Leveraging Amazon EC2 F1 Instances for Development and Red Teaming in DARPA’s First-Ever Bug Bounty Program

This past year, Effectual’s Modernization Engineers partnered with specialized R&D firm Galois to support the launch of DARPA’s first public bug bounty program – Finding Exploits to Thwart Tampering (FETT). The project represents a highly unique use case showcasing Effectual’s application expertise, and was approved this week to be featured on the AWS Partner Network (APN) Blog.

Authored by Effectual Cloud Architect Kurt Hopfer, the blog will reach both AWS customers and technologists interested in learning how to solve complex technical challenges and accelerate innovation using AWS services.

In 2017, the Defense Advanced Research Projects Agency (DARPA) engaged research and development firm Galois to lead the BESSPIN project (Balancing Evaluation of System Security Properties with Industrial Needs) as part of its System Security Integrated through Hardware and Firmware (SSITH) program.

The objective was to develop tools and techniques to measure the effectiveness of SSITH hardware security architectures, as well as to establish a set of “baseline” Government Furnished Equipment (GFE) systems-on-chip (SoCs) without hardware security enhancements.

While Galois’s initial work on BESSPIN was carried out entirely using on-premises FPGA resources, the pain points of scaling out to a secure, widely-available bug bounty program soon emerged.

It was clear that researchers needed to be able to stress test SSITH hardware platforms without having to acquire their own dedicated hardware and infrastructure. Galois leveraged Amazon EC2 F1 instances to scale infrastructure, increase efficiencies, and accelerate FPGA development.


FISMA Moderate Requirements met with AWS Infrastructure

Effectual led a Federal Government client in their journey from on-premises infrastructure to a secure cloud environment in AWS.

The Challenge

This Federal Government customer required a move from its on-premises infrastructure to a centralized cloud environment. This move was predicated on the requirement for increased security, flexibility in provisioning infrastructure, and a refresh of technology. The new AWS infrastructure must also be assessed at a FISMA Moderate level for production.

The Solution

Our team led the discovery, architecture, and implementation of an agency’s new infrastructure. We designed a multi-region, international architecture that allowed end users to quickly access virtual desktops at regions closest to those users. The centralized management and region-based architecture allowed devices to move outside the boundary, the virtual desktops infrastructure scaled as users joined around the world, and the agency was able to provision lower cost technology, such as thin clients, to achieve a refresh.

The Benefits

Increased Security

Our team supported the agency in its ATO efforts by provisioning compliant infrastructure and services in alignment with FISMA Moderate controls, then produced documentation supporting the architecture, allowing the agency to get a full ATO.

Provisioning Infrastructure

Our AWS-based architecture and deployment supported configuration of infrastructure to meet minimum workloads, which then scaled as users came online. Additionally, multiple user desktops could be provisioned on a single server, cutting down on associated costs.

Network Efficiency

The agency’s network needed to be overhauled as a result of security concerns. With the AWS backbone and multi-region architecture, users experienced a decrease in latency and the zero-trust model improved network security.

Satellite Imagery Analysis Simplified with Serverless Infrastructure

Effectual worked with a Federal Government customer to provide a mission-critical solution that simplified the sensor processing software for its Land Satellite imagery of the Earth’s land surface.

The images provide uninterrupted data to help land managers and policymakers make informed decisions about our natural resources and the environment.

The Challenge

A Federal Government customer looked to us to migrate its on-premises infrastructure to a Serverless infrastructure in AWS to ensure cost optimization, availability, and application performance while logging satellite images.

The Solution

Our team implemented AWS Lambda, AWS Batch, Kubernetes, and Amazon EKS. This ensured the client’s ability to collect satellite images that would be used to help scientists track land change due to climate, urbanization, drought, wildfire, and biomass changes.

The Benefits

Cost Optimization

We implemented AWS Lambda to run code without servers. By implementing Serverless infrastructure the client was able to reduce cost by 80%.

