Digital Forensics and
Incident Response in the
Cloud
Dr. Michael Cohen
Velocidex Innovations.
https://www.velocidex.com/
Part 2: Endpoint DFIR agents
Containers and Docker
Containers are essentially lightweight virtual machines.
Docker is a system for building and managing containers.
What are containers?
What containers are and why you might use them.
So we deployed our containers and VMs - are we done?
Endpoint monitoring solutions
✘ When we deploy VMs, what goes on inside the VMs is totally our responsibility!
✗ Google does not know what is running inside the VM!
✗ If our app stack is vulnerable we will get owned!
✗ Patching and good configuration is still important.
✘ VMs may be secure at day 1 but someone has to maintain them...
Endpoint monitoring solutions
✘ Endpoint monitoring gives us visibility inside the VMs:
✗ We can get detailed information about exactly what is running inside each VM.
✗ We can respond to a compromise quickly:
■ Quarantine and preserve evidence.
■ Analyze and triage.
✗ We can hunt across the entire infrastructure:
■ For indicators of compromise.
■ For inventory purposes.
Lots of endpoint monitoring tools
Velocidex and Velociraptor
✘ At Velocidex we specialize in packaging and distributing tools for cloud deployments.
✘ Velociraptor is a very thin endpoint client which is compatible with GRR.
✗ We also package GRR for cloud deployment.
✗ We include Facebook's osquery.
All in one convenient package!
Let’s design our cloud deployment
Diagram: Velociraptor clients connect to the GRR server frontend. The server VM contains 2 containers, the GRR server and the Cloud SQL Proxy; the proxy connects to the Cloud SQL database. The Admin UI is served by the GRR server, usually over SSL.
Differences between this Workshop and Reality
✘ We will use a static IP and plain HTTP.
✘ In reality you should always use SSL for the admin UI - Let's Encrypt makes this easy!
✗ GRR implements its own message-level encryption, so client connections can happen over HTTP.
✘ In practice you should use a DNS name for the frontend:
✗ It makes it easier to move clients between servers.
✗ You can configure multiple endpoints for clients.
Reserve a static IP address
Create a Kubernetes cluster
What is this Kubernetes you
speak of?
What is a cluster?
Upload the docker container to your project’s registry.
Creating cloud mysql instance
Enabling the cloud SQL API.
Create a service account for SQL access
SQL Connector service account
✘ The service account must have the Cloud SQL Client role so it can connect to the Cloud SQL instance.
✘ We must also have its private key (a JSON key file) so the SQL proxy can log in as that service account.
Generate new keys and configuration for GRR
1. Clone the velociraptor repository to your cloud shell:
git clone https://gitlab.com/velocidex/velociraptor_server.git
2. Now install the needed python packages:
sudo apt-get install python-yaml python-cryptography
3. Run the configuration script to generate the server and client configuration:
python velociraptor/scripts/configure.py my_server_config.yaml my_client_config.yaml --mysql_location localhost:3306
Note that GRR will talk to the proxy on localhost.
Make sure to edit your server configuration
✘ The Frontend URL is the URL that clients will use to connect to the controller.
✗ Normally this will be a DNS name, but we will use the static IP address for now.
Configure kubectl to access our project
Hide secrets in Kubernetes
We generally do not want to store secrets in configuration files, so we push them to the Kubernetes API as Secrets and let the pod pull them in at run time. Note that a Kubernetes Secret is only base64 encoded, not encrypted, in the API: anyone who can read Secrets in the namespace (kubectl get secret) can recover them, so restrict that RBAC permission.
1. The service account credentials allow the SQL proxy to connect to the Cloud SQL service:
kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=Velocidex-205204-423e5d3047cf.json
2. The GRR config file contains the keys that control the GRR/Velociraptor clients, as well as the password for the GRR admin user:
kubectl create secret generic grr-config --from-file=grr-config=my_server_config.yaml
kubectl create secret generic grr-admin-password --from-literal=password=passw0rd
(--from-literal leaves the password in your shell history; prefer --from-file for a real deployment.)
Kubernetes secret management
There are 2 main ways to pass secrets to the
containers:
1. Via environment variables
2. Via a mounted filesystem.
We will do both here.
apiVersion: v1
kind: Pod
metadata:
  name: velociraptor-server
spec:
  containers:
  # GRR/Velociraptor server: receives its config and admin password from Secrets
  # via environment variables.
  - image: asia.gcr.io/velocidex-205204/velociraptor
    name: grr
    env:
    - name: ADMIN_PASSWORD
      valueFrom:
        secretKeyRef:
          name: grr-admin-password
          key: password
    - name: GRR_CONFIG
      valueFrom:
        secretKeyRef:
          name: grr-config
          key: grr-config
  # Cloud SQL Proxy sidecar: exposes the Cloud SQL instance on localhost:3306
  # and reads its service account key from a Secret mounted as a file.
  - name: cloudsql-proxy
    image: gcr.io/cloudsql-docker/gce-proxy:1.11
    command: ["/cloud_sql_proxy",
              "-instances=valid-broker-180316:australia-southeast1:mysql=tcp:3306",
              "-credential_file=/secrets/cloudsql/credentials.json"]
    volumeMounts:
    - name: cloudsql-instance-credentials
      mountPath: /secrets/cloudsql
      readOnly: true
  volumes:
  - name: cloudsql-instance-credentials
    secret:
      secretName: cloudsql-instance-credentials
Diagram: the pod holds two containers, the GRR container and the Cloud SQL Proxy container.
Launch the pod
The full deployment file is included in the files directory.
Make a deployment from the pod file:
kubectl create -f deployment.yaml
Watch the pod coming up in the “Workload” section of the console.
To be able to connect to the pod we need to expose it with a load balancer:
apiVersion: v1
kind: Service
metadata:
  name: server
  labels:
    app: velociraptor
spec:
  type: LoadBalancer
  loadBalancerIP: "35.189.2.35"   # the static IP reserved earlier
  ports:
  - port: 80                      # admin UI (plain HTTP for the workshop only)
    name: adminui
    targetPort: 8000
  - port: 8080                    # client frontend
    name: control
    targetPort: 8080
  selector:
    app: velociraptor
Check our installation
✘ Ensure that we can connect to the frontend properly using the static IP address we reserved earlier.
Check our installation - Make sure we can log in.
Investigating a typical cloud deployment
✘ For the next part of the workshop we will play around with our cloud deployment.
✘ Imagine we need to respond to a compromise in such a setup:
✗ What evidence do we look for?
✗ How do we preserve it?
✗ What could have happened?
The Kubernetes cluster
The cluster is just a bunch of VMs running docker
Get a shell on a VM
Let's forensically analyze one of the VMs.
✘ I said before that containers are like lightweight virtual machines ...
I kind of lied ...
VM vs Containers - what are the difference?
Processes in Docker
Docker containers are not really VMs. Containerized processes are just regular processes on the host, isolated with kernel namespaces and cgroups and sharing the host kernel. The model is closer to a chroot jail than to a VM, which is why the host can see, inspect and image everything the containers do.
Docker layered filesystem
✘ Docker uses a layered filesystem model.
✘ Each layer introduces changes (add/delete) to the previous layer.
✘ The files we see in the container are the union of all the files in each layer.
Ramifications of layered filesystems
Changing a file in the running container adds the file to the (container-specific) upper layer.
Changing a file in a lower layer makes the change visible to all containers that share that layer.
Docker cheat sheet
# docker ps | less -S
# docker inspect b5884a6b6e9c |less -S
# docker exec -i -t <container_id> /bin/bash
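The two points above, that containerized processes are ordinary host processes and that the only layer a running container can write to is its own upper directory, can both be checked from a shell on the node without entering any container. The following helpers are an added example, not part of the deck or of Velociraptor; they assume a Linux host with /proc mounted and Docker using the overlay2 storage driver, and the cgroup lines they are tested against are constructed.

```shell
#!/bin/sh
# Host-side container triage helpers (added example; assumes Linux, /proc,
# and Docker with the overlay2 driver).

# Read /proc/<pid>/cgroup content on stdin and print the 64-hex container ID.
# Works for cgroup v1 (/docker/<id>), cgroup v2 (docker-<id>.scope) and
# Kubernetes (/kubepods/.../<id>) layouts; prints nothing for a host process.
container_id_from_cgroup() {
  grep -oE '[0-9a-f]{64}' | head -n 1
}

# Map every host PID to its container ID, one "<pid> <id>" per line.
# No docker call is needed: the kernel already knows which cgroup each
# process sits in, so this works even if the Docker daemon is unhealthy.
host_pids_by_container() {
  for p in /proc/[0-9]*; do
    [ -r "$p/cgroup" ] || continue
    id=$(container_id_from_cgroup < "$p/cgroup")
    [ -n "$id" ] && echo "${p#/proc/} $id"
  done
  return 0
}

# Print where a container's layers live under /var/lib/docker (overlay2):
# UpperDir is the container's writable layer, LowerDir the image layers,
# MergedDir the union the container actually sees.
container_layers() {
  command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
  docker inspect -f '{{json .GraphDriver.Data}}' "$1"
}

# Constructed sample of a cgroup v1 line, for a local sanity check.
SAMPLE_CGROUP='12:pids:/docker/b5884a6b6e9cabcdef0123456789abcdef0123456789abcdef0123456789abcd'
```

Run host_pids_by_container on the node and compare the result with docker ps; a process with a container ID that docker ps does not list, or a container whose UpperDir has grown unexpectedly, is worth a closer look. docker diff <container_id> lists the files added, changed or deleted in the upper layer, which answers the first exercise below directly.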
Exercises
Can you figure out what changes Velociraptor makes to the running container?
Can you explain these changes?
Is it possible for attackers to change lower layers?
What does this mean for forensic acquisition?
What challenges would we have in responding to this instance?
Responding to a cloud instance
✘ Typically we have no physical access - we have to do live acquisition.
✘ Typically we must do it from within the VM itself.
Diagram: the provider's physical machine hosts the cluster VM, which in turn hosts the containers; our access starts at the VM.
More Challenges
✘ Typically the container host has limited disk space, so we need to stream the data off the instance as we image.
Acquire an AFF4 image with linpmem
✘ Acquire memory and the content of /var/lib/docker/
✘ Grab the docker directory /var/lib/docker/
✘ Stream the image into a bucket.
All the tools you need are in the files share.
Create a cloud bucket to accept the evidence.
We need to create a service account to authenticate the upload
1. A service account is an automated (non-interactive) way to authenticate.
2. What are the risks of an evidence-collection service account?
3. How can we carefully manage the risks?
a. Limit the account so it is only allowed to write to the evidence bucket - remember we will be using these credentials on potentially compromised hosts, so assume the attacker can read them.
b. The grant can be made on the project or on the specific bucket; the bucket-level grant is the narrower one.
Creating service account
✘ Furnish a new key - this will provide a JSON file with credentials.
✘ Note that these credentials ONLY have the ability to upload to the bucket (no read, list or delete). That is why it is acceptable to use them on compromised hosts: an attacker who steals them can add objects but cannot read, overwrite or remove the evidence already collected. They could still upload junk or fake "evidence", so record the hash of what you sent and consider object versioning or a retention policy on the bucket.
Add our tools to the bucket
✘ I typically have:
✗ Linpmem: https://github.com/Velocidex/c-aff4/releases
✗ Gcsuploader: https://gitlab.com/velocidex/tools/tags/v0.1
You can find these here.
✘ Make sure to store the tools on a filesystem you can execute from (not mounted noexec); the example below uses /var/run.
# /var/run/linpmem_3.0rc2.bin -o - -dd | /var/run/gcsupload -bucket evidence-auscert -name test2.aff4 -project auscert-205300
Reading from stdin...
2018-05-26 09:38:34 I Imaging memory
2018-05-26 09:38:34 I Creating output AFF4 ZipFile.
2018-05-26 09:38:34 I Will write in AFF4 map format.
……………
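The pipeline above streams the image straight into the bucket, which solves the disk-space problem but leaves no local record of what was sent. The wrapper below is an added example, not from the deck or from the linpmem/gcsupload tools: it tees the stream through sha256sum via a FIFO so the hash of exactly the bytes handed to the uploader is recorded in a small file, while the image itself never touches the local disk. It assumes tee, mkfifo, mktemp and sha256sum are available on the host.

```shell
#!/bin/sh
# Added example: hash a streamed evidence image without writing it to disk.
# usage: <producer> | stream_hashed <hashfile> <consumer> [consumer args...]
# e.g.   linpmem -o - -dd | stream_hashed /var/run/mem.sha256 \
#            gcsupload -bucket evidence-auscert -name mem.aff4 -project auscert-205300
stream_hashed() {
  hashfile=$1; shift
  fifo=$(mktemp -u)
  mkfifo -m 600 "$fifo" || return 1
  # Hash a copy of the stream in the background; tee feeds both the FIFO
  # and the consumer (the uploader) from the same bytes.
  sha256sum < "$fifo" | awk '{print $1}' > "$hashfile" &
  hasher=$!
  tee "$fifo" | "$@"
  rc=$?
  wait "$hasher"
  rm -f "$fifo"
  return $rc
}
```

Copy the contents of the hash file into the case notes as soon as the upload finishes; after downloading the object from the bucket, sha256sum on the analyst side must match it, otherwise the image was truncated or altered in transit or in the bucket.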
Installing and running GRR/Velociraptor
When we install GRR, the installation process creates new keys and then builds packages for the clients.
Installing GRR/Velociraptor on clients.
✘ GRR clients come as Debian packages or RPMs.
✘ They are typically quite large and contain many files (the client is written in Python and ships with many shared libraries / DLLs).
✘ You won't be able to install them on unsupported OSes - e.g. GKE Kubernetes nodes run Container-Optimized OS (Chromium OS based), which has no package manager and a mostly read-only root filesystem.
Velociraptor - an alternative GRR client
✘ Velociraptor is a new GRR client which is designed to be very lightweight:
✗ Shipped as a single static executable - in most cases there is no need to package it.
✗ Very fast.
✗ Supports Velocidex Query Language (VQL) queries.
■ More on this later!
Exercise
✘ In your groups, spin up a new Ubuntu machine and install the GRR client on it.
✘ Now try to run Velociraptor on the Container-Optimized OS (Kubernetes node) machine.
✗ We will worry about installation later.
In each case verify the installation worked by checking in the admin UI.
Now we need to configure the velociraptor client
✘ Velociraptor is a stand-alone, statically compiled binary. No dependencies, runs anywhere.
Fetch the velociraptor binary.
$ wget https://www.velocidex.com/releases/velociraptor_0.1.0-1_amd64.elf
--2018-05-26 22:48:08-- https://www.velocidex.com/releases/velociraptor_0.1.0-1_amd64.elf
Resolving www.velocidex.com (www.velocidex.com)... 74.125.200.121, 2404:6800:4003:803::2013
Connecting to www.velocidex.com (www.velocidex.com)|74.125.200.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/octet-stream]
Saving to: ‘velociraptor_0.1.0-1_amd64.elf’
velociraptor_0.1.0-1_amd64.elf
2018-05-26 22:48:13 (3.67 MB/s) - ‘velociraptor_0.1.0-1_amd64.elf’ saved [8090192]
Upload the client config to the bucket.
$ ./gcsupload -bucket evidence-auscert -project auscert-205300 -source my_client_config.yaml -name client.yaml
Upload the binary to the bucket.
$ ./gcsupload -bucket evidence-auscert -project auscert-205300 -source velociraptor_0.1.0-1_amd64.elf -name velociraptor
Prepare the binaries for install
Test the client locally.
✘ When the client starts for the first time:
✗ It generates a new unique client ID and key pair.
✗ It writes the keys to the writeback location.
✗ It contacts the server, which answers with HTTP 406 because the client is not yet known.
✗ It enrols, and the server then interrogates it.
How can we install it on all the VMs in the project?
What are the issues in using the previous reference?
Very simple install script.
#!/bin/bash
# Startup script: fetch the client config and binary from the public bucket,
# start the client detached, then remove the on-disk copy of the binary.
BINARY_DIR=/var/lib/google/v
mkdir -p $BINARY_DIR
# -f makes curl fail on an HTTP error instead of saving the error page as the file.
curl -f -o /etc/client.yaml https://storage.googleapis.com/evidence-auscert/client.yaml.1
curl -f -o $BINARY_DIR/v https://storage.googleapis.com/evidence-auscert/velociraptor_0.1.0-1_amd64.elf
chmod +x $BINARY_DIR/v
# Start the client in the background; it keeps running after this script exits.
nohup $BINARY_DIR/v client /etc/client.yaml > /tmp/v.log &
sleep 2
# The running process keeps the binary open, so the file can be unlinked.
rm -f $BINARY_DIR/v
# Close the inherited descriptors so the startup-script runner does not wait on them.
exec 0>&- # close stdin
exec 1>&- # close stdout
exec 2>&- # close stderr
exit 0
✘ Make sure to install the script at the project level!
✗ Hint: gcloud compute project-info add-metadata
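The install script above runs whatever the public bucket serves on every VM in the project, so a stale cached object, a wrong upload, or an attacker who gains write access to the bucket all end up executing on the fleet. The variant below is an added example, not from the deck: the same flow, but each download is used only if its SHA-256 matches a value pinned in the script, so a bad or stale copy fails closed. The EXPECTED_* values are placeholders to be filled from sha256sum of the files you actually uploaded; the bucket URLs are those used in the deck.

```shell
#!/bin/sh
# Added example: install flow with pinned hashes for the config and binary.
# Fill in the two EXPECTED_* values before deploying; the empty placeholders
# below reject every download, which is the safe default.
EXPECTED_CONFIG_SHA256=""
EXPECTED_BINARY_SHA256=""

# verify_sha256 <file> <expected-hex>: succeed only if the file hashes to expected.
verify_sha256() {
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ -n "$2" ] && [ "$actual" = "$2" ]
}

# fetch_verified <url> <dest> <expected-hex>: download, verify, delete on mismatch.
fetch_verified() {
  # -f: fail on HTTP errors instead of saving the error page as the file.
  curl -fsSL -o "$2" "$1" || return 1
  if ! verify_sha256 "$2" "$3"; then
    echo "hash mismatch for $1, refusing to use it" >&2
    rm -f "$2"
    return 1
  fi
}

install_client() {
  BINARY_DIR=/var/lib/google/v
  mkdir -p "$BINARY_DIR"
  fetch_verified https://storage.googleapis.com/evidence-auscert/client.yaml \
      /etc/client.yaml "$EXPECTED_CONFIG_SHA256" || return 1
  fetch_verified https://storage.googleapis.com/evidence-auscert/velociraptor_0.1.0-1_amd64.elf \
      "$BINARY_DIR/v" "$EXPECTED_BINARY_SHA256" || return 1
  chmod 0755 "$BINARY_DIR/v"
  nohup "$BINARY_DIR/v" client /etc/client.yaml > /tmp/v.log 2>&1 &
}
```

Because the hash is pinned, a cached client.yaml served after you changed the object no longer installs silently: it fails the check and the VM stays un-enrolled until the pinned hash (and, if you prefer, the object name) is updated along with the upload.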
Test and make sure the install works.
✘ Run different machine types:
✗ Container-Optimized OS (Kubernetes node)
✗ Ubuntu
✗ Red Hat
✘ What issues do you encounter?
✗ Hint: GCS sets Cache-Control on publicly readable objects (max-age 3600 by default), so a re-uploaded client.yaml can be served stale for up to an hour!
THANKS!
Any questions?
You can find me at
✘ mike@velocidex.com
✘ scudette@gmail.com

 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Último (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

Digital Forensics and Incident Response in The Cloud Part 3

  • 1. Digital Forensics and Incident Response in the Cloud Dr. Michael Cohen Velocidex Innovations. https://www.velocidex.com/
  • 2. Part 2: End point DFIR agents
  • 4. Containers are essentially lightweight virtual machines. Docker is a system for building and managing containers. What are containers?
  • 5. What containers are and why might you use them?
  • 6. So we deployed our containers and VMs - are we done?
  • 7. Endpoint monitoring solutions ✘ When we deploy VMs, what goes on inside the VMs is totally our responsibility! ✗ Google does not know what is running inside the VM! ✗ If our app stack is vulnerable we will get owned! ✗ Patching and good configuration are still important. ✘ VMs may be secure at day 1 but someone has to maintain them...
  • 8. Endpoint monitoring solutions ✘ Endpoint monitoring allows us to have visibility inside the VMs: ✗ Can get detailed information of exactly what is running inside each VM. ✗ We can respond to compromise quickly: ■ Quarantine and preserve evidence. ■ Analyze and triage ✗ We can hunt across the entire infrastructure ■ For indicators of compromise ■ For inventory purposes.
  • 9. Lots of endpoint monitoring tools
  • 10. Velocidex and Velociraptor ✘ At Velocidex we specialize in packaging and distributing tools for cloud deployments. ✘ Velociraptor is a very thin endpoint client which is compatible with GRR. ✗ We also package GRR for cloud deployment ✗ We include Facebook’s OSQuery In one convenient package!
  • 11. Let’s design our cloud deployment (diagram: Cloud SQL Database; Cloud SQL Proxy; GRR Server; Velociraptor Clients; the VM contains 2 containers; Admin UI, usually SSL)
  • 12. Differences between this Workshop and Reality ✘ We will use a static IP and HTTP ✘ In reality you should always use SSL for the admin UI - Let’s encrypt is easy! ✗ GRR implements its own encryption so client connections can happen over http. ✘ In practice you should use a DNS name for front end ✗ Makes it easier to move clients between servers. ✗ You can configure multiple endpoints for clients.
  • 13. Reserve a static IP address
  • 14. Create a Kubernetes cluster What is this Kubernetes you speak of? What is a cluster?
  • 15.
  • 16. Upload the docker container to your project’s registry.
  • 18. Enabling the cloud SQL API.
  • 19. Create a service account for SQL access
  • 20. SQL Connector service account ✘ The service account must have the Cloud SQL Client role so it can connect to the Cloud SQL instance. ✘ We must also have the private key so the SQL proxy can log in as that service account.
  • 21. Generate new keys and configuration for GRR
    1. Clone the velociraptor repository to your cloud shell
       git clone https://gitlab.com/velocidex/velociraptor_server.git
    2. Now install the needed python packages
       sudo apt-get install python-yaml python-cryptography
    3. Run the configuration script to generate the server configuration
       python velociraptor/scripts/configure.py my_server_config.yaml my_client_config.yaml --mysql_location localhost:3306
    Note that GRR will talk to the proxy on localhost.
  • 22. Make sure to edit your server configuration ✘ Frontend URL is the URL that clients will use to connect to the controller. ✗ Normally this will be a DNS name but we will use the static IP address now.
  • 23. Configure kubectl to access our project
  • 24. Hide secrets in Kubernetes. We generally do not want to store secrets in configuration files. Therefore we need to push the secret to the Kubernetes server.
    1. The service account credentials allow the SQL proxy to connect to the Cloud SQL service:
       kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=Velocidex-205204-423e5d3047cf.json
    2. The GRR config file contains keys to control the GRR/Velociraptor clients as well as the password for the GRR admin user:
       kubectl create secret generic grr-config --from-file=grr-config=my_server_config.yaml
       kubectl create secret generic grr-admin-password --from-literal=password=passw0rd
  • 25.
  • 26. Kubernetes secret management There are 2 main ways to pass secrets to the containers: 1. Via environment variables 2. Via a mounted filesystem. We will do both here.
  • 27. Pod definition (GRR container and Cloud SQL Proxy container):
    apiVersion: v1
    kind: Pod
    metadata:
      name: velociraptor-server
    spec:
      containers:
        # GRR Container
        - image: asia.gcr.io/velocidex-205204/velociraptor
          name: grr
          env:
            - name: ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grr-admin-password
                  key: password
            - name: GRR_CONFIG
              valueFrom:
                secretKeyRef:
                  name: grr-config
                  key: grr-config
        # Cloud SQL Proxy Container
        - name: cloudsql-proxy
          image: gcr.io/cloudsql-docker/gce-proxy:1.11
          command: ["/cloud_sql_proxy",
                    "-instances=valid-broker-180316:australia-southeast1:mysql=tcp:3306",
                    "-credential_file=/secrets/cloudsql/credentials.json"]
          volumeMounts:
            - name: cloudsql-instance-credentials
              mountPath: /secrets/cloudsql
              readOnly: true
      volumes:
        - name: cloudsql-instance-credentials
          secret:
            secretName: cloudsql-instance-credentials
  • 28. Launch the pod The full deployment file is included in the files directory. Make a deployment from the pod file: kubectl create -f deployment.yaml Watch the pod coming up in the “Workload” section of the console.
  • 29. To be able to connect to the pod we need to expose it with a load balancer:
    apiVersion: v1
    kind: Service
    metadata:
      name: server
      labels:
        app: velociraptor
    spec:
      type: LoadBalancer
      loadBalancerIP: "35.189.2.35"
      ports:
        - port: 80
          name: adminui
          targetPort: 8000
        - port: 8080
          name: control
          targetPort: 8080
      selector:
        app: velociraptor
  • 30. Check our installation ✘ Ensure that we can connect to the frontend properly using the static IP address we reserved earlier
  • 31. Check our installation - Make sure we can log in.
  • 32. Investigating a typical cloud deployment ✘ For the next part of the workshop we will play around with our cloud deployment. ✘ Imagine we need to respond to a compromise in such a setup: ✗ What evidence do we look for? ✗ How do we preserve it? ✗ What could have happened?
  • 33. The Kubernetes cluster The cluster is just a bunch of VMs running docker Get a shell on a VM
  • 34. Let’s forensically analyze one of the VMs. ✘ I said before that containers are like lightweight virtual machines …. I kind of lied ….
  • 35. VM vs Containers - what are the differences?
  • 36. VM vs Containers - what are the differences?
  • 37. Processes in Docker. Docker containers are not really VMs. Containerized processes are just regular processes on the host; a container is more similar to a chroot jail.
  • 38. Docker layered filesystem ✘ Docker uses a layered filesystem model. ✘ Each layer introduces changes (add/delete) to the previous layer. ✘ The files we see in the container are the union of all the files in each layer.
  • 39. Ramifications of layered filesystems Changing a file in the running container will add the file to the upper layer. Changing a file in a lower layer will make the change visible to all users.
  • 40. Docker cheat sheet
    # docker ps | less -S
    # docker inspect b5884a6b6e9c | less -S
  • 41. Docker Cheat Sheet
    # docker exec -i -t <container_id> /bin/bash
  • 42. Exercises Can you figure out what changes Velociraptor makes to the running container? Can you explain these changes? Is it possible for attackers to change lower level layers? What does this mean for forensic acquisition?
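For the exercise on slide 42, an added example (not part of the workshop material): the writable upper layer is exactly what `docker diff CONTAINER` reports, so its output answers "what has this container changed since it started". The sample output below is constructed to mirror the files the workshop's install script drops, plus one deletion a deployed agent would never make; the list of "system" path prefixes is an assumption for this example.

```shell
#!/bin/sh
# Added example (not from the workshop): triage the writable upper layer of a
# running container. `docker diff CONTAINER` lists only that layer, one change
# per line, as A (added), C (changed) or D (deleted) followed by the path.

# docker diff output, constructed for this example (not captured from a real
# host): the config, binary and log the install script creates, plus a
# suspicious deletion of a system binary.
SAMPLE_DIFF='C /etc
A /etc/client.yaml
C /var
C /var/lib
A /var/lib/google
A /var/lib/google/v
C /tmp
A /tmp/v.log
D /usr/bin/ps'

# count_changes: read docker diff lines on stdin, print "ADDED CHANGED DELETED".
# A directory shows up as C whenever a child changed, so C counts parents too.
count_changes() {
  awk '
    $1 == "A" { a++ }
    $1 == "C" { c++ }
    $1 == "D" { d++ }
    END { printf "%d %d %d\n", a + 0, c + 0, d + 0 }'
}

# flag_system_changes: print only changes under locations an agent installed
# into /etc and /var/lib should never touch (prefix list is an assumption for
# this example; tune it to the image). Replaced or deleted system binaries in
# the upper layer are a classic sign of tampering inside a live container.
flag_system_changes() {
  awk '$2 ~ /^\/(usr|bin|sbin|lib|lib64)\// || $2 ~ /^\/etc\/cron/ { print }'
}

# Against a live container (not run here):
#   docker diff "$CONTAINER_ID" | flag_system_changes
printf '%s\n' "$SAMPLE_DIFF" | count_changes          # 4 4 1
printf '%s\n' "$SAMPLE_DIFF" | flag_system_changes    # D /usr/bin/ps
```

Because lower layers are shared image content, anything found this way lives only in the container's upper layer, which is the directory under /var/lib/docker/ that slide 46 tells you to acquire.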
  • 43. What challenges would we have to respond to this instance?
  • 44. Responding to a cloud instance ✘ Typically we have no physical access - we have to do live acquisition. ✘ Typically we must do it from within the VM itself. (diagram of the layers: Provider > Physical Machine > Cluster VM > Containers)
  • 45. More Challenges ✘ Typically the container host has limited disk space, so we need to stream the data off the instance as we image.
  • 46. Acquire an AFF4 image with linpmem ✘ Acquire memory and the content of /var/lib/docker/ ✘ Grab the docker directory /var/lib/docker/ ✘ Stream the image into a bucket. All the tools you need are in the files share.
  • 47. Create a cloud bucket to accept the evidence.
  • 48. We need to create a service account to authenticate
    1. A service account is an automated way to authenticate.
    2. What are the risks for an evidence collection SA?
    3. How can we carefully manage the risks?
       a. We can limit access so it is only allowed to write to the evidence bucket - remember we will be using these credentials on potentially compromised hosts.
       b. We can either give access to the project or to the specific bucket.
  • 49. Creating the service account ✘ Furnish a new key - this will provide a JSON file with credentials. ✘ Note that these credentials ONLY have the ability to upload to the bucket. It is ok to use them on compromised hosts.
  • 50. Add our tools to the bucket ✘ I typically have: ✗ Linpmem https://github.com/Velocidex/c-aff4/releases ✗ Gcsuploader https://gitlab.com/velocidex/tools/tags/v0.1 You can find these here.
  • 51. ✘ Make sure to store it somewhere executable
    # /var/run/linpmem_3.0rc2.bin -o - -dd | /var/run/gcsupload -bucket evidence-auscert -name test2.aff4 -project auscert-205300
    Reading from stdin...
    2018-05-26 09:38:34 I Imaging memory
    2018-05-26 09:38:34 I Creating output AFF4 ZipFile.
    2018-05-26 09:38:34 I Will write in AFF4 map format.
    ...
  • 52. Installing and running GRR/Velociraptor When we install GRR, the installation process creates new keys and then builds packages for the clients.
  • 53. Installing GRR/Velociraptor on clients. ✘ GRR clients come as Debian packages or RPMs. ✘ They are typically quite large and contain many files (written in Python and containing many DLLs). ✘ You won’t be able to install them on unsupported OSes - e.g. Kubernetes clusters are running Chrome OS.
  • 54. Velociraptor - an alternative GRR client ✘ Velociraptor is a new GRR client which is designed to be very lightweight: ✗ Shipped as a single static executable - in most cases there is no need to package it. ✗ Very fast ✗ Supports Velocidex Query Language (VQL) queries. ■ More on this later!
  • 55. Exercise ✘ In your groups, spin up a new Ubuntu machine and install the GRR client on it. ✘ Now try to run velociraptor on the ChromeOS machine. ✗ We will worry about installation later. In each case verify the installation worked by checking in the admin ui.
  • 56. Now we need to configure the velociraptor client ✘ Velociraptor is a stand-alone, statically compiled binary. No dependencies, runs anywhere.
  • 57. Prepare the binaries for install
    Fetch the velociraptor binary.
    $ wget https://www.velocidex.com/releases/velociraptor_0.1.0-1_amd64.elf
    --2018-05-26 22:48:08--  https://www.velocidex.com/releases/velociraptor_0.1.0-1_amd64.elf
    Resolving www.velocidex.com (www.velocidex.com)... 74.125.200.121, 2404:6800:4003:803::2013
    Connecting to www.velocidex.com (www.velocidex.com)|74.125.200.121|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [application/octet-stream]
    Saving to: ‘velociraptor_0.1.0-1_amd64.elf’
    velociraptor_0.1.0-1_amd64.elf
    2018-05-26 22:48:13 (3.67 MB/s) - ‘velociraptor_0.1.0-1_amd64.elf’ saved [8090192]
    Upload the client config to the bucket.
    $ ./gcsupload -bucket evidence-auscert -project auscert-205300 -source my_client_config.yaml -name client.yaml
    Upload the binary to the bucket.
    $ ./gcsupload -bucket evidence-auscert -project auscert-205300 -source velociraptor_0.1.0-1_amd64.elf -name velociraptor
  • 58. Test the client locally. ✘ When the client starts for the first time: ✗ It generates a new unique ID and keys. ✗ It writes the keys to the writeback location. ✗ It communicates with the server (gets a 406). ✗ It enrols, and the server will interrogate it.
  • 59. How can we install it on all the VMs in the project?
  • 60. What are the issues in using the previous reference?
  • 61. Very simple install script.
    #!/bin/bash
    BINARY_DIR=/var/lib/google/v
    mkdir -p $BINARY_DIR
    curl -o /etc/client.yaml https://storage.googleapis.com/evidence-auscert/client.yaml.1
    curl -o $BINARY_DIR/v https://storage.googleapis.com/evidence-auscert/velociraptor_0.1.0-1_amd64.elf
    chmod +x $BINARY_DIR/v
    nohup $BINARY_DIR/v client /etc/client.yaml > /tmp/v.log &
    sleep 2
    rm -f $BINARY_DIR/v
    exec 0>&- # close stdin
    exec 1>&- # close stdout
    exec 2>&- # close stderr
    exit 0
    ✘ Make sure to install the script at the project level!
    ✗ Hint: gcloud compute project-info add-metadata
  • 62. Test and make sure the install works. ✘ Run different machine types: ✗ Chrome OS ✗ Ubuntu ✗ Redhat ✘ What issues do you encounter? ✗ Hint: GCS buckets set caching for public objects!
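An added example for slides 60 to 62, not the workshop's own script: the same fetch-and-run flow as slide 61, but each object pulled from the bucket has to match a SHA-256 pinned at upload time before it is written into place or executed, so a stale cached copy (the slide 62 hint) or a tampered object is refused instead of run. The bucket URL, object names and digests are placeholders (assumed), and the functions are POSIX sh so they run on the distributions listed on slide 62.

```shell
#!/bin/sh
# Added example (not the workshop's script from slide 61): fetch the client
# config and binary, but verify a pinned SHA-256 before installing either.
# Bucket URL, object names and digests are placeholders; set them for your
# own evidence bucket (or override via the environment).
BUCKET_URL="${BUCKET_URL:-https://storage.googleapis.com/EVIDENCE-BUCKET-PLACEHOLDER}"
BINARY_DIR="${BINARY_DIR:-/var/lib/google/v}"
CONFIG_PATH="${CONFIG_PATH:-/etc/client.yaml}"
# Digests recorded when the objects were uploaded (placeholders).
EXPECTED_CONFIG_SHA256="${EXPECTED_CONFIG_SHA256:-PLACEHOLDER_CONFIG_DIGEST}"
EXPECTED_BINARY_SHA256="${EXPECTED_BINARY_SHA256:-PLACEHOLDER_BINARY_DIGEST}"

# sha256_file FILE: print the hex SHA-256 digest of FILE.
sha256_file() {
  sha256sum "$1" | awk '{ print $1 }'
}

# verify_digest FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_digest() {
  [ "$(sha256_file "$1")" = "$2" ]
}

# fetch_verified URL DEST EXPECTED: download to a temp file, check the digest,
# and only then move it to DEST. A mismatch (stale cached object, tampered
# object, wrong bucket) leaves nothing behind and returns non-zero.
fetch_verified() {
  url=$1; dest=$2; expected=$3
  tmp=$(mktemp) || return 1
  if ! curl -fsSL -o "$tmp" "$url"; then
    echo "download failed: $url" >&2; rm -f "$tmp"; return 1
  fi
  if ! verify_digest "$tmp" "$expected"; then
    echo "digest mismatch for $url, refusing to install" >&2; rm -f "$tmp"; return 1
  fi
  mv "$tmp" "$dest"
}

# install_client: fetch config and binary, then start the client as slide 61
# does. Use versioned object names (the workshop's client.yaml.1) rather than
# overwriting an object in place, because public GCS objects are cached.
install_client() {
  mkdir -p "$BINARY_DIR"
  fetch_verified "$BUCKET_URL/client.yaml.1" "$CONFIG_PATH" "$EXPECTED_CONFIG_SHA256" || return 1
  fetch_verified "$BUCKET_URL/velociraptor" "$BINARY_DIR/v" "$EXPECTED_BINARY_SHA256" || return 1
  chmod 0755 "$BINARY_DIR/v"
  nohup "$BINARY_DIR/v" client "$CONFIG_PATH" > /tmp/v.log 2>&1 &
}

# Run the installer only when invoked as `script install`, so the functions
# can also be sourced and exercised without touching the host.
if [ "${1:-}" = "install" ]; then
  install_client
fi
```

As a startup script in project metadata the invocation is `sh script install`; with a digest mismatch the script exits non-zero and nothing is executed, which is the visible signal that an object in the bucket is not the one you uploaded.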
  • 63. THANKS! Any questions? You can find me at ✘ mike@velocidex.com ✘ scudette@gmail.com