Managed Host Intrusion Detection (HIDS)
Overview
Aptible is a container orchestration platform that enables users to deploy containerized workloads onto dedicated isolated networks. Each isolated network and its associated cloud infrastructure is called a Stack.
Aptible stacks contain several AWS EC2 instances (virtual machines) on which Aptible users deploy their apps and databases in Docker containers. The Aptible security team is responsible for the integrity of these instances and provides a HIDS compliance report periodically as evidence of its activity.
HIDS Compliance Report
Aptible includes access to the HIDS compliance report at no charge for all shared stacks. The report is also available for Dedicated Stacks for an additional cost. Contact Aptible Support for more information.
Methodology
Aptible collects HIDS events using OSSEC, a leading open-source intrusion detection system. Aptible’s security reporting platform ingests and processes the events generated by OSSEC in one of the following ways:
- Automated review
- Bulk review
- Manual review
If an intrusion is suspected or detected, the Aptible security team activates its incident response process to assess, contain, and eradicate the threat and notifies affected users, if any.
Review Process
The Aptible Security team uses the following review processes for intrusion detection.
Automated Review
Aptible’s security reporting platform automatically reviews the subset of OSSEC events whose category and content show that they can be approved without human involvement.
Here are some examples of automated reviews:
- Purely informational events, such as events indicating that OSSEC performed a periodic integrity check. These are approved automatically and are retained only so that they appear in the HIDS compliance report.
- Acceptable security events. For example, an automated script running as root using sudo: using sudo is technically a relevant security event, but if the user already has root privileges, it cannot result in privilege escalation, so that event is automatically approved.
Bulk Review
Aptible’s security reporting platform integrates with several other systems with which members of the Aptible Operations and Security teams interact. Aptible’s security reporting platform collects information from these different systems to determine whether the events generated by OSSEC can be approved without further review.
Here are some notable examples of bulk-reviewed events:
- When a successful SSH login occurs on an Aptible instance, Aptible’s monitoring determines whether the login can be tied to an authorized Aptible Operations team member and, if so, prompts them via Slack to confirm that they did trigger this login. If no authorized team member is found, or the team member takes too long to respond, an alert is immediately escalated to the Aptible security team. Once a login is confirmed, the related IDS events are automatically approved and flagged as bulk review.
- When a member of the Aptible Operations team deploys updated software via AWS OpsWorks to Aptible hosts, corresponding file integrity alerts are automatically approved in Aptible’s security reporting platform and flagged as bulk reviews.
Manual Review
The Aptible Security team manually reviews any security event that is neither reviewed automatically nor in bulk.
Some examples of manually-reviewed events include:
- Malware detection events. Malware detection is often racy (checks compare snapshots of system state that legitimate activity can change mid-scan) and generates false positives, which need to be reviewed manually by Aptible.
- Configuration changes that were not otherwise bulk-reviewed, for example changes resulting from nightly automated security updates.
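The three review tiers above can be expressed as a small rule set. The following Python is an example added for this page, not Aptible’s own platform code. It categorizes constructed OSSEC-style alerts (field names modeled on OSSEC’s JSON alert output; the rule groups and descriptions, hostnames, users, addresses, confirmation records and deploy windows are all assumptions) and routes each one to automated, bulk or manual review using the rules this section describes: periodic scan events and sudo by a user who is already root are approved automatically; SSH logins confirmed by an operator within a timeout and file changes inside a recorded deploy window are bulk-approved; everything else, including logins nobody confirms in time (escalated), goes to a human.

```python
"""Route OSSEC alerts into the automated, bulk and manual review tiers.

Example code added for this page; it is not Aptible's security reporting
platform. The alert field names (rule.groups, rule.description, hostname,
srcuser, dstuser, srcip, timestamp) follow OSSEC's JSON alert output, but
they, the confirmation and deploy records, and every sample below are
constructed assumptions for illustration, not content from the page.
"""
from datetime import datetime, timedelta

CONFIRM_TIMEOUT = timedelta(minutes=15)  # assumed Slack confirmation deadline


def categorize(alert):
    """Map an alert onto the event categories listed under "List of Security Events"."""
    groups = set(alert["rule"]["groups"])
    desc = alert["rule"]["description"].lower()
    if "rootcheck" in groups:
        return "periodic rootkit check" if "ending rootcheck" in desc else "rootkit check event"
    if "syscheck" in groups:
        return "periodic system integrity check" if "ending syscheck" in desc else "file integrity change"
    if "sudo" in groups or "su" in groups:
        return "privilege escalation"
    if "sshd" in groups and "authentication_success" in groups:
        return "ssh login"
    if "adduser" in groups:
        return "user or group modification"
    return "uncategorized"


def triage(alert, confirmed_logins, deploy_windows):
    """Return (tier, reason) where tier is 'automated', 'bulk' or 'manual'."""
    category = categorize(alert)
    ts = datetime.fromisoformat(alert["timestamp"])
    # Automated review: purely informational, or relevant but unable to cause harm.
    if category in ("periodic rootkit check", "periodic system integrity check"):
        return "automated", f"{category}: informational, kept so it appears in the report"
    if category == "privilege escalation" and alert.get("srcuser") == "root":
        return "automated", "sudo/su by a user who is already root cannot escalate"
    # Bulk review: explained by a record from another system (Slack, deploy log).
    if category == "ssh login":
        key = (alert["hostname"], alert.get("dstuser"), alert.get("srcip"))
        for login in confirmed_logins:
            same_login = (login["hostname"], login["user"], login["srcip"]) == key
            lag = login["confirmed_at"] - ts
            if same_login and timedelta(0) <= lag <= CONFIRM_TIMEOUT:
                return "bulk", f"login confirmed by {login['user']} via Slack"
        return "manual", "escalate: no authorized operator confirmed this login in time"
    if category == "file integrity change":
        for w in deploy_windows:
            if w["hostname"] == alert["hostname"] and w["start"] <= ts <= w["end"]:
                return "bulk", "change falls inside an OpsWorks deploy window"
        return "manual", "file change not explained by a recorded deploy"
    # Everything else (rootkit hits, unexplained sudo, user changes, uncategorized) gets a human.
    return "manual", category


# Constructed sample data (not real alerts, hosts, users, paths or addresses).
def _alert(groups, desc, ts, **extra):
    return {"rule": {"groups": groups, "description": desc}, "hostname": "host-a",
            "timestamp": ts, **extra}


SAMPLE_ALERTS = [
    _alert(["ossec", "rootcheck"], "Ending rootcheck scan.", "2024-03-01T03:00:00"),
    _alert(["syslog", "sudo"], "Successful sudo to ROOT executed.", "2024-03-01T03:05:00",
           srcuser="root", dstuser="root"),  # maintenance script already running as root
    _alert(["syslog", "sshd", "authentication_success"], "sshd: authentication success.",
           "2024-03-01T09:00:00", srcip="203.0.113.10", dstuser="ops1"),
    _alert(["ossec", "syscheck"], "Integrity checksum changed.", "2024-03-01T12:30:00",
           path="/etc/example.conf"),  # during a deploy
    _alert(["ossec", "syscheck"], "Integrity checksum changed.", "2024-03-02T02:15:00",
           path="/usr/bin/example"),  # nightly unattended security update
    _alert(["ossec", "rootcheck"], "Host-based anomaly detection event (rootcheck).",
           "2024-03-02T03:00:00"),
    _alert(["syslog", "sshd", "authentication_success"], "sshd: authentication success.",
           "2024-03-02T04:00:00", srcip="198.51.100.7", dstuser="ops1"),  # never confirmed
    _alert(["syslog", "sudo"], "Successful sudo to ROOT executed.", "2024-03-02T04:01:00",
           srcuser="ops1", dstuser="root"),  # real escalation by an unprivileged user
]
CONFIRMED_LOGINS = [{"hostname": "host-a", "user": "ops1", "srcip": "203.0.113.10",
                     "confirmed_at": datetime(2024, 3, 1, 9, 4)}]
DEPLOY_WINDOWS = [{"hostname": "host-a", "start": datetime(2024, 3, 1, 12, 0),
                   "end": datetime(2024, 3, 1, 13, 0)}]


def triage_all(alerts=SAMPLE_ALERTS):
    """Triage every alert; returns a list of (category, tier, reason)."""
    return [(categorize(a), *triage(a, CONFIRMED_LOGINS, DEPLOY_WINDOWS)) for a in alerts]


if __name__ == "__main__":
    for category, tier, reason in triage_all():
        print(f"{tier:9} {category:32} {reason}")
```

The ordering of the checks matters: the automated rules fire only on evidence inside the alert itself (a scan-complete message, an invoking user that is already root), while the bulk rules require a matching record from an external system and a time bound, so a Slack confirmation that arrives after the deadline, or a file change outside any deploy window, falls through to manual review rather than being approved.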
List of Security Events
Security Events monitored by Aptible Host Intrusion Detection:
CIS benchmark non-conformance
HIDS generates this event when Aptible’s monitoring detects an instance that does not conform to the CIS controls Aptible is currently targeting. These events are often triggered on older instances that have not yet been reconfigured to follow Aptible’s latest security best practices.
Aptible’s Security team remediates the underlying non-conformance by replacing or reconfiguring the instance, and the team uses the severity of the non-conformance to determine priority.
File integrity change
HIDS generates this event when Aptible’s monitoring detects changes to a monitored file. These events are often the result of package updates, deployments, or the activity of Aptible operations team members and are reviewed accordingly.
Other informational event
HIDS generates this event when Aptible’s monitoring detects an otherwise un-categorized informational event. These events are often auto-reviewed due to their informational nature, and the Aptible security team uses them for high-level reporting.
Periodic rootkit check
Aptible performs a periodic scan for resident rootkits and other malware. HIDS generates this event every time the scan is performed. If the scan detects a potential infection, HIDS generates a separate Rootkit check event alert.
Periodic system integrity check
Aptible performs a periodic system integrity check to scan for new files in monitored system directories and deleted files. HIDS generates this event every time the scan is performed.
Among others, this scan covers /etc, /bin, /sbin, /boot, /usr/bin, and /usr/sbin.
Note that Aptible also monitors changes to files under these directories in real time. If a file changes, HIDS generates a File integrity change alert.
Privilege escalation (e.g., sudo, su)
HIDS generates this event when Aptible’s monitoring detects that a user escalated their privileges on a host using tools such as sudo or su. This activity is often the result of automated maintenance scripts or the actions of Aptible Operations team members and is reviewed accordingly.
Rootkit check event
HIDS generates this event when Aptible’s monitoring detects potential rootkit or malware infection. Due to the inherently racy nature of most rootkit scanning techniques, these events are often false positives, but they are all investigated by Aptible’s security team.
SSH login
HIDS generates this event when Aptible’s monitoring detects host-level access via SSH. Whenever they log in to a host, Aptible operations team members are prompted to confirm that the activity is legitimate, so these events are often reviewed in bulk.
Uncategorized event
HIDS generates this event for uncategorized events generated by Aptible’s monitoring. These events are often reviewed directly by the Aptible security team.
User or group modification
HIDS generates this event when Aptible’s monitoring detects that a user or group was changed on the system. This change is usually the result of the activity of Aptible Operations team members.