SlideShare uma empresa Scribd logo

OWASP Atlanta 2018: Forensics as a Service

•Transferir como PPTX, PDF•
•
Toni de la Fuente
Toni de la Fuente

Cloud Forensics as a Service

Tecnologia
1 de 33
Toni de la Fuente (@ToniBlyx :: blyx.com) Lead Security Operations / Senior Cloud Security Architect Digital Forensics as a Service: DFIR in the Cloud
Prowler / phpRADmin / Alfresco BART / Docs
Once upon a time… • Digital Forensics IN and OF the Cloud • Generic Challenges • Attacks • Incident Response • Hardening Security IN the Cloud!
AWS Region Amazon RDS MySQL Master Internet gateway Availability Zone 1 Availability Zone 2 Public subnet Public subnet NAT gateway EC2 Bastion 10.0.128.5 NAT gateway EC2 Bastion 10.0.144.5 Alfresco One Auto Scaling Group Elastic Load Balancing Amazon RDS MySQL Slave S3 for Shared Content Store 10.0.0.0/16 10.0.128.0/20 10.0.144.0/20 10.0.0.0/19 10.0.32.0/19 Alfresco Index Auto Scaling Group Private SubnetPrivate Subnet Alfresco Server Alfresco Server Alfresco ServerAlfresco Server Index Server Index Server Index Server Index Server * Immutable infrastructure
Generic Forensics Challenges
Disadvantages and Challenges Cloud Forensics and Operations Ubiquity Enumeration Legal jurisdiction Elasticity Preservation of evidence Data integrity Data persistence (replication) Chain of custody Evidence integrity Multi-tenancy Data attribution Chain of custody Abstract Determine the best evidence Preservation and visualization of evidence Quantity of data and Big Data Systems that cannot be investigated or managed in a traditional manner Knowledge Trained staff Continuous evolution and new features almost daily Providers Service level agreement / service level objectives Relationship client-provider / transparency
Service Level Objectives to Guarantee with Provider IaaS PaaS SaaS Provider’s network logs Web server logs Web server logs DNS providers logs Application server logs Application server logs Virtual machine hypervisor logs Tenant operating system logs Database logs Host logs Host access logs Host access logs API logs Virtualization platform logs Virtualization platform logs Management portal logs Management portal logs Management portal logs Packet capture logs Packet capture logs Packet capture logs Billing records Billing records Billing records
Traditional vs Cloud Forensics Processes Traditional Forensics Cloud Forensics Identification Identification of an event or incident Multiple tools Few tools Preservation Securitization and assessment of the scene Yes No Documentation of the scene Yes No Evidence collection: origin of the evidence Physical hardware Virtual hardware Evidence collection: location of the evidence Crime scene Provider’s data center Marking, packaging and transport Physical Digital through the Internet or physical media Acquisition / Extraction Acquisition time Slow Fast RAM acquisition Yes Dependant Hash Slow Fast Erased data recovery Possible Difficult Metadata acquisition Yes Yes Time stamp Precise Complex Installation (action) of forensic software Expensive Cheap Configuration and availability of forensic software Expensive Cheap Transport Yes No Analysis Analysis Slow Fast (potentially) Presentation Documentation of evidence Acquired evidence Data from many sources Declaration Common Difficult to explain to a judge
Storage Options Type AWS Azure GCP Objects S3 Object Storage • Buckets • 5TB max per object • Encryption In-flight and at-rest Azure Storage • Blob storage • 500TB limit per storage account • Encryption In-flight and at-rest Google Cloud Storage • Buckets • 5TB max per object • Encryption In-flight and at-rest SAN / Block EBS (Volumes) • Volume size: 1GB to 16TB (in 1GB increments) • Magnetic, SSD • Encryption available • Snapshots Azure Virtual Disks • Page blobs • Volume size: 32GB to 4TB • Standard (Magnetic), SSD premium • Snapshots • Encryption available Google Block Storage • Volume size: 1GB to 10TB • Magnetic, SSD • Snapshots • Encryption by default NAS Shared Storage (NFS4.0/4.2) • EFS File Storage (SMB3.0) Single Node File Server + Others Archive Glacier Azure Backup Google Cloud Storage Nearline Migration Import Export / Snowball Import Export Third Party Solution (Iron Mountain, etc.) CDN AWS CloudFront (CDN) Azure CDN Google Cloud CDN * Ephemeral, DBs, Queues, Caching and Storage GW not included
Common Attacks
