(SEC316) Harden Your Architecture w/ Security Incident Response Simulations


Using Security Incident Response Simulations (SIRS, also commonly called IR Game Days) regularly keeps your first responders in practice and ready to engage in real events. SIRS help you identify and close security gaps in your platform and application layers, then validate your ability to respond. In this session, we share a straightforward method for conducting SIRS. AWS enterprise customers then take the stage to share their experience running joint SIRS with AWS on their AWS architectures. Learn about detection, containment, data preservation, security controls, and more.

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. October 2015. SEC316: Hardening Your Architecture with Security Incident Response Simulations. Armando Leite, AWS Professional Services; Jon Miller, AWS Security Technical Program Manager; Rob Witoff, Coinbase Director.
  2. Here is what you get today… • SIRS: What is it? • Demo • Case study • How to engage AWS • Get your game on
  3. SIRS: What is it? Inspiration: “Nothing gives one person so much advantage over another as to remain always cool and unruffled under all circumstances.” – Thomas Jefferson
  4. Ariana Grande speaks to simulation: “Dancing in high heels is kind of tough. I learn the dances without the heels, and then we add them. We just practice, and I get used to it. My feet hurt really badly at the end of the shows, but it’s fun. While it’s happening it’s fun. I feel tall.” Did she get it right? Quote from https://www.brainyquote.com/quotes/quotes/a/arianagran571274.html
  5. Working backward: what do customers want? 1. Validate readiness 2. Generate artifacts for accreditation 3. Be agile – incremental with laser focus 4. Get faster and improve tools 5. Refine escalation and communication 6. Get confident – learn from and train staff 7. Get comfortable with the rare and the creative
  6. Security Incident Response Simulations: 1. Find an issue of importance. 2. Find skilled security geeks. 3. Build a realistic model system. 4. Build and test the scenario elements. 5. Invite other security geeks and real people. 6. Run the simulation live. 7. Get better and repeat.
  7. Key simulation elements: Scenario, Build, Process, Live event, Test
  8. Prevent spoilers
  9. Finish at the end
  10. Demo
  11. SIRS setup. Scenario: • Unauthorized modification of content on a public-facing website. Core participants: • Application engineer • Implementer • Responder. Key events/injects: • Inject 1: External-facing website is modified. • Inject 2: Abuse notification received. • Inject 3: Unauthorized resources spun up.
  12. Process under test: Establish control → Determine impact → Recover as needed → Investigate root cause → Improve
  13. Let the games begin!
  14. Actions taken
      Gather information about the affected instance:
        aws ec2 describe-instances --filters "Name=ip-address,Values=xx.xx.xx.xx"
      Deploy a "block" security group (this replaces every group on the instance's primary network interface):
        aws ec2 modify-instance-attribute --instance-id i-25xxxxfe --groups sg-27xxxx43
      Tag the instance to mark it as under investigation:
        aws ec2 create-tags --resources i-xxxxxxxx --tags "Key=Environment,Value=Quarantine:REFERENCE-ID"
      Create a snapshot of the volume for forensic analysis:
        aws ec2 create-snapshot --volume-id vol-xxxx --description "IR-ResponderName-Date-REFERENCE-ID"
  15. Process under test: Establish control → Determine impact → Recover as needed → Investigate root cause → Improve
  16. Actions taken: Imaging instance memory with LiME (https://github.com/504ensicslabs/lime). Recovering the application with AWS CodeDeploy.
  17. Postmortem…
  18. Investigation – Check instance access logs (annotated log excerpt; entry at 11:01 PM 24 JUN 2015)
  19. Investigation – Check AWS CloudTrail API logs
  20. Investigation – Correlate events: match!
  21. Investigation – Blocked successfully
  22. Wrap up simulation: Handoff correspondence. Capture artifacts, logs, communications.
  23. Event retrospective: Continue… start… stop.
  24. Game retrospective: Continue… start… stop.
  25. Case study
  26. SIRS works in all industries: Enterprise, Government, Startup
  27. Coinbase. Scenario: • Advanced threat with escalated privileges • Rapid and adversarial • Crypto-ransom. Outcome: Successful • Rapid response and recovery • Data protection • Root cause investigation • Risk elimination
  28. WHAT I’M ABOUT TO SHOW YOU WAS A CONTAINED SIMULATION. NO CUSTOMER DATA, FUNDS OR SERVICES WERE, OR EVER WILL BE, AT INCREASED RISK.
  29. Observe | Orient | Decide | Act
  30. Observe | Orient | Decide | Act; scanning | servers | ssh | snapshots | aws
  31. Observe | Orient | Decide | Act; scanning | servers | ssh | snapshots | aws | ???
  32. Observe | Orient | Decide | Act; Team #1: CloudTrail Pipeline
  33. CloudTrail → Amazon S3 → AWS Lambda → Amazon Kinesis →
  34. coinbase.com
  35. Observe | Orient | Decide | Act; scanning | servers | ssh | snapshots | aws | ???
  36. Observe | Orient | Decide | Act; scanning | servers | ssh | snapshots | aws
  37. scanning | servers | ssh | snapshots | aws; Observe | Orient | Decide | Act
  38. scanning | servers | ssh | snapshots | aws; Observe | Orient | Decide | Act; team #2, team #3
  39. team #2, team #3
  40. team #2, team #3: snapshot → stop → d2.8xlarge → mount → grep
  41. team #2, team #3
  42. team #2, team #3
  43. team #2, team #3
  44. team #2, team #3
  45. team #2, team #3
  46. team #2, team #3
  47. coinbase.com
  48. Thanks, Coinbase!
  49. Engage AWS
  50. When should I engage AWS Support? Engage AWS Support any time an event might be occurring that affects your ideal operational state.
  51. When should I contact AWS Security? If you are planning SIRS: • Obtain permission to perform penetration testing/scanning. • Confirm the SIRS does not violate the AUP.
  52. Engage support
  53. Engaging human support: You → Cloud support engineer (CSE), available with Support; Technical account manager (TAM), your relationship POC, available with Enterprise Support; Subject matter experts (SME).
  54. Go here… https://aws.amazon.com/contact-us/
  55. Get your game on
  56. Is your architecture built for IR? • Real-time monitoring • Logs at the ready • Tagged for escalation • Rapid recovery • Rapid data preservation • Forensic instances • Late binding privileges for responders
  57. Key simulation elements: Scenario, Build, Process, Live event, Test. No worries
  58. Pick a scenario to try and get started: 1. Web server application layer issue recovery 2. Log dive for artifacts 3. Data preservation 4. Credential rotation 5. Responding to alerts 6. Some sort of insider threat 7. Business owner and external communications
  59. https://aws.amazon.com/professional-services/
  60. Remember to complete your evaluations!
  61. Thank you! Josh du Lac, Hart Rossman, Don Bailey, Khaja, Graham, AWS Support, AWS Abuse team, EC2 Security team, and many more who helped make these events possible
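Slide 14's four CLI steps (describe, block, tag, snapshot), scripted as an added example with the boto3 method names those commands map to. This is example code, not AWS's or the speakers' own tooling. It generalizes the slide in two ways: it snapshots every attached EBS volume rather than one, and it records the instance's original security groups in a tag before replacing them, so the "Recover as needed" step on slide 12 has something to restore. The `ec2` argument is anything exposing the boto3 EC2 client methods used (`describe_instances`, `modify_instance_attribute`, `create_tags`, `create_snapshot`); `FakeEC2`, the instance, group and volume IDs, the `IR-*` tag keys and the `quarantine_instance` name are constructed for the example.

```python
"""Containment runbook for one compromised EC2 instance (added example, not
AWS's code). Scripts slide 14's steps against any object with the boto3 EC2
client methods used below, so it runs offline against the constructed
FakeEC2 and live against boto3.client("ec2"). All IDs are constructed."""
import copy
from datetime import datetime, timezone


def quarantine_instance(ec2, public_ip, quarantine_sg, reference_id, responder, now=None):
    """Isolate, tag and preserve the instance that owns public_ip.

    Order matters: network isolation first, then preservation. Nothing here
    stops or terminates the instance, which would destroy the volatile memory
    that slide 16 images with LiME."""
    now = now or datetime.now(timezone.utc)
    resp = ec2.describe_instances(Filters=[{"Name": "ip-address", "Values": [public_ip]}])
    instances = [i for r in resp["Reservations"] for i in r["Instances"]]
    if len(instances) != 1:
        raise LookupError(f"expected one instance for {public_ip}, found {len(instances)}")
    inst = instances[0]
    instance_id = inst["InstanceId"]
    original_sgs = [g["GroupId"] for g in inst.get("SecurityGroups", [])]

    # 1. Establish control: Groups= replaces every group on the primary ENI
    #    (secondary ENIs need modify_network_interface_attribute each).
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])

    # 2. Tag for escalation; keeping the original groups makes recovery a one-liner.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Environment", "Value": f"Quarantine:{reference_id}"},
        {"Key": "IR-OriginalSecurityGroups", "Value": ",".join(original_sgs)},
        {"Key": "IR-Responder", "Value": responder},
    ])

    # 3. Preserve: snapshot every attached EBS volume, not only the root device,
    #    using slide 14's IR-Responder-Date-Reference naming.
    desc = f"IR-{responder}-{now:%Y%m%d}-{reference_id}"
    snapshots = {}
    for mapping in inst.get("BlockDeviceMappings", []):
        vol_id = mapping["Ebs"]["VolumeId"]
        snapshots[vol_id] = ec2.create_snapshot(VolumeId=vol_id, Description=desc)["SnapshotId"]
    return {"instance_id": instance_id, "original_sgs": original_sgs,
            "snapshots": snapshots, "description": desc}


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so the runbook runs offline."""

    def __init__(self, instances):
        self.instances = {i["InstanceId"]: copy.deepcopy(i) for i in instances}
        self.tags, self.snapshots = {}, []

    def describe_instances(self, Filters):
        wanted = set(Filters[0]["Values"])
        hits = [i for i in self.instances.values() if i.get("PublicIpAddress") in wanted]
        return {"Reservations": [{"Instances": hits}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})

    def create_snapshot(self, VolumeId, Description):
        snap = {"SnapshotId": f"snap-{len(self.snapshots):08x}", "VolumeId": VolumeId,
                "Description": Description}
        self.snapshots.append(snap)
        return snap


# Constructed inventory: one web server with a root volume and a data volume.
SAMPLE_INSTANCES = [{
    "InstanceId": "i-0123456789abcdef0", "PublicIpAddress": "203.0.113.10",
    "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
    "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-root"}}, {"Ebs": {"VolumeId": "vol-data"}}],
}]


def demo():
    ec2 = FakeEC2(SAMPLE_INSTANCES)
    result = quarantine_instance(ec2, "203.0.113.10", "sg-quarantine", "IR-0624", "responder1",
                                 now=datetime(2015, 6, 24, tzinfo=timezone.utc))
    return ec2, result
```

Pass `boto3.client("ec2")` in place of `FakeEC2` to run it for real. Two caveats from practice: `Groups=` on `modify_instance_attribute` only touches the primary network interface, so instances with secondary ENIs need `modify_network_interface_attribute` per interface; and the runbook deliberately never stops the instance, because slide 16's memory image with LiME has to be taken first, and slide 40's Coinbase sequence (snapshot, then stop, then mount on a d2.8xlarge forensic instance) keeps the same order.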

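Slide 33's pipeline (CloudTrail → S3 → Lambda → Kinesis) and the slides 18-20 investigation both come down to reading CloudTrail records, so one added example covers both. This is example code, not AWS's or Coinbase's. `flag_record` is the rule logic a Lambda stage fed from the CloudTrail delivery bucket would apply to each record; `correlate` lines the host's access log up with the API calls made in the same window, which is what slide 20's "match!" shows. The record fields used (`eventName`, `eventTime`, `sourceIPAddress`, `userIdentity`, `requestParameters`) and the gzipped `Records` object layout are CloudTrail's; the rule set, function names, and every sample record and log line are constructed.

```python
"""CloudTrail triage, as an added example (not AWS's or Coinbase's code).
Serves two passages: the Lambda stage of slide 33's pipeline, which flags
API records as they arrive, and the slide 18-20 investigation, which lines
up a host's access log with API calls made around the same time. Record
shapes follow the CloudTrail JSON format; all sample data is constructed."""
import gzip
import json
from datetime import datetime, timedelta, timezone


def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2015-06-24T23:01:12Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_record(rec):
    """Return why a record deserves a responder's attention, or None."""
    name = rec.get("eventName", "")
    params = rec.get("requestParameters") or {}
    if name == "ModifySnapshotAttribute":
        # Snapshot shared to another account: exfiltration that leaves no
        # trace on the instance itself (slide 30's 'snapshots' step).
        adds = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
        if adds:
            return "snapshot shared with " + ",".join(
                str(a.get("userId") or a.get("group")) for a in adds)
    if name == "AuthorizeSecurityGroupIngress":
        # SSH opened to the world (slide 30's 'ssh' step).
        for perm in params.get("ipPermissions", {}).get("items", []):
            lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
            ranges = perm.get("ipRanges", {}).get("items", [])
            if lo <= 22 <= hi and any(r.get("cidrIp") == "0.0.0.0/0" for r in ranges):
                return "ssh open to 0.0.0.0/0"
    if name in ("RunInstances", "CreateAccessKey", "StopLogging", "DeleteTrail"):
        # Unauthorized resources (slide 11, inject 3), new credentials, or the
        # trail being blinded. In production, scope this to unexpected identities.
        who = rec.get("userIdentity", {})
        return f"{name} by {who.get('userName') or who.get('type')}"
    return None


def lambda_handler(event, context=None):
    """Slide 33's Lambda stage. CloudTrail delivers gzipped JSON objects with
    a top-level 'Records' list; to stay offline this takes the object bytes
    in event['objects'] rather than fetching them from S3 by key."""
    flagged = []
    for body in event["objects"]:
        for rec in json.loads(gzip.decompress(body))["Records"]:
            reason = flag_record(rec)
            if reason:
                flagged.append((rec["eventTime"], rec.get("sourceIPAddress"), reason))
    return flagged


def parse_access_line(line):
    """Combined log format: client IP first, timestamp in [dd/Mon/yyyy:HH:MM:SS +zzzz]."""
    ip, rest = line.split(" ", 1)
    stamp = rest[rest.index("[") + 1:rest.index("]")]
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def correlate(access_lines, records, window=timedelta(minutes=5)):
    """Slides 18-20: list the API calls made within `window` of each access-log
    line. A shared source IP turns 'near in time' into slide 20's 'match!'."""
    matches = []
    for line in access_lines:
        ip, t = parse_access_line(line)
        for rec in records:
            gap = abs(parse_event_time(rec["eventTime"]) - t)
            if gap <= window:
                matches.append({"access_ip": ip, "event": rec["eventName"],
                                "same_ip": rec.get("sourceIPAddress") == ip,
                                "gap_seconds": int(gap.total_seconds())})
    return matches


# Constructed sample data: a defacement POST, then API calls from the same IP.
SAMPLE_RECORDS = [
    {"eventTime": "2015-06-24T23:01:12Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"instanceType": "c4.8xlarge"}},
    {"eventTime": "2015-06-24T23:04:40Z", "eventName": "ModifySnapshotAttribute",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"snapshotId": "snap-0a1b2c3d",
                           "createVolumePermission": {"add": {"items": [{"userId": "111122223333"}]}}}},
    {"eventTime": "2015-06-24T18:30:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops"}, "requestParameters": {}},
]
SAMPLE_ACCESS_LOG = [
    '203.0.113.77 - - [24/Jun/2015:23:01:09 +0000] "POST /admin/pages/home HTTP/1.1" 200 512',
    '198.51.100.9 - - [24/Jun/2015:12:00:00 +0000] "GET / HTTP/1.1" 200 2048',
]


def demo():
    gz = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())
    return lambda_handler({"objects": [gz]}), correlate(SAMPLE_ACCESS_LOG, SAMPLE_RECORDS)
```

The handler takes the gzipped object bytes directly instead of an S3 event so it runs offline; a deployed version would first fetch each object named in the event's `s3.object.key`. Alert fidelity depends on the identity as much as the call: `RunInstances` from the deployment role is routine, while the same call from a console user three seconds after the defacement POST is slide 11's third inject, so production rules should key on who made the call, not only what was called.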