Automating Incident Response and Forensics in AWS - AWS Summit Sydney 2018
1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ben Potter
Security Lead, Well-Architected, Amazon Web Services
Deenadayaalan Thirugnanasambandam
Cloud Architect, Amazon Web Services
Automating Incident Response
And Forensics In AWS
2. What To Expect
Where to Start
The Insider
The Instance
3. Meet Bob
4. Bob
Responsibilities:
• Security lead for DevOps team
• Identify security issues
• First level response
• Prevention
5. Bob’s Interesting Experiences
1st: IAM denied attempts
2nd: Instance compromised
Going to talk about!
6. Where To Start
7. NIST 800-61 Computer Security Incident Handling Guide
Preparation
Detection & Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
http://bit.ly/2pGqOs6
8. I’ve used these
https://aws.amazon.com/security/
http://aws.amazon.com/well-architected/
http://bit.ly/2pFqBW4
9. I’ve used these
http://bit.ly/2ITNuxF
https://www.sleuthkit.org/
http://bit.ly/2G6oZPY
10. All Code From Session
https://github.com/awslabs/aws-security-automation
11. AWS Well-Architected
• Design Principles
  • Implement a strong identity foundation
  • Enable traceability
  • Apply security at all layers
  • Automate security best practices
  • Protect data in transit and at rest
  • Prepare for security events
12. Honeypot Or Indicators?
A honeypot is a deliberately misconfigured system.
Indicators:
• Denies in AWS CloudTrail
• Denied access to Amazon S3 buckets
• Denies in Amazon VPC Flow Logs
• Abnormal behaviour
13. This Is What I Put In Place
• Enabled logging and security services
  • AWS CloudTrail
  • Amazon GuardDuty
  • AWS Config
  • Amazon VPC Flow Logs
  • App & System Logs in Amazon CloudWatch Logs
• Started with most likely scenarios
14. The Insider
15. How I’m Going To Detect Trudy
• Notified on access denied attempt
• Who attempted from where?
• What user / role was denied?
• History of the user / role?
16. IAM Access Denied Responder
[Architecture diagram; flow reconstructed from the slide labels]
AWS CloudTrail -> CloudWatch Event -> Lambda: Publish Access Denied -> Topic: Access Denied
Topic: Access Denied -> Lambda: Publish User Trails -> Topic: Security Message
Topic: Access Denied -> Lambda: Publish IAM User History -> Topic: Security Message
Topic: Security Message -> Lambda: Publish Slack -> Slack
Topic: Security Message -> Lambda: Publish Chime -> Amazon Chime
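As an added example (not code from the deck or from the awslabs/aws-security-automation repository), here is the detection half of this responder in Python: the Lambda behind the CloudWatch Event takes the CloudTrail record, answers the three questions from the previous slide (who attempted, from where, what user or role was denied), builds the Slack text, and looks up the principal's recent CloudTrail history. It also covers the "Denies in AWS CloudTrail" indicator from the earlier slide. The sample event, account id, IP address and topic ARN are constructed; `lambda_handler`, `summarise_denial`, `user_history` and the set of error codes are choices made here, not the project's own names.

```python
"""Added example (not from the deck or the awslabs/aws-security-automation repo):
the detection half of the IAM Access Denied Responder. The Lambda behind the
CloudWatch Event receives a CloudTrail record; these functions answer who, from
where and what was denied, build the Slack text, and look up the principal's
recent CloudTrail history. AWS clients are passed in so it runs offline."""
import json
from datetime import datetime, timedelta, timezone

# Error codes CloudTrail records for refused calls (assumption: AccessDenied for
# IAM/S3/STS-style APIs, Client.UnauthorizedOperation for the EC2 API family).
ACCESS_DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}

def is_access_denied(event):
    """True when the CloudWatch event wraps a CloudTrail record for a refused call."""
    detail = event.get("detail", {})
    return (event.get("detail-type") == "AWS API Call via CloudTrail"
            and detail.get("errorCode") in ACCESS_DENIED_CODES)

def principal_name(identity):
    """Map the CloudTrail userIdentity block to a user name or RoleName/SessionName."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName", "unknown")
    if kind == "AssumedRole":
        # arn:aws:sts::123456789012:assumed-role/RoleName/SessionName
        return "/".join(identity.get("arn", "").split("/")[1:])
    return identity.get("arn") or identity.get("principalId") or "unknown"

def summarise_denial(event):
    """Who attempted, from where, what was denied (the slide's three questions)."""
    d = event["detail"]
    identity = d.get("userIdentity", {})
    mfa = identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    return {"who": principal_name(identity), "principal_type": identity.get("type"),
            "account": d.get("recipientAccountId"), "from_ip": d.get("sourceIPAddress"),
            "user_agent": d.get("userAgent"), "region": d.get("awsRegion"),
            "action": f"{d.get('eventSource')}:{d.get('eventName')}",
            "error": d.get("errorCode"), "when": d.get("eventTime"), "mfa": mfa}

def slack_message(summary):
    """Body for a Slack incoming webhook (only the 'text' field is required)."""
    lines = [f":rotating_light: Access denied in account {summary['account']} ({summary['region']})",
             f"Who: {summary['principal_type']} {summary['who']} (MFA: {summary['mfa'] or 'n/a'})",
             f"From: {summary['from_ip']} via {summary['user_agent']}",
             f"What: {summary['action']} -> {summary['error']} at {summary['when']}"]
    return {"text": "\n".join(lines)}

def user_history(cloudtrail, username, hours=24):
    """Recent activity of the denied principal via CloudTrail LookupEvents on the
    Username attribute. `cloudtrail` is a boto3 CloudTrail client or a stand-in."""
    end = datetime.now(timezone.utc)
    resp = cloudtrail.lookup_events(
        LookupAttributes=[{"AttributeKey": "Username", "AttributeValue": username}],
        StartTime=end - timedelta(hours=hours), EndTime=end, MaxResults=50)
    return [(e["EventTime"], e["EventName"], e.get("EventSource")) for e in resp["Events"]]

def lambda_handler(event, context=None, sns=None, topic_arn=None):
    """Entry point: ignore everything but denials, publish the summary to the
    Access Denied topic when an SNS client and topic ARN are supplied."""
    if not is_access_denied(event):
        return None
    summary = summarise_denial(event)
    if sns is not None and topic_arn:
        sns.publish(TopicArn=topic_arn, Subject="IAM access denied", Message=json.dumps(summary))
    return summary

# Constructed CloudTrail record as CloudWatch Events delivers it (not real data).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.iam",
    "detail": {
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:iam::123456789012:user/trudy is not authorized to "
                        "perform: iam:CreateAccessKey on resource: user admin",
        "eventTime": "2018-04-10T02:14:07Z", "awsRegion": "ap-southeast-2",
        "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.14.50 Python/2.7.12",
        "recipientAccountId": "123456789012",
        "userIdentity": {"type": "IAMUser", "userName": "trudy", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:user/trudy"}}}

if __name__ == "__main__":
    print(slack_message(summarise_denial(SAMPLE_EVENT))["text"])
```

The CloudWatch Events rule that feeds this only has to match `detail-type` of "AWS API Call via CloudTrail" and the presence of `detail.errorCode`; everything else is decided in the handler, which keeps the rule simple and the code testable. The MFA flag is surfaced on purpose: the deck's later lesson is that IAM users should assume roles with MFA enforced, and a denial without MFA in its session context is the first thing a responder wants to see.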
17. Alert!
18. Demo
19. What I Learnt
• Automation is AWSome
• It saved me a lot of time
• IAM users should assume IAM roles with MFA enforced
• How can we improve?
• P4wned ex-employee Trudy … LOL
20. The Instance
21. EC2 Auto Clean Room Forensics
[Architecture diagram; flow reconstructed from the slide labels]
Topic: Instance Incident -> Verify Instance -> Topic: Instance ID -> Step Function: Incident Response
Step Function steps:
1: Notify
2: Isolate Instance (SG): Remove Auto Scaling (+logic), Snapshot Volumes, Record Metadata, Apply Tags
3: Create Cleanroom (CloudFormation: Clean Room)
4: Run Basic Forensics
5: Generate Report -> Topic: Forensics Report -> Slack
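The containment step of this flow (step 2 above), written out as an added Python example that is not the project's own Step Function or Lambda code: swap the instance's security groups for an isolation group so it keeps its memory and processes but cannot talk to anything, detach it from its Auto Scaling group without decrementing desired capacity (so the group launches a clean replacement instead of terminating the evidence), snapshot every attached EBS volume, and record the metadata and tags the clean-room and report steps consume. The isolation group id, the instance and volume ids, and the in-memory stand-ins for the EC2 and Auto Scaling clients are constructed so the block runs offline; the boto3 calls used (`describe_instances`, `modify_instance_attribute`, `create_snapshot`, `create_tags`, `describe_auto_scaling_instances`, `detach_instances`) are real, the function names are choices made here.

```python
"""Added example (not the project's own Step Function or Lambda code): the
containment steps of the EC2 Auto Clean Room Forensics flow - isolate behind an
empty security group, leave Auto Scaling, snapshot volumes, record metadata and
tag the case. Clients are boto3-style objects passed in; the stand-ins at the
bottom are constructed so the block runs offline."""
from datetime import datetime, timezone

ISOLATION_SG = "sg-0isolation0000000"  # assumption: pre-created group with no rules at all

def describe_instance(ec2, instance_id):
    return ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]

def isolate_instance(ec2, instance_id, isolation_sg=ISOLATION_SG):
    """Swap every security group for the isolation group: memory and processes
    stay intact for forensics, but the instance can no longer talk to anything."""
    previous = [g["GroupId"] for g in describe_instance(ec2, instance_id).get("SecurityGroups", [])]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    return previous  # kept for the incident record

def detach_from_auto_scaling(autoscaling, instance_id):
    """Detach without decrementing desired capacity, so the group launches a clean
    replacement instead of terminating the evidence. None if not in a group."""
    members = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])["AutoScalingInstances"]
    if not members:
        return None
    asg = members[0]["AutoScalingGroupName"]
    autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg,
                                 ShouldDecrementDesiredCapacity=False)
    return asg

def snapshot_volumes(ec2, instance_id, case_id):
    """Snapshot every attached EBS volume, tagging each snapshot with the case id."""
    tags = [{"Key": "SecurityIncident", "Value": "true"}, {"Key": "CaseId", "Value": case_id},
            {"Key": "SourceInstance", "Value": instance_id}]
    snapshots = []
    for m in describe_instance(ec2, instance_id).get("BlockDeviceMappings", []):
        resp = ec2.create_snapshot(VolumeId=m["Ebs"]["VolumeId"],
                                   Description=f"IR case {case_id}: {instance_id} {m['DeviceName']}",
                                   TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])
        snapshots.append(resp["SnapshotId"])
    return snapshots

def contain(ec2, autoscaling, instance_id, case_id):
    """Run the containment steps in order; the returned record feeds the later
    clean-room and report steps."""
    previous_sgs = isolate_instance(ec2, instance_id)
    asg = detach_from_auto_scaling(autoscaling, instance_id)
    snapshots = snapshot_volumes(ec2, instance_id, case_id)
    inst = describe_instance(ec2, instance_id)
    ec2.create_tags(Resources=[instance_id], Tags=[{"Key": "SecurityIncident", "Value": "true"},
                                                   {"Key": "CaseId", "Value": case_id}])
    return {"case_id": case_id, "instance_id": instance_id,
            "isolated_at": datetime.now(timezone.utc).isoformat(),
            "previous_security_groups": previous_sgs, "auto_scaling_group": asg,
            "snapshots": snapshots, "instance_type": inst.get("InstanceType"),
            "private_ip": inst.get("PrivateIpAddress"), "vpc_id": inst.get("VpcId"),
            "original_tags": inst.get("Tags", [])}

# Constructed in-memory stand-ins for the boto3 calls used above (not real clients).
class FakeEC2:
    def __init__(self):
        self.instances = {"i-0abc123def4567890": {
            "InstanceId": "i-0abc123def4567890", "InstanceType": "t3.medium",
            "PrivateIpAddress": "10.0.1.17", "VpcId": "vpc-0example",
            "SecurityGroups": [{"GroupId": "sg-0web"}, {"GroupId": "sg-0ssh"}],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
                                    {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}}],
            "Tags": [{"Key": "Name", "Value": "web-01"}]}}
        self.snapshots, self.tags = [], {}
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [dict(self.instances[i]) for i in InstanceIds]}]}
    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]
    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        snap_id = f"snap-{len(self.snapshots):04d}"
        self.snapshots.append({"SnapshotId": snap_id, "VolumeId": VolumeId, "Description": Description,
                               "Tags": TagSpecifications[0]["Tags"]})
        return {"SnapshotId": snap_id}
    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, []).extend(Tags)

class FakeAutoScaling:
    def __init__(self):
        self.members, self.detached = {"i-0abc123def4567890": "web-asg"}, []
    def describe_auto_scaling_instances(self, InstanceIds):
        return {"AutoScalingInstances": [{"InstanceId": i, "AutoScalingGroupName": self.members[i]}
                                         for i in InstanceIds if i in self.members]}
    def detach_instances(self, InstanceIds, AutoScalingGroupName, ShouldDecrementDesiredCapacity):
        for i in InstanceIds:
            self.members.pop(i)
            self.detached.append((i, AutoScalingGroupName, ShouldDecrementDesiredCapacity))

if __name__ == "__main__":
    print(contain(FakeEC2(), FakeAutoScaling(), "i-0abc123def4567890", "case-0001"))
```

Two design choices matter here. Isolation is done by changing security groups rather than stopping the instance, because stopping loses volatile state that the later forensics step may want; and the instance is detached from Auto Scaling before the group's health check can terminate it, which is the "(+logic)" the slide hints at and the reason the deck can say the security system did not break anything: the group keeps serving from a replacement while the suspect instance sits in the isolation group.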
22. Oh No
23. Thank You!
24. Demo
25. What We Achieved
• No human interaction needed for isolation & investigation
• I was automatically given basic forensic info
• I have a mechanism to compare
• A security system didn’t break anything
And then?
26. Lessons I (Bob) Learnt
• Incidents are always badly timed
• Security incidents can cause long term damage
• Prepare for an incident before it’s too late
• Practice through game days
27. Always Stay Up To Date
Keep an eye on the security blog…
http://blogs.aws.amazon.com/security
28. Thank You