Common incidents • Top 3: EC2, IAM, S3 – Access Keys compromise – Information leaks through misconfigured services or DNS – Phishing attacks – Compromised resources – Poisoned AMI – Application running in a role – Infection through 3rd party services – Hybrid attacks – Subdomain takeovers – Bitcoin mining – Did I say MISCONFIGURATIONS? • Other services (RDS, ES, Redshift) • What about targeted attacks?
S3 Leaks • Time Warner (BroadSoft) • Verizon • Auto Lender • U.S. Voters • And many others! https://github.com/nagwww /s3-leaks • Amazon Macie: Machine Learning, discover and classify sensitive data in AWS. PII or intellectual property.
Where to find AWS Access Keys… • UserData, CloudFormation, Metadata Server • Code: Github or other source code repositories, versions, commit history* • Public EBS volumes • Public AMIs • Public S3 buckets • Workstation or Server ~/.aws/credentials or C:UsersUSERNAME.awscredentials • Containers • Dev Tools: Vagrant images, Packer files, Bamboo, Jenkins… • Vim swap files • Service Providers (Slack bots, DataDog, CloudHealth, Okta, OneLogin, etc.) • Google… *See truffleHog from dxa4481 in Github
Some fun with Social Engineering… Change default Spotlight shortcut and don´t trust USBs!
Incident Response
• Notifications from AWS • Access activity (IAM) • Billing activity (Budget alerts) new cloud IDS! • API Logs • CloudWatch Events/Alarms • Service Specific Events • Dashboards • CloudWatch • Personal Health • Cost Explorer • Other • Third party (dedicated tools) • NIDS (Snort, Suricata, etc.) • HIDS (Wazuh/OSSEC, Osquery, rkhunter, Auditd) • ELK Incident Indicators https://cloudonaut.io/aws-monitoring-primer/
Cloud Incident Handling Workflow Instance Compromise Start Forensic Workstation Live or Dead Attach the Tools Volume Apply Isolation SG Credential Compromise Check new resources created Disable Keys Make API log report if enabled If found Isolate them Create a report Attach the Evidence Collection Volume Isolate it? Log in to the instance Perform Evidence Acquisition Take snapshot to all volumes Stop it Make Volumes to Snapshots Attach Volumes to Forensic Workstation Attach the Evidence Collection Volume Log in to the Forensic Workstation Analyze / Further Investigation Incident Live Dead Create Support Case with Provider Revoke Access Revoke Sessions Outside Info Acquisition (instance profile,endpo ints,metadat a, etc)_ Perform Timeline Pre-built Volatiliy frofile Pre-built LiME krnl mod RAM Acquisition Yes NIC Network Scan Create Internal Case Separate Network with Internet Access to Scan CAINE / SIFT / DEFT / FCCU / HELIX3 / FIRE Windows_Life_Response Sysinternals Nirsoft FTK Imager Autopsy Sleuthkit Trigger a Network Capture / VPC Logs TAG Resources under investigation * Hashing comparison-gold image, carving, cloud-init, search malware, IOC, etc
Assets Acquisition Specific to AWS Perform Evidence Acquisition AWS Infrastructure Logs: CloudTrail and VPC FlowLogs AWS Service Logs: S3 Logs, RDS Logs, Lambda, API Gateway, Route53, CloudFront, etc. Host Based Logs (volume snapshot) Messages/System, security, audit, applications, etc. Additional data from AWS view: instance profile, endpoints, syslogs, screen, metadata, etc More Outside: Limits, check resources creation from given date (all regions)
Digital Forensics as a Service? How to be Prepared • DFaaS: capabilities we can use from a cloud vendor to perform tasks related to Digital Forensics • Multi Account Strategy • Dedicated Account for Forensics • Dedicated Account for Security Operations • Acquisition tools ready to use • Live Data • Acquire data, what data?
• CIS Benchmark security assessment tool (52 checks + 20 additional) • New “forensics-ready” group of checks: • Checks if you are collecting all what you may need in case of an incident • Forensics as a Service helper • CloudTrail, S3, Config, VPCFlowlog, Macie, GuardDuty, CloudFront, ES, Lambda, ELB/ALB, Route53, Redshift and more • https://github.com/Alfresco/prowler
<DEMO> Prowler, specific group check for AWS forensics readiness
IRDF Automation Tools
Digital Forensics as a Service: Tools/Challenges • Userland / Process Memory Acquisition • AWS System Manager (ssm) • aws_ir, Margaritashotgun (LiME) • Volatility and Rekall automation • ECFS: extended core file snapshot format • Containers • Analysis process • IOC • Something like LibVMI: VM introspection would help (Volatility integration) • Storage Acquisition and Processing • Depends on the Storage used • Easier for EBS Snapshots  Volumes • DFTimewolf (Grr) • Multiple Account Tools, Resources and Vendors • We don’t capture just one resource! • Enterprise grade • Processing collected data • Turbinia • Plaso • Laika BOSS • BinaryAlert • Analyze data • Timeline with ALL ACQUIRED DATA? • Timesketch • EVERYTHING? Room to improve here! • Multiple data formats • Multiple sources • Correlation
