Security Tools

Defensive security tools used in cloud and network security work.

---

Ultra-Short Summary

Security tools fall into categories: reconnaissance, traffic analysis, vulnerability scanning, monitoring, and access control. Understanding how these tools work — even if you're on the defender side — makes you better at building secure systems. You need to know what attackers can see before you can defend against it.

---

AWS Security Services

GuardDuty

Threat detection using ML and threat intelligence:

Input sources:
  VPC Flow Logs, CloudTrail, DNS logs, EKS audit logs, S3 access logs

Detects:
  -> Unusual API calls (e.g. someone calling GetSecretValue at 3am from a new country)
  -> Port scanning from EC2 instances
  -> Communication with known malicious IPs/domains
  -> Credential exfiltration patterns
  -> Crypto mining (unusual compute patterns)

Output: Findings in GuardDuty console, Security Hub, or EventBridge

AWS Inspector

Automated vulnerability scanning:

EC2 instances: scans OS packages for CVEs, checks network reachability
Lambda functions: scans function code for vulnerable dependencies
Container images (ECR): scans before push or on demand

Output: Findings ranked by severity (Critical/High/Medium/Low)
Key metric: "Inspector score" -- accounts for exploitability, not just CVSS base score

AWS Security Hub

Centralised security findings aggregation:

Aggregates findings from: GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager
Supports: CIS AWS Foundations Benchmark, PCI DSS, SOC 2 checks
Use: single pane of glass for security posture across accounts

Macie

Discovers and protects sensitive data in S3:

Uses ML to classify S3 objects:
  -> PII (names, addresses, credit card numbers, NI numbers)
  -> Credentials (private keys, passwords)
  -> Financial data

Sends findings to Security Hub or EventBridge

AWS WAF

Web Application Firewall — Layer 7 protection:

Attach to: ALB, CloudFront, API Gateway, AppSync

Rules can block:
  -> Known bad IP addresses / geographic locations
  -> SQL injection patterns
  -> Cross-site scripting (XSS) patterns
  -> Rate limits (e.g. max 1000 requests/IP/minute)
  -> AWS Managed Rules (regularly updated rulesets)

Use WAF when: public-facing APIs or web apps need Layer 7 protection

---

Network Analysis Tools

Wireshark

GUI packet capture and analysis — captures raw network traffic:

Use cases:
  -> Analyse which protocols a device is using
  -> Debug TLS handshake failures
  -> See what data is being sent in plaintext (useful for testing your own apps)
  -> Verify that HTTPS is actually encrypting your data

Filter examples:
  http                    -- show only HTTP traffic
  ip.addr == 192.168.1.1  -- traffic to/from this IP
  tcp.port == 443         -- HTTPS traffic only
  dns                     -- DNS queries and responses

tcpdump

Command-line packet capture — the Wireshark equivalent for headless servers:

# Capture all traffic on eth0
tcpdump -i eth0

# Capture only HTTP traffic
tcpdump -i eth0 port 80

# Write to file for later analysis in Wireshark
tcpdump -i eth0 -w capture.pcap

# Show DNS queries
tcpdump -i eth0 port 53

# Show traffic to a specific host
tcpdump -i eth0 host 192.168.1.100

nmap

Network scanning — discovers hosts, open ports, and services:

# Scan a single host for open ports
nmap 192.168.1.1

# Scan a subnet
nmap 192.168.1.0/24

# Detect OS and service versions
nmap -O -sV 192.168.1.1

# Scan specific ports
nmap -p 22,80,443,8080 192.168.1.1

# Aggressive scan (OS, version, scripts, traceroute)
nmap -A 192.168.1.1

On your own systems only — unauthorised scanning is illegal.

Use case in cloud security: verify what ports are actually exposed after setting security groups.

---

Anonymity and Privacy Tools

Tor (The Onion Router)

Routes traffic through multiple encrypted relays:

Your traffic -> Entry node -> Middle node -> Exit node -> Destination
              (encrypted)   (encrypted)   (decrypted here)

Each node only knows:
  -> Entry node: your IP + middle node IP
  -> Middle node: entry node + exit node
  -> Exit node: middle node + destination

No single node knows both who you are AND what you're accessing.

Legitimate uses: journalists, whistleblowers, privacy-conscious users, OSINT research
Limitations: slow, exit node can see unencrypted traffic (use HTTPS end-to-end)

Pi-hole

DNS-level ad and tracker blocking:

Normal DNS:  Device -> Router -> ISP DNS -> Ad network (request goes through)

With Pi-hole:
  Device -> Pi-hole (Raspberry Pi or container)
          -> Blocks DNS lookups for known ad/tracker domains
          -> Forwards legitimate lookups to upstream DNS

What it blocks: ads, trackers, malware domains, telemetry
What it doesn't block: first-party tracking, HTTPS content inspection

Setup: Run as Docker container or on Raspberry Pi, set as DNS server in router

---

Vulnerability Concepts

CVE — Common Vulnerabilities and Exposures

CVE-2021-44228 = Log4Shell

Format: CVE-YEAR-NUMBER
Database: nvd.nist.gov (National Vulnerability Database)

CVSS Score: 0-10 severity rating
  Critical: 9.0-10.0
  High:     7.0-8.9
  Medium:   4.0-6.9
  Low:      0.1-3.9

AWS Inspector reports CVEs found in your EC2/Lambda/ECR workloads

Common Attack Patterns to Know

SQL Injection:
  Input: ' OR '1'='1   -> alters SQL query logic
  Defence: parameterised queries, never concatenate user input into SQL

XSS (Cross-Site Scripting):
  Attacker injects <script> into page, runs in victim's browser
  Defence: sanitise output, Content Security Policy headers

SSRF (Server-Side Request Forgery):
  App fetches a URL on behalf of user
  Attacker: "Fetch http://169.254.169.254/latest/meta-data/" (EC2 metadata)
  Defence: IMDSv2 (requires token header), block SSRF in WAF

Path Traversal:
  Input: ../../../../etc/passwd
  Defence: validate and sanitise file paths, use absolute paths

Privilege Escalation:
  Gaining higher permissions than intended
  AWS context: IAM role with iam:PassRole can escalate to any role they can pass

---

Mental Model

Security tools are like a doctor's diagnostic equipment:
  Wireshark/tcpdump = stethoscope (listen to what's happening)
  nmap              = X-ray (see what's exposed)
  GuardDuty         = continuous health monitor (alert on anomalies)
  WAF               = immune system (block known pathogens)
  Inspector         = regular health check (find vulnerabilities before attackers do)

The attacker's job: find one way in
The defender's job: close all the ways in

Understanding attack tools makes you a better defender.
You can't build good security controls without knowing what you're defending against.

---

Self-Quiz

1. What does GuardDuty analyse and what kind of threats does it detect?
2. What's the difference between GuardDuty and Inspector?
3. What does AWS WAF protect against that a Security Group cannot?
4. What is an SSRF attack and how does IMDSv2 mitigate it?
5. What does Pi-hole block and at what layer?
6. How does Tor anonymise traffic — what's the "onion" metaphor?
7. What is a CVE and where would you find a list of CVEs affecting your EC2 instances?
8. What's the difference between WAF and Shield?