Managed Host Intrusion Detection (HIDS)

Aptible Deploy is a container orchestration platform that enables users to deploy containerized workloads onto dedicated isolated networks. Each isolated network and its associated cloud infrastructure is called a Stack.

Aptible Deploy stacks contain a number of AWS EC2 instances (virtual machines), on which Aptible Deploy customers deploy their apps and databases in Docker containers. The Aptible Deploy security team is responsible for the integrity of these instances, and provides a HIDS compliance report on a periodic basis as evidence of its activity.

HIDS Compliance Report

Access to the HIDS Compliance Report is included at no charge for all shared stacks. For dedicated stacks, the HIDS Compliance Report is available for an additional charge. See the Aptible Deploy Pricing Page for detailed pricing information.

Methodology

Aptible Deploy collects HIDS events using OSSEC, a leading open-source intrusion detection system.

The events generated by OSSEC are ingested into Aptible’s security reporting platform, where each one is processed in one of the following ways:

  • Automated Review
  • Bulk Review
  • Manual Review

If an intrusion is suspected or detected, the Deploy security team activates its incident response process to assess, contain, and eradicate the threat, and notifies affected customers, if any.

Aptible’s incident response program has been developed in alignment with ISO 27001 standards. A copy of Aptible’s ISO 27001 certification is available on the Aptible website.

Review Process

This section explains the review processes used by the Aptible Deploy security team for intrusion detection.

Automated Review

Aptible Deploy’s security reporting platform automatically reviews a subset of the events generated by OSSEC.

Here are some examples of automated review:

  • Purely informational events, such as events indicating that OSSEC performed a periodic integrity check. These are automatically reviewed because their sole purpose is to appear in the HIDS compliance report.
  • Acceptable security events. For example, an automated script running as root using sudo: using sudo is technically a relevant security event, but if the user already has root privileges, it cannot result in privilege escalation, so that event is automatically approved.

Bulk Review

Aptible Deploy’s security reporting platform integrates with a number of other systems that members of the Aptible operations and security teams interact with. Information from these other systems is collected by Aptible’s security reporting platform to determine whether the events generated by OSSEC can be approved without further review.

Here are some notable examples of bulk-reviewed events:

  • When a successful SSH login occurs on a Deploy instance, Deploy’s monitoring determines whether the login can be tied to an authorized Aptible operations team member and, if so, prompts them via Slack to confirm that they triggered it. If no authorized team member can be found, or the team member takes too long to respond, an alert is immediately escalated to the Aptible security team. When a login is confirmed this way, the corresponding IDS events are automatically approved and flagged as bulk review.
  • When a member of the Aptible operations team deploys updated software via AWS OpsWorks to Aptible Deploy hosts, corresponding file integrity alerts are automatically approved in Aptible’s security reporting platform, and flagged as bulk reviews.

Manual Review

When a security event is neither reviewed automatically nor in bulk, it is escalated to the Aptible security team for manual review, which is performed on a regular basis in conformance with Aptible’s ISO 27001-certified policies and procedures.

Some examples of manually reviewed events include:

  • Malware detection events. Malware detection is often racy and generates a number of false positives, which need to be manually reviewed by Aptible.
  • Configuration changes that were not otherwise bulk-reviewed. For example, changes that result from nightly automated security updates.
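The three review paths above (automated, bulk, manual) amount to a triage decision per event that combines the event itself with records from other systems. The following Python script is an added illustration of that decision logic; it is not Aptible's code. The event fields, the Slack-confirmation records, the deployment windows and the 15-minute confirmation window are all constructed assumptions, not OSSEC's alert format or Aptible's actual thresholds.

```python
"""Constructed model of the three review paths described above.

Events, operator confirmations and deployment windows are all constructed
sample data; the field layout is an assumption, not OSSEC's alert format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    category: str               # event name as listed on this page
    host: str
    time: datetime
    user: Optional[str] = None
    uid: Optional[int] = None   # uid of the process that invoked sudo/su
    path: Optional[str] = None  # monitored file, for file integrity changes


@dataclass
class Context:
    """Data pulled from integrated systems, used for bulk review."""
    # SSH logins an operator confirmed via Slack: (host, user) -> login time
    confirmed_logins: dict = field(default_factory=dict)
    # Software deployments to hosts: (host, start, end)
    deployments: list = field(default_factory=list)


# Events whose only purpose is to show up in the compliance report.
INFORMATIONAL = {
    "Periodic rootkit check",
    "Periodic system integrity check",
    "Other informational event",
}


def triage(ev: Event, ctx: Context, window: timedelta = timedelta(minutes=15)) -> str:
    """Return 'automated', 'bulk' or 'manual' for one event."""
    # Automated review: informational events and acceptable security events.
    if ev.category in INFORMATIONAL:
        return "automated"
    if ev.category == "Privilege escalation" and ev.uid == 0:
        # sudo/su run by a process that is already root cannot escalate.
        return "automated"
    # Bulk review: the event is explained by records from other systems.
    if ev.category == "SSH login":
        confirmed_at = ctx.confirmed_logins.get((ev.host, ev.user))
        if confirmed_at is not None and abs(ev.time - confirmed_at) <= window:
            return "bulk"
        # No confirmation (or a late one): escalate rather than auto-approve.
    if ev.category == "File integrity change":
        if any(h == ev.host and start <= ev.time <= end
               for h, start, end in ctx.deployments):
            return "bulk"
    # Everything else (malware hits, unexplained changes, unknown logins).
    return "manual"


def sample_run() -> list:
    """Triage a constructed batch of events; returns (category, decision) pairs."""
    t = datetime(2024, 1, 1, 10, 0)
    ctx = Context(
        confirmed_logins={("host-1", "ops-alice"): t},
        deployments=[("host-1", t + timedelta(hours=2), t + timedelta(hours=2, minutes=30))],
    )
    batch = [
        Event("Periodic rootkit check", "host-1", t),
        Event("Privilege escalation", "host-1", t, user="root", uid=0),
        Event("Privilege escalation", "host-1", t, user="ops-alice", uid=1000),
        Event("SSH login", "host-1", t + timedelta(minutes=5), user="ops-alice"),
        Event("SSH login", "host-1", t + timedelta(hours=1), user="ops-alice"),
        Event("SSH login", "host-2", t + timedelta(minutes=5), user="ops-alice"),
        Event("File integrity change", "host-1", t + timedelta(hours=2, minutes=10), path="/usr/bin/app"),
        Event("File integrity change", "host-1", t + timedelta(hours=3), path="/etc/passwd"),
        Event("Rootkit check event", "host-1", t),
    ]
    return [(ev.category, triage(ev, ctx)) for ev in batch]


if __name__ == "__main__":
    for category, decision in sample_run():
        print(f"{decision:9s} {category}")
```

The ordering of the checks matters: an event is only ever downgraded to automated or bulk review when a positive reason exists (informational category, already-root invoker, a confirmed login on the same host and user, a deployment window on the same host), and anything that lacks such a reason falls through to manual review rather than being approved by default.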

List of Security Events

This section lists the Security Events monitored by Aptible Deploy Host Intrusion Detection.

CIS benchmark non-conformance

This event is generated when Aptible Deploy’s monitoring detects an instance that does not conform to the CIS Controls Aptible Deploy is currently targeting.

These events are often triggered on older instances that are not yet configured to follow Aptible Deploy’s latest security best practices.

The underlying non-conformance is remediated by replacing or reconfiguring the instance; the Aptible security team prioritizes that work according to the severity of the non-conformance.

File integrity change

This event is generated when Aptible Deploy’s monitoring detects a change to a monitored file.

These events are often the result of package updates, deployments, or the activity of Aptible Deploy operations team members, and are reviewed accordingly.

Other informational event

This event is generated when Aptible Deploy’s monitoring detects an otherwise un-categorized informational event.

These events are often auto-reviewed due to their informational nature, and they’re used by the Aptible Deploy security team for high-level reporting.

Periodic rootkit check

Aptible Deploy performs a periodic scan for resident rootkits and other malware. This event is generated each time the scan is performed.

If a potential infection is detected, a rootkit check event alert is generated as well.

Periodic system integrity check

Aptible Deploy performs a periodic system integrity check that scans monitored system directories for new files as well as deleted files. This event is generated each time the scan is performed.

Among others, this scan covers /etc, /bin, /sbin, /boot, /usr/bin, /usr/sbin.

Note that Aptible Deploy also monitors changes to files under these directories in real time. If they change, a file integrity alert will be generated.
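The periodic integrity check described above is a baseline comparison: record a digest of every file under the monitored directories, then report paths that have appeared, disappeared or changed since the previous run. The following Python script is an added example of that technique and is not Aptible's or OSSEC's code; the directory list is taken from this page, while the temporary sample tree used by `demo()` is constructed. Scanning the real directories requires read access to them, and files the scanner cannot read are recorded as such rather than aborting the run.

```python
"""Added example: baseline-and-diff integrity scan over monitored directories."""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories named on this page; a real run needs read access to them.
MONITORED_DIRS = ["/etc", "/bin", "/sbin", "/boot", "/usr/bin", "/usr/sbin"]


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots) -> dict:
    """Map every file under roots to a digest.

    Symlinks are recorded by their target rather than followed (so a
    retargeted link shows up as a change), and unreadable or vanished
    files are recorded as such instead of stopping the scan.
    """
    state = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                try:
                    if p.is_symlink():
                        state[str(p)] = "symlink:" + os.readlink(p)
                    elif p.is_file():
                        state[str(p)] = _sha256(p)
                except (PermissionError, FileNotFoundError):
                    state[str(p)] = "unreadable"
    return state


def diff(baseline: dict, current: dict) -> dict:
    """Paths that are new, deleted or changed between two snapshots."""
    both = set(baseline) & set(current)
    return {
        "new": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Scan a constructed temporary tree, alter it, and return the diff
    with paths made relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "hostname").write_text("host-1\n")
        (root / "sub").mkdir()
        (root / "sub" / "keep").write_text("unchanged\n")
        baseline = snapshot([root])

        # Constructed changes: an edited file, a deleted file, a new file.
        (root / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nnew:x:1000:1000::/home/new:/bin/sh\n")
        (root / "hostname").unlink()
        (root / "sub" / "unexpected.so").write_bytes(b"\x7fELF")

        report = diff(baseline, snapshot([root]))
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
    # To scan the real directories: diff(saved_baseline, snapshot(MONITORED_DIRS))
```

The baseline itself must be stored somewhere the monitored host cannot rewrite it (on the manager side, as OSSEC does with its agent databases), otherwise an attacker who can alter `/etc` can equally alter the record it is compared against. Content digests catch modifications; the real-time monitoring the page mentions is what narrows down when a change happened between two periodic runs.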

Privilege escalation (e.g. sudo, su)

This event is generated when Aptible Deploy’s monitoring detects that a user escalated their privileges on a host, using tools such as sudo or su.

This activity is often the result of automated maintenance scripts or the activity of Aptible Deploy operations team members, and is reviewed accordingly.

Rootkit check event

This event is generated when Aptible Deploy’s monitoring detects potential rootkit or malware infection.

Due to the inherently racy nature of most rootkit scanning techniques, these events are often false positives, but they are all investigated by Aptible Deploy’s security team.

SSH login

This event is generated when Aptible Deploy’s monitoring detects host-level access via SSH.

Whenever they log in to a host, Aptible Deploy operations team members are prompted to confirm that the activity is legitimate, so these events are often reviewed in bulk.

Uncategorized event

This event is generated for events from Aptible Deploy’s monitoring that do not fall into any other category. These events are often reviewed directly by the Aptible Deploy security team.

User or group modification

This event is generated when Aptible Deploy’s monitoring detects that a user or group was changed on the system. This is usually the result of the activity of Aptible Deploy operations team members.