Availability

Our team implemented Kubernetes to provide automated container orchestration and higher availability across multiple regions. This allowed users – both domestic and abroad – to access satellite photos more efficiently via the web for personal and private use.

Application Performance

We set up serverless storage to compact the client’s satellite imagery retrieval process from 2 weeks to 2 hours.

Service Employees International Union (SEIU) Application Migration

When flooding took out the New York data center of SEIU, a national nonprofit, the organization needed to act on a move to the AWS cloud.

Through third-party and cloud-native tools, we provided the infrastructure, resources, and products necessary to efficiently migrate workloads.

Challenge

The national nonprofit serves branches of the organization with centralized IT based out of its New York offices. When NYC was hit by Hurricane Sandy in 2012, it led to flooding of the organization’s data center, housed in the basement of the building. The resulting outage took a week to recover from. The nonprofit needed a cloud-based backup solution to ensure that it could be prepared against future disasters.

Solution

We began with an assessment of the organization’s data center posture, then created a migration plan and proposed architecture to support the nonprofit moving forward in AWS. We configured VPCs, subnets, networking, and access policies. We also connected a third-party disaster recovery service to ensure consistent syncing of information between on-premises and cloud servers.

The Benefits

Peace of Mind

After going without its critical IT infrastructure for a week, the nonprofit had confidence its cloud infrastructure would be highly available.

Data Replication

The AWS infrastructure included VPN connectivity to the on-premises network in order to replicate Active Directory and SQL databases to ensure ongoing operations.

VPN Tunneling

In addition to an initial VPN connection, our team configured remote VPN connectivity from field offices in seven east coast cities to ensure all users could access the environment in the event of a failure.

GenomeNext DevOps Process

GenomeNext is a genomic informatics company dedicated to accelerating the promise and capability of predictive medicine and scientific discovery. It commercializes genomic analysis tools and integrated systems for the evaluation of genetic variation and function.

The advanced informatics and data management solutions are designed to simplify, expedite and enhance genetic analysis workflows. GenomeNext solutions provide the market with genomic data and analysis at an unprecedented combination of performance, quality, cost and scale without requiring the investment in high-performance computing resources and specialized personnel. The proprietary platforms address a broad range of highly interconnected markets, including sequencing, genotyping, gene expression, and molecular diagnostics. GenomeNext customers include leading genomic research centers, academic institutions, government laboratories, and clinical research organizations, as well as pharmaceutical, biotechnology, agrigenomics, and consumer genomics companies.

The Challenge

GenomeNext needed a more efficient way to develop and deploy application changes to its Amazon Web Services Genomics Cloud Platform while maintaining a high level of security and compliance.

The Solution

We worked with GenomeNext to design an efficient development and agile management process, set up internal DevOps software and AWS infrastructure components, map processes to appropriate security and compliance controls, integrate third-party DevOps tools with the GenomeNext Cloud platform, implement development life cycle environments (Dev, QA, and Prod) on AWS, monitor and reduce AWS costs, and architect high availability and disaster recovery. Our solution enhanced GenomeNext’s ability to quickly and securely roll out application development and infrastructure changes with minimal to zero downtime through the use of tools such as AWS Elastic Load Balancing, AWS CloudWatch, AWS CloudFormation, and AWS CodeDeploy.

The Benefits

Automation

GenomeNext recognized the advantages of DevOps automation by a significant increase in deployment frequencies, a dramatic decrease in deployment failures, immediate recovery of failed deployments, and reduction in the time required for changes.

Disaster Recovery

By combining AWS and DevOps, GenomeNext can automate the deployment of an exact copy of its Production solution within minutes into any AWS region, allowing it to meet its recovery time objectives.

Cost Savings

GenomeNext realized cost savings by utilizing DevOps and AWS. The savings came in the form of a smaller required staff, increased product quality, reduced deployment complexity, and faster time to market.

Supporting the Delivery of Early Warning Signs for Earthquakes

Effectual delivered a mission-critical solution to a Federal Government Client that ensured the delivery of early warning alert notifications for earthquakes and other natural disasters over multiple geographical locations to save lives.

