULTS_FNAME_PDF = "%s.pdf" % now
 23 | 
 24 | FLOW_COLUMNS = [
 25 |     "date",
 26 |     "version",
 27 |     "account-id",
 28 |     "interface-id",
 29 |     "srcaddr",
 30 |     "dstaddr",
 31 |     "srcport",
 32 |     "dstport",
 33 |     "protocol",
 34 |     "packets",
 35 |     "bytes",
 36 |     "start",
 37 |     "end",
 38 |     "action",
 39 |     "log-status",
 40 | ]
 41 | 
 42 | def get_args():
 43 |     parser = argparse.ArgumentParser()
 44 |     parser.add_argument("s3_bucket", help="AWS S3 bucket name where to read the vpc flows from and write the results")
 45 |     parser.add_argument("s3_input_path", help="path in the s3_backet to look for the data")
 46 |     parser.add_argument("s3_output_path", help="path in the s3_backet to write the results")
 47 | 
 48 |     return parser.parse_args()
 49 | 
 50 | 
 51 | def load_data(s3_bucket, s3_input_path):
 52 |     s3 = boto3.resource('s3')
 53 | 
 54 |     bucket = s3.Bucket(name=s3_bucket)
 55 |     prefix = s3_input_path
 56 |     if not prefix.endswith("/"): prefix += "/"
 57 | 
 58 |     if not os.path.exists(TMP_DOWNLOAD_DIR):
 59 |         os.mkdir(TMP_DOWNLOAD_DIR)
 60 |     for i, s3_file_obj in enumerate(bucket.objects.filter(Prefix=prefix)):
 61 |         bucket.download_file(s3_file_obj.key, TMP_DOWNLOAD_DIR + "/%06d" % i + ".log.gz")
 62 |         if i == 110: break
 63 | 
 64 |     data = []
 65 |     for fname in sorted(os.listdir(TMP_DOWNLOAD_DIR)):
 66 |         if not fname.endswith(".log.gz"):
 67 |             continue
 68 |         with gzip.open(os.path.join(TMP_DOWNLOAD_DIR, fname), 'r') as fd:
 69 |             first_line = True
 70 |             for line in fd:
 71 |                 if first_line:
 72 |                     first_line = False
 73 |                     continue
 74 |                 data.append(line.decode("utf-8").strip().split(" "))
 75 | 
 76 |     if len(data[0]) == len(FLOW_COLUMNS):
 77 |         df = pd.DataFrame(data, columns=FLOW_COLUMNS)
 78 |         df.drop(['date'], axis=1, inplace=True)
 79 |     else:
 80 |         df = pd.DataFrame(data, columns=FLOW_COLUMNS[1:])
 81 |     return df
 82 | 
 83 | 
 84 | def filter_format_data(df):
 85 |     df = df[df.srcaddr != "-"]
 86 |     df = df[df.dstaddr != "-"]
 87 |     df.drop(["version", "account-id", "interface-id", "srcport"], axis=1, inplace=True)
 88 |     df = df.replace("-", np.nan)
 89 |     df = df.replace("-", np.nan)
 90 |     df[["dstport", "protocol", "packets", "bytes", "start", "end"]] = \
 91 |         df[["dstport", "protocol", "packets", "bytes", "start", "end"]].apply(pd.to_numeric)
 92 |     return df
 93 | 
 94 | 
 95 | def sort_data(df):
 96 |     df['datetime'] = pd.to_datetime(df.start, unit='s')
 97 |     # TODO: should we process just the last hours?
 98 |     if PROCESS_LAST_HOURS:
 99 |         last_N_hs = max(df.datetime) - datetime.timedelta(hours=PROCESS_LAST_HOURS)
100 |         df = df[df.datetime >= last_N_hs]
101 |     df = df.set_index('datetime')
102 |     df.sort_index(inplace=True)
103 |     return df.reset_index(level=0)
104 | 
105 | 
106 | def filter_useless_data(df):
107 |     # Requirements
108 |     # * srcIP should be private
109 |     # * dstport < 1024 and != 123
110 |     df = df[df.srcaddr.map(lambda x: ipaddress.ip_address(x).is_private)]
111 |     df = df[df.dstport <= 1024]
112 |     df = df[df.dstport != 123]
113 |     return df
114 | 
115 | 
116 | def filter_unfrequent_data(df):
117 |     # remove communications if there were less than 24 snippets
118 |     selection = df.groupby(["srcaddr", "dstaddr", "dstport"])
119 |     df = selection.filter(lambda x: len(x) >= 24)
120 |     df = df.reset_index(level=0)#, inplace=True)
121 |     return df
122 | 
123 | 
124 | def get_features(groups):
125 |     features = {}
126 |     histograms = {}
127 | 
128 |     def compute_features(series):
129 |         res = []
130 |         res.append(scipy.stats.skew(series, bias=False))
131 |         res.append(np.std(series))
132 |         res.append(series.kurt())
133 |         return res
134 | 
135 |     for (srcaddr, dstaddr, port), traffic in groups:
136 |         deltas = traffic.datetime - traffic.datetime.shift(1)
137 |         deltas = deltas.dt.seconds/60
138 |         deltas = deltas.fillna(0).astype(int)
139 |         packets = traffic.packets.astype(int)
140 |         bytes_ = traffic.bytes.astype(int)
141 |         cond = deltas > 0
142 |         deltas = deltas[cond]
143 |         packets = packets[cond]
144 |         bytes_ = bytes_[cond]
145 |         if deltas.size == 0 or packets.size == 0 or bytes_.size == 0:
146 |             continue
147 |         ftrs = [compute_features(x) for x in [deltas, packets, bytes_]]
148 |         ftrs = [x for sublist in ftrs for x in sublist] # flatten
149 |         if (srcaddr, dstaddr, port) not in features:
150 |             features[(srcaddr, dstaddr, port)] = []
151 |         features[(srcaddr, dstaddr, port)].append(ftrs)
152 |         histograms[(srcaddr, dstaddr, port)] = (deltas, packets, bytes_)
153 |     return features, histograms
154 | 
155 | 
156 | # Heuristics based classification
157 | def classify(features):
158 |     res = []
159 |     for k in features:
160 |         counter = 0
161 |         feature = features[k][0]
162 |         counter += feature[1] < 100 # deltas std
163 |         counter += abs(feature[3]) < 10 # packages skew
164 |         counter += feature[4] < 50 # packages std
165 |         counter += abs(feature[5]) < 100 or np.isnan(feature[5]) # packages kurt
166 |         counter += feature[7] < 5000 # bytes std
167 |         counter += feature[8] < 50 or np.isnan(feature[8])# bytes kurt
168 |         if counter >= 5:
169 |             res.append(k)
170 |     return res
171 | 
172 | 
173 | def get_report(groups, histograms, keys):
174 |     r = results_generator.ResultsGenerator()
175 | 
176 |     for (srcaddr, dstaddr, port) in keys:
177 |         first = groups.get_group((srcaddr, dstaddr, port)).iloc[0]
178 |         last = groups.get_group((srcaddr, dstaddr, port)).iloc[-1]
179 | 
180 |         deltas, packets, bytes_ = histograms[(srcaddr, dstaddr, port)]
181 |         comm_hist = results_generator.Histogram()
182 |         comm_hist.set_points(deltas.index.tolist(), deltas.values.tolist(), [True] * len(deltas))
183 |         pack_hist = results_generator.Histogram()
184 |         pack_hist.set_points(packets.index.tolist(), packets.values.tolist(), [True] * len(packets))
185 |         bytes_hist = results_generator.Histogram()
186 |         bytes_hist.set_points(bytes_.index.tolist(), bytes_.values.tolist(), [True] * len(bytes_))
187 | 
188 |         r.add_communication("", "", "", srcaddr, dstaddr, np.asscalar(port),
189 |                             "", first.datetime.ctime(), last.datetime.ctime(),
190 |                             comm_hist, pack_hist, bytes_hist)
191 |     return r
192 | 
193 | 
194 | def write_results(report, s3_bucket, s3_output_fname):
195 |     s3 = boto3.resource('s3')
196 |     s3.Object(s3_bucket, s3_output_fname).put(Body=report)
197 | 
198 | 
199 | def write_pdf_report(grouped_df, bad_stuff, s3_bucket, s3_output_fname):
200 |     if not os.path.exists(TMP_REPORT_DIR):
201 |         os.mkdir(TMP_REPORT_DIR)
202 |     tmp_fname = os.path.join(TMP_REPORT_DIR, RESULTS_FNAME_PDF)
203 |     create_pdf_report(tmp_fname, grouped_df, bad_stuff)
204 |     s3 = boto3.resource('s3')
205 |     s3.meta.client.upload_file(tmp_fname, s3_bucket, s3_output_fname)
206 | 
207 | 
208 | def create_pdf_report(tmp_fname, grouped_df, bad_stuff):
209 |     REPORT_TITLE = "CLOUD SNIPER®"
210 |     REPORT_SUBTITLE = "BEACONING DETECTION REPORT"
211 |     REPORT_DATE = datetime.datetime.now().strftime("%B %d, %Y (at %H:%M)")
212 | 
213 |     import io
214 |     from reportlab.lib.pagesizes import letter
215 |     from reportlab.platypus import SimpleDocTemplate, Paragraph, Spacer, Image, PageBreak
216 |     from reportlab.lib.styles import getSampleStyleSheet
217 |     from reportlab.lib.units import inch
218 |     import numpy as np
219 |     import matplotlib.pyplot as plt
220 |     import matplotlib.dates as mdates
221 | 
222 | 
223 |     def add_text_to_doc(text, style="Normal", fontsize=12):
224 |         Story.append(Spacer(1, 12))
225 |         ptext = "<font size={}>{}</font>".format(fontsize, text)
226 |         Story.append(Paragraph(ptext, styles[style]))
227 |         Story.append(Spacer(1, 12))
228 | 
229 |     def plot_hist(x, xlabel, ylabel, title, color='b'):
230 |         fig, ax = plt.subplots(figsize=(7, 1.8))
231 |         plt.hist(x, bins=300, facecolor=color, rwidth=2)
232 |         date_fmt = mdates.DateFormatter('%H:%M')
233 |         ax.xaxis.set_major_formatter(date_fmt)
234 |         ax.set(title=title)
235 |         ax.set_xlabel(xlabel)
236 |         ax.set_ylabel(ylabel)
237 | 
238 |         buf = io.BytesIO()
239 |         plt.savefig(buf, format='png', dpi=300)
240 |         buf.seek(0)
241 |         plt.close()
242 |         return buf
243 | 
244 |     styles=getSampleStyleSheet()
245 |     doc = SimpleDocTemplate(tmp_fname,pagesize=letter,
246 |                             rightMargin=inch/2,leftMargin=inch/2,
247 |                             topMargin=72,bottomMargin=18)
248 |     # Title section
249 |     Story=[]
250 |     Story.append(Image("./cloud_sniper_800.png", width=5*inch, height=1*inch))
251 |     Story.append(Spacer(1, 200))
252 | #     add_text_to_doc(REPORT_TITLE, style="Title", fontsize=24)
253 |     add_text_to_doc(REPORT_SUBTITLE, style="Title", fontsize=24)
254 |     add_text_to_doc("Report generated on " + REPORT_DATE, style="Title", fontsize=14)
255 | 
256 |     # Nothing to report
257 |     if not bad_stuff:
258 |         add_text_to_doc("No suspicious beaconing communications found :)")
259 | 
260 |     # Reporting for every suspicious communication
261 |     image_buffers = []
262 |     hist_size = (7*inch, 1.5*inch)
263 |     for (srcaddr, dstaddr, dstport) in bad_stuff:
264 |         Story.append(PageBreak())
265 |         # subtitle describing the communication IP -> IP (port number)
266 |         comm_description = "%s -> %s (port %s)" %(srcaddr, dstaddr, dstport)
267 |         add_text_to_doc(comm_description, style="Title", fontsize=14)
268 |         df = grouped_df.get_group((srcaddr, dstaddr, dstport))
269 |         # plotting delta time
270 |         plot = plot_hist(list(df.datetime), "Time (s)", "Frequency", 
271 |                          "Communications in the last %i hours" %PROCESS_LAST_HOURS)
272 |         image_buffers.append(plot)
273 |         im = Image(image_buffers[-1], hist_size[0], hist_size[1])
274 |         Story.append(im)
275 | #         # plotting packets
276 | #         hist = get_list_from_histogram(histograms["packets"])
277 | #         plot = plot_hist(hist, "Number of packets sent", "Frequency", 
278 | #                          "Packets sent distribution", color=(1,.5,0))
279 | #         image_buffers.append(plot)
280 | #         im = Image(image_buffers[-1], hist_size[0], hist_size[1])
281 | #         Story.append(im)
282 | #         # plotting bytes
283 | #         hist = get_list_from_histogram(histograms["bytes"])
284 | #         plot = plot_hist(hist, "Number of bytes sent", "Frequency", 
285 | #                          "Bytes sent distribution", color='m')
286 | #         image_buffers.append(plot)
287 | #         im = Image(image_buffers[-1], hist_size[0], hist_size[1])
288 | #         Story.append(im)
289 | 
290 |     doc.build(Story)
291 |     for image_buffer in image_buffers:
292 |         image_buffer.close()
293 | 
294 | 
295 | if __name__ == "__main__":
296 |     args = get_args()
297 |     df = load_data(args.s3_bucket, args.s3_input_path)
298 |     df = filter_format_data(df)
299 |     df = sort_data(df)
300 |     df = filter_useless_data(df)
301 |     df = filter_unfrequent_data(df)
302 |     groups = df.groupby(["srcaddr", "dstaddr", "dstport"])
303 |     features, histograms = get_features(groups)
304 |     bad_stuff_keys = classify(features)
305 |     report = get_report(groups, histograms, bad_stuff_keys)
306 |     s3_output_path = args.s3_output_path
307 |     if not s3_output_path.endswith("/"): s3_output_path += "/"
308 |     write_results(report.to_json(), args.s3_bucket, args.s3_output_path +  RESULTS_FNAME)
309 |     write_pdf_report(groups, bad_stuff_keys, args.s3_bucket, args.s3_output_path + RESULTS_FNAME_PDF)
310 | 
311 | 


