Incident Response - Eyes Everywhere

by Nathan Case, Sr. Consultant, AWS

Responding to an incident requires that you’re aware that an incident exists. To be aware that an incident exists, you have to know where to look and what to look for. In this session, you will learn the tools and techniques to take in the breadth of visibility that AWS offers to your environment as well as some ideas on how to inspect events of interest and identify indicators of compromise.

  1. Incident Response: Eyes Everywhere
  2. Agenda
     • Definition of Incident Response
     • Different types of incidents
     • Event Management
     • SIRS
     AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved. Incident Response v4.0
  3. Goals
     • Become aware of indicators of security incidents
     • Classify incident types
     • Discover sources of information to respond to an incident
     • Understand incident response workflows
     • Learn to prepare for incidents
  4. Definition: Incident Response is an organized approach to addressing and managing the aftermath of a security breach or attack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
  5. IR Principles
     • Establish goals
     • Respond using the cloud
     • Know what you have and what you need
     • Do things that scale
     • Use redeployment mechanisms
     • Iteratively automate the mundane
     • Learn and improve your process
  6. IR Lifecycle: Establish control → Determine impact → Recover as needed → Investigate root cause → Improve
  7. Finding the signal. Incident: a deviation from your [security] baseline.
  8. Understanding Normal
  9. Indicators
     • Logs and monitors
     • Billing activity
     • Threat intelligence
     • AWS outreach
     • Ad hoc contact
  10. Response Time Comparison (example)
     • Traditional datacenter response: get logs, analyze, correlate, trace origin, locate, remediate
     • AWS response: event delivered, rule matched, alert sent, correlate, check baseline, remediate
     Both paths are plotted against time, with "incident detected" marked on the timeline.
  11. Understand Your Attack Surface: Incident Response Domains
     • Infrastructure: VPC, resources, connectivity, on-instance, ...
     • Application: patching issue, code insecurity, ...
  12. Incidents in the Infrastructure Domain (diagram): VPC CIDR 10.0.0.0/16 across Availability Zones A, B and C; subnets 10.0.0.0/19 (public), 10.0.32.0/20 (private) and 10.0.48.0/21 (sensitive); tiers Bastion, App, Web; controls: security groups, route table, NACLs, Internet Gateway. Example incident: instance compromise.
  13. Understand Your Attack Surface: Incident Response Domains
     • Infrastructure: VPC, resources, connectivity, on-instance, ...
     • Service: IAM, S3 buckets, billing, ...
     • Application: patching, coding hole, ...
  14. Incidents in the Service Domain (same VPC diagram as slide 12). Example incidents: credentials, S3 bucket policies, changes in permissions.
  15. Understand Your Attack Surface: Incident Response Domains
     • Infrastructure: VPC, resources, connectivity, on-instance, ...
     • Service: IAM, S3 buckets, billing, ...
     • Application: patching, coding hole, ...
     • Other?
  16. Types of Incidents
     • Compliance variance
     • Service disruption
     • Unauthorized resources
     • Unauthorized access
     • Privilege escalation
     • Persistence
     • Excessive permissions
     • Information exposure
     • Credentials exposure
  17. Types of Incidents (repeat of slide 16)
  18. INCIDENT MANAGEMENT
  19. Definition (repeat of slide 4)
  20. IR Lifecycle (repeat of slide 6)
  21. IR Lifecycle: Establish control
     • Can I log into the console?
     • Can I log into the instance?
     • Can I review/copy logs/CloudTrail?
     • Can I copy information to a forensics account?
     • Can I rotate credentials?
     • Can I review billing?
     • Can I isolate the instance?
  22. IR Lifecycle: Determine impact
     • Review logs/CloudTrail/VPC Flow Logs for changes
     • Review account resources
     • Review billing
     • Review access permissions
     • Review data loss and targets
  23. IR Lifecycle: Recover as needed
     • Do I remove instances?
     • Do I change security groups?
     • Do I remove the user?
     • Do I change credentials?
     • Do I recover security groups?
  24. IR Lifecycle: Investigate root cause
     • How did this happen?
     • Why did this happen?
     • Who did it?
     • How can we stop it from happening again?
  25. IR Lifecycle: Improve
     • Improve our systems and processes
     • Iterate. Iterate. Iterate. Iterate.
  26. AWS Support Escalation Path. In situations where an escalation is required, customers can follow a pre-defined escalation path:
     – Submit a Support Case
     – Technical Account Manager
     – On-call Operation Manager
     – Global Enterprise Support Manager
     – Director of Support Engineering
     – VP of AWS Support
  27. Preparation
     • Keep a pre-configured forensics AMI on hand
     • Decide on the forensic procedure
     • Create IAM roles for incident responders and for the forensic workstation
  28. Third Party Tools
     • Response: AWS IR (ThreatResponse)
     • Case Management: Incident Pony (ThreatResponse)
     • Networking: Moloch, Wireshark
     • Enterprise: Mandiant, EnCase, Forensic Tool Kit, Google Rapid Response
     • Memory Capture: Fastdump, FTK Imager, LiME, Margarita Shotgun (ThreatResponse)
  29. SECURITY INCIDENT RESPONSE SIMULATIONS
  30. What's a SIRS?
     • Security Incident Response Simulations (SIRS) are internal events that provide a structured opportunity to practice your incident response plan during a realistic scenario.
     • SIRS events are fundamentally about being prepared and iteratively improving your response capabilities.
  31. Working back from customers. Customers voice the following reasons why they want to perform SIRS:
     – Validate readiness
     – Develop confidence
     – Learn from and train staff
     – Generate artifacts for accreditation
     – Be agile
     – Incremental improvement with laser focus
     – Become faster and improve tools
     – Refine escalation and communication
     – Develop comfort with the rare and the creative
  32. Preparing for a simulation
     1. Find an issue of importance.
     2. Find skilled security geeks.
     3. Build a realistic model system.
     4. Build and test the scenario elements.
     5. Invite other security geeks and real people.
     6. Run the simulation live.
     7. Get better and repeat.
  33. Key Simulation Elements: Scenario Build Process Test Live Event
  34. When should I contact AWS? If you are planning SIRS:
     – Obtain permission to perform penetration testing/scanning.
     – Confirm the SIRS does not violate the AWS Acceptable Use Policy.
  35. AWS Security Partner Solutions
  36. Any Questions?
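The deck defines an incident as a deviation from your baseline (slide 7), lists the incident types to classify (slide 16) and asks you to review CloudTrail for changes when establishing control and determining impact (slides 21 and 22). The script below is an added example, not code from the presentation or from AWS: it triages CloudTrail-style records offline against a constructed baseline (trusted source ranges), maps indicator API calls to the deck's incident types, and treats a non-IP sourceIPAddress (an AWS service calling on your behalf) as in-baseline. The trusted networks, the eventName-to-type table and the sample records are all assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed baseline (slide 7: an incident is a deviation from your security baseline).
TRUSTED_NETS = [ip_network("10.0.0.0/16"), ip_network("203.0.113.0/24")]

# CloudTrail eventName -> incident type from the "Types of Incidents" slide (assumed mapping).
INDICATORS = {
    "CreateAccessKey": "Persistence", "AttachUserPolicy": "Privilege escalation",
    "PutBucketPolicy": "Information exposure", "AuthorizeSecurityGroupIngress": "Unauthorized access",
    "StopLogging": "Compliance variance",  # trail tampering: "Can I review CloudTrail?" becomes no
}

def source_in_baseline(source):
    """True if the call came from a trusted range; sourceIPAddress is not always an IP."""
    try:
        return any(ip_address(source) in net for net in TRUSTED_NETS)
    except ValueError:
        return True  # e.g. "cloudformation.amazonaws.com": an AWS service acting for you

def triage(records):
    """One finding per record that matches an indicator or deviates from the baseline."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        reasons = ["indicator event"] if name in INDICATORS else []
        if not source_in_baseline(rec.get("sourceIPAddress", "")):
            reasons.append("source outside baseline")
        if reasons:
            findings.append({"eventTime": rec.get("eventTime"), "eventName": name, "reasons": reasons,
                             "identity": rec.get("userIdentity", {}).get("arn", "unknown"),
                             "type": INDICATORS.get(name, "Unauthorized access")})
    return findings

def record(time, name, source, arn):
    # Constructed CloudTrail-style record trimmed to the fields triage() reads.
    return {"eventTime": time, "eventName": name, "sourceIPAddress": source, "userIdentity": {"arn": arn}}

ALICE, DEPLOYER = "arn:aws:iam::123456789012:user/alice", "arn:aws:iam::123456789012:role/Deployer"
SAMPLE_TRAIL = [  # constructed sample data, not real log output
    record("2018-05-01T10:00:00Z", "RunInstances", "10.0.5.14", DEPLOYER),
    record("2018-05-01T10:00:05Z", "DescribeInstances", "cloudformation.amazonaws.com", DEPLOYER),
    record("2018-05-01T10:02:11Z", "CreateAccessKey", "198.51.100.7", ALICE),
    record("2018-05-01T10:03:40Z", "AttachUserPolicy", "198.51.100.7", ALICE),
    record("2018-05-01T10:05:02Z", "PutBucketPolicy", "198.51.100.7", ALICE),
    record("2018-05-01T10:06:30Z", "StopLogging", "198.51.100.7", ALICE),
    record("2018-05-01T10:09:00Z", "AuthorizeSecurityGroupIngress", "10.0.5.14", DEPLOYER),
]
```

Running `triage(SAMPLE_TRAIL)` yields five findings: the four off-baseline calls by alice, each tagged with its incident type, plus the security group change made from inside the baseline, which is flagged on the indicator alone.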