2022-07-25, Room 2/3
AWS offers many threat-detection and containment services, some of which we have come to rely on for a sense of security. In this presentation, we will look at GuardDuty's network-related findings, Route 53 Resolver DNS Firewall and Network Firewall, and demonstrate evading them using commonly available tools.
The evasion techniques are an application of privacy-enhancing technologies meant for individuals behind Great Firewalls, which, in a role swap, have recently been seen in use by malware (such as Denonia, discovered by Cado Security) to circumvent the sensors built into AWS.
All hope is not lost: we look at the Achilles heel, encrypted DNS masquerading as HTTPS traffic, and identify the infrastructure that enables it. Could GuardDuty be supplemented with this knowledge and alert on some of this?
In the case of Network Firewall, we look at the interplay between DNS and TLS to baffle it, and discuss how AWS' advice on mitigating that is neither robust nor practical.
Finally, with the upcoming TLS extension that encrypts a little more of the handshake (ESNI/ECH), we look at VPC Flow Logs and Network Firewall again to discover their packet-parsing limits, and let those limits guide us in hiding our tracks from them.
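The defensive idea raised above, that GuardDuty could be supplemented with knowledge of the infrastructure behind encrypted DNS, illustrated as an added example (not code from the talk or from AWS). Because VPC Flow Logs record only the 5-tuple and never see the SNI or the HTTP payload, the destination address is the only handle, so the check reduces to matching accepted TCP/443 flows against a resolver list; the resolver addresses, account id, ENI id and log lines are all constructed sample values.

```python
# Flag VPC Flow Log records that look like DNS-over-HTTPS to a known public
# resolver. Flow logs expose only the 5-tuple, so the destination address
# is the only handle available; the resolver list is the added knowledge.

# Constructed sample list (assumption: refreshed from published resolver lists).
KNOWN_DOH_RESOLVERS = {
    "1.1.1.1": "cloudflare-dns.com",
    "8.8.8.8": "dns.google",
    "9.9.9.9": "dns.quad9.net",
}

# Default VPC Flow Log field order (version 2 records).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_record(line):
    """Parse one default-format line; None for malformed or NODATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return None if "-" in (rec["srcaddr"], rec["dstaddr"]) else rec

def is_doh_candidate(rec):
    """Accepted TCP flow to 443 on a known DoH resolver address.
    Plain UDP/53 to the same address is left to Route 53 Resolver DNS Firewall."""
    return (rec["action"] == "ACCEPT" and rec["protocol"] == "6"
            and rec["dstport"] == "443" and rec["dstaddr"] in KNOWN_DOH_RESOLVERS)

def find_doh_flows(lines):
    """Return (srcaddr, dstaddr, resolver_name) for each candidate flow."""
    hits = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec and is_doh_candidate(rec):
            hits.append((rec["srcaddr"], rec["dstaddr"], KNOWN_DOH_RESOLVERS[rec["dstaddr"]]))
    return hits

# Constructed sample records: one DoH flow, one ordinary HTTPS flow,
# one classic UDP/53 query and one NODATA record.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 1.1.1.1 49152 443 6 12 2048 1658700000 1658700060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.10 49153 443 6 20 9000 1658700000 1658700060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 8.8.8.8 53001 53 17 1 64 1658700000 1658700060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1658700000 1658700060 - NODATA",
]

if __name__ == "__main__":
    for src, dst, name in find_doh_flows(SAMPLE_LOG):
        print(f"possible DoH: {src} -> {dst} ({name})")
```

A resolver that fronts DoH on an address shared with ordinary web traffic will produce false positives, which is exactly the limit of flow-log visibility the talk goes on to examine.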
Dhruv is a former SRE and presently the Chief Engineer at Chaser Systems. He's mostly Wiresharking, tinkering with PKI or tuning stacks as he once had to in the low-latency world of financial data, only this time for firewalls.
He is also a Rust programmer, cares deeply about developer experience, dabbles in cryptography and holds a Master's degree in Advanced Software Engineering from King's College London. The most novel ideas occur to him when faced with a formidable opponent on the piste 🤺, led to defeat by electrical signals that he suspects are not tamper-resistant.