--------------------------------------------------------------------------------
/analytics/src/cloud_sniper_800.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nicolasriverocorvalan/cloud-sniper/def926d45e13c1084cd20e007023e110faf8dabb/analytics/src/cloud_sniper_800.png


--------------------------------------------------------------------------------
/analytics/src/pdf_reporter.py:
--------------------------------------------------------------------------------
 1 | from datetime import datetime
 2 | import io
 3 | 
 4 | from reportlab.lib.pagesizes import letter
 5 | from reportlab.platypus import SimpleDocTemplate, Paragraph, Spacer, Image, PageBreak
 6 | from reportlab.lib.styles import getSampleStyleSheet
 7 | from reportlab.lib.units import inch
 8 | 
 9 | import numpy as np
10 | import matplotlib.pyplot as plt
11 | 
12 | 
13 | 
14 | REPORT_TITLE = "CLOUD SNIPER®"
15 | REPORT_SUBTITLE = "BEACONING DETECTION REPORT"
16 | REPORT_DATE = datetime.now().strftime("%B %d, %Y (at %H:%M)")
17 | 
18 | 
19 | def get_list_from_histogram(histogram):
20 |     x = []
21 |     for entry in histogram:
22 |         x += entry["frequency"] * [entry["value"]]
23 |     return x
24 | 
25 | 
26 | def plot_hist(x, xlabel, ylabel, title, color='b'):
27 |     n, bins, patches = plt.hist(x, facecolor=color, alpha=0.75)
28 | 
29 |     plt.xlabel(xlabel)
30 |     plt.ylabel(ylabel)
31 |     plt.title(title)
32 |     plt.grid(True)
33 | 
34 |     buf = io.BytesIO()
35 |     plt.savefig(buf, format='png', dpi=300)
36 |     buf.seek(0)
37 |     plt.close()
38 | 
39 |     return buf
40 | 
41 | 
42 | def create_report(fname, report):
43 |     def add_text_to_doc(text, style="Normal", fontsize=12):
44 |         Story.append(Spacer(1, 12))
45 |         ptext = "<font size={}>{}</font>".format(fontsize, text)
46 |         Story.append(Paragraph(ptext, styles[style]))
47 |         Story.append(Spacer(1, 12))
48 | 
49 |     styles=getSampleStyleSheet()
50 |     doc = SimpleDocTemplate(fname,pagesize=letter,
51 |                             rightMargin=inch/2,leftMargin=inch/2,
52 |                             topMargin=72,bottomMargin=18)
53 |     # Title section
54 |     Story=[]
55 |     Story.append(Spacer(1, 200))
56 |     add_text_to_doc(REPORT_TITLE, style="Title", fontsize=24)
57 |     add_text_to_doc(REPORT_SUBTITLE, style="Title", fontsize=24)
58 |     add_text_to_doc("Report generated on " + REPORT_DATE, style="Title", fontsize=14)
59 | 
60 |     # Nothing to report
61 |     if not report.get("suspiciousCommunications"):
62 |         add_text_to_doc("No suspicious beaconing communications found :)")
63 | 
64 |     # Reporting for every suspicious communication
65 |     image_buffers = []
66 |     hist_size = (4.5*inch, 2.7*inch)
67 |     for comm in report.get("suspiciousCommunications"):
68 |         Story.append(PageBreak())
69 |         # subtitle describing the communication IP -> IP (port number)
70 |         comm_description = "%s -> %s (port %s)" %(comm["srcIp"], comm["dstIp"], comm["dstPort"])
71 |         add_text_to_doc(comm_description, style="Title", fontsize=14)
72 |         histograms = comm["histograms"]
73 |         # plotting delta time
74 |         hist = get_list_from_histogram(histograms["communicationDeltaTime"])
75 |         plot = plot_hist(hist, "Delta time (s)", "Frequency", 
76 |                          "Delta time between consecutive communications")
77 |         image_buffers.append(plot)
78 |         im = Image(image_buffers[-1], hist_size[0], hist_size[1])
79 |         Story.append(im)
80 |         # plotting packets
81 |         hist = get_list_from_histogram(histograms["packets"])
82 |         plot = plot_hist(hist, "Number of packets sent", "Frequency", 
83 |                          "Packets sent distribution", (1,.5,0))
84 |         image_buffers.append(plot)
85 |         im = Image(image_buffers[-1], hist_size[0], hist_size[1])
86 |         Story.append(im)
87 |         # plotting bytes
88 |         hist = get_list_from_histogram(histograms["bytes"])
89 |         plot = plot_hist(hist, "Number of bytes sent", "Frequency", 
90 |                          "Bytes sent distribution", 'm')
91 |         image_buffers.append(plot)
92 |         im = Image(image_buffers[-1], hist_size[0], hist_size[1])
93 |         Story.append(im)
94 | 
95 |     doc.build(Story)
96 |     for image_buffer in image_buffers:
97 |         image_buffer.close()
98 | 
99 | 


--------------------------------------------------------------------------------
/analytics/src/results_generator.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | 
 3 | class Histogram():
 4 |     def __init__(self):
 5 |         self.__points = []
 6 |     def add(self, value, freq, is_anomaly):
 7 |         self.__points.append((value, freq, is_anomaly))
 8 |     def set_points(self, values, frequencies, is_anomaly):
 9 |         for i in range(len(values)):
10 |             self.__points.append((values[i], frequencies[i], is_anomaly[i]))
11 |     def to_dict(self):
12 |         res = [{
13 |             "value": x[0],
14 |             "frequency": x[1],
15 |             "anomaly": x[2]
16 |         } for x in self.__points]
17 |         return res
18 | 
19 | class ResultsGenerator():
20 |     def __init__(self):
21 |         self.__version = "0.0.1"
22 |         self.__communications = []
23 |     def add_communication(self, version, account, interface, src_ip, dst_ip, dst_port,
24 |                           protocol, start_date, end_date, comm_hist, pack_hist, bytes_hist):
25 |         self.__communications.append({
26 |             "version":  version,
27 |             "accountId": account,
28 |             "interfaceId": interface,
29 |             "srcIp": src_ip,
30 |             "dstIp": dst_ip,
31 |             "dstPort": dst_port,
32 |             "protocol": protocol,
33 |             "startDate": start_date,
34 |             "endDate": end_date,
35 |             "histograms": {
36 |                 "communicationDeltaTime": comm_hist.to_dict(),
37 |                 "packets": pack_hist.to_dict(),
38 |                 "bytes": bytes_hist.to_dict()
39 |             }
40 |         })
41 |     def to_dict(self):
42 |         return {
43 |             "version": self.__version,
44 |             "suspiciousCommunications": self.__communications
45 |         }
46 |     def to_json(self):
47 |         return json.dumps(self.to_dict(), indent=4)
48 | 
49 | if __name__ == "__main__":
50 |     r = ResultsGenerator()
51 |     comm_hist = Histogram()
52 |     comm_hist.set_points([1,2,3],[100,10,3],[False, False, False])
53 |     pack_hist = Histogram()
54 |     bytes_hist = Histogram()
55 |     r.add_communication("2", "1234", "123", "1.2.3.4", "4.3.2.1",
56 |                         123, 6, "2018/12/20 13:40", "2018/12/21 10:37",
57 |                         comm_hist, pack_hist, bytes_hist)
58 |     print(r.to_json())


