Incident Response: Preparing and Simulating Threat Response

Once you have built and deployed security infrastructure and automated key aspects of security operations, you should validate your work through an Incident Response simulation. In this session we discuss the best way to protect your logs; how and why to develop automated IR capabilities with AWS tooling (e.g. Lambda); the importance of testing your existing forensics tools to ensure they remain effective in a cloud environment; and ways to test your plan early and often.

Incident Response: Preparing and Simulating Threat Response

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cloud Adoption Framework: Security Perspective. Eric Rose, Senior AWS Security Consultant. Incident Response: Preparing and Simulating Threat Response
  2. What to expect from this session
     • Cornerstones of a robust AWS Incident Response plan
     • Tools and techniques for automating incident responses
     • Tips for drilling Incident Response scenarios
  3. Indicators of Compromise
     • CloudTrail
     • Billing
     • AWS service logs (e.g. S3 bucket logs)
     • VPC Flow Logs
     • Operating system logs
     • Database logs
     • Application logs
  4. Intrusion Detection within AWS – Common Customer Questions: "What should we be looking for using AWS CloudTrail?"
     • Authorization failures
     • Attempts to disable CloudTrail
     • Activity in an inactive region
     • Console or API activity from an anomalous IP geography
  5. Example CloudTrail event (truncated on the slide):

```json
"Records": [{
  "eventVersion": "1.0",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2017-03-24T21:11:59Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "55.55.55.55",
  "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7",
  "requestParameters": { "userName": "Bob" },
  "responseElements": {
    "user": {
      "createDate": "Mar 24, 2017 9:11:59 PM",
      "userName": "Bob",
      "arn": "arn:aws:iam::123456789012:user/Bob",
      "path": "/",
      "userId": "EXAMPLEUSERID"
    }
  ....
```

  6. Intrusion Detection within AWS – Common Customer Questions: "What should we look for in our AWS billing?"
     • Unexplained billing spikes
     • Unexplained data transfer charges
     • Billing in previously unused AWS Regions
     • Billing for previously unused AWS services
     • Enable billing alerts using CloudWatch to help detect anomalous usage patterns
  7. Intrusion Detection within AWS – Common Customer Questions: "What logs should I be collecting?"
     • All of the logs….
  8. Intrusion Detection within AWS – Common Customer Questions: "Am I missing anything?"
     • Use Trusted Advisor to get an overall picture of your security within AWS.
     • Use Amazon Inspector to scan your EC2 instances for specific vulnerabilities and overall security posture.
     • CloudWatch Events can alert on specific API calls; use it in combination with Lambda to automate detective and responsive security controls.
       – Example: use CloudWatch Events and AWS Lambda to alert on, and prevent, CloudTrail being turned off.
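As an added example (not code from the deck), the four slide 4 indicators applied to records shaped like the slide 5 event, written as a pure function that a Lambda responder could call on each CloudTrail record. ACTIVE_REGIONS, KNOWN_NETWORKS and the tamper-call list are assumptions standing in for the account's real values, and the records are constructed samples.

```python
import ipaddress

# Assumptions (not from the deck): the regions this account really uses and the
# corporate egress range that legitimate console/API traffic should come from.
ACTIVE_REGIONS = {"us-east-1", "eu-west-1"}
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# CloudTrail API calls that stop or reduce logging (assumed list).
CLOUDTRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
AUTHZ_ERRORS = {"AccessDenied", "UnauthorizedOperation"}


def check_record(rec):
    """Apply the slide 4 indicators to one CloudTrail record; return finding labels."""
    findings = []
    if rec.get("errorCode") in AUTHZ_ERRORS:
        findings.append("authorization-failure")
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in CLOUDTRAIL_TAMPER:
        findings.append("cloudtrail-disable-attempt")
    if rec.get("awsRegion") not in ACTIVE_REGIONS:
        findings.append("inactive-region-activity")
    try:
        ip = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        if not any(ip in net for net in KNOWN_NETWORKS):
            findings.append("anomalous-source-ip")
    except ValueError:
        pass  # calls made by AWS services carry a service name here, not an IP
    return findings


def triage(records):
    """Return {(userName, eventName): findings} for every record that tripped a rule."""
    hits = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            user = rec.get("userIdentity", {}).get("userName", "<unknown>")
            hits[(user, rec.get("eventName"))] = findings
    return hits


# Constructed sample records shaped like the slide 5 event, trimmed to the fields used.
SAMPLE_RECORDS = [
    {"userIdentity": {"type": "IAMUser", "userName": "Alice"}, "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "55.55.55.55"},
    {"userIdentity": {"type": "IAMUser", "userName": "Alice"}, "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "ap-southeast-2", "sourceIPAddress": "55.55.55.55",
     "errorCode": "AccessDenied"},
    {"userIdentity": {"type": "IAMUser", "userName": "Bob"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7"},
]
```

Running `triage(SAMPLE_RECORDS)` flags the two Alice events and leaves Bob's in-region, in-network DescribeInstances alone.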
  9. Incident Response in AWS
  10. What are the goals for Incident Response?
     • Establish control
     • Determine impact
     • Recover as needed
     • Investigate the root cause
     • Improve
     Let's take a look at an example….
  11. Incident Response Example – Your access key went to exciting destinations. (Map slide: it's here, and here, and here, and here.)
  12. The Situation… We have detected that an access key and secret key were used to make a "DescribeInstances" API call from an unknown IP range or location, or after hours…
  13. Typical Response – Remove the key from the Internet!
     • Take down the page it was posted on
     • DMCA notice
     • Remove it from search engine caches
     This approach does not work. Let's focus on our IR goals…
  14. Incident Response Example – Establish Control
     • The blast radius will be limited by following IAM best practices, operating a "Well-Architected" workload, and having followed the intrusion detection prerequisites.
     • In this example, the attacker has only limited access through a single access key and secret key (since we followed our best practices). What are our first steps?
       – Revoke access rather than deleting the key; or
       – Apply a "No Access" IAM policy to the user
  15. Incident Response Example – Determine Impact. If we believe we have established control, further investigation is needed to determine the impact of the event. What are our next steps?
     • Investigate the API calls made by that key based on CloudTrail logs.
     • Did they create new users? Policies? Roles? If so, return to the Establish Control step.
     • Use the script from Sec402 to help figure out which user the access key belongs to: https://s3.amazonaws.com/reinvent2014-sec402/SecConfig.py
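An added example (not from the deck or the Sec402 script) of the impact triage on this slide: given a compromised access key id and a batch of CloudTrail records, it finds the key's owning principal, lists every call the key made, and flags successful IAM calls that create new users, keys, roles or policies, which send you back to Establish Control. PERSISTENCE_CALLS is an assumed list, and the records are constructed samples that reuse the slide 5 identifiers (Alice, EXAMPLE_KEY_ID).

```python
# IAM write calls that extend a foothold. Any successful one means returning to the
# Establish Control step before continuing (assumed list, not from the deck).
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole",
                     "CreatePolicy", "PutUserPolicy", "AttachUserPolicy", "AttachRolePolicy"}


def impact_for_key(records, access_key_id):
    """Summarise what one access key did: owning principal, every call, new principals."""
    owner, calls, created = None, [], []
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("accessKeyId") != access_key_id:
            continue  # records for other keys are outside this key's scope
        owner = owner or ident.get("arn")
        calls.append((rec.get("eventTime"), rec.get("eventSource"),
                      rec.get("eventName"), rec.get("errorCode")))
        # Only successful calls change the account; denied ones are still worth listing.
        if rec.get("eventName") in PERSISTENCE_CALLS and not rec.get("errorCode"):
            params = rec.get("requestParameters") or {}
            target = params.get("userName") or params.get("roleName") or params.get("policyName")
            created.append((rec["eventName"], target))
    return {"owner": owner, "calls": sorted(calls, key=lambda c: c[0]),
            "new_principals": created, "back_to_establish_control": bool(created)}


def _rec(time, source, name, key, arn, params=None, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key, "arn": arn},
           "requestParameters": params or {}}
    if error:
        rec["errorCode"] = error
    return rec


ALICE = "arn:aws:iam::123456789012:user/Alice"
# Constructed timeline for the slide 12 situation: DescribeInstances from the leaked key,
# then the slide 5 CreateUser, a denied CreateRole, and a new access key for the created user.
SAMPLE_KEY_RECORDS = [
    _rec("2017-03-24T20:58:01Z", "ec2.amazonaws.com", "DescribeInstances", "EXAMPLE_KEY_ID", ALICE),
    _rec("2017-03-24T21:11:59Z", "iam.amazonaws.com", "CreateUser", "EXAMPLE_KEY_ID", ALICE,
         {"userName": "Bob"}),
    _rec("2017-03-24T21:13:05Z", "iam.amazonaws.com", "CreateRole", "EXAMPLE_KEY_ID", ALICE,
         {"roleName": "admin"}, error="AccessDenied"),
    _rec("2017-03-24T21:15:30Z", "iam.amazonaws.com", "CreateAccessKey", "EXAMPLE_KEY_ID", ALICE,
         {"userName": "Bob"}),
    _rec("2017-03-24T21:20:00Z", "ec2.amazonaws.com", "DescribeInstances", "OTHER_KEY_ID",
         "arn:aws:iam::123456789012:user/Carol"),
]
```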
  16. Incident Response Example – Recover as Needed. Once we have established control and determined the scope of the impact, we can start to recover as needed. In this case, that would include the following:
     • Provision new credentials for authorized usage;
     • Deploy the credentials to the impacted system or user; and
     • Validate proper operation using the new credentials.
  17. Incident Response Example – Investigate the Root Cause
     • Ask "why" (at least 5 times) to help get you to the root cause.
     • Use the logs that you have been collecting in your S3 bucket to aid the investigation. Those logs should include, but are not limited to:
       – CloudTrail logs
       – ELB logs
       – VPC Flow Logs
       – System logs
       – Console logs
       – Application logs
  18. Incident Response Example – Improve
     • Apply knowledge from investigating the root cause to improve:
       – Internal communication between your teams.
       – Communication to AWS, if needed.
       – Your IR runbooks/playbooks, updated to include any additional information learned from the experience.
  19. Incident Response – Fun Facts
     • Your ability to detect, respond, and recover in the cloud can be enhanced by using the cloud.
     • Automation is key. Attacks happen in microseconds and your response capabilities need to be just as fast.
     • It is better to create (and test!) BEFORE you need it.
     • Gameday simulations will provide valuable confidence and lessons learned to improve your Incident Response process.
  20. Intrusion Detection and Incident Response – AWS services to help protect the cloud
     • CloudTrail – Web service that records AWS API calls for your account and delivers log files to you.
     • CloudWatch – Monitoring service for AWS cloud resources.
     • CloudWatch Events – Near real-time stream of system events that describe changes in AWS resources.
     • Lambda – Runs code without provisioning or managing servers.
     • Inspector – Automated security assessment service.
     • Trusted Advisor – Resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment.
  21. CloudTrail events
     • A record in JSON format that contains information about requests for resources in your account.
     • Describes which service was accessed, what action was performed, and any parameters for the action.
     • Helps you determine who made the request.
     • The event data is enclosed in a Records array.
     • http://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html
  22. Building a "Lambda Responder" (architecture diagram; labels: CloudTrail, S3, SNS)
  23. Demo
  24. Simulating Incidents
  25. When should I contact AWS Security? If you are planning a Security Incident Response Simulation (SIRS):
     • Obtain permission to perform penetration testing/scanning.
     • Confirm the SIRS does not violate the Acceptable Use Policy: https://aws.amazon.com/aup/
  26. Engage support
  27. Customer AWS Support – Escalations. In situations where an escalation is required, customers can follow a pre-defined escalation path:
     • Contact their Technical Account Manager
     • Submit a Support Case
       – AWS Support has its own internal escalation path, which includes a path to AWS Security if needed.
  28. Engaging human support (diagram)
     • You
     • Cloud support engineer (CSE) – available with support
     • Technical account manager (TAM) – relationship POC, available with enterprise support
     • Subject matter experts (SME)
  29. Go here… https://aws.amazon.com/contact-us/
  30. Thank you!