This could not have been done without a Cloud-based solution to ensure a resilient system.

The Challenge

This Federal Government customer required a move from its on-premises infrastructure to a centralized Cloud environment. The client looked to our team to handle high availability architecture and fault tolerance to meet workloads over multiple geographical locations quickly after a natural disaster. The solution required improved resilience and redundancy capabilities, application performance, and control monitoring.

The Solution

Our team built out a highly available and scalable infrastructure to meet demand in the wake of a disaster. We utilized the customer’s containerized solution and created a pipeline leveraging a GitLab Runner in Amazon Web Services (AWS) to manipulate and manage the AWS Elastic Kubernetes Service (EKS) deployments. This ensured the client’s ability to deliver early warnings for natural disasters through their application.

The Benefits

Resilience

Our team configured Amazon CloudWatch metrics to identify a surge in traffic in the event of a disaster. This fully integrated AWS service is built for resilience. Kubernetes was implemented to provide automated container orchestration and higher availability across multiple regions.

Application Performance

We created a proprietary AWS-hosted Git solution to handle all linking, testing, and delivery of code. Our solution increased the rate at which the client released updates by 90%.

Control Monitoring

We deployed a GitLab Runner in conjunction with GitLab Continuous Integration to ensure all applications were provisioned through a pipeline. These changes led to rigorous version control and expedited developer updates.

Predictive Analytics: Volcanic Activity Analyzed Through Moving Magma

Effectual delivered a mission-critical solution to a federal government client that ensured their sensor processing software was able to predict volcanic activity through moving magma.

This information is used to help scientists forecast seismic activity over multiple geographical locations. This could not have been done without a Cloud-based solution to ensure a resilient system.

The Challenge

Our customer required a move from its on-premises infrastructure to a centralized Cloud environment in AWS. They looked to our team to handle high availability architecture and fault tolerance to meet workloads over many geographical locations quickly after a natural disaster.

The Solution

We provided a highly available and scalable infrastructure that ensured efficiency in the wake of volcanic eruptions and other natural disasters. This sensor processing solution delivered predictive analytics, resilience, and scalability.

The Benefits

Predictive Analytics

We worked with the customer to create a solution that ensured the user could collect volcano data to analyze and utilize for machine learning to better predict when volcanoes erupt.

Resilience

Our team configured Amazon CloudWatch metrics to identify a surge in traffic in the event of a disaster. Kubernetes was implemented to provide automated container orchestration and higher availability to reach across multiple regions.

Scalability

We configured EC2 instances that ensure adequate capacity to meet traffic demands and compute capacity. Our team automated launch configurations to allow the client to quickly launch and/or scale application servers in target environments in the future.

Bird Conservation Science Enabled by Automated Monitoring and Analysis of Migration Patterns

Effectual led a Federal Government client in need of automation, reliability, and efficiency for their bird identification website.

The customer supports the collection, archiving, management and dissemination of information from banded and marked birds in North America. This information is used to monitor the status and trends of resident and migratory bird populations.

The Challenge

This Federal Government customer required a move from its on-premises infrastructure to a centralized cloud environment. The client looked to our team to redesign their website, creating a system that would produce automated checks to save time and manual effort when registering banded and checked birds into the database.

The Solution

Our team assisted the customer in creating a system that would require minimal effort to keep up and running for years. This system saved time and manual effort through the implementation of Amazon Elastic Compute Cloud (Amazon EC2) to automate cron jobs for repetitive tasks to push all submitted web surveys from bird hunters and enthusiasts to the on-premises database. When banded birds were checked in, the system would be able to ensure the identification was correct, eliminating the need to manually check that information.

The Benefits

Automation

We utilized Amazon EC2 to automate database syncing. This allowed the bird banding lab to be more efficient when a bird was reported on their website. The client no longer needed to manually log and input the bird species. AWS CloudFormation was implemented to reduce manual work while developing an environment, ensuring productivity when debugging issues.

Efficiency

We used GitLab Continuous Integration in conjunction with GitLab Continuous Deployment to check code for errors, expediting developer changes.