--------------------------------------------------------------------------------
/cloud-sniper/cloudwatch-event-target.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_cloudwatch_event_target" "aws_cloudwatch_event_target_cloud_sniper" {
 2 |   rule = "${aws_cloudwatch_event_rule.aws_cloudwatch_event_rule_cloud_sniper.name}"
 3 |   arn  = "${aws_sqs_queue.sqs_queue_cloud_sniper.arn}"
 4 | }
 5 | 
 6 | resource "aws_cloudwatch_event_target" "aws_cloudwatch_event_rule_schedule_cloud_sniper" {
 7 |   rule = "${aws_cloudwatch_event_rule.aws_cloudwatch_event_rule_schedule_cloud_sniper.name}"
 8 |   arn  = "${aws_lambda_function.lambda_function_cloud_sniper.arn}"
 9 | }
10 | 
11 | resource "aws_cloudwatch_event_target" "cloudwatch_event_target_cloud_sniper_tagging" {
12 |   rule = "${aws_cloudwatch_event_rule.cloudwatch_event_rule_cloud_sniper_tagging.name}"
13 |   arn  = "${aws_lambda_function.lambda_function_cloud_sniper_tagging_ir.arn}"
14 | }
15 | 


--------------------------------------------------------------------------------
/cloud-sniper/cloudwatch_event_rule.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_cloudwatch_event_rule" "aws_cloudwatch_event_rule_cloud_sniper" {
 2 |   name        = "aws_cloudwatch_event_rule_cloud_sniper"
 3 |   description = "aws_cloudwatch_event_rule_cloud_sniper"
 4 | 
 5 |   event_pattern = <<PATTERN
 6 | {
 7 |   "source": [
 8 |     "aws.guardduty"
 9 |   ],
10 |   "detail-type": [
11 |     "GuardDuty Finding"
12 |   ]
13 | }
14 | PATTERN
15 | }
16 | 
17 | resource "aws_cloudwatch_event_rule" "aws_cloudwatch_event_rule_schedule_cloud_sniper" {
18 |   name                = "aws_cloudwatch_event_rule_schedule_cloud_sniper"
19 |   description         = "aws_cloudwatch_event_rule_schedule_cloud_sniper"
20 |   schedule_expression = "rate(5 minutes)"
21 | }
22 | 
23 | resource "aws_cloudwatch_event_rule" "cloudwatch_event_rule_cloud_sniper_tagging" {
24 |   name        = "cloudwatch_event_rule_cloud_sniper_tagging"
25 |   description = "Trigger anytime an EC2 instance, EBS volume, EBS Snapshot or AMI is created"
26 | 
27 |   event_pattern = <<PATTERN
28 | {
29 |   "detail-type": [
30 |     "AWS API Call via CloudTrail"
31 |   ],
32 |   "detail": {
33 |     "eventSource": [
34 |       "ec2.amazonaws.com"
35 |     ],
36 |     "eventName": [
37 |       "CreateVolume",
38 |       "RunInstances",
39 |       "CreateImage",
40 |       "CreateSnapshot"
41 |     ]
42 |   }
43 | }
44 | PATTERN
45 | }
46 | 


--------------------------------------------------------------------------------
/cloud-sniper/data.tf:
--------------------------------------------------------------------------------
 1 | data "archive_file" "lambda_function_cloud_sniper" {
 2 |   type        = "zip"
 3 |   source_dir  = "./lambdas/functions/cloud-sniper/"
 4 |   output_path = "./lambdas/archives/lambda_function_cloud_sniper.zip"
 5 | }
 6 | 
 7 | data "aws_iam_policy_document" "iam_policy_document_kinesis_waf" {
 8 |   statement {
 9 |     resources = ["*"]
10 | 
11 |     actions = [
12 |       "ec2:Describe*",
13 |       "firehose:DeleteDeliveryStream",
14 |       "firehose:PutRecord",
15 |       "firehose:PutRecordBatch",
16 |       "firehose:UpdateDestination",
17 |       "s3:*",
18 |     ]
19 |   }
20 | }
21 | 
22 | data "aws_iam_policy_document" "iam_policy_lambda" {
23 |   statement {
24 |     principals {
25 |       identifiers = ["lambda.amazonaws.com"]
26 |       type        = "Service"
27 |     }
28 | 
29 |     actions = ["sts:AssumeRole"]
30 |   }
31 | }
32 | 
33 | data "aws_iam_policy_document" "iam_policy_firehose" {
34 |   statement {
35 |     principals {
36 |       identifiers = ["firehose.amazonaws.com"]
37 |       type        = "Service"
38 |     }
39 | 
40 |     actions = ["sts:AssumeRole"]
41 |   }
42 | }
43 | 
44 | data "archive_file" "lambda_function_cloud_sniper_tagging" {
45 |   type        = "zip"
46 |   source_dir  = "./lambdas/functions/cloud-sniper-tagging/"
47 |   output_path = "./lambdas/archives/lambda_function_cloud_sniper_tagging_ir.zip"
48 | }
49 | 


--------------------------------------------------------------------------------
/cloud-sniper/dynamo.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_dynamodb_table" "dynamo_table_cloud_sniper" {
 2 |   name = "dynamo_table_cloud_sniper"
 3 | 
 4 |   read_capacity  = 5
 5 |   write_capacity = 5
 6 |   hash_key       = "ip_attacker"
 7 |   range_key      = "timestamp"
 8 | 
 9 |   attribute {
10 |     name = "timestamp"
11 |     type = "S"
12 |   }
13 | 
14 |   attribute {
15 |     name = "ip_attacker"
16 |     type = "S"
17 |   }
18 | }
19 | 


--------------------------------------------------------------------------------
/cloud-sniper/iam-policy.tf:
--------------------------------------------------------------------------------
  1 | data "aws_iam_policy_document" "iam_policy_document_cloud_sniper" {
  2 |   statement {
  3 |     effect = "Allow"
  4 | 
  5 |     actions = [
  6 |       "waf-regional:GetIPSet",
  7 |       "waf-regional:UpdateIPSet",
  8 |       "waf-regional:GetChangeToken",
  9 |     ]
 10 | 
 11 |     resources = [
 12 |       "*",
 13 |     ]
 14 |   }
 15 | 
 16 |   statement {
 17 |     effect = "Allow"
 18 | 
 19 |     actions = [
 20 |       "kms:*",
 21 |     ]
 22 | 
 23 |     resources = [
 24 |       "*",
 25 |     ]
 26 |   }
 27 | 
 28 |   statement {
 29 |     effect = "Allow"
 30 | 
 31 |     actions = [
 32 |       "ec2:Describe*",
 33 |       "ec2:*NetworkAcl*",
 34 |     ]
 35 | 
 36 |     resources = [
 37 |       "*",
 38 |     ]
 39 |   }
 40 | 
 41 |   statement {
 42 |     effect = "Allow"
 43 | 
 44 |     actions = [
 45 |       "logs:CreateLogGroup",
 46 |       "logs:CreateLogStream",
 47 |       "logs:PutLogEvents",
 48 |     ]
 49 | 
 50 |     resources = [
 51 |       "arn:aws:logs:*:*:*",
 52 |     ]
 53 |   }
 54 | 
 55 |   statement {
 56 |     effect = "Allow"
 57 | 
 58 |     actions = [
 59 |       "dynamodb:GetItem",
 60 |       "dynamodb:PutItem",
 61 |       "dynamodb:Query",
 62 |       "dynamodb:Scan",
 63 |       "dynamodb:DeleteItem",
 64 |     ]
 65 | 
 66 |     resources = [
 67 |       "*",
 68 |     ]
 69 |   }
 70 | 
 71 |   statement {
 72 |     effect = "Allow"
 73 | 
 74 |     actions = [
 75 |       "sqs:*",
 76 |     ]
 77 | 
 78 |     resources = [
 79 |       "*",
 80 |     ]
 81 |   }
 82 | 
 83 |   statement {
 84 |     effect = "Allow"
 85 | 
 86 |     actions = [
 87 |       "s3:*",
 88 |     ]
 89 | 
 90 |     resources = [
 91 |       "*",
 92 |     ]
 93 |   }
 94 | }
 95 | 
 96 | resource "aws_iam_policy" "iam_policy_cloud_sniper" {
 97 |   name        = "iam_policy_cloud_sniper"
 98 |   path        = "/"
 99 |   description = "iam_policy_cloud_sniper"
100 |   policy      = "${data.aws_iam_policy_document.iam_policy_document_cloud_sniper.json}"
101 | }
102 | 
103 | data "aws_iam_policy_document" "iam_policy_document_cloud_sniper_tagging_sniffer" {
104 |   statement {
105 |     effect = "Allow"
106 | 
107 |     actions = [
108 |       "cloudtrail:LookupEvents",
109 |     ]
110 | 
111 |     resources = [
112 |       "*",
113 |     ]
114 |   }
115 | 
116 |   statement {
117 |     effect = "Allow"
118 | 
119 |     actions = [
120 |       "ec2:CreateTags",
121 |       "ec2:Describe*",
122 |       "logs:CreateLogGroup",
123 |       "logs:CreateLogStream",
124 |       "logs:PutLogEvents",
125 |     ]
126 | 
127 |     resources = [
128 |       "*",
129 |     ]
130 |   }
131 | }
132 | 
133 | resource "aws_iam_policy" "iam_policy_cloud_sniper_tagging_sniffer" {
134 |   name        = "iam_policy_cloud_sniper_tagging_sniffer"
135 |   path        = "/"
136 |   description = "iam_policy_cloud_sniper_tagging_sniffer"
137 |   policy      = "${data.aws_iam_policy_document.iam_policy_document_cloud_sniper_tagging_sniffer.json}"
138 | }
139 | 
140 | data "aws_iam_policy_document" "iam_policy_document_cloud_sniper_tagging_incident_and_response" {
141 |   statement {
142 |     effect = "Allow"
143 | 
144 |     actions = [
145 |       "ec2:Describe*",
146 |       "ec2:RunInstances",
147 |     ]
148 | 
149 |     resources = [
150 |       "*",
151 |     ]
152 |   }
153 | 
154 |   statement {
155 |     effect = "Allow"
156 | 
157 |     actions = [
158 |       "ec2:StopInstances",
159 |       "ec2:StartInstances",
160 |       "ec2:RebootInstances",
161 |       "ec2:TerminateInstances",
162 |     ]
163 | 
164 |     resources = [
165 |       "*",
166 |     ]
167 | 
168 |     condition {
169 |       test     = "StringEquals"
170 |       variable = "ec2:ResourceTag/PrincipalId"
171 | 
172 |       values = [
173 |         "&{aws:userid}",
174 |       ]
175 |     }
176 |   }
177 | }
178 | 
179 | resource "aws_iam_policy" "iam_policy_cloud_sniper_tagging_incident_and_response" {
180 |   name        = "iam_policy_cloud_sniper_tagging_incident_and_response"
181 |   path        = "/"
182 |   description = "iam_policy_cloud_sniper_tagging_incident_and_response"
183 |   policy      = "${data.aws_iam_policy_document.iam_policy_document_cloud_sniper_tagging_incident_and_response.json}"
184 | }
185 | 