Threat Response Tools • Incident Response Tool for AWS • http://threatresponse.cloud/ • Compromised AWS API credentials (Access Keys) • Mitigate compromise: Lock • Compromised EC2 instance • Mitigate compromise • Isolation • Collect evidence • Memory acquisition • Plugins • gather_host (metadata, screen, console) • tag_host • examineracl_host • get_memory • isolate_host • stop_host
<DEMO> ThreatResponse: aws_ir, margaritashotgun • Instance compromise https://youtu.be/-dnljYRMMsU
SANS Reading Room: DF Analysis of an EC2 Instance Kudos! Ken Hartman https://www.kennethghartman.com
Hardening
Instance / Network / Provider • Put all what you need in your well known AMI (gold image): • Hardening applied / Tested (Packer/Vagrant) • CIS Benchmark! • No configuration or access needed • Local tools • Osquery / Wazuh-OSSEC / rkhunter / grr • Update rules / serverless • local configuration (SELinux/AppArmour) • AuditD • Collect telemetry host network data (Snort/Suricata) • Collect everything your provider allows you • Networking • APIs / Accesses (AWS API Call Limit) • Red Team / Third party pentesting*
Auditing, Assessment and Hardening Tools • AWS • Amazon GuardDuty • Amazon Macie • AWS Trusted Advisor • AWS CloudTrail • Amazon Inspector • AWS Organizations • AWS Config Rules • Alfresco: Prowler • Wazuh (wodle) • Nccgroup: Scout2 • Netflix: SecurityMonkey • Capital One: CloudCustodian • AWS CIS Benchmark Python code and Lambda functions • CloudSploit • Widdix Hardening Templates • Awslimitchecker • Git Secrets (AWS) • Azure • Security Center • OMS Security & Compliance • Azure logs Analitics • Windows Defender • Azure Op Insights • MWR Azurite • AzSDK • AzureStackTools • GCP • Spotify: gcp-audit • SecurityMonkey • ALL: • Analytics (ELK, Splunk, etc)
Takeaways This presentation and some bits already available at: https://github.com/toniblyx/
Thanks! Special Thanks to: Ismael Valenzuela @aboutsecurity Andrew K. @andrewkrug & ThreatResponse.cloud Team Alex Maestretti @maestretti Lorenzo Martinez @lawwait LĂłrien Domenech @loriendr Open Source Community improving Prowler!
Questions? toni@blyx.com - @ToniBlyx
References • Cloud Security Alliance, Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing, June 2013 • Dr. Keyun Ruan University College Dublin, Designing a Forensic-enabling Cloud Ecosystem, 2013 • International Standard ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence, October 2012 • Josiah Dykstra, Digital Forensics for IaaS Cloud Computing, June 2012 • Keyun Ruan, Ibrahim Baggili (PhD), Prof Joe Carthy, Prof Tahar Kechadi University College Dublin, Zayed University, Survey on Cloud forensics and critical criteria for Cloud forensic capability: A preliminary analysis • Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie, Cloud Forensics • Keyun Ruan, University College Dublin, Cloud Forensics: challenges & opportunitiess, 2010 • NIST Cloud Computing Forensic Science Working Group Information Technology Laboratory, NIST Cloud Computing Forensic Science Challenges, June 2014 • Peter Mell Timothy Grance, NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011 • Report From the First Digital Forensic Research Workshop (DFRWS), A Road Map for Digital Forensic Research, August 2001 • Forensics-as-a-Service (FaaS): Computer Forensic Workflow Management and Processing Using Cloud. Yuanfeng Wen, Xiaoxi Man, Khoa Le and Weidong Shi • http://static1.squarespace.com/static/5417f7f9e4b0b77770545590/t/56f3c598906340a7f6e78dbd/1458816415654/AWS_Cloud_and_Security.pdf • https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf • https://alestic.com/2015/10/aws-iam-readonly-too-permissive/ • Backdooring an AWS account • Exploring an AWS account post-compromise • Disrupting AWS logging • AWS IAM "ReadOnlyAccess" Managed Policy is Too Permissive (For Us) • Access Keys will kill you before you kill the password • Account Jumping Post Infection Persistency and Lateral Movement in AWS • Disrupt CloudTrail and pwning automation tools • RSA 2017 talk: Cloud Security Automate or Die, same tittle as mine but a bit different approach • RSA 2017 talk: Securing Serverless applications in the Cloud • RSA 2017 talk: DevSecOps on the Offense: Automating Amazon Web Services Account Takeover • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/when-a-web-application-ssrf-causes-the-cloud-to-rain-credentials-and-more/ • https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235