Reliability

Our team implemented Amazon CloudWatch Events in a serverless workflow to trigger Lambda functions. Without having to provision or manage servers, the client was able to keep the same function warm with a scheduled CloudWatch Event. This reduced response times from 3 seconds to a couple hundred milliseconds.

Ensuring Least Privilege Access: Implementing an Active Directory Federation Service

Effectual led the implementation of an enterprise grade Active Directory Federation Service (ADFS) for a large Federal Government client.

Effectual enabled reliable and secure cyberspace capability by providing a highly innovative network architecture, engineering, integration, and simulation services with unrivaled expertise and commitment.

The Challenge

The client looked to our team to move its highly disparate environment into a highly collaborative one. Implementing federated access to the Amazon Web Services environment ensured least privilege access for client users.

The Solution

We worked with the client to set up AWS Identity and Access Management (IAM), federated sign-in through Active Directory (AD), and Active Directory Federation Services (ADFS). This ensured least privilege access for client users.

The Benefits

Reliability

Our team enabled reliable collaborative connectivity to a cadre of remote workers that needed access to the system while utilizing the ADFS PIV card solution.

Increased Security

We were able to meet all security requirements by using a federated solution, allowing the client to set permissions and access levels across different systems. The Federated solution also improved auditing management of credentials.

Efficiency

We implemented AWS CloudFormation to create a template to use when multiple accounts register in the system. This led to an increase in efficiency and ensures consistent configurations over time.

Real-time logging of Tsunami Data Aids in Disaster Response

Effectual worked with a federal government customer to provide information for local land-use and emergency response planning to avoid development in hazardous zones and to plan evacuation routes to communities along low-lying coastlines vulnerable to tsunamis.

The Challenge

The customer looked to our team to quickly and effectively move their public-facing web applications and internal applications to the AWS cloud to ensure resiliency, availability, and real time logging of tsunamis.

The Solution

We implemented a solution comprised of Amazon CloudWatch, AWS CloudTrail, Alarms, and Serverless Storage. This ensured the client’s ability to collect data through their application so that scientists can better understand tsunamis and determine how to most effectively improve preparedness and response.

The Benefits

Resiliency

We implemented Amazon CloudWatch to schedule data collection that self-triggers when a tsunami is detected.

Availability

By implementing AWS CloudTrail the client was able to easily access tsunami data to help scientists understand the sources of local tsunamis so that the impacts of future events may be mitigated.

Real Time Logging

Our team set up serverless storage to collect data from these seismic networks to process key components in the impact of tsunamis.

Serverless Infrastructure Enables Data Access Related to Environmental Issues

The Challenge

This Federal Government customer looked to our team to migrate its on-premises infrastructure to a serverless infrastructure on AWS. The client was in need of a centralized data catalog, management solution for users, and data access for environmental issues.

The Solution

We supported the client with a serverless solution that consisted of Amazon API Gateway, Amazon Cognito User Pools, AWS Lambda, and AWS Step Functions. This ensured the customer’s ability to make high-volume, complex data accessible to stakeholders, policymakers, and managers to facilitate data-driven conversations about environmental issues in a secure setting.

The Benefits

Application Performance

Our team implemented API Gateway to handle the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls to process any surge of traffic on its website.

User Identification

We implemented Amazon Cognito User Pools for control over user authentication and user access for the website. This allowed for secure token handling and management of authenticated users from all identity providers.

Cost Optimization

We implemented Lambda functions to run code in a serverless environment and process its large data sets related to environmental issues. The client was able to reduce cost by 80%.

TNTP Application Migration

TNTP’s mission is to end the injustice of educational inequality by providing excellent teachers to the students who need them most and by advancing policies and practices that ensure effective teaching in every classroom.

Challenge

In the wake of flooding, TNTP looked to Effectual to quickly and effectively move their public-facing web applications and internal applications to the AWS cloud for lower cost, scalability, disaster recovery capabilities, and better application performance.

