
Incident Response - Finding a Needle in a Stack of Needles


by Nathan Case, Sr. Consultant, AWS

Events are precursors to incidents, but how do you decide whether an event is harmful? Tuning signal to noise means that every event needs to be inspected and its impact calculated in as short a time as possible to stop bad things from happening. In this session, we will dive deep into a few event types, doing advanced analysis to decide whether each one is a security incident, and show how to resolve it by the time the alert hits your inbox.



  1. Incident Response on AWS: a practical look
  2. What should I look for? AKA, if you were a hacker…
  3. Changes in configuration or behavior
     Configuration: Security Group rules, NACLs, bucket policies
     Behavior: login attempts, new credentials, unusual access patterns
  4. IR principles
     • Establish goals
     • Respond using the cloud
     • Know what you have and what you need
     • Do things that scale
     • Use redeployment mechanisms
     • Iteratively automate the mundane
     • Learn and improve your process
  5. IR principles (the same list as slide 4, repeated)
  6. Applying what we know
  7. The high-level playbook (diagram labels: Adversary, Your environment, CloudWatch Event, Responder)
  8. Security objective: "If someone turns CloudTrail off, turn it back on."
  9. Incident: CloudTrail gets turned off. Adversary API call: cloudtrail:StopLogging
  10. CloudWatch Events event (Adversary → API call → CloudWatch Event):
      {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
          "eventSource": ["cloudtrail.amazonaws.com"],
          "eventName": ["StopLogging"]
        }
      }
  11. Responder (Adversary → API call → CloudWatch Event → Responder): cloudtrail.start_logging
  12. Security objective: "I only want approved managed policies attached to IAM users."
  13. Adversary → IAM:
      iam.attach_user_policy(
          UserName='Bill',
          PolicyArn='arn:aws:iam::aws:policy/PowerUserAccess'
      )
  14. CloudWatch Events event:
      {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
          "eventSource": ["iam.amazonaws.com"],
          "eventName": ["AttachGroupPolicy", "AttachRolePolicy", "AttachUserPolicy"]
        }
      }
  15. Responder: iam.detach_user_policy
  16. Security objective: "Do not allow inline IAM policies."
  17. Adversary → IAM (PolicyDocument must be passed as a JSON string, so the dict is serialized with json.dumps):
      adminpolicy = {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
      }
      iam.put_user_policy(
          UserName='Bill',
          PolicyName='AdministratorAccess',
          PolicyDocument=json.dumps(adminpolicy)
      )
  18. CloudWatch Events event:
      {
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
          "eventSource": ["iam.amazonaws.com"],
          "eventName": ["PutGroupPolicy", "PutRolePolicy", "PutUserPolicy"]
        }
      }
  19. Responder: iam.delete_user_policy
  20. Security objective: "Only allow EC2 instances launched from approved AMIs and with appropriate subnets and security groups."
  21. Adversary → EC2, launch parameters:
      ImageId=ami-f9dd458a
      SubnetId=subnet-a8aa4ef0
      SecurityGroups=[GroupId=sg-45533823]
  22. CloudWatch Events event:
      {
        "detail-type": ["EC2 Instance State-change Notification"],
        "detail": {"state": ["pending"]},
        "source": ["aws.ec2"]
      }
  23. Responder:
      # check if the AMI is approved
      # check if the AMI is used in the correct subnet
      # check if the AMI was launched with an approved security group
  24. DynamoDB items (the approved launch configurations):
      {
        "ami": "ami-0d77397e",
        "region": "eu-west-1",
        "security_groups": ["sg-cc9a3aaa"],
        "subnets": ["subnet-ac3d7cda", "subnet-2f9c1677"]
      },
      {
        "ami": "ami-f9dd458a",
        "region": "eu-west-1",
        "security_groups": ["sg-ee9a3a88"],
        "subnets": ["subnet-ad3d7cdb", "subnet-2e9c1676"]
      }
  25. Event emitted by the responder after the DynamoDB check (put_events requires Detail to be a JSON string, so the dict is serialized with json.dumps):
      {
          'Time': int(time.time()),
          'Source': 'auto.responder.level1',
          'Resources': [str(instance_id)],
          'DetailType': 'activeResponse',
          'Detail': json.dumps({
              'instance': instance_id,
              'actionsRequested': 'instanceTermination'
          })
      }
  26. CloudWatch Event rule for the level-2 responder:
      {
        "detail-type": ["activeResponse"],
        "source": ["auto.responder.level1"]
      }
  27. L2 responder: ec2.terminate_instances
  28. On-instance
  29. Shortest route to Lambda (diagram labels: EC2, CloudWatch Logs, CloudWatch Event, Lambda)
  30. On-instance… now what? (diagram labels: EC2, CloudWatch Logs, CloudWatch Event, Lambda, ?)
  31. Introducing Amazon EC2 Systems Manager: a set of capabilities that enable automated configuration and ongoing management of systems at scale, across all your Windows and Linux workloads, running in Amazon EC2 or on-premises.
  32. Systems Manager capabilities: Run Command, Maintenance Windows, Inventory, State Manager, Parameter Store, Patch Manager, Automation (grouped on the slide as Configuration, Administration, Update and Track, and Shared Capabilities)
  33. Automation (EC2 Systems Manager)
      • Simplified automation solution
      • Perfect for AMI updates, instance deployment & config
      • Pro-active event notifications
      • AWS optimized (EC2 Run Command, AWS Lambda, AWS CloudTrail, IAM, and Amazon CloudWatch integrations)
  34. Automation – getting started: 1. create an automation document; 2. run the automation; 3. monitor your automation
  35. Automate using an extensible framework
      • Generic framework to convert manual and repetitive tasks into automated steps
      • Use predefined automation tasks or create custom automation
      • Safely perform management operations at scale using delegated administration
      (diagram labels: Automation document, Role and permission input, Run the automation)
  36. On-instance… now what? (diagram labels: EC2, CloudWatch Logs, CloudWatch Event, Lambda, ?)
  37. Automate! (diagram labels: EC2, CloudWatch Logs, CloudWatch Event, Lambda, Run Command)
  38. Go forth and respond!
      • Understand what normal looks like
      • Express your security objectives in a clear way
      • Know where to find the right information
      • Have a plan
      • Practice
  39. Incident Response on AWS: any questions?
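Slides 8 through 19 all follow one pattern: a CloudWatch Events rule matches an "AWS API Call via CloudTrail" event and a responder issues the undoing call. The following is an added example, not code from the deck or from AWS, of a single Lambda-style responder that covers all three objectives: it maps the CloudTrail eventName to the undo call the slides name (cloudtrail.start_logging, iam.detach_*_policy, iam.delete_*_policy), skips calls that CloudTrail recorded as failed (errorCode set), and skips managed-policy attachments on an allowlist. The allowlist, the sample events, the trail name and the RecordingClient test double are constructed for this example; the boto3 client is created only when none is injected, so the decision logic runs without AWS credentials.

```python
"""Added example: one responder for the CloudTrail and IAM API-call events
on slides 10, 14 and 18 (not the deck's own code)."""

# Constructed allowlist of managed policies that may be attached (slide 12).
APPROVED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}

# eventName -> (requestParameters key, boto3 keyword, undo method)
_MANAGED = {
    "AttachUserPolicy":  ("userName",  "UserName",  "detach_user_policy"),
    "AttachGroupPolicy": ("groupName", "GroupName", "detach_group_policy"),
    "AttachRolePolicy":  ("roleName",  "RoleName",  "detach_role_policy"),
}
_INLINE = {
    "PutUserPolicy":  ("userName",  "UserName",  "delete_user_policy"),
    "PutGroupPolicy": ("groupName", "GroupName", "delete_group_policy"),
    "PutRolePolicy":  ("roleName",  "RoleName",  "delete_role_policy"),
}


def plan_response(event, approved=APPROVED_POLICY_ARNS):
    """Decide the undo call for one event. Returns (service, method, kwargs)
    or None when nothing should be done."""
    detail = event.get("detail") or {}
    if detail.get("errorCode"):
        return None  # the adversary's call was denied; nothing to undo
    source = detail.get("eventSource")
    name = detail.get("eventName")
    params = detail.get("requestParameters") or {}

    if source == "cloudtrail.amazonaws.com" and name == "StopLogging":
        return ("cloudtrail", "start_logging", {"Name": params["name"]})

    if source == "iam.amazonaws.com" and name in _MANAGED:
        src, dst, undo = _MANAGED[name]
        if params.get("policyArn") in approved:
            return None
        return ("iam", undo, {dst: params[src], "PolicyArn": params["policyArn"]})

    if source == "iam.amazonaws.com" and name in _INLINE:
        src, dst, undo = _INLINE[name]
        return ("iam", undo, {dst: params[src], "PolicyName": params["policyName"]})

    return None


def respond(event, clients=None, approved=APPROVED_POLICY_ARNS):
    """Execute the plan. `clients` maps a service name to a boto3 client (or a
    test double); a real client is created only when none was injected."""
    plan = plan_response(event, approved)
    if plan is None:
        return {"action": "ignored"}
    service, method, kwargs = plan
    clients = clients if clients is not None else {}
    if service not in clients:
        import boto3  # deferred so the module imports without boto3 installed
        clients[service] = boto3.client(service)
    getattr(clients[service], method)(**kwargs)
    actor = ((event.get("detail") or {}).get("userIdentity") or {}).get("arn")
    return {"action": method, "params": kwargs, "caller": actor}


def handler(event, context):
    """Lambda entry point for the CloudWatch Events rules."""
    return respond(event)


class RecordingClient:
    """Test double for a boto3 client: records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {}
        return call


def _api_call(source, name, params):
    """Constructed event in the shape CloudWatch Events delivers to Lambda."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": source,
            "eventName": name,
            "requestParameters": params,
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/Bill"},
        },
    }


# Constructed samples mirroring slides 9, 13 and 17 (trail name invented).
STOP_LOGGING_EVENT = _api_call("cloudtrail.amazonaws.com", "StopLogging",
                               {"name": "management-trail"})
ATTACH_POLICY_EVENT = _api_call("iam.amazonaws.com", "AttachUserPolicy",
                                {"userName": "Bill",
                                 "policyArn": "arn:aws:iam::aws:policy/PowerUserAccess"})
INLINE_POLICY_EVENT = _api_call("iam.amazonaws.com", "PutUserPolicy",
                                {"userName": "Bill", "policyName": "AdministratorAccess",
                                 "policyDocument": '{"Version":"2012-10-17","Statement":'
                                                   '[{"Effect":"Allow","Action":"*","Resource":"*"}]}'})
```

One Lambda function, subscribed to the three rules, is enough because `plan_response` keys on eventSource and eventName; the Lambda role needs only cloudtrail:StartLogging and the six iam:Detach*/Delete* actions. Checking errorCode matters because CloudTrail records denied calls too, and responding to those would undo nothing while still generating noise.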
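Slides 20 through 27 describe a two-level responder: level 1 checks a newly launched instance against approved launch configurations held in DynamoDB and emits an activeResponse event; level 2 terminates the instance. The following is an added example, not code from the deck or from AWS, that carries the three checks on slide 23 through against an in-memory copy of the slide-24 items, builds the slide-25 event (with Detail serialized to a string, which put_events requires), and implements both Lambda handlers with injectable clients. The instance ids and the instance descriptions are constructed; slide 21's launch parameters are used for the non-compliant instance.

```python
"""Added example: level-1 and level-2 EC2 launch responders for slides 22-27
(not the deck's own code)."""
import json
import time

# The two DynamoDB items from slide 24, held in memory for this example.
APPROVED_LAUNCH_CONFIGS = [
    {"ami": "ami-0d77397e", "region": "eu-west-1",
     "security_groups": ["sg-cc9a3aaa"],
     "subnets": ["subnet-ac3d7cda", "subnet-2f9c1677"]},
    {"ami": "ami-f9dd458a", "region": "eu-west-1",
     "security_groups": ["sg-ee9a3a88"],
     "subnets": ["subnet-ad3d7cdb", "subnet-2e9c1676"]},
]


def find_violations(instance, region, configs=APPROVED_LAUNCH_CONFIGS):
    """The three checks on slide 23, run on one instance dict as returned by
    ec2.describe_instances. Returns a list of findings (empty = compliant)."""
    ami = instance.get("ImageId")
    match = [c for c in configs if c["ami"] == ami and c["region"] == region]
    if not match:
        return ["AMI %s is not approved in %s" % (ami, region)]
    cfg = match[0]
    findings = []
    subnet = instance.get("SubnetId")
    if subnet not in cfg["subnets"]:
        findings.append("subnet %s is not approved for %s" % (subnet, ami))
    groups = {g["GroupId"] for g in instance.get("SecurityGroups", [])}
    unapproved = sorted(groups - set(cfg["security_groups"]))
    if unapproved:
        findings.append("security groups %s are not approved for %s" % (unapproved, ami))
    return findings


def build_active_response(instance_id, action="instanceTermination", now=None):
    """The slide-25 entry for events.put_events; Detail is a JSON string."""
    return {
        "Time": int(time.time() if now is None else now),
        "Source": "auto.responder.level1",
        "Resources": [str(instance_id)],
        "DetailType": "activeResponse",
        "Detail": json.dumps({"instance": instance_id, "actionsRequested": action}),
    }


def level1_handler(event, context, ec2=None, events=None):
    """Level-1 responder, triggered by the 'pending' rule on slide 22."""
    if (event.get("detail") or {}).get("state") != "pending":
        return {"action": "ignored"}
    instance_id = event["detail"]["instance-id"]
    if ec2 is None or events is None:
        import boto3  # deferred so the module imports without boto3 installed
        ec2 = ec2 or boto3.client("ec2")
        events = events or boto3.client("events")
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    findings = find_violations(instance, event["region"])
    if not findings:
        return {"action": "approved", "instance": instance_id}
    events.put_events(Entries=[build_active_response(instance_id)])
    return {"action": "escalated", "instance": instance_id, "findings": findings}


def level2_handler(event, context, ec2=None):
    """Level-2 responder, triggered by the rule on slide 26. By the time the
    event reaches Lambda, detail has been parsed back into a dict."""
    detail = event.get("detail") or {}
    if (event.get("source") != "auto.responder.level1"
            or detail.get("actionsRequested") != "instanceTermination"):
        return {"action": "ignored"}
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    ec2.terminate_instances(InstanceIds=[detail["instance"]])
    return {"action": "terminate_instances", "instance": detail["instance"]}


# Constructed instance descriptions: slide 21's launch (not on the allowlist)
# and a compliant one. Instance ids are invented.
ROGUE_INSTANCE = {"InstanceId": "i-0f00d00000000cafe", "ImageId": "ami-f9dd458a",
                  "SubnetId": "subnet-a8aa4ef0",
                  "SecurityGroups": [{"GroupId": "sg-45533823", "GroupName": "adhoc"}]}
GOOD_INSTANCE = {"InstanceId": "i-0b00b00000000beef", "ImageId": "ami-f9dd458a",
                 "SubnetId": "subnet-ad3d7cdb",
                 "SecurityGroups": [{"GroupId": "sg-ee9a3a88", "GroupName": "web"}]}
```

Splitting the decision (level 1) from the destructive action (level 2) is what lets the terminate step run under a separately scoped role and be audited as its own CloudTrail call; the findings list returned by level 1 is what you would log so the termination can be explained afterwards.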
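Slides 29 and 37 show the on-instance path: the instance ships logs to CloudWatch Logs, a subscription hands matching lines to Lambda, and Lambda acts on the box through EC2 Systems Manager Run Command. The following is an added example, not code from the deck or from AWS, of that Lambda: it decodes the base64-gzipped payload a CloudWatch Logs subscription delivers, counts failed SSH logins per instance (the "login attempts" signal from slide 3), and above a threshold calls ssm.send_command with the AWS-RunShellScript document to collect read-only triage data. It assumes the CloudWatch agent names each log stream after the instance id; the marker string, threshold, command list, instance id and log lines are constructed for the example.

```python
"""Added example: CloudWatch Logs subscription -> Lambda -> Run Command for
slides 29 and 37 (not the deck's own code)."""
import base64
import gzip
import json

MARKER = "Failed password for"   # sshd auth-log text for a failed login
THRESHOLD = 5                    # failures within one delivery batch
# Read-only triage commands, constructed for the example.
TRIAGE_COMMANDS = [
    "ps auxww > /var/tmp/ir-processes.txt",
    "ss -tunap > /var/tmp/ir-sockets.txt",
    "last -n 50 > /var/tmp/ir-logins.txt",
]


def decode_logs_event(event):
    """CloudWatch Logs delivers {'awslogs': {'data': base64(gzip(json))}}."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw).decode("utf-8"))


def encode_logs_event(payload):
    """Inverse of decode_logs_event, used here to build test input offline."""
    data = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(data).decode("ascii")}}


def instances_over_threshold(payload, marker=MARKER, threshold=THRESHOLD):
    """Return the instance id when the batch holds >= threshold marker lines.
    Assumes the log stream is named after the instance id (an assumption of
    this example; it is a common CloudWatch agent configuration)."""
    hits = sum(1 for ev in payload.get("logEvents", []) if marker in ev.get("message", ""))
    return [payload["logStream"]] if hits >= threshold else []


def build_run_command(instance_ids, commands, comment="auto-responder triage"):
    """Keyword arguments for ssm.send_command using AWS-RunShellScript."""
    return {
        "InstanceIds": list(instance_ids),
        "DocumentName": "AWS-RunShellScript",
        "Comment": comment,
        "Parameters": {"commands": list(commands)},
    }


def handler(event, context, ssm=None):
    """Lambda entry point for the subscription filter."""
    payload = decode_logs_event(event)
    targets = instances_over_threshold(payload)
    if not targets:
        return {"action": "ignored", "logStream": payload.get("logStream")}
    if ssm is None:
        import boto3  # deferred so the module imports without boto3 installed
        ssm = boto3.client("ssm")
    resp = ssm.send_command(**build_run_command(targets, TRIAGE_COMMANDS))
    return {"action": "send_command", "instances": targets,
            "command_id": resp["Command"]["CommandId"]}


# Constructed batch: six failed logins on one instance. 203.0.113.0/24 is a
# documentation address range; the instance id and account id are invented.
SAMPLE_LINE = ("Jul  1 12:00:0{0} ip-10-0-0-5 sshd[1234]: Failed password for invalid "
               "user admin from 203.0.113.7 port 4242 ssh2")
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "/var/log/auth.log",
    "logStream": "i-0123456789abcdef0",
    "subscriptionFilters": ["failed-ssh"],
    "logEvents": [{"id": str(i), "timestamp": 1500000000000 + i * 1000,
                   "message": SAMPLE_LINE.format(i)} for i in range(6)],
}
```

The subscription filter pattern on the log group does the coarse match (so Lambda is only invoked for lines containing the marker), and the threshold in the function does the fine one; the command id returned by send_command is what you poll with ssm.get_command_invocation to read the collected output. Keeping the commands read-only means a false positive costs an instance nothing more than a few files in /var/tmp.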