Recomendados

Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018
Toni de la Fuente
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Toni de la Fuente
 
SANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a ServiceSANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a Service
Toni de la Fuente
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
Toni de la Fuente
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
Toni de la Fuente
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
Abhishek Mallick
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security
DataWorks Summit/Hadoop Summit
 

Recomendados

Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018
Toni de la Fuente
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Toni de la Fuente
 
SANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a ServiceSANS Cloud Security Summit 2018: Forensics as a Service
SANS Cloud Security Summit 2018: Forensics as a Service
Toni de la Fuente
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
Toni de la Fuente
 
Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017Automate or die! Rootedcon 2017
Automate or die! Rootedcon 2017
Toni de la Fuente
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
Abhishek Mallick
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security
DataWorks Summit/Hadoop Summit
 
Alfresco Security Best Practices 2012
Alfresco Security Best Practices 2012Alfresco Security Best Practices 2012
Alfresco Security Best Practices 2012
Toni de la Fuente
 
Overview of HDFS Transparent Encryption
Overview of HDFS Transparent Encryption Overview of HDFS Transparent Encryption
Overview of HDFS Transparent Encryption
Cloudera, Inc.
 
Hdp security overview
Hdp security overview Hdp security overview
Hdp security overview
Hortonworks
 
Transparent Encryption in HDFS
Transparent Encryption in HDFSTransparent Encryption in HDFS
Transparent Encryption in HDFS
DataWorks Summit
 
Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest Apocalypse
Beau Bullock
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
Teri Radichel
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
Sriharsha Chintalapani
 
Apache Ranger
Apache RangerApache Ranger
Apache Ranger
Rommel Garcia
 
Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018
Duncan Wannamaker
 
Hadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxHadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache Knox
Vinay Shukla
 
Hadoop security
Hadoop securityHadoop security
Hadoop security
Shivaji Dutta
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
Container Security
Container SecurityContainer Security
Container Security
Amazon Web Services
 
Global Software Development powered by Perforce
Global Software Development powered by PerforceGlobal Software Development powered by Perforce
Global Software Development powered by Perforce
Perforce
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
Carlos Martinez Cagnazzo
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Redis Labs
 
Openstack 101
Openstack 101Openstack 101
Openstack 101
POSSCON
 
Csa container-security-in-aws-dw
Csa container-security-in-aws-dwCsa container-security-in-aws-dw
Csa container-security-in-aws-dw
Cloud Security Alliance, UK chapter
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
Deploy360 Programme (Internet Society)
 
Organizing open stack-meetup-in-china
Organizing open stack-meetup-in-chinaOrganizing open stack-meetup-in-china
Organizing open stack-meetup-in-china
Guangya Liu
 
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
Docker, Inc.
 

Mais conteĂşdo relacionado

Mais procurados

Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest Apocalypse
Beau Bullock
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Redis Labs
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
Deploy360 Programme (Internet Society)
 

Mais procurados (20)

Alfresco Security Best Practices 2012
Alfresco Security Best Practices 2012Alfresco Security Best Practices 2012
Alfresco Security Best Practices 2012
 
Overview of HDFS Transparent Encryption
Overview of HDFS Transparent Encryption Overview of HDFS Transparent Encryption
Overview of HDFS Transparent Encryption
 
Hdp security overview
Hdp security overview Hdp security overview
Hdp security overview
 
Transparent Encryption in HDFS
Transparent Encryption in HDFSTransparent Encryption in HDFS
Transparent Encryption in HDFS
 
Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest Apocalypse
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
 
Apache Ranger
Apache RangerApache Ranger
Apache Ranger
 
Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018
 
Hadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxHadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache Knox
 
Hadoop security
Hadoop securityHadoop security
Hadoop security
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Container Security
Container SecurityContainer Security
Container Security
 
Global Software Development powered by Perforce
Global Software Development powered by PerforceGlobal Software Development powered by Perforce
Global Software Development powered by Perforce
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
 
Openstack 101
Openstack 101Openstack 101
Openstack 101
 
Csa container-security-in-aws-dw
Csa container-security-in-aws-dwCsa container-security-in-aws-dw
Csa container-security-in-aws-dw
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
Organizing open stack-meetup-in-china
Organizing open stack-meetup-in-chinaOrganizing open stack-meetup-in-china
Organizing open stack-meetup-in-china
 

Semelhante a OWASP Atlanta 2018: Forensics as a Service

Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
RootedCON
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
Docker, Inc.
 
Cloud Migration, Application Modernization and Security for Partners
Cloud Migration, Application Modernization and Security for PartnersCloud Migration, Application Modernization and Security for Partners
Cloud Migration, Application Modernization and Security for Partners
Amazon Web Services
 
Cloud Migration, Application Modernization and Security for Partners
Cloud Migration, Application Modernization and Security for PartnersCloud Migration, Application Modernization and Security for Partners
Cloud Migration, Application Modernization and Security for Partners
Amazon Web Services
 
Case Studies A Kubernetes DFIR investigation.pdf
Case Studies A Kubernetes DFIR investigation.pdfCase Studies A Kubernetes DFIR investigation.pdf
Case Studies A Kubernetes DFIR investigation.pdf
Christopher Doman
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
Salesforce Engineering
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte
 

Semelhante a OWASP Atlanta 2018: Forensics as a Service (20)

Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
Cloud Migration, Application Modernization and Security for Partners
Cloud Migration, Application Modernization and Security for PartnersCloud Migration, Application Modernization and Security for Partners
Cloud Migration, Application Modernization and Security for Partners
 
Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
Cloud Migration, Application Modernization and Security for Partners
Cloud Migration, Application Modernization and Security for PartnersCloud Migration, Application Modernization and Security for Partners
Cloud Migration, Application Modernization and Security for Partners
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
 
Securing your content and media workflows on AWS
Securing your content and media workflows on AWSSecuring your content and media workflows on AWS
Securing your content and media workflows on AWS
 
AWS Tips for LAUNCHing Your Infrastructure in the Cloud
AWS Tips for LAUNCHing Your Infrastructure in the CloudAWS Tips for LAUNCHing Your Infrastructure in the Cloud
AWS Tips for LAUNCHing Your Infrastructure in the Cloud
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
 
Case Studies A Kubernetes DFIR investigation.pdf
Case Studies A Kubernetes DFIR investigation.pdfCase Studies A Kubernetes DFIR investigation.pdf
Case Studies A Kubernetes DFIR investigation.pdf
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloud
 
SIEM.pdf
SIEM.pdfSIEM.pdf
SIEM.pdf
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
NVS_Sentinel
NVS_SentinelNVS_Sentinel
NVS_Sentinel
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
 

Mais de Toni de la Fuente

Monitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/IcingaMonitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/Icinga
Toni de la Fuente
 
