(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
Report
Amazon Web ServicesFollow
Nov. 19, 2014•0 likes•12,157 views
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
Nov. 19, 2014•0 likes•12,157 views
Download to read offline
Report
Technology
You've employed the practices outlined for incident detection, but what do you do when you detect an incident in the cloud? This session walks you through a hypothetical incident response on AWS. Learn to leverage the unique capabilities of the AWS environment when you respond to an incident, which in many ways is similar to how you respond to incidents in your own infrastructure. This session also covers specific environment recovery steps available on AWS.
Amazon Web ServicesFollow
Recommended
Building a Hyper Secure VPC on AWS with PuppetTim Nolet
(SEC301) Strategies for Protecting Data Using Encryption in AWSAmazon Web Services
Moving the needle on cloud security - AWS Summit AtlantaChris Farris
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...Amazon Web Services
Cloud Security At Netflix, October 2013Jay Zarfoss
(SEC401) Encryption Key Storage with AWS KMS at OktaAmazon Web Services
More Related Content
What's hot
February 2016 Webinar Series - Best Practices for IoT Security in the CloudAmazon Web Services
Zero to Sixty: AWS OpsWorks (DMG202) | AWS re:Invent 2013Amazon Web Services
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013Amazon Web Services
AWS Re:Invent - Securing HIPAA Compliant Apps in AWSControl Group
What's (nearly) new | AWS Security RoadshowAmazon Web Services
AWS Elastic Beanstalk under the Hood (DMG301) | AWS re:Invent 2013Amazon Web Services
Similar to (SEC404) Incident Response in the Cloud | AWS re:Invent 2014
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...QCloudMentor
Continuous Delivery: The Next FrontierCarlos Sanchez
My First Big Data ApplicationAmazon Web Services
Build, migrate and deploy apps for any environment with project Hammr , OW2co...OW2
Spraykatz installation & basic usageSylvain Cortes
Automating Container Deployments on Virtualization with Ansible: OpenShift on...Laurent Domb
More from Amazon Web Services
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
Costruire Applicazioni Moderne con AWSAmazon Web Services
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
Open banking as a serviceAmazon Web Services
Recently uploaded
Accelerating Data Science through Feature Platform, Transformers and GenAIFeatureByte
Connecting the Dots: Early Insights from Customer Journey Mapping with Graphs...Neo4j
Webinar : L&H