Solution

Effectual worked with TNTP to define a migration strategy, set up the infrastructure in accordance with best practices and to take advantage of the full feature set of cloud, and provided scripts to automate future updates and deployments. Effectual introduced TNTP to the Infrastructure as Code model so that they could version control the state of their infrastructure through the use of AWS CloudFormation templates and take advantage of AWS’ built-in resource dependency definitions to perform rolling updates with minimal downtime or system impact.

The Benefits

Cost Efficiency

TNTP experienced lower costs for running their workloads in the cloud compared to on-premises IT hardware and maintenance costs. Effectual assisted TNTP in utilizing cloud purchasing options and offerings to meet TNTP’s technical requirements while remaining cost-efficient.

Scalability

The use of the AWS cloud provided capabilities for flexible infrastructure to allow accommodation of various sizes of workloads. The infrastructure used AWS Auto Scaling capabilities along with custom settings in AWS CloudWatch to automatically scale to accommodate larger workloads while retaining transparency of the scaling activities to the end user.

Disaster Recovery

Failover capabilities and strategies such as the use of AWS Elastic Load Balancing within AWS were implemented to protect the system, maximize uptime, and minimize data loss in the event of a disaster. Notifications, alarms, and safeguards were put in place to ensure immediate notification of any abnormal behavior.

Applications Rearchitected in AWS to Automate Security Triggers

Effectual led a Federal Government client in their journey from on-premises to AWS by extending their data center into the cloud and rearchitecting their applications.

Effectual provided guidance in the following areas:

  • Implementing Automation for the client.
  • Creating a new AWS infrastructure and environment.
  • Updating and retooling current applications.
  • Building the solution as a receiver and retooling specific applications to function in the new environment.
  • Interpreting and explaining new and in-development AWS features as they pertained to the client’s issues.

Our team leveraged the following technologies:

  • AWS CloudFormation templates were created for DevOps
  • Organizations and AWS Config for management of the system
  • AWS CloudTrail and Amazon CloudWatch were utilized for automating security recommendations
  • Amazon CloudWatch was programmed to alert the client if changes were made in their system. The response would trigger the system to return to original configurations and alert security to these changes.
  • AWS infrastructure resources, EC2 instances and RDS database infrastructures

The Benefits

Migration to the Cloud

We rebuilt client applications in the AWS Cloud to connect to their on-premises data. This made their applications more accessible by all and created a working hybrid environment for their data.

Security Improvements

We deployed AWS infrastructure services, including Amazon CloudWatch to monitor resources and trigger responses to changes in the environment.

Management of Resources

The services in AWS monitor both on-premises and AWS cloud environments. The time to build components in the environment was significantly reduced and instances were saved as a template for repeatability.

FISMA Compliance Requirements Met for Self-Service Cloud Solution

Effectual enabled a Federal Government customer to set up a self-service cloud solution which is secure, compliant, and automated to scale up and down as necessary.

Customer Needs

The customer wanted to scale out compliant accounts to meet security concerns such as accessing only approved services, protecting centrally managed resources, and ensuring logging and change activity was being captured. The overall issue was the ability to consistently provision AWS accounts in a scalable fashion and manage them over time, keeping them up-to-date with newly approved AWS services. The goal was to provide secure and compliant cloud hosting options while setting up a customer self-service solution.

Our Approach

We assisted the client in creating their entire environment from Infrastructure as Code while implementing a strict change control process via GitLab. Custom pipelines were created based on the CI/CD framework for structured code. Overall, the entire process was automated, eliminating the scalability issue of provisioning accounts. Our resources worked directly alongside the agency resources to document and achieve a FISMA Moderate ATO.

The Benefits

Scalability

The customer was able to quickly provision accounts in a consistent method across multiple geographical locations and regions. The entire environment can be deployed in one hour.

Self-Service

We enabled the customer to securely provision their own infrastructure, standardized methodology, and least-privileged architecture. This methodology ensures security in the cloud for the client.