Alfresco Day Madrid - Jeff Potts - Community
Alfresco Day Madrid - Jeff Potts - CommunityAlfresco Day Madrid - Jeff Potts - Community
Alfresco Day Madrid - Jeff Potts - Community
Toni de la Fuente
 
Alfresco Day Madrid - Jeff Potts - Activiti
Alfresco Day Madrid - Jeff Potts - ActivitiAlfresco Day Madrid - Jeff Potts - Activiti
Alfresco Day Madrid - Jeff Potts - Activiti
Toni de la Fuente
 
Alfresco Day Madrid - Partner - VASS
Alfresco Day Madrid - Partner - VASSAlfresco Day Madrid - Partner - VASS
Alfresco Day Madrid - Partner - VASS
Toni de la Fuente
 
Alfresco Day Madrid - Partner - IN2
Alfresco Day Madrid - Partner - IN2Alfresco Day Madrid - Partner - IN2
Alfresco Day Madrid - Partner - IN2
Toni de la Fuente
 
Alfresco Day Madrid - Partner - CSC
Alfresco Day Madrid - Partner - CSCAlfresco Day Madrid - Partner - CSC
Alfresco Day Madrid - Partner - CSC
Toni de la Fuente
 

Mais de Toni de la Fuente (20)

Alfresco DevCon 2018: From Zero to Hero Backing up Alfresco
Alfresco DevCon 2018: From Zero to Hero Backing up AlfrescoAlfresco DevCon 2018: From Zero to Hero Backing up Alfresco
Alfresco DevCon 2018: From Zero to Hero Backing up Alfresco
 
From zero to hero Backing up alfresco
From zero to hero Backing up alfrescoFrom zero to hero Backing up alfresco
From zero to hero Backing up alfresco
 
Seguridad en Internet para todos los públicos
Seguridad en Internet para todos los públicosSeguridad en Internet para todos los públicos
Seguridad en Internet para todos los públicos
 
Storage and Alfresco
Storage and AlfrescoStorage and Alfresco
Storage and Alfresco
 
Alfresco security best practices CHECK LIST ONLY
Alfresco security best practices CHECK LIST ONLYAlfresco security best practices CHECK LIST ONLY
Alfresco security best practices CHECK LIST ONLY
 
Alfresco Security Best Practices Guide
Alfresco Security Best Practices GuideAlfresco Security Best Practices Guide
Alfresco Security Best Practices Guide
 
Alfresco Security Best Practices 2014
Alfresco Security Best Practices 2014Alfresco Security Best Practices 2014
Alfresco Security Best Practices 2014
 
Alfresco Backup and Disaster Recovery White Paper
Alfresco Backup and Disaster Recovery White PaperAlfresco Backup and Disaster Recovery White Paper
Alfresco Backup and Disaster Recovery White Paper
 
Alfresco One (Enterprise) vs Alfresco Community 2014
Alfresco One (Enterprise) vs Alfresco Community 2014Alfresco One (Enterprise) vs Alfresco Community 2014
Alfresco One (Enterprise) vs Alfresco Community 2014
 
Alfresco Backup and Recovery Tool: a real world backup solution for Alfresco
Alfresco Backup and Recovery Tool: a real world backup solution for AlfrescoAlfresco Backup and Recovery Tool: a real world backup solution for Alfresco
Alfresco Backup and Recovery Tool: a real world backup solution for Alfresco
 
Comparativa entre Alfresco Enterprise vs Community
Comparativa entre Alfresco Enterprise vs Community Comparativa entre Alfresco Enterprise vs Community
Comparativa entre Alfresco Enterprise vs Community
 
Monitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/IcingaMonitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/Icinga
 
Nuevo Alfresco Records Management 2.0
Nuevo Alfresco Records Management 2.0Nuevo Alfresco Records Management 2.0
Nuevo Alfresco Records Management 2.0
 
Consejos de seguridad con Alfresco
Consejos de seguridad con AlfrescoConsejos de seguridad con Alfresco
Consejos de seguridad con Alfresco
 
Alfresco y SOLR, presentaciĂłn en espaĂąol
Alfresco y SOLR, presentaciĂłn en espaĂąolAlfresco y SOLR, presentaciĂłn en espaĂąol
Alfresco y SOLR, presentaciĂłn en espaĂąol
 
Alfresco Day Madrid - Jeff Potts - Community
Alfresco Day Madrid - Jeff Potts - CommunityAlfresco Day Madrid - Jeff Potts - Community
Alfresco Day Madrid - Jeff Potts - Community
 
Alfresco Day Madrid - Jeff Potts - Activiti
Alfresco Day Madrid - Jeff Potts - ActivitiAlfresco Day Madrid - Jeff Potts - Activiti
Alfresco Day Madrid - Jeff Potts - Activiti
 
Alfresco Day Madrid - Partner - VASS
Alfresco Day Madrid - Partner - VASSAlfresco Day Madrid - Partner - VASS
Alfresco Day Madrid - Partner - VASS
 
Alfresco Day Madrid - Partner - IN2
Alfresco Day Madrid - Partner - IN2Alfresco Day Madrid - Partner - IN2
Alfresco Day Madrid - Partner - IN2
 
Alfresco Day Madrid - Partner - CSC
Alfresco Day Madrid - Partner - CSCAlfresco Day Madrid - Partner - CSC
Alfresco Day Madrid - Partner - CSC
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