--------------------------------------------------------------------------------
/cloud-sniper/iam-role-policy-attachment.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_role_policy_attachment" "iam_role_policy_attachment_lambda_cloud_sniper" {
 2 |   role       = "${aws_iam_role.role_cloud_sniper.name}"
 3 |   policy_arn = "${aws_iam_policy.iam_policy_cloud_sniper.arn}"
 4 | }
 5 | 
 6 | resource "aws_iam_role_policy_attachment" "iam_role_policy_attachment_cloud_sniper_tagging" {
 7 |   role       = "${aws_iam_role.role_cloud_sniper_tagging.name}"
 8 |   policy_arn = "${aws_iam_policy.iam_policy_cloud_sniper_tagging_sniffer.arn}"
 9 | }
10 | 


--------------------------------------------------------------------------------
/cloud-sniper/iam-role-policy.tf:
--------------------------------------------------------------------------------
1 | resource "aws_iam_role_policy" "iam_role_policy_kinesis_waf" {
2 |   name = "iam_role_policy_kinesis_waf"
3 |   role = "${aws_iam_role.iam_role_firehose_waf.id}"
4 | 
5 |   policy = "${data.aws_iam_policy_document.iam_policy_document_kinesis_waf.json}"
6 | }
7 | 


--------------------------------------------------------------------------------
/cloud-sniper/iam_group.tf:
--------------------------------------------------------------------------------
1 | resource "aws_iam_group" "iam_group_cloud_sniper_tagging_incident_and_response" {
2 |   name = "iam_group_cloudsniper_tagging"
3 |   path = "/"
4 | }
5 | 


--------------------------------------------------------------------------------
/cloud-sniper/iam_group_policy_attachment.tf:
--------------------------------------------------------------------------------
1 | resource "aws_iam_group_policy_attachment" "iam_group_policy_attachment_cloudsniper_tagging" {
2 |   group      = "${aws_iam_group.iam_group_cloud_sniper_tagging_incident_and_response.name}"
3 |   policy_arn = "${aws_iam_policy.iam_policy_cloud_sniper_tagging_incident_and_response.arn}"
4 | }
5 | 


--------------------------------------------------------------------------------
/cloud-sniper/kinesis_firehose_delivery_stream.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_kinesis_firehose_delivery_stream" "aws_waf_logs_cloudsniper" {
 2 |   name        = "aws-waf-logs-cloudsniper"
 3 |   destination = "s3"
 4 | 
 5 |   s3_configuration {
 6 |     role_arn   = "${aws_iam_role.iam_role_firehose_waf.arn}"
 7 |     bucket_arn = "${aws_s3_bucket.s3_bucket_cloud_sniper_data_store.arn}"
 8 |   }
 9 | }
10 | 


--------------------------------------------------------------------------------
/cloud-sniper/lambda-funtion.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_lambda_function" "lambda_function_cloud_sniper" {
 2 |   function_name    = "lambda_function_cloud_sniper"
 3 |   description      = "lambda_function_cloud_sniper"
 4 |   handler          = "cloud_sniper.cloud_sniper"
 5 |   memory_size      = 1024
 6 |   timeout          = 300
 7 |   role             = "${aws_iam_role.role_cloud_sniper.arn}"
 8 |   runtime          = "python3.7"
 9 |   filename         = "${data.archive_file.lambda_function_cloud_sniper.output_path}"
10 |   source_code_hash = "${data.archive_file.lambda_function_cloud_sniper.output_base64sha256}"
11 | 
12 |   environment {
13 |     variables {
14 |       DYNAMO_TABLE_CLOUD_SNIPER = "${aws_dynamodb_table.dynamo_table_cloud_sniper.name}"
15 |     }
16 | 
17 |     variables {
18 |       IPSET_CLOUD_SNIPER_AUTOMATIC_BLOCK_THESE_IPS = "${aws_wafregional_ipset.ipset-cloud-sniper-automatic-block-these-ips.id}"
19 |     }
20 | 
21 |     variables {
22 |       SQS_QUEUE_CLOUD_SNIPER = "${aws_sqs_queue.sqs_queue_cloud_sniper.id}"
23 |     }
24 | 
25 |     variables {
26 |       BUCKET_CLOUD_SNIPER = "${aws_s3_bucket.s3_bucket_cloud_sniper_data_store.id}"
27 |     }
28 |   }
29 | }
30 | 
31 | resource "aws_lambda_function" "lambda_function_cloud_sniper_tagging_ir" {
32 |   function_name    = "lambda_function_cloud_sniper_tagging_incident_and_response"
33 |   description      = "lambda_function_cloud_sniper_tagging_incident_and_response"
34 |   handler          = "cloud_sniper_tagging_ir.cloud_sniper_tagging_ir"
35 |   memory_size      = 1024
36 |   timeout          = 300
37 |   role             = "${aws_iam_role.role_cloud_sniper_tagging.arn}"
38 |   runtime          = "python3.7"
39 |   filename         = "${data.archive_file.lambda_function_cloud_sniper_tagging.output_path}"
40 |   source_code_hash = "${data.archive_file.lambda_function_cloud_sniper_tagging.output_base64sha256}"
41 | }
42 | 


--------------------------------------------------------------------------------
/cloud-sniper/lambda-permission.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_lambda_permission" "aws_lambda_permission_cloud_sniper" {
 2 |   action        = "lambda:InvokeFunction"
 3 |   function_name = "${aws_lambda_function.lambda_function_cloud_sniper.function_name}"
 4 |   principal     = "events.amazonaws.com"
 5 | }
 6 | 
 7 | resource "aws_lambda_permission" "lambda_function_cloud_sniper_tagging" {
 8 |   action        = "lambda:InvokeFunction"
 9 |   function_name = "${aws_lambda_function.lambda_function_cloud_sniper_tagging_ir.function_name}"
10 |   principal     = "events.amazonaws.com"
11 | }
12 | 


--------------------------------------------------------------------------------
/cloud-sniper/lambdas/functions/cloud-sniper-tagging/cloud_sniper_tagging_ir.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import boto3
 3 | import logging
 4 | import time
 5 | import datetime
 6 | 
 7 | log = logging.getLogger()
 8 | log.setLevel(logging.INFO)
 9 | 
10 | 
11 | def cloud_sniper_tagging_ir(event, context):
12 |     
13 |     log.info('AWS API Call via CloudTrail event: ' + str(event))
14 |                                     
15 |     resources = []
16 |                 
17 |     try:        
18 |         raw = event['raw']
19 |         event_type = raw['eventName']
20 |         principal = raw['userIdentity']['principalId']
21 |         user_type = raw['userIdentity']['type']
22 |     
23 |         if user_type == 'IAMUser':
24 |             user = raw['userIdentity']['userName']        
25 |         else:
26 |             user = principal.split(':')[1]
27 | 
28 |         ec2 = boto3.resource('ec2')
29 | 
30 |         if event_type == 'CreateVolume':
31 |             resources.append(raw['responseElements']['volumeId'])
32 |             log.info(resources)        
33 |         
34 |         elif event_type == 'RunInstances':
35 |             items = raw['responseElements']['instancesSet']['items']
36 |             for item in items:
37 |                 resources.append(item['instanceId'])
38 |             log.info(resources)
39 |             log.info('number of instances: ' + str(len(resources)))
40 |         
41 |             base = ec2.instances.filter(InstanceIds=resources)
42 | 
43 |         elif event_type == 'CreateImage':
44 |             resources.append(raw['responseElements']['imageId'])
45 |             log.info(resources)
46 |         
47 |         elif event_type == 'CreateSnapshot':
48 |             resources.append(raw['responseElements']['snapshotId'])
49 |             log.info(resources)
50 | 
51 |             for instance in base:
52 |                 for vol in instance.volumes.all():
53 |                     resources.append(vol.id)
54 |                 for eni in instance.network_interfaces:
55 |                     resources.append(eni.id)
56 |                                                                 
57 |         else:
58 |             log.warning('Event type not supported')
59 |         
60 |         if resources:
61 |             for resourceid in resources:
62 |                 print('Tagging resource ' + resourceid)
63 |             ec2.create_tags(Resources=resources, Tags=[{'Key': 'Owner', 'Value': user}, {'Key': 'PrincipalId', 'Value': principal}])
64 |         
65 |         log.info(' Remaining time (ms): ' + str(context.get_remaining_time_in_millis()) + '\\n')
66 |         return True
67 |     
68 |     except Exception as e:
69 |         log.error('Something went wrong: ' + str(e))
70 |         return False
71 | 