Management of Resources

The services in AWS monitor both on-premises and AWS cloud environments. The time to provision new accounts was reduced from a month to one minute. The deployments are now consistent and can be saved for later use.

Disaster Response: UAV Imagery Alerts

Effectual delivered a mission-critical solution to a client that ensured the delivery of UAV imagery taken from infrastructure towers that were used to alert high risk fire areas of a wildfire and other natural disasters.

The Challenge

Our customer required a move from its on-premises infrastructure to a centralized Cloud environment in AWS. They looked to us to handle high availability architecture and fault tolerance to meet workloads over many geographical locations. We automated common activities such as change requests, monitoring, patch management, security, and backup services, and provided full-lifecycle services to provision, run, and support enterprise infrastructure.

The Solution

We provided the client with an Amazon Web Services infrastructure architecture to deliver a comprehensive, secure, and cost-effective hosting solution for supporting their efforts with Pacific Power. In addition, our team delivered Managed Services for the customer’s AWS environment. This assisted the client’s ability to deploy drones to inspect the infrastructure of electrical towers and ensure their efficiency in the wake of natural disasters.

The Benefits

Resilience

We implemented Amazon CloudWatch Events in a serverless workflow to trigger Lambda functions. Drones are programmed to deploy and inspect electrical towers to ensure that they are performing correctly.

Cost Optimization

We created a proprietary AWS-hosted solution in order for the customer to lower costs by running their workloads in the cloud. Our team assisted the client to utilize cloud purchasing options and offerings to meet their technical requirements while remaining cost-efficient.

Scalability

We configured EC2 instances that ensure adequate capacity to meet traffic demands and compute capacity. We implemented automated launch configurations to allow the client to quickly launch and/or scale application servers in target environments in the future.

RFD & Associates

RFD & Associates, Inc., is an IT Technical Services Company with over 30 years of experience delivering IT solutions to public and private sector clients.

RFD delivers solutions from Mainframe to Mobile and everything in between. They have helped hundreds of organizations design, build, purchase and implement optimal technology solutions to achieve business goals. RFD needed help designing and developing a scalable, Amazon Web Services (AWS) cloud hosted, multi-tenant web and mobile friendly application. The proposed solution had a requirement to integrate with external APIs to ensure flexibility for future enhancements and integration with third-party tools. The application was also required to comply with Personally Identifiable Information (PII) protection and U.S. Health Insurance Portability and Accountability Act (HIPAA) security requirements.

Effectual provided guidance in the following areas:

  • AWS design and architectural services to include making RFD’s multi-tenant hosting environment PII/HIPAA compliant
  • Provided AWS Training and best practices guidance on how to leverage AWS resources
  • Assisted in helping RFD achieve its defined goals:
    • Identify the challenges presented in third-party hosting of AWS.
    • Evaluate the use of cloud services to meet RFD business and technical requirements.
    • Determine portable containerization services.
    • Evaluate architectural decisions in AWS Commercial and GovCloud Regions.

Our Approach

A four-phased approach was developed to implement an AWS hosted environment for RFD:

  • Phase 1: Discovery, AWS Service Selection, and PII/HIPAA Security Requirements Determination.
  • Phase 2: AWS Foundation Build. Provisioned appropriate environments and access; established AWS accounts
  • Phase 3: AWS Service Build. Provisioned AWS services to include: EC2, Route53, S3, WAF, etc.
  • Phase 4: Process Documentation and Environment Review. Created AWS documentation of resources and provided reports on overall solution, security and cost.

The Benefits

Auto-Scaling

We configured EC2 instances that are PII/HIPAA compliant, ensuring adequate capacity to meet traffic demands and compute capacity. In addition, we implemented automated launch configurations to allow RFD to quickly launch and/or scale application servers in target environments in the future.

Security & Compliance

We implemented AWS Compute, Storage, and PII- and HIPAA-compliant Database services to ensure the security of sensitive data used in the environment.

Monitoring Services

To maximize the functionality of many services, AWS CloudWatch was configured to help RFD set thresholds/alarms to monitor custom metrics for auto-scaling needs.