OWASP Atlanta 2018: Forensics as a Service

  • 1. Toni de la Fuente (@ToniBlyx :: blyx.com) Lead Security Operations / Senior Cloud Security Architect Digital Forensics as a Service: DFIR in the Cloud
  • 2. Prowler / phpRADmin / Alfresco BART / Docs
  • 3. Once upon a time… • Digital Forensics IN and OF the Cloud • Generic Challenges • Attacks • Incident Response • Hardening Security IN the Cloud!
  • 4. AWS Region Amazon RDS MySQL Master Internet gateway Availability Zone 1 Availability Zone 2 Public subnet Public subnet NAT gateway EC2 Bastion 10.0.128.5 NAT gateway EC2 Bastion 10.0.144.5 Alfresco One Auto Scaling Group Elastic Load Balancing Amazon RDS MySQL Slave S3 for Shared Content Store 10.0.0.0/16 10.0.128.0/20 10.0.144.0/20 10.0.0.0/19 10.0.32.0/19 Alfresco Index Auto Scaling Group Private SubnetPrivate Subnet Alfresco Server Alfresco Server Alfresco ServerAlfresco Server Index Server Index Server Index Server Index Server * Immutable infrastructure
  • 6. Disadvantages and Challenges Cloud Forensics and Operations Ubiquity Enumeration Legal jurisdiction Elasticity Preservation of evidence Data integrity Data persistence (replication) Chain of custody Evidence integrity Multi-tenancy Data attribution Chain of custody Abstract Determine the best evidence Preservation and visualization of evidence Quantity of data and Big Data Systems that cannot be investigated or managed in a traditional manner Knowledge Trained staff Continuous evolution and new features almost daily Providers Service level agreement / service level objectives Relationship client-provider / transparency
  • 7. Service Level Objectives to Guarantee with Provider IaaS PaaS SaaS Provider’s network logs Web server logs Web server logs DNS providers logs Application server logs Application server logs Virtual machine hypervisor logs Tenant operating system logs Database logs Host logs Host access logs Host access logs API logs Virtualization platform logs Virtualization platform logs Management portal logs Management portal logs Management portal logs Packet capture logs Packet capture logs Packet capture logs Billing records Billing records Billing records
  • 8. Traditional vs Cloud Forensics Processes Traditional Forensics Cloud Forensics Identification Identification of an event or incident Multiple tools Few tools Preservation Securitization and assessment of the scene Yes No Documentation of the scene Yes No Evidence collection: origin of the evidence Physical hardware Virtual hardware Evidence collection: location of the evidence Crime scene Provider’s data center Marking, packaging and transport Physical Digital through the Internet or physical media Acquisition / Extraction Acquisition time Slow Fast RAM acquisition Yes Dependant Hash Slow Fast Erased data recovery Possible Difficult Metadata acquisition Yes Yes Time stamp Precise Complex Installation (action) of forensic software Expensive Cheap Configuration and availability of forensic software Expensive Cheap Transport Yes No Analysis Analysis Slow Fast (potentially) Presentation Documentation of evidence Acquired evidence Data from many sources Declaration Common Difficult to explain to a judge
  • 9. Storage Options Type AWS Azure GCP Objects S3 Object Storage • Buckets • 5TB max per object • Encryption In-flight and at-rest Azure Storage • Blob storage • 500TB limit per storage account • Encryption In-flight and at-rest Google Cloud Storage • Buckets • 5TB max per object • Encryption In-flight and at-rest SAN / Block EBS (Volumes) • Volume size: 1GB to 16TB (in 1GB increments) • Magnetic, SSD • Encryption available • Snapshots Azure Virtual Disks • Page blobs • Volume size: 32GB to 4TB • Standard (Magnetic), SSD premium • Snapshots • Encryption available Google Block Storage • Volume size: 1GB to 10TB • Magnetic, SSD • Snapshots • Encryption by default NAS Shared Storage (NFS4.0/4.2) • EFS File Storage (SMB3.0) Single Node File Server + Others Archive Glacier Azure Backup Google Cloud Storage Nearline Migration Import Export / Snowball Import Export Third Party Solution (Iron Mountain, etc.) CDN AWS CloudFront (CDN) Azure CDN Google Cloud CDN * Ephemeral, DBs, Queues, Caching and Storage GW not included
  • 11. Common incidents • Top 3: EC2, IAM, S3 – Access Keys compromise – Information leaks through misconfigured services or DNS – Phishing attacks – Compromised resources – Poisoned AMI – Application running in a role – Infection through 3rd party services – Hybrid attacks – Subdomain takeovers – Bitcoin mining – Did I say MISCONFIGURATIONS? • Other services (RDS, ES, Redshift) • What about targeted attacks?
  • 12. S3 Leaks • Time Warner (BroadSoft) • Verizon • Auto Lender • U.S. Voters • And many others! https://github.com/nagwww /s3-leaks • Amazon Macie: Machine Learning, discover and classify sensitive data in AWS. PII or intellectual property.
  • 13. Where to find AWS Access Keys… • UserData, CloudFormation, Metadata Server • Code: Github or other source code repositories, versions, commit history* • Public EBS volumes • Public AMIs • Public S3 buckets • Workstation or Server ~/.aws/credentials or C:UsersUSERNAME.awscredentials • Containers • Dev Tools: Vagrant images, Packer files, Bamboo, Jenkins… • Vim swap files • Service Providers (Slack bots, DataDog, CloudHealth, Okta, OneLogin, etc.) • Google… *See truffleHog from dxa4481 in Github
  • 14. Some fun with Social Engineering… Change default Spotlight shortcut and don´t trust USBs!
  • 16. • Notifications from AWS • Access activity (IAM) • Billing activity (Budget alerts) new cloud IDS! • API Logs • CloudWatch Events/Alarms • Service Specific Events • Dashboards • CloudWatch • Personal Health • Cost Explorer • Other • Third party (dedicated tools) • NIDS (Snort, Suricata, etc.) • HIDS (Wazuh/OSSEC, Osquery, rkhunter, Auditd) • ELK Incident Indicators https://cloudonaut.io/aws-monitoring-primer/
  • 17. Cloud Incident Handling Workflow Instance Compromise Start Forensic Workstation Live or Dead Attach the Tools Volume Apply Isolation SG Credential Compromise Check new resources created Disable Keys Make API log report if enabled If found Isolate them Create a report Attach the Evidence Collection Volume Isolate it? Log in to the instance Perform Evidence Acquisition Take snapshot to all volumes Stop it Make Volumes to Snapshots Attach Volumes to Forensic Workstation Attach the Evidence Collection Volume Log in to the Forensic Workstation Analyze / Further Investigation Incident Live Dead Create Support Case with Provider Revoke Access Revoke Sessions Outside Info Acquisition (instance profile,endpo ints,metadat a, etc)_ Perform Timeline Pre-built Volatiliy frofile Pre-built LiME krnl mod RAM Acquisition Yes NIC Network Scan Create Internal Case Separate Network with Internet Access to Scan CAINE / SIFT / DEFT / FCCU / HELIX3 / FIRE Windows_Life_Response Sysinternals Nirsoft FTK Imager Autopsy Sleuthkit Trigger a Network Capture / VPC Logs TAG Resources under investigation * Hashing comparison-gold image, carving, cloud-init, search malware, IOC, etc