--------------------------------------------------------------------------------
/cloud-sniper/lambdas/functions/cloud-sniper/cloud_sniper.py:
--------------------------------------------------------------------------------
  1 | import boto3
  2 | import json
  3 | import datetime
  4 | import logging
  5 | import os
  6 | from boto3.dynamodb.conditions import Attr
  7 | 
  8 | log = logging.getLogger()
  9 | log.setLevel(logging.INFO)
 10 | 
 11 | IPSET_ID = os.environ['IPSET_CLOUD_SNIPER_AUTOMATIC_BLOCK_THIS_IPS']
 12 | DYNAMO_TABLE = os.environ['DYNAMO_TABLE_CLOUD_SNIPER']
 13 | SQS_QUEUE = os.environ['SQS_QUEUE_CLOUD_SNIPER']
 14 | 
 15 | s = boto3.session.Session(region_name=os.environ['AWS_REGION'])
 16 | 
 17 | json_a = []
 18 | json_b = []
 19 | 
 20 | message = []
 21 | 
 22 | sqs = s.client('sqs')
 23 | queue_url = SQS_QUEUE
 24 | waf = s.client('waf-regional')
 25 | ec2 = s.client('ec2')
 26 | dynamodb = s.resource('dynamodb')
 27 | r_ec2 = s.resource('ec2')
 28 | 
 29 | 
 30 | networkConnectionAction = [
 31 | 	"UnauthorizedAccess:EC2/SSHBruteForce",
 32 | 	"Recon:EC2/Portscan",
 33 | ]
 34 | 
 35 | portProbeAction = [
 36 | 	"Recon:EC2/PortProbeUnprotectedPort",
 37 | ]
 38 | 
 39 | awsApiCallAction = [
 40 | 	"Recon:IAMUser/MaliciousIPCaller.Custom",
 41 | 	"Recon:IAMUser/MaliciousIPCaller",
 42 | 	"Recon:IAMUser/TorIPCaller",
 43 | 	"PenTest:IAMUser/KaliLinux",
 44 | 	"PenTest:IAMUser/PentooLinux",
 45 | 	"PenTest:IAMUser/ParrotLinux",
 46 | ]
 47 | 
 48 | instanceDetails = [
 49 | 	"Trojan:EC2/BlackholeTraffic!DNS",
 50 | 	"Trojan:EC2/DGADomainRequest.B",
 51 | 	"Trojan:EC2/DGADomainRequest.C!DNS",
 52 | 	"Trojan:EC2/DNSDataExfiltration",
 53 | 	"Trojan:EC2/DriveBySourceTraffic!DNS",
 54 | 	"Trojan:EC2/DropPoint!DNS",
 55 | 	"Trojan:EC2/PhishingDomainRequest!DNS",
 56 | 	"Trojan:EC2/BlackholeTraffic",
 57 | 	"Trojan:EC2/DropPoint",
 58 | 	"CryptoCurrency:EC2/BitcoinTool.B!DNS",
 59 | 	"CryptoCurrency:EC2/BitcoinTool.B",
 60 | 	"Backdoor:EC2/C&CActivity.B!DNS",
 61 | 	"Backdoor:EC2/Spambot",
 62 | 	"Backdoor:EC2/XORDDOS",
 63 | 	"UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
 64 | 	"UnauthorizedAccess:EC2/RDPBruteForce",
 65 | 	"UnauthorizedAccess:EC2/TorClient",
 66 | 	"UnauthorizedAccess:EC2/TorIPCaller",
 67 | 	"UnauthorizedAccess:EC2/TorRelay",
 68 | ]
 69 | 
 70 | 
 71 | def read_sqs():
 72 | 
 73 | 	response = sqs.receive_message(
 74 | 		QueueUrl=queue_url,
 75 | 		MaxNumberOfMessages=10,
 76 | 		MessageAttributeNames=[
 77 | 			'All'
 78 | 		],		
 79 | 	)
 80 | 
 81 | 	if 'Messages' in response:
 82 | 		return response['Messages']
 83 | 	else:
 84 | 		return
 85 | 
 86 | 
 87 | def search_ioc():	
 88 | 	
 89 | 	log.info("searching for IOC ...")
 90 | 
 91 | 	global json_a
 92 | 	global json_b
 93 | 
 94 | 	for b in message:		
 95 | 		body = b['Body']
 96 | 		
 97 | 		data = json.loads(body)
 98 | 
 99 | 		try:	
100 | 			flag = 0
101 | 			for e in networkConnectionAction:
102 | 				if data["detail"]["type"] == e:
103 | 					flag = 1
104 | 					break
105 | 
106 | 			for e in portProbeAction:
107 | 					if data["detail"]["type"] == e:
108 | 						flag = 2
109 | 						break
110 | 
111 | 			for e in awsApiCallAction:
112 | 				if data["detail"]["type"] == e:
113 | 					flag = 3
114 | 					break
115 | 
116 | 			for e in instanceDetails:
117 | 				if data["detail"]["type"] == e:
118 | 					flag = 4
119 | 					break
120 | 			
121 | 			if flag == 1:
122 | 				ioc = []
123 | 				
124 | 				account_id = data["detail"]["accountId"]				
125 | 				region = data["region"]
126 | 				subnet_id = data["detail"]["resource"]["instanceDetails"]["networkInterfaces"][0]["subnetId"]
127 | 				nacl_id = get_netacl_id(subnet_id)
128 | 				src_ip = (json.dumps(data["detail"]["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"])).strip('"')		
129 | 				instance_id = data["detail"]["resource"]["instanceDetails"]["instanceId"]
130 | 				ttp = data["detail"]["type"]
131 | 
132 | 				asn = data["detail"]["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]["organization"]["asn"]
133 | 				asn_org = (data["detail"]["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]["organization"]["asnOrg"]).replace(","," ")
134 | 				isp = (data["detail"]["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]["organization"]["isp"]).replace(","," ")
135 | 				org = (data["detail"]["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]["organization"]["org"]).replace(","," ")
136 | 				country = data["detail"]["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]["country"]["countryName"]
137 | 				city = (data["detail"]["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]["city"]["cityName"]).replace(","," ")
138 | 							
139 | 				if nacl_id != '':									
140 | 					ioc = ttp + "," + account_id + "," + region + "," + subnet_id + "," + src_ip + "," + instance_id + "," + nacl_id + "," + country + "," + city + "," + asn_org + "," + org + "," + isp + "," + asn
141 | 				else:
142 | 					ioc = ttp + "," + account_id + "," + region + "," + subnet_id + "," + src_ip + "," + instance_id + "," + "external_nacl " + "," + country + "," + city + "," + asn_org + "," + org + "," + isp + "," + asn
143 | 
144 | 				if len(json_a) == 0:
145 | 					json_a.append(ioc)					
146 | 				else:
147 | 					for e in json_a:
148 | 						if e != ioc:											
149 | 							json_a.append(ioc)				
150 | 				
151 | 			elif flag == 2:
152 | 				ioc = []				
153 | 				
154 | 				account_id = data["detail"]["accountId"]				
155 | 				region = data["region"]
156 | 				subnet_id = data["detail"]["resource"]["instanceDetails"]["networkInterfaces"][0]["subnetId"]				
157 | 				nacl_id = get_netacl_id(subnet_id)
158 | 				src_ip = (json.dumps(data["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["ipAddressV4"])).strip('"')				
159 | 				instance_id = data["detail"]["resource"]["instanceDetails"]["instanceId"]
160 | 				ttp = data["detail"]["type"]
161 | 				
162 | 				country = data["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["country"]["countryName"]
163 | 				city = (data["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["city"]["cityName"]).replace(",", " ")
164 | 				asn_org = (data["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["organization"]["asnOrg"]).replace(",", " ")
165 | 				org = (data["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["organization"]["org"]).replace(",", " ")
166 | 				isp = (data["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["organization"]["isp"]).replace(",", " ")
167 | 				asn = data["detail"]["service"]["action"]["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["organization"]["asn"]
168 | 				
169 | 				if nacl_id != '':									
170 | 					ioc = ttp + "," + account_id + "," + region + "," + subnet_id + "," + src_ip + "," + instance_id + "," + nacl_id + "," + country + "," + city + "," + asn_org + "," + org + "," + isp + "," + asn
171 | 				else:
172 | 					ioc = ttp + "," + account_id + "," + region + "," + subnet_id + "," + src_ip + "," + instance_id + "," + "external_nacl" + "," + country + "," + city + "," + asn_org + "," + org + "," + isp + "," + asn
173 | 
174 | 				if len(json_a) == 0:
175 | 					json_a.append(ioc)					
176 | 				else:
177 | 					for e in json_a:
178 | 						if e != ioc:											
179 | 							json_a.append(ioc)				
180 | 				
181 | 			elif flag == 3:
182 | 				ioc = []				
183 | 			
184 | 				account_id = data["detail"]["accountId"]			
185 | 				region = data["region"]				
186 | 				src_ip = (json.dumps(data["detail"]["service"]["action"]["awsApiCallAction"]["remoteIpDetails"]["ipAddressV4"])).strip('"')
187 | 				ttp = data["detail"]["type"]
188 | 				
189 | 				asn = data["detail"]["service"]["action"]["awsApiCallAction"]["remoteIpDetails"]["organization"]["asn"]
190 | 				asn_org = (data["detail"]["service"]["action"]["awsApiCallAction"]["remoteIpDetails"]["organization"]["asnOrg"]).replace(",", " ")
191 | 				isp = (data["detail"]["service"]["action"]["awsApiCallAction"]["remoteIpDetails"]["organization"]["isp"]).replace(",", " ")
192 | 				org = (data["detail"]["service"]["action"]["awsApiCallAction"]["remoteIpDetails"]["organization"]["org"]).replace(",", " ")
193 | 				country = data["detail"]["service"]["action"]["awsApiCallAction"]["remoteIpDetails"]["country"]["countryName"]
194 | 				city = (data["detail"]["service"]["action"]["awsApiCallAction"]["remoteIpDetails"]["city"]["cityName"]).replace(",", " ")
195 | 				
196 | 				ioc = ttp + "," + account_id + "," + region + "," + src_ip + "," + country + "," + city + "," + asn_org + "," + org + "," + isp + "," + asn
197 | 
198 | 				if len(json_b) == 0:
199 | 					json_b.append(ioc)					
200 | 				else:
201 | 					for e in json_b:
202 | 						if e != ioc:											
203 | 							json_b.append(ioc)	
204 | 							
205 | 			elif flag == 4:				
