Sebastien Linsolas, Solutions Architect, AWS Come and learn the latest and greatest tricks for automating your incident response and forensics in the cloud. This session focuses on automating your cloud incident response processes covering external and insider threats, triggers, canaries, containment, and data loss prevention. Products & Services: AWS IAM, AWS Lambda, Amazon GuardDuty, AWS Step Functions, Amazon CloudWatch, AWS Cloud Trail, Amazon Macie.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sebastien Linsolas
Solutions Architect, Amazon Web Services
Automating Incident Response and
Forensics in AWS

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to expect from this session
The challenges with Security Incidents
Where to start?
Use cases
Wrap up

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Incident Varieties
Compliance
Variance
Service
Disruption
Unauthorized
Resources
Unauthorized
Access
Privilege
Escalation
Excessive
Permissions
Information
Exposure
Credentials
Exposure

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why is traditional threat detection so hard?
Skills shortageSignal to noiseLarge datasets

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Humans and Data Don’t Mix

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Response Time Comparison (example)
Time
Get logs
Analyze
Correlate
Trace origin
Locate
Remediate
Incidentdetected
Traditional
Response

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where to Start?

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
NIST 800-61 Computer Security Incident
Handling Guide
Preparation
Detection &
Analysis
Containment,
Eradication,
and Recovery
Post-Incident
Activity
http://bit.ly/2pGqOs6
?

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Well-Architected
• Design Principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Prepare for security events
?

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Detect Indicators
Indicators:
• Denies in AWS CloudTrail
• Denies to access Amazon S3 buckets
• Denies in Amazon VPC Flowlogs
• Abnormal behaviour
?

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Wrangling Information Sources
Macie GuardDutyCloudTrail CloudWatch
Events
On-Instance
Logs
VPC Flow
Logs
CloudWatch
Logs
CloudWatch
Alarms
Lambda Function
Amazon S3 Access Logs S3 Bucket

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon
GuardDuty
Intelligent threat detection
and continuous monitoring
to protect your AWS
accounts and workloads
Threat Detection: Machine Learning
Amazon Macie
Machine learning-powered
security service to discover,
classify, and protect sensitive data

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The Insider

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How I’m Going To Detect Trudy
• Notified on access denied attempt
• Who attempted from where?
• What user / role was denied?
• History of the user / role?

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM Access Denied Responder
Lambda:
Publish
Access
Denied
Topic:
Access
Denied
Lambda:
Publish User
Trails
Topic:
Security
Message
Lambda:
Publish IAM
User History
Slack
CloudWatch
Event
AWS
CloudTrail
Lambda:
Publish
Slack
Lambda:
Publish
Chime
Amazon
Chime

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Alert!

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What I Learnt
• Automation is AWSome
• It saved me a lot of time
• IAM users should assume IAM roles with MFA enforced
• How can we improve?

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The Instance

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure Incident
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Security groups
Route table
NACLs
Internet Gateway
Instance Compromised

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure Incident – Incident Response
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Isolate the Instance

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure Incident – Incident Response
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.48.0/21
Sensitive subnet
10.0.32.0/20
Private subnet
10.0.0.0/19
Public subnet
Take a Snapshot

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure Incident – Offline Analysis
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Bastion
W
eb
W
eb
App
Availability Zone A
10.0.48.0/21
Sensitive subnet
10.0.32.0/20
Private subnet
10.0.0.0/19
Public subnet
App
Availability Zone A
VPC CIDR: 192.168.1.0/24
192.168.1.0/27
Sensitive subnet
Forensics
Create new Instance
Restore the Volume

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
EC2 Auto Clean Room Forensics
Topic:
Instance ID
Step Function:
Incident Response
Instance
Isolate
Instance SG2:
Remove
Auto Scaling
(+logic)
Snapshot
Volumes
Record
Metadata
Apply
Tags1: Notify
CloudFormation:
Clean Room
Create
Cleanroom3:
Run Basic
Forensics4:
Generate
Report5: Topic:
Forensics Report
Slack
Topic:
Instance
Incident
Verify
Instance
GuardDuty
Threat
Detection
CloudWatch
Events

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IR Workflow

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Warning

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Response Time Comparison (example)
Time
Get logs
Analyze
Correlate
Trace origin
Locate
Remediate
Event delivered
Rule matched
Alert sent
Correlate
Check baseline
Remediate
Incidentdetected
Traditional
Response
Response

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What We Achieved
• No human interaction needed for isolation & investigation
• I was automatically given basic forensic info
• I have a mechanism to compare
• A security system didn’t break anything
• Shorten the incident duration
And then?

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IR Principles
• Establish goals
• Prepare for an incident before it’s too late
• Know what you have and what you need
• Do things that scale
• Automate
• Learn and improve your process through game days

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
All Code From Session
https://github.com/awslabs/aws-security-automation
?

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
slinsola@amazon.com