  • 18. Assets Acquisition Specific to AWS Perform Evidence Acquisition AWS Infrastructure Logs: CloudTrail and VPC FlowLogs AWS Service Logs: S3 Logs, RDS Logs, Lambda, API Gateway, Route53, CloudFront, etc. Host Based Logs (volume snapshot) Messages/System, security, audit, applications, etc. Additional data from AWS view: instance profile, endpoints, syslogs, screen, metadata, etc More Outside: Limits, check resources creation from given date (all regions)
  • 19. Digital Forensics as a Service? How to be Prepared • DFaaS: capabilities we can use from a cloud vendor to perform tasks related to Digital Forensics • Multi Account Strategy • Dedicated Account for Forensics • Dedicated Account for Security Operations • Acquisition tools ready to use • Live Data • Acquire data, what data?
  • 20. • CIS Benchmark security assessment tool (52 checks + 20 additional) • New “forensics-ready” group of checks: • Checks if you are collecting all what you may need in case of an incident • Forensics as a Service helper • CloudTrail, S3, Config, VPCFlowlog, Macie, GuardDuty, CloudFront, ES, Lambda, ELB/ALB, Route53, Redshift and more • https://github.com/Alfresco/prowler
  • 21. <DEMO> Prowler, specific group check for AWS forensics readiness
  • 23. Digital Forensics as a Service: Tools/Challenges • Userland / Process Memory Acquisition • AWS System Manager (ssm) • aws_ir, Margaritashotgun (LiME) • Volatility and Rekall automation • ECFS: extended core file snapshot format • Containers • Analysis process • IOC • Something like LibVMI: VM introspection would help (Volatility integration) • Storage Acquisition and Processing • Depends on the Storage used • Easier for EBS Snapshots  Volumes • DFTimewolf (Grr) • Multiple Account Tools, Resources and Vendors • We don’t capture just one resource! • Enterprise grade • Processing collected data • Turbinia • Plaso • Laika BOSS • BinaryAlert • Analyze data • Timeline with ALL ACQUIRED DATA? • Timesketch • EVERYTHING? Room to improve here! • Multiple data formats • Multiple sources • Correlation
  • 24. Threat Response Tools • Incident Response Tool for AWS • http://threatresponse.cloud/ • Compromised AWS API credentials (Access Keys) • Mitigate compromise: Lock • Compromised EC2 instance • Mitigate compromise • Isolation • Collect evidence • Memory acquisition • Plugins • gather_host (metadata, screen, console) • tag_host • examineracl_host • get_memory • isolate_host • stop_host
  • 25. <DEMO> ThreatResponse: aws_ir, margaritashotgun • Instance compromise https://youtu.be/-dnljYRMMsU
  • 26. SANS Reading Room: DF Analysis of an EC2 Instance Kudos! Ken Hartman https://www.kennethghartman.com
  • 28. Instance / Network / Provider • Put all what you need in your well known AMI (gold image): • Hardening applied / Tested (Packer/Vagrant) • CIS Benchmark! • No configuration or access needed • Local tools • Osquery / Wazuh-OSSEC / rkhunter / grr • Update rules / serverless • local configuration (SELinux/AppArmour) • AuditD • Collect telemetry host network data (Snort/Suricata) • Collect everything your provider allows you • Networking • APIs / Accesses (AWS API Call Limit) • Red Team / Third party pentesting*
  • 29. Auditing, Assessment and Hardening Tools • AWS • Amazon GuardDuty • Amazon Macie • AWS Trusted Advisor • AWS CloudTrail • Amazon Inspector • AWS Organizations • AWS Config Rules • Alfresco: Prowler • Wazuh (wodle) • Nccgroup: Scout2 • Netflix: SecurityMonkey • Capital One: CloudCustodian • AWS CIS Benchmark Python code and Lambda functions • CloudSploit • Widdix Hardening Templates • Awslimitchecker • Git Secrets (AWS) • Azure • Security Center • OMS Security & Compliance • Azure logs Analitics • Windows Defender • Azure Op Insights • MWR Azurite • AzSDK • AzureStackTools • GCP • Spotify: gcp-audit • SecurityMonkey • ALL: • Analytics (ELK, Splunk, etc)
  • 30. Takeaways This presentation and some bits already available at: https://github.com/toniblyx/
  • 31. Thanks! Special Thanks to: Ismael Valenzuela @aboutsecurity Andrew K. @andrewkrug & ThreatResponse.cloud Team Alex Maestretti @maestretti Lorenzo Martinez @lawwait LĂłrien Domenech @loriendr Open Source Community improving Prowler!
  • 33. References • Cloud Security Alliance, Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing, June 2013 • Dr. Keyun Ruan University College Dublin, Designing a Forensic-enabling Cloud Ecosystem, 2013 • International Standard ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence, October 2012 • Josiah Dykstra, Digital Forensics for IaaS Cloud Computing, June 2012 • Keyun Ruan, Ibrahim Baggili (PhD), Prof Joe Carthy, Prof Tahar Kechadi University College Dublin, Zayed University, Survey on Cloud forensics and critical criteria for Cloud forensic capability: A preliminary analysis • Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie, Cloud Forensics • Keyun Ruan, University College Dublin, Cloud Forensics: challenges & opportunitiess, 2010 • NIST Cloud Computing Forensic Science Working Group Information Technology Laboratory, NIST Cloud Computing Forensic Science Challenges, June 2014 • Peter Mell Timothy Grance, NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011 • Report From the First Digital Forensic Research Workshop (DFRWS), A Road Map for Digital Forensic Research, August 2001 • Forensics-as-a-Service (FaaS): Computer Forensic Workflow Management and Processing Using Cloud. Yuanfeng Wen, Xiaoxi Man, Khoa Le and Weidong Shi • http://static1.squarespace.com/static/5417f7f9e4b0b77770545590/t/56f3c598906340a7f6e78dbd/1458816415654/AWS_Cloud_and_Security.pdf • https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf • https://alestic.com/2015/10/aws-iam-readonly-too-permissive/ • Backdooring an AWS account • Exploring an AWS account post-compromise • Disrupting AWS logging • AWS IAM "ReadOnlyAccess" Managed Policy is Too Permissive (For Us) • Access Keys will kill you before you kill the password • Account Jumping Post Infection Persistency and Lateral Movement in AWS • Disrupt CloudTrail and pwning automation tools • RSA 2017 talk: Cloud Security Automate or Die, same tittle as mine but a bit different approach • RSA 2017 talk: Securing Serverless applications in the Cloud • RSA 2017 talk: DevSecOps on the Offense: Automating Amazon Web Services Account Takeover • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/when-a-web-application-ssrf-causes-the-cloud-to-rain-credentials-and-more/ • https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235