206 | 				account_id = data["detail"]["accountId"]				
207 | 				region = data["region"]		
208 | 				subnet_id = data["detail"]["resource"]["instanceDetails"]["networkInterfaces"][0]["subnetId"]
209 | 				nacl_id = get_netacl_id(subnet_id)
210 | 				src_ip = (json.dumps(data["detail"]["resource"]["instanceDetails"]["networkInterfaces"][0]["publicIp"])).strip('"')
211 | 				instance_id = data["detail"]["resource"]["instanceDetails"]["instanceId"]
212 | 				ttp = data["detail"]["type"]				
213 | 
214 | 				if nacl_id != '':									
215 | 					ioc = ttp + "," + account_id + "," + region + "," + subnet_id + "," + src_ip + "," + instance_id + "," + nacl_id
216 | 				else:
217 | 					ioc = ttp + "," + account_id + "," + region + "," + subnet_id + "," + src_ip + "," + instance_id + "," + "external_nacl"
218 | 
219 | 				if len(json_a) == 0:
220 | 					json_a.append(ioc)					
221 | 				else:
222 | 					for e in json_a:
223 | 						if e != ioc:											
224 | 							json_a.append(ioc)
225 | 
226 | 				# dump_flows(subnet_id)
227 | 
228 | 		except Exception as e:
229 | 			log.info("json could not be parsed:", e)
230 | 
231 | 
232 | def get_netacl_id(subnet_id):	
233 | 	try:        
234 | 		response = ec2.describe_network_acls(
235 | 			Filters=[
236 | 				{
237 | 					'Name': 'association.subnet-id',
238 | 					'Values': [
239 | 						subnet_id,
240 | 					]
241 | 				}
242 | 			]
243 | 		)
244 | 		
245 | 		nacls = response['NetworkAcls'][0]['Associations']
246 | 		
247 | 		for n in nacls:            
248 | 			if n['SubnetId'] == subnet_id:
249 | 				nacl_id = n['NetworkAclId']
250 | 		
251 | 		return nacl_id
252 | 
253 | 	except:
254 | 		return ''
255 | 
256 | 
257 | def incident_and_response():	
258 | 
259 | 	log.info("Incident and Response...")
260 | 
261 | 	ts = str(datetime.datetime.now())
262 | 
263 | 	ujsa = set(json_a)
264 | 	ujsb = set(json_b)
265 | 
266 | 	for jsa in ujsa:
267 | 
268 | 		lst = jsa.split(",")
269 | 		ioc = len(lst)
270 | 		
271 | 		rule_no = "-1"		
272 | 		if ioc == 13:
273 | 			ttp, account_id, region, subnet_id, src_ip, instance_id, nacl_id, country, city, asn_org, org, isp, asn = jsa.split(",")
274 | 
275 | 			update_ip_set(src_ip)
276 | 
277 | 			if nacl_id != "external_nacl":
278 | 				rule_no = get_nacl_rule_no(nacl_id)				
279 | 				create_nacl_rule(nacl_id, src_ip, rule_no)
280 | 
281 | 			update_table_attackers(src_ip, ts, subnet_id, region, account_id, instance_id, nacl_id, ttp, country, city, asn_org, org, isp, asn, rule_no)
282 | 		else:
283 | 			country=city=asn_org=org=isp=asn="NIA"
284 | 			ttp, account_id, region, subnet_id, src_ip, instance_id, nacl_id = jsa.split(",")
285 | 			
286 | 
287 | 			update_ip_set(src_ip)
288 | 			
289 | 			if nacl_id != "external_nacl":
290 | 				rule_no = get_nacl_rule_no(nacl_id)
291 | 				create_nacl_rule(nacl_id, src_ip, rule_no)
292 | 
293 | 			update_table_attackers(src_ip, ts, subnet_id, region, account_id, instance_id, nacl_id, ttp, country, city, asn_org, org, isp, asn, rule_no)
294 | 
295 | 	for jsb in ujsb:
296 | 		
297 | 		ttp, account_id, region, src_ip, country, city, asn_org, org, isp, asn= jsb.split(",")
298 | 
299 | 		update_ip_set(src_ip)
300 | 		
301 | 		rule_no = "-1"
302 | 		if nacl_id != "external_nacl":
303 | 			rule_no = get_nacl_rule_no(nacl_id)
304 | 			create_nacl_rule(nacl_id, src_ip, rule_no)
305 | 
306 | 		update_table_attackers(src_ip, ts, subnet_id, region, account_id, instance_id, nacl_id, ttp, country, city, asn_org, org, isp, asn, rule_no)
307 | 
308 | 
309 | def update_ip_set(src_ip):
310 | 
311 | 	log.info("updating ip set...")
312 | 	try:
313 | 		response = waf.update_ip_set(
314 | 			IPSetId=IPSET_ID,
315 | 			ChangeToken=waf.get_change_token()['ChangeToken'],
316 | 			Updates=[{
317 | 				'Action': 'INSERT',
318 | 				'IPSetDescriptor': {
319 | 					'Type': 'IPV4',
320 | 					'Value': "%s/32"%src_ip
321 | 				}
322 | 			}]
323 | 		)       
324 | 	except Exception as e:
325 | 		log.info("WAF IPSet could not be updated",e)
326 | 
327 | 
328 | def update_table_attackers(attacker_ip, timestamp, subnet_id, region, account_id, instance_id, nacl_id, ttp, country, city, asn_org, org, isp, asn, rule_no):
329 | 
330 | 	if not city:
331 | 		city = "NIA"
332 | 
333 | 	log.info("updating table attackers ...")
334 | 
335 | 	table = dynamodb.Table(DYNAMO_TABLE)
336 | 
337 | 	try:
338 | 		response = table.put_item(
339 | 			Item={
340 | 				'ip_attacker': str(attacker_ip),
341 | 				'timestamp': str(timestamp),
342 | 				'subnet_id': str(subnet_id),
343 | 				'region': str(region),
344 | 				'account_id': str(account_id),
345 | 				'instance_id': str(instance_id),
346 | 				'nacl_id': str(nacl_id),
347 | 				'ttp': str(ttp),
348 | 				'country': str(country),		
349 | 				'city': str(city),
350 | 				'asn_org': str(asn_org),
351 | 				'org': str(org),
352 | 				'isp': str(isp),
353 | 				'asn': str(asn),
354 | 				'rule_no': str(rule_no)
355 | 				}
356 | 			)
357 | 
358 | 	except Exception as e:
359 | 		log.info("table could not be updated", e)
360 | 
361 | 
362 | def get_nacl_rule_no(nacl_id):
363 | 
364 | 	log.info("get NACL id")
365 | 	rule = get_rules(nacl_id)
366 | 	i = min(rule) + 1
367 | 
368 | 	if min(rule) == 100:
369 | 		rule_no = 1
370 | 	else:
371 | 		count = 1
372 | 		while count < 98:
373 | 			count += 1
374 | 			
375 | 			if i < 100 and i not in rule:
376 | 				rule_no = i
377 | 				break
378 | 			else:
379 | 				i += 1
380 | 	
381 | 	return rule_no
382 | 
383 | 
384 | def create_nacl_rule(nacl_id, attacker_ip, rule_no):
385 | 	
386 | 	nacl = r_ec2.NetworkAcl(nacl_id)
387 | 
388 | 	response = nacl.create_entry(
389 | 	CidrBlock = attacker_ip + '/32',
390 | 	Egress=False,
391 | 	PortRange={
392 | 		'From': 0,
393 | 		'To': 65535
394 | 	},
395 | 	Protocol='-1',
396 | 	RuleAction='deny',
397 | 	RuleNumber=rule_no
398 | 	)
399 | 
400 | 	if response['ResponseMetadata']['HTTPStatusCode'] == 200:
401 | 		return True
402 | 	else:
403 | 		return False
404 | 
405 | 
406 | def get_rules(nacl_id):
407 | 	
408 | 	log.info("get rules for", nacl_id)
409 | 
410 | 	rules = []
411 | 
412 | 	response = ec2.describe_network_acls(
413 | 		NetworkAclIds=[ 
414 | 			nacl_id,
415 | 		],
416 | 	)
417 | 
418 | 	data = response['NetworkAcls'][0]['Entries']
419 | 	
420 | 	for d in data:		
421 | 		rules.append(d['RuleNumber'])
422 | 	
423 | 	log.info("rules",rules)
424 | 	return set(rules)
425 | 	
426 | 		
427 | def delete_sqs():
428 | 
429 | 	log.info("deleting sqs queue ...")
430 | 	try:
431 | 		for rh in message:
432 | 			receipt_handle= rh['ReceiptHandle']
433 | 
434 | 			sqs.delete_message(
435 | 				QueueUrl=queue_url,
436 | 				ReceiptHandle=receipt_handle
437 | 				)
438 | 	except Exception as e:
439 | 		log.info("SQS queue could not be deleted", e)
440 | 
441 | 
442 | def dump_flows(subnet_id):
443 | 
444 | 	log.info("creating flows logs on the subnet:", subnet_id)
445 | 
446 | 	try:
447 | 		response = ec2.create_flow_logs(
448 | 			ResourceIds=[
449 | 				subnet_id,
450 | 			],
451 | 			ResourceType='Subnet',
452 | 			TrafficType='ALL',
453 | 			LogDestinationType='s3',
454 | 			LogDestination='arn:aws:s3:::s3-bucket-cloud-sniper/analytics/'
455 | 		)
456 | 	except Exception as e:
457 | 		log.info("Flow logs could not be created", e)
458 | 
459 | 
460 | def clean_nacls():
461 | 
462 | 	log.info("Cleaning NACls")
463 | 
464 | 	try:
465 | 		now = datetime.datetime.now()
466 | 
467 | 		table = dynamodb.Table(DYNAMO_TABLE)
468 | 		response = table.scan()
469 | 	
470 | 		for r in response['Items']:
471 | 
472 | 			t = r['timestamp']
473 | 			old = datetime.datetime.strptime(t, '%Y-%m-%d %H:%M:%S.%f')
474 | 			difh = (now - old).seconds//(60*60)					
475 | 			
476 | 			if difh >= 6:
477 | 				try:
478 | 					network_acl = r_ec2.NetworkAcl(r['nacl_id'])
479 | 					response2 = network_acl.delete_entry(
480 | 						Egress=False,
481 | 						RuleNumber=int(r['rule_no'])
482 | 					)
483 | 
484 | 					if response2['ResponseMetadata']['HTTPStatusCode'] == 200:
485 | 						log.info('NACL rule deleted')
486 | 
487 | 					else:
488 | 						log.info('Failed to delete the rule')
489 | 
490 | 				except Exception as e:
491 | 					log.info("Failed to instantiate resource NetworkAcl", e)
492 | 			
493 | 	except Exception as e:        
494 | 		log.info("NACls could not be deleted:", e)
495 | 
496 | 
497 | def cloud_sniper (event, context):
498 | 
499 | 	global message
500 | 
501 | 	log.info("GuardDuty findings: %s" % json.dumps(event))
502 | 
503 | 	try:
504 | 		message = read_sqs()
505 | 		if message:
506 | 			search_ioc()
507 | 			incident_and_response()
508 | 			clean_nacls()	
509 | 			delete_sqs()
510 | 
511 | 			log.info("Properly processed findings")
512 | 		else:
513 | 			log.info("There is no new message in the queue")
514 | 		
515 | 	except Exception as e:
516 | 		log.error('Failure to process GD finding')
517 | 


