We will walk you through a hypothetical incident response managed on AWS. Learn how to apply existing best practices as well as how to leverage the unique security visibility, control, and automation that AWS provides. We will cover how to set up your AWS environment to prevent a security event and how to build a cloud-specific incident response plan so that your organization is prepared before a security event occurs. This session also covers specific environment recovery steps available on AWS. Learn More: https://aws.amazon.com/government-education/
2. Johns Hopkins Applied Physics Laboratory
Division of Johns Hopkins University; University Affiliated Research Center
Technically skilled and operationally oriented
Objective and independent
Critical contributions to critical challenges
DoD, NASA, DHS, IC
3. What APL Missions Require
Reliable and elastic infrastructure
  Scalable computing and storage - Medical image processing, Big-data analysis, Machine Learning
… With agility! (noun, “ability to move quickly and easily”)
  Pre-configured and boot-strapped machine images, scripting, templates to build cloud infrastructure via automation
… While maintaining security and governance
  Multi-factor authentication, security groups, access controls, data encryption, secure monitoring, notifications, incident response
… And compliance with laws and regulations for sensitive data
  FOUO/CUI (DoD) commercial and AWS GovCloud (US), HIPAA (Medical)
4. APL Cloud Team
IT team works closely with APL Mission Areas to provide cloud computing services
Designs and architects Network and Security enterprise wide
Creates the structure for Security Monitoring and Incident Response
5. Comparing Incident Response Contexts
IR-4 “Incident Handling” - Life’s a Breach!
  Intention: usually malicious
  Identification: Difficult detection / evasive tactics, exploits
  Eradication: Can be difficult to locate all footholds; incomplete
  Follow-up: Lots of lessons learned
IR-9 “Information Spillage Response” - Clean-up On Aisle 9!
  Intention: usually inadvertent
  Identification: Always notified
  Eradication: Fairly standard wipe (data sanitization) DoD processes
  Follow-up: Lots of official paperwork
6. Incident Response Approach
Preparation -> Identification -> Containment -> Investigation -> Eradication -> Recovery -> Follow-Up
* Applies to all types of IR, including IR-4 (breaches) and IR-9 (spills)
7. Preparation Identification Containment Investigation Eradication Recovery Follow-Up
Train Incident Handlers for responding to cloud specific events
Ensure logging is enabled
  Amazon VPC Flow Logs, AWS CloudTrail, AWS Config, Amazon SNS notifications
  OS logs from Amazon EC2 instances
  Use AWS Management Console, or when possible use Automation (see below)
Collect and aggregate the logs centrally for correlation and analysis
  E.g., Amazon CloudWatch, Amazon Elasticsearch Service, or third-party integrations (Splunk for AWS)
Use AWS KMS to encrypt sensitive data at rest
Consider multiple AWS accounts for isolation
8. Multi-Account Isolation: AWS Organizations
Enforces “separation of duties” principle
Limits the blast radius in the event of compromise
Organize accounts along business lines or mission areas, and projects
Create sub-accounts and OUs aligned to Department/Project
Use overarching Service Control Policies (SCPs) to control sub-accounts with restrictive policies
9. AWS Organizations: Example Layout
[Diagram: OUs and SCPs for Business Sector 1 through Business Sector 6, with project accounts (Project A, Project B, Project C) under the sector OUs]
10. Identification (also known as “Detection”)
IR-4 “Incident Handling”
  Use behavioral based rules for detection and searching
    Amazon CloudWatch Rules
    SIEM tools, e.g., Splunk for AWS, or Amazon Elasticsearch Service (Kibana visualizations)
IR-9 “Information Spillage Response”
  Usually notified about which user accounts and systems have data that need “cleaning up”
  Can use Data Loss Prevention (DLP)
  Open up spillage case with AWS Business Support for cross validation
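A behavioral detection rule of the kind the slide means by “Amazon CloudWatch Rules”, shown as an added example (not code from this presentation or from APL): the pattern below is evaluated the way a CloudWatch Events rule pattern is evaluated against a CloudTrail record, and it flags API calls that tamper with audit logging. The CloudTrail event names are real; the rule scope and the sample event stream are this example's own constructions.

```python
"""Behavioral detection rule over CloudTrail events, evaluated with CloudWatch
Events rule-pattern semantics.

Added example for this deck; not code from the original presentation or APL.
Pattern semantics: every key in the pattern must exist in the event, nested
objects recurse, and a list means "the value must be one of these". The sample
events at the bottom are constructed for the demonstration.
"""
from typing import Any, Dict, List

# Rule: someone tampering with audit logging. Which actions to watch is this
# example's choice; the event names are real CloudTrail event names.
LOG_TAMPER_PATTERN: Dict[str, Any] = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"],
    },
}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True when every pattern key is present in the event and its value is
    allowed. A pattern key missing from the event is a non-match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:  # expected is a list of allowed literals
            return False
    return True


def detect(events: List[Dict[str, Any]],
           pattern: Dict[str, Any] = LOG_TAMPER_PATTERN) -> List[str]:
    """Return the CloudTrail eventID of each event that trips the rule."""
    return [e["detail"]["eventID"] for e in events if matches(pattern, e)]


def _ct(event_id: str, event_source: str, name: str, user: str) -> Dict[str, Any]:
    """Build a constructed CloudTrail record as CloudWatch Events delivers it:
    the record sits under "detail", and "source" is aws.<service> of the API."""
    return {
        "source": "aws." + event_source.split(".")[0],
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventID": event_id,
            "eventSource": event_source,
            "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
        },
    }


# Constructed sample stream: benign reads plus two logging-tamper calls.
SAMPLE_EVENTS = [
    _ct("evt-0001", "ec2.amazonaws.com", "DescribeInstances", "bob"),
    _ct("evt-0002", "cloudtrail.amazonaws.com", "StopLogging", "alice"),
    _ct("evt-0003", "cloudtrail.amazonaws.com", "DeleteTrail", "alice"),
    _ct("evt-0004", "cloudtrail.amazonaws.com", "DescribeTrails", "carol"),
]

if __name__ == "__main__":
    for event_id in detect(SAMPLE_EVENTS):
        print("ALERT: audit-log tampering event", event_id)
```

In production the same pattern document is what you would register as the rule and point at an SNS topic; the point of running it locally is to confirm the pattern matches the records you expect (and only those) before it is deployed, since a pattern key that CloudTrail never emits silently matches nothing.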
12. Containment and Investigation
IR-4 “Incident Handling”
  Multiple use-cases for live-box and dead-box isolation and forensics
  Investigation complex: Correlation, threat intelligence, timeline analysis
  Beyond the scope of this presentation
IR-9 “Information Spillage Response”
  Closer to live-box forensics
  Investigation easier: Usually limited to known users and host machines
  Isolation using Security Group
  Via Console or Automation for speed (see example below)
Containment / Isolation:
  Save the current Security Group of the host or instance
  Isolate host using restrictive ingress and egress Security Group rules
  CLI> aws ec2 modify-instance-attribute --instance-id <instance-id> --groups "<Isolation-SG>"
  Isolation-SG: Only SSH (22) or RDP (3389) ingress rules with IR enclave as source. No egress
14. Eradication
IR-9 “Information Spillage Response”
Secure-wipe files. Response times faster via automation (see example below)
After secure wipe, delete any KMS data keys for extra precaution
First, copy DoD approved sanitization tools to affected EC2 hosts
  # scp -i host-private-key bcwipe.exe ec2-user@TargetHost.compute-1.amazonaws.com:[/root_drive/home/]
Next, remote connect via SSH (port 22) or RDP (3389) to the host to perform sanitization actions
  # ssh -i host-private-key ec2-user@TargetHost.compute-1.amazonaws.com
Once on the target host, wipe the file and slack space in accordance with (IAW) U.S. DoD 5220.22-M
  TargetHost# bcwipe <file(s)>   (including slack and free space)
15. Recovery
Restore network access to original state (prior to Isolation)
  Restore previous Security Group ingress, egress rules
  CLI> aws ec2 modify-instance-attribute --instance-id <instance-id> --groups "<ORIGINAL-SG>"
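The Containment step (save the instance's security groups, swap in the isolation group) and the Recovery step (put the saved groups back) as one automated procedure, added here as an example; it is not APL's tooling or an AWS-provided script. It wraps the same API that the two `modify-instance-attribute` CLI commands call, and adds the pre-flight check a responder wants before relying on an isolation group: a newly created security group carries an allow-all egress rule, so “No egress” only holds if that rule was deleted. The `ec2` argument is any object with the boto3 EC2 client methods `describe_instances`, `describe_security_groups` and `modify_instance_attribute`, so a real `boto3.client("ec2")` can be passed in; `FakeEC2`, `demo_client` and every instance and group ID are constructed so the example runs offline.

```python
"""Containment and Recovery by swapping an instance's security groups.

Added example for this deck (not APL's own tooling). `ec2` is any object
exposing the boto3 EC2 client methods used below; FakeEC2 is a constructed
offline stand-in. All IDs and CIDRs are made up for the demonstration.
"""
import time
from typing import Dict, List


def isolation_sg_is_strict(ec2, sg_id: str, ir_enclave_cidr: str) -> bool:
    """Pre-flight check: the isolation group must carry no egress rule (a new
    group starts with allow-all egress, which has to be removed) and only
    SSH/RDP ingress whose source is the IR enclave CIDR."""
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    if sg["IpPermissionsEgress"]:
        return False
    for perm in sg["IpPermissions"]:
        if (perm.get("FromPort"), perm.get("ToPort")) not in {(22, 22), (3389, 3389)}:
            return False
        if any(r["CidrIp"] != ir_enclave_cidr for r in perm.get("IpRanges", [])):
            return False
        if perm.get("UserIdGroupPairs") or perm.get("Ipv6Ranges"):
            return False
    return True


def isolate_instance(ec2, instance_id: str, isolation_sg: str) -> Dict[str, object]:
    """Containment: record the current groups, then swap in the isolation group.
    Returns the record that Recovery (and the case file) needs."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    original = [g["GroupId"] for g in inst["SecurityGroups"]]
    # Same call as `aws ec2 modify-instance-attribute --groups`: it replaces
    # every group on the primary network interface, hence the saved list.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    return {"instance_id": instance_id, "original_groups": original,
            "isolation_group": isolation_sg, "isolated_at": time.time()}


def restore_instance(ec2, record: Dict[str, object]) -> List[str]:
    """Recovery: reattach the recorded groups. Returns the groups now attached."""
    groups = list(record["original_groups"])
    ec2.modify_instance_attribute(InstanceId=record["instance_id"], Groups=groups)
    return groups


class FakeEC2:
    """Constructed offline stand-in for the subset of the boto3 EC2 client used."""

    def __init__(self, instances: Dict[str, List[str]], groups: Dict[str, dict]):
        self.instances = {i: list(g) for i, g in instances.items()}
        self.groups = groups

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, "SecurityGroups": [{"GroupId": g} for g in self.instances[i]]}
            for i in InstanceIds]}]}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [dict(self.groups[g], GroupId=g) for g in GroupIds]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId] = list(Groups)
        return {}


def demo_client() -> FakeEC2:
    """Constructed environment: one instance, a strict isolation group, and a
    leaky group that still has the default allow-all egress rule."""
    ir_ingress = [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
                   "IpRanges": [{"CidrIp": "10.10.0.0/24"}]} for p in (22, 3389)]
    return FakeEC2(
        instances={"i-0123456789abcdef0": ["sg-web", "sg-mgmt"]},
        groups={
            "sg-isolate": {"IpPermissions": ir_ingress, "IpPermissionsEgress": []},
            "sg-leaky": {"IpPermissions": ir_ingress,
                         "IpPermissionsEgress": [{"IpProtocol": "-1",
                                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        })


if __name__ == "__main__":
    ec2 = demo_client()
    assert isolation_sg_is_strict(ec2, "sg-isolate", "10.10.0.0/24")
    rec = isolate_instance(ec2, "i-0123456789abcdef0", "sg-isolate")
    print("isolated; saved groups:", rec["original_groups"])
    print("restored:", restore_instance(ec2, rec))
```

Write the returned record somewhere outside the affected account (the IR case file, an S3 bucket in the security account) the moment containment runs; if the responder's session dies between the two steps, that record is the only way to reproduce the pre-isolation state. The pre-flight check belongs in the Preparation phase as well, as a periodic test that nobody has loosened the isolation group since it was built.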
Follow-up
Verify deletion of data keys (if KMS used)
Cross-validate with Amazon Support / Case #
Report spillage findings and response actions
In accordance with DoD 5220 or appropriate authorities
16. Takeaways
Understand the differences between IR-4 (threat based) and IR-9 (spills) and plan the handling and response accordingly
Use a phased approach for IR: Create well-defined steps and operational procedures, including training for the response teams
Preparation step is critical
  Use AWS Organizations to separate projects/functions and limit the blast radius
  Enable all critical logging mechanisms (EC2 OS, AWS CloudTrail, VPC Flow Logs)
  Create detection rules in Amazon CloudWatch, Elasticsearch or third-party SIEM
Use AWS CLI or SDKs especially for quick “Containment”, e.g., using pre-defined restrictive security groups
Use layman’s terms for general audience understanding!
Small cloud team stood up to research and develop commercial and GovCloud solutions for APL mission needs
We provision networks (VPC), compute (EC2), storage (S3), identity and access management (IAM) controls, and several cloud services
Research and incorporate emerging capabilities, e.g. AWS Orgs {see next}
Work closely with Amazon TAM (mainly Jim Caggy)
Security Controls practice – we design these up-front
Incident Response practice – our continuous security monitoring, event assessment and incident handling actions
IR-4 and IR-9 are NIST 800-53 (rev4) and FEDRAMP defined
See : FedRAMP-Control-Quick-Guide-Rev4-FINAL-01052015.pdf
https://nvd.nist.gov/800-53/Rev4/control/IR-4
https://nvd.nist.gov/800-53/Rev4/control/IR-9
7-step Methodology applies to all types of IR … IR-4 (regular IH) and IR-9 (Spills Handling)
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Common to all IR … IR-4 and IR-9
For data at rest (DAR) holding sensitive data, should be using key management with AES-256
Could make it two slides - Make AWS Orgs, then Logging
WHAT
We use the new AWS Orgs to organize workforce usage along business functions and groups
We’ve split internal and external using multiple accounts – using policies
WHY
Enforces separation of duties principle
Limits the blast radius in the event of compromise
HOW
We organize sub-accounts and OU’s along Department/Project
{can show REDD/Edgefield, REDD/MVOR, AOS/Proj1, AOS/Proj2, …. }
Capture VPC flow logs, cloud trail etc from all accounts
Use of overarching Service Control Policies (SCP) to control sub accounts with restrictive policies
E.g., “Deny” the deletion of cloud trail and other security logs by sub-accounts {Can show example}
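The “Deny” SCP this note and the Multi-Account Isolation slide refer to, as an added example: this is the editor's illustration of such a policy, not APL's actual SCP. The action names are real IAM actions; which ones to deny is this example's choice. The small checker beside it implements only SCP Deny matching (case-insensitive, `*` and `?` wildcards), not full IAM evaluation, so it answers “does this SCP block this action” for a list of candidate actions before the policy is attached to an OU.

```python
"""Service Control Policy (SCP) that keeps sub-accounts from disabling or
deleting security logging, plus a checker for what it blocks.

Added example for this deck; not APL's policy. Action names are real IAM
actions; the set chosen is this example's. The checker handles SCP Deny
matching only (no Allow evaluation, no Condition keys).
"""
import fnmatch
import json
from typing import Any, Dict, List

PROTECT_SECURITY_LOGS_SCP: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAuditLogTampering",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "cloudtrail:UpdateTrail",
            "cloudtrail:PutEventSelectors",
            "config:StopConfigurationRecorder",
            "config:DeleteConfigurationRecorder",
            "config:DeleteDeliveryChannel",
            "ec2:DeleteFlowLogs",
            "logs:DeleteLogGroup",
            "logs:DeleteLogStream",
        ],
        "Resource": "*",
    }],
}

# Documented maximum size of an SCP document, in bytes.
SCP_MAX_BYTES = 5120


def _listed(value) -> List[str]:
    """IAM lets Action be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scp_denies(scp: Dict[str, Any], action: str) -> bool:
    """True if any Deny statement's Action pattern matches `action`.
    IAM action matching is case-insensitive and supports * and ? wildcards."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        for pattern in _listed(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def denied_subset(scp: Dict[str, Any], actions: List[str]) -> List[str]:
    """Which of the candidate actions would this SCP block in a sub-account."""
    return [a for a in actions if scp_denies(scp, a)]


def policy_json(scp: Dict[str, Any] = PROTECT_SECURITY_LOGS_SCP) -> str:
    """Serialise for `aws organizations create-policy --type SERVICE_CONTROL_POLICY`
    and refuse a document that would exceed the SCP size limit."""
    doc = json.dumps(scp, indent=2)
    if len(doc.encode("utf-8")) > SCP_MAX_BYTES:
        raise ValueError("SCP exceeds %d bytes" % SCP_MAX_BYTES)
    return doc


if __name__ == "__main__":
    candidates = ["cloudtrail:DeleteTrail", "cloudtrail:DescribeTrails",
                  "ec2:DeleteFlowLogs", "ec2:CreateFlowLogs", "logs:DeleteLogGroup"]
    print("blocked:", denied_subset(PROTECT_SECURITY_LOGS_SCP, candidates))
    print(policy_json())
```

Two things to keep in mind when attaching it: SCPs never restrict the organization's management account, so the trail and its log bucket should live in a dedicated security or logging account rather than there; and an SCP only filters what IAM would otherwise allow, so the default `FullAWSAccess` policy (or an equivalent Allow) must stay attached alongside this Deny or the OU loses access to everything.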
IR-9 - usually CISSO notifies
Investigation techniques for threat scenarios rely heavily on custom rules, intelligence and correlation of multiple event types
Almost always necessitates the use of a SIEM tool for deep dives, searches, correlation and time-line analysis
Usually the scope of spills is limited and known (provided by CISSO and the users)
But to be sure, could search Cloud Watch logs or Splunk for AWS or whichever SIEM
Spillage Response post-cleanup report is more straightforward and well defined but has more DoD paperwork and forms to fill
For regular IR / threat-based incidents, the post-incident report includes:
  Threat analysis
  Timeline analysis
  Threat impact (and any data loss / exfil)
  Remediation performed
  Lessons learned to improve protection