Notas do Editor

  1. Contents: Dealing with Incidents AWS specifics Attacks Incident Response Assessment and Hardening
  2. PCI-DSS compliance other for NIST, etc. Kinda Immutable infrastructure / instances (bastion) Logging externally, config management, monitoring Blue-green upgrades Canary upgrades
  3. x1.32xlarge = $13.338 hourly 1952.0 GB RAM 128 vCPUs 3840.0 GB (2 * 1920.0 GB SSD) 25 Gigabit Network
  4. Amazon Macie
  5. Bamboo, Jenkins…
  6. https://gist.github.com/toniblyx/d2cae4f4b4cb74524dc1f7b198d024c2 How to prevent this hack?? Change spotlight keys shortcut and don´t trust USBs!
  7. https://cloudonaut.io/aws-monitoring-primer/
  8. Assess other systems running in the same VPC Was the instance running in a role? Do we have flow logs we can grab and archive for the incident? Do we need to do live response? Do we need to preserve a snapshot for offline forensics?
  9. Many companies like Netflix, Google, Facebook, AirBnB or Adobe are working in cloud forensics automation
  10. Low hanging fruit
  11. Guardduty (CloudTrail, VPCFlowLogs and DNS queries) git-secrets (git hooks) AZURE: Azure logs Analitics (https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/log-analytics/log-analytics-overview.md) AZURE: Azurite (https://github.com/mwrlabs/Azurite) AzSDK (https://github.com/azsdk/azsdk-docs) AzureStack (https://github.com/Azure/AzureStack-Tools)