--------------------------------------------------------------------------------
/cloud-sniper/outputs.tf:
--------------------------------------------------------------------------------
1 | output "bucket_arn" {
2 |   value = "${aws_s3_bucket.s3_bucket_cloud_sniper_data_store.arn}"
3 | }
4 | 


--------------------------------------------------------------------------------
/cloud-sniper/role.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_role" "role_cloud_sniper" {
 2 |   name               = "role_cloud_sniper"
 3 |   path               = "/"
 4 |   assume_role_policy = "${data.aws_iam_policy_document.iam_policy_lambda.json}"
 5 | }
 6 | 
 7 | resource "aws_iam_role" "iam_role_firehose_waf" {
 8 |   name               = "iam_role_firehose_waf"
 9 |   assume_role_policy = "${data.aws_iam_policy_document.iam_policy_firehose.json}"
10 | }
11 | 
12 | resource "aws_iam_role" "role_cloud_sniper_tagging" {
13 |   name = "role_cloud_sniper_tagging"
14 |   path = "/"
15 | 
16 |   assume_role_policy = <<EOF
17 | {
18 |   "Version": "2012-10-17",
19 |   "Statement": [
20 |     {
21 |       "Action": "sts:AssumeRole",
22 |       "Principal": {
23 |         "Service": "lambda.amazonaws.com"
24 |       },
25 |       "Effect": "Allow",
26 |       "Sid": ""
27 |     }
28 |   ]
29 | 
30 | }
31 | EOF
32 | }
33 | 


--------------------------------------------------------------------------------
/cloud-sniper/s3_bucket.tf:
--------------------------------------------------------------------------------
1 | resource "aws_s3_bucket" "s3_bucket_cloud_sniper_data_store" {
2 |   bucket = "${var.cloud_sniper_data_store}"
3 |   acl    = "private"
4 | }
5 | 


--------------------------------------------------------------------------------
/cloud-sniper/sqs_queue.tf:
--------------------------------------------------------------------------------
1 | resource "aws_sqs_queue" "sqs_queue_cloud_sniper" {
2 |   name = "sqs_queue_cloud_sniper"
3 | }
4 | 


--------------------------------------------------------------------------------
/cloud-sniper/sqs_queue_policy.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_sqs_queue_policy" "sqs_queue_policy_cloud_sniper" {
 2 |   queue_url = "${aws_sqs_queue.sqs_queue_cloud_sniper.id}"
 3 | 
 4 |   policy = <<POLICY
 5 | {
 6 |   "Version": "2012-10-17",
 7 |   "Id": "sqspolicycloudsniper",
 8 |   "Statement": [
 9 |     {
10 |       "Sid": "sqspolicycloudsniper",
11 |       "Effect": "Allow",
12 |       "Principal": "*",
13 |       "Action": "sqs:SendMessage",
14 |       "Resource": "${aws_sqs_queue.sqs_queue_cloud_sniper.arn}",
15 |       "Condition": {
16 |         "ArnEquals": {
17 |           "aws:SourceArn": "${aws_cloudwatch_event_rule.aws_cloudwatch_event_rule_cloud_sniper.arn}"
18 |         }
19 |       }
20 |     }
21 |   ]
22 | }
23 | POLICY
24 | }
25 | 


--------------------------------------------------------------------------------
/cloud-sniper/variables.tf:
--------------------------------------------------------------------------------
1 | //-------------------------------------------------------------------
2 | // Cloud Sniper settings
3 | //-------------------------------------------------------------------
4 | 
5 | variable "cloud_sniper_data_store" {
6 |   default     = "bucket-cloud-sniper-data-store"
7 |   description = "Bucket Cloud Sniper-data-store"
8 | }
9 | 


--------------------------------------------------------------------------------
/cloud-sniper/waf.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_wafregional_web_acl" "acl-cloud-sniper" {
 2 |   name        = "acl-cloud-sniper"
 3 |   metric_name = "aclCloudSniper"
 4 | 
 5 |   default_action {
 6 |     type = "ALLOW"
 7 |   }
 8 | 
 9 |   rule {
10 |     action {
11 |       type = "BLOCK"
12 |     }
13 | 
14 |     priority = 1
15 |     rule_id  = "${aws_wafregional_rule.rule-cloud-sniper-country-blocked.id}"
16 |     type     = "REGULAR"
17 |   }
18 | 
19 |   rule {
20 |     action {
21 |       type = "BLOCK"
22 |     }
23 | 
24 |     priority = 2
25 |     rule_id  = "${aws_wafregional_rule.rule-cloud-sniper-automatic-ip-defense.id}"
26 |     type     = "REGULAR"
27 |   }
28 | 
29 |   logging_configuration {
30 |     log_destination = "${aws_kinesis_firehose_delivery_stream.aws_waf_logs_cloudsniper.arn}"
31 |   }
32 | }
33 | 
34 | resource "aws_wafregional_rule" "rule-cloud-sniper-automatic-ip-defense" {
35 |   depends_on  = ["aws_wafregional_ipset.ipset-cloud-sniper-automatic-block-these-ips"]
36 |   name        = "rule-cloud-sniper-automatic-ip-defense"
37 |   metric_name = "ruleCloudSniperAutomaticIpDefense"
38 | 
39 |   predicate {
40 |     data_id = "${aws_wafregional_ipset.ipset-cloud-sniper-automatic-block-these-ips.id}"
41 |     negated = false
42 |     type    = "IPMatch"
43 |   }
44 | }
45 | 
46 | resource "aws_wafregional_rule" "rule-cloud-sniper-country-blocked" {
47 |   depends_on  = ["aws_wafregional_geo_match_set.geo-match-set-cloud-sniper-country-blocked"]
48 |   name        = "rule-cloud-sniper-country-blocked"
49 |   metric_name = "ruleCloudSniperCountryBlocked"
50 | 
51 |   predicate {
52 |     data_id = "${aws_wafregional_geo_match_set.geo-match-set-cloud-sniper-country-blocked.id}"
53 |     negated = false
54 |     type    = "GeoMatch"
55 |   }
56 | }
57 | 
58 | resource "aws_wafregional_geo_match_set" "geo-match-set-cloud-sniper-country-blocked" {
59 |   name = "geo-match-set-cloud-sniper-country-blocked"
60 | 
61 |   geo_match_constraint {
62 |     type  = "Country"
63 |     value = "KP"
64 |   }
65 | 
66 |   geo_match_constraint {
67 |     type  = "Country"
68 |     value = "HK"
69 |   }
70 | 
71 |   geo_match_constraint {
72 |     type  = "Country"
73 |     value = "RU"
74 |   }
75 | 
76 |   geo_match_constraint {
77 |     type  = "Country"
78 |     value = "SC"
79 |   }
80 | 
81 |   geo_match_constraint {
82 |     type  = "Country"
83 |     value = "KZ"
84 |   }
85 | 
86 |   geo_match_constraint {
87 |     type  = "Country"
88 |     value = "CN"
89 |   }
90 | }
91 | 
92 | resource "aws_wafregional_ipset" "ipset-cloud-sniper-automatic-block-these-ips" {
93 |   name = "ipset-cloud-sniper-automatic-block-these-ips"
94 | }
95 | 


--------------------------------------------------------------------------------
/images/deployment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nicolasriverocorvalan/cloud-sniper/def926d45e13c1084cd20e007023e110faf8dabb/images/deployment.png


--------------------------------------------------------------------------------
/images/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nicolasriverocorvalan/cloud-sniper/def926d45e13c1084cd20e007023e110faf8dabb/images/logo.png


