We will walk you through a hypothetical incident response managed on AWS. Learn how to apply existing best practices as well as how to leverage the unique security visibility, control, and automation that AWS provides. We will cover how to setup your AWS environment to prevent a security event and how to build a cloud-specific incident response plan so that your organization is prepared before a security event occurs. This session also covers specific environment recovery steps available on AWS. Learn More: https://aws.amazon.com/government-education/

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Incident Response in the Cloud
APL Incident and Spillage Response
Conrad Fernandes AWS CSA-A, CISSP, GCFA
Johns Hopkins - Applied Physics Laboratory
June 13, 2017

2. Johns Hopkins Applied Physics Laboratory
 Technically skilled
and operationally
oriented
 Objective and
independent
 DoD
 NASA
 Critical contributions
to critical challenges
 DHS
 IC
 Division of Johns
Hopkins University
 University Affiliated
Research Center

3. What APL Missions Require
Reliable and elastic infrastructure
Scalable computing and storage - Medical image processing, Big-
data analysis, Machine Learning
… With agility! (noun, “ability to move quickly and easily”)
Pre-configured and boot-strapped machine images, scripting,
templates to build cloud infrastructure via automation
… While maintaining security and governance
Multi-factor authentication, security groups, access controls, data
encryption, secure monitoring, notifications, incident response
… And compliance to laws and regulations for sensitive data
FOUO/CUI (DoD) commercial and AWS GovCloud (US), HIPAA
(Medical)

4. APL Cloud Team
 IT team works closely with
APL Mission Areas to provide
cloud computing services
 Designs and architects
Network and Security
enterprise wide
 Creates the structure for
Security Monitoring and
Incident Response

5. IR-4 “Incident Handling”
Comparing Incident Response Contexts
IR-9 “Information Spillage Response”
Life’s a Breach! Clean-up On Aisle 9!
 [intention: usually inadvertent]
 Identification: Always Notified
 Eradication: Fairly standard Wipe
(data sanitization) DoD processes
 Follow-Up: Lots of official paperwork
 [intention: usually malicious]
 Identification: Difficult detection /
evasive tactics, exploits
 Eradication: Can be difficult to
locate all footholds; incomplete
 Follow-up: Lots of lessons learned

6. Incident Response Approach
Preparation Identification Containment Investigation
EradicationRecoveryFollow-Up
* Applies to all types of IR, including IR-4 (breaches) and IR-9 (spills)

7. Preparation Identification Containment Investigation Eradication Recovery Follow-Up
 Train Incident Handlers for responding to cloud specific events
 Ensure logging is enabled
 Amazon VPC Flow Logs, AWS Cloud Trail, AWS Config, Amazon SNS notifications
 OS logs from Amazon EC2 instances
 Use AWS Management Console, or when possible use Automation (see below)
 Collect and aggregate the logs centrally for correlation and analysis
 E.g., Amazon CloudWatch, Amazon Elasticsearch Service, or third-party integrations
(Splunk for AWS)
 Use AWS KMS to encrypt sensitive data at rest
 Consider multiple AWS accounts for isolation

8. Multi-Account Isolation: AWS Organizations
 Enforces “separation of duties” principle
 Limits the blast radius in the event of compromise
 Organize accounts along business lines or mission areas, and
projects
 Create sub-accounts OU’s aligned to Department/Project
 Use of overarching Service Control Policies (SCP) to control sub accounts
with restrictive policies

9. AWS Organizations: Example Layout
OU’s,
projects SCP’s
Business Project A
Business Sector 1
Business Sector 2
Project A
Project B
Project C
Business Sector 3
Business Sector 4
Business Sector 5
Business Sector 6

10.  Usually notified about which user
accounts and systems have data that
need “cleaning up”
 Can use Data Loss Prevention (DLP)
 Open up spillage case with AWS
Business Support for cross validation
 Use behavioral based rules for
detection and searching
 Amazon CloudWatch Rules
 SIEM tools, e.g., Splunk for AWS, or
Amazon Elasticsearch Service
(Kibana visualizations)
IR-4 “Incident Handling” IR-9 “Information Spillage Response”
Preparation Identification Containment Investigation Eradication Recovery Follow-Up
Also known as “Detection”

11. Identification: Example using Splunk for AWS

12. IR-4 “Incident Handling”
 Multiple use-cases for live-box and
dead-box isolation and forensics
 Investigation complex: Correlation,
threat intelligence, timeline analysis
 Beyond the scope of this presentation
IR-9 “Information Spillage Response”
 Closer to live-box forensics
 Investigation easier: Usually limited to
known users and host machines
 Isolation using Security Group
 Via Console or Automation for speed (see
example below)
Containment / Isolation:
 Save the current Security Group of the host or instance
 Isolate host using restrictive ingress and egress Security Group rules
CLI> aws ec2 modify-instance-attribute --instance-id <instance-id>
--groups "<Isolation-SG>"
 Isolation-SG : Only SSH (22) or RDP (3389) ingress rules with IR enclave as source. No egress
Preparation Identification Containment Investigation Eradication Recovery Follow-Up

13. Investigation: Example using SIEM / Splunk for AWS

14. IR-9 “Information Spillage Response”
 Secure-wipe files. Response times faster via automation (see example below)
 After secure wipe, delete any KMS data keys for extra precaution
First, copy DoD approved sanitization tools to affected EC2 hosts
# scp –i “host-private-key” bcwipe.exe ec2-user@TargetHost.compute-
1.amazonaws.com:[/root_drive/home/]
Next, remote connect SSH (port 22) or RDP (3389) to the host to perform sanitization actions
# ssh -i “host-private-key” bcwipe.exe ec2-user@TargetHost.compute-
1.amazonaws.com
Once on target host, wipe file and slack space IAW U.S. DoD 5220-22M
TargetHost# bcwipe <file(s)> [including slack and free space]
Preparation Identification Containment Investigation Eradication Recovery Follow-Up

15. Recovery
 Restore network access to original state (prior to Isolation)
Restore previous Security Group ingress, egress rules
CLI> aws ec2 modify-instance-attribute --instance-id <instance-id>
--groups "<ORIGINAL-SG>"
Preparation Identification Containment Investigation Eradication Recovery Follow-Up
Follow-up
 Verify deletion of data keys (if KMS used)
 Cross-validate with Amazon Support / Case #
 Report spillage findings and response actions
 In accordance with DoD 5220 or appropriate authorities

16. Takeaways
 Understand the differences between IR-4 (threat based) and IR-9 (spills)
and plan the handling and response accordingly
 Use a phased approach for IR: Create well-defined steps and operational
procedures, including training for the response teams
 Preparation step is critical
 Use AWS Organizations to separate projects/functions and limit the blast radius
 Enable all critical logging mechanisms (EC2 OS, AWS CloudTrail, VPC FlowLogs)
 Create detection rules in AWS Cloudwatch, Elasticsearch or third-party SIEM
 Use AWS CLI or SDKs especially for quick “Containment”, e.g., using pre-
defined restrictive security groups

17. Thank you!
Conrad Fernandes AWS CSA-A, CISSP, GCFA
Johns Hopkins - Applied Physics Laboratory