--------------------------------------------------------------------------------
/playbooks/cloudsniper_playbook_nist.md:
--------------------------------------------------------------------------------
 1 | # Cloud Sniper Playbook - NIST approach
 2 | 
 3 | 1.  Asset Management
 4 |     
 5 |     <details>
 6 |             <summary>ID.AM</summary>
 7 |     The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy
 8 |     </details>
 9 | 
10 |     1.  **IAM**
11 |         
12 |         1.  Checks whether IAM groups have at least one IAM user
13 |             **#IDENTIFY**            
14 | 
15 |         2.  Checks whether IAM users are members of at least one IAM group
16 |             **#IDENTIFY**
17 |         
18 |         3.  Checks that none of the IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles
19 |             **#IDENTIFY**
20 | 
21 |         4.  Checks whether your Identity and IAM users have passwords or active access keys that have not been used within the specified number of days you provided
22 |             **#IDENTIFY**
23 | 
24 |     2.  **Security groups**
25 |     
26 |         1.  Checks that the default security group of any VPC does not allow inbound or outbound traffic
27 |             **#IDENTIFY**
28 | 
29 |     2.  **ACM Certificates**
30 |     
31 |         1.  Checks whether ACM Certificates in your account are marked for expiration within the specified number of days
32 |             **#IDENTIFY**
33 | 
34 |     3.  **KMS**
35 | 
36 |         1.  Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge
37 |             **#IDENTIFY**
38 | 
39 |     4.  **CloudTrail**
40 | 
41 |         1.  Checks whether CloudTrail is enabled in your account
42 |             **#IDENTIFY**
43 | 
44 |         2. Checks whether CloudTrail trails are configured to send logs to CloudWatch logs
45 |             **#IDENTIFY**
46 | 
47 |         3. Checks whether CloudTrail is configured to use the server side encryption (SSE-KMS)
48 |             **#IDENTIFY**
49 | 
50 |         4. Checks whether CloudTrail creates a signed digest file with logs
51 |             **#IDENTIFY**
52 | 
53 |         5. Checks that there is at least one multi-region CloudTrail
54 |             **#IDENTIFY**
55 | 
56 |     5.  **GuardDuty**
57 | 
58 |         1.  Checks whether GuardDuty is enabled in your account and region
59 |             **#IDENTIFY**
60 | 
61 | 
62 | 
63 |  


--------------------------------------------------------------------------------
/playbooks/cloudsniper_playbook_nist.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_config_config_rule" "iam-group-has-users-check" {
  2 |   name        = "iam-group-has-users-check"
  3 |   description = "Checks whether IAM groups have at least one IAM user"
  4 | 
  5 |   source {
  6 |     owner             = "AWS"
  7 |     source_identifier = "IAM_GROUP_HAS_USERS_CHECK"
  8 |   }
  9 | }
 10 | 
 11 | resource "aws_config_config_rule" "iam-user-group-membership-check" {
 12 |   name        = "iam-user-group-membership-check"
 13 |   description = "Checks whether IAM users are members of at least one IAM group"
 14 | 
 15 |   source {
 16 |     owner             = "AWS"
 17 |     source_identifier = "IAM_USER_GROUP_MEMBERSHIP_CHECK"
 18 |   }
 19 | }
 20 | 
 21 | resource "aws_config_config_rule" "iam-user-no-policies-check" {
 22 |   name        = "iam-user-no-policies-check"
 23 |   description = "Checks that none of the IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles"
 24 | 
 25 |   source {
 26 |     owner             = "AWS"
 27 |     source_identifier = "IAM_USER_NO_POLICIES_CHECK"
 28 |   }
 29 | }
 30 | 
 31 | resource "aws_config_config_rule" "iam-user-unused-credentials-check" {
 32 |   name        = "iam-user-unused-credentials-check"
 33 |   description = "Checks whether your Identity and IAM users have passwords or active access keys that have not been used within the specified number of days you provided"
 34 | 
 35 |   source {
 36 |     owner             = "AWS"
 37 |     source_identifier = "IAM_USER_UNUSED_CREDENTIALS_CHECK"
 38 |   }
 39 | 
 40 |   input_parameters = <<EOF
 41 |   {
 42 |     "maxCredentialUsageAge": "90"
 43 |   }
 44 |   EOF
 45 | }
 46 | 
 47 | resource "aws_config_config_rule" "guardduty-enabled-centralized" {
 48 |   name        = "guardduty-enabled-centralized"
 49 |   description = "Checks whether GuardDuty is enabled in your account and region"
 50 | 
 51 |   source {
 52 |     owner             = "AWS"
 53 |     source_identifier = "GUARDDUTY_ENABLED_CENTRALIZED"
 54 |   }
 55 | }
 56 | 
 57 | resource "aws_config_config_rule" "vpc-default-security-group-closed" {
 58 |   name        = "vpc-default-security-group-closed"
 59 |   description = "Checks that the default security group of any VPC does not allow inbound or outbound traffic"
 60 | 
 61 |   source {
 62 |     owner             = "AWS"
 63 |     source_identifier = "VPC_DEFAULT_SECURITY_GROUP_CLOSED"
 64 |   }
 65 | }
 66 | 
 67 | resource "aws_config_config_rule" "acm-certificate-expiration-check" {
 68 |   name        = "acm-certificate-expiration-check"
 69 |   description = "Checks whether ACM Certificates in your account are marked for expiration within the specified number of days"
 70 | 
 71 |   source {
 72 |     owner             = "AWS"
 73 |     source_identifier = "ACM_CERTIFICATE_EXPIRATION_CHECK"
 74 |   }
 75 | 
 76 |   #21 days
 77 | }
 78 | 
 79 | resource "aws_config_config_rule" "access-keys-rotated" {
 80 |   name        = "access-keys-rotated"
 81 |   description = "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge"
 82 | 
 83 |   source {
 84 |     owner             = "AWS"
 85 |     source_identifier = "ACCESS_KEYS_ROTATED"
 86 |   }
 87 | 
 88 |   input_parameters = <<EOF
 89 |   {
 90 |     "maxAccessKeyAge": "90"
 91 |   }
 92 |   EOF
 93 | }
 94 | 
 95 | resource "aws_config_config_rule" "cloudtrail-enabled" {
 96 |   name        = "cloudtrail-enabled"
 97 |   description = "Checks whether CloudTrail is enabled in your account"
 98 | 
 99 |   source {
100 |     owner             = "AWS"
101 |     source_identifier = "CLOUD_TRAIL_ENABLED"
102 |   }
103 | }
104 | 
105 | resource "aws_config_config_rule" "cloud-trail-cloud-watch-logs-enabled" {
106 |   name        = "cloud-trail-cloud-watch-logs-enabled"
107 |   description = "Checks whether CloudTrail trails are configured to send logs to CloudWatch Logs"
108 | 
109 |   source {
110 |     owner             = "AWS"
111 |     source_identifier = "CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED"
112 |   }
113 | }
114 | 
115 | resource "aws_config_config_rule" "cloud-trail-encryption-enabled" {
116 |   name        = "cloud-trail-encryption-enabled"
117 |   description = "Checks whether CloudTrail is configured to use the server side encryption (SSE-KMS)"
118 | 
119 |   source {
120 |     owner             = "AWS"
121 |     source_identifier = "CLOUD_TRAIL_ENCRYPTION_ENABLED"
122 |   }
123 | }
124 | 
125 | resource "aws_config_config_rule" "cloud-trail-log-file-validation-enabled" {
126 |   name        = "cloud-trail-log-file-validation-enabled"
127 |   description = "Checks whether CloudTrail creates a signed digest file with logs"
128 | 
129 |   source {
130 |     owner             = "AWS"
131 |     source_identifier = "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED"
132 |   }
133 | }
134 | 
135 | resource "aws_config_config_rule" "multi-region-cloud-trail-enabled" {
136 |   name        = "multi-region-cloud-trail-enabled"
137 |   description = "Checks that there is at least one multi-region CloudTrail"
138 | 
139 |   source {
140 |     owner             = "AWS"
141 |     source_identifier = "MULTI_REGION_CLOUD_TRAIL_ENABLED"
142 |   }
143 | }
144 | 


--------------------------------------------------------------------------------
/wiki/WIKI.md:
--------------------------------------------------------------------------------
 1 | # *Cloud Sniper*
 2 | ## *How it works*
 3 | 
 4 | ### Cloud Sniper - AWS native version
 5 | 
 6 | ***Cloud Sniper*** receives cloud-based or third-party feeds to take remediation actions in the cloud. Currently, the AWS native version, gets feeds from GuardDuty, a continuous security monitoring service that detects threats based on *CloudTrial Logs/VPC Flow Logs/DNS Logs artifacts*.
 7 | 
 8 | The *GuardDuty* security analysis is based on the *Shared Responsibility Model* of cloud environments, in which the provider has access to hidden information for the security analyst (such as DNS logs). *GuardDuty* provides findings, categorized in a pseudo *MITRE's TTP's* tagging.
 9 | 
10 | When *GuardDuty* detects an incident, ***Cloud Sniper*** automatically analyzes what actions are available to mitigate and remediate that threat. If layer 7/4/3 attacks are taking place, it blocks the corresponding sources, both in the WAF and in the Network Access Control Lists of the affected instances.
11 | 
12 | A knowledge database will be created to store the *IOCs* that affect the cloud environments and will build its own *Threat Intelligence* feeds to use in the future.
13 | 
14 | The ***Cloud Sniper Analytics*** module allows to analyze the flow logs of the entire network where an affected instance is deployed and obtain analytics on traffic behavior, looking for *Command and Control (C2)* activity.
15 | 
16 | ### Installation (for AWS)
17 | 
18 |     Cloud Sniper uses Terraform to automatically deploy the entire infrastructure in the cloud. The core is programmed in python, so it can be extended according to the needs of each vSOC.
19 |     
20 |     You must have:
21 | 
22 |     1.  AWS cli  installed
23 |     2.  A programmatic access key
24 |     3.  AWS local profile configured
25 |     4.  Terraform client installed
26 | 
27 |     To deploy Cloud Sniper you must run:
28 | 
29 |     1.  ~$ git clone https://github.com/nicolasriverocorvalan/cloud-sniper.git
30 |     2.  ~$ cd Cloud-Sniper
31 |     3.  Set the environment variables corresponding to the account in the variables.tf file
32 |     4.  Edit the main.tf file
33 | 
34 |         provider "aws" {
35 |             region                    = "region"
36 |             shared_credentials_file   = "/your-home/.aws/credentials"
37 |             profile                   = "your-profile"
38 |         }
39 | 
40 |     5.  ~/Cloud-Sniper$ terraform init
41 |     6.  ~/Cloud-Sniper$ terraform plan
42 |     7.  ~/Cloud-Sniper$ terraform apply [yes]
43 | 
44 | 
45 | ### AWS artifacts integration:
46 | 
47 |     The platform is integrated with the following cloud technologies:
48 | 
49 |     1.  GuardDuty findings
50 |     2.  SQS
51 |     3.  CloudWatch
52 |     4.  WAF
53 |     5.  EC2 
54 |     6.  VPC Flow Logs
55 |     7.  DynamoDB
56 |     8.  IAM
57 |     9.  S3
58 |     10. Lambda
59 |     11. Kinesis Firehose
60 | 


--------------------------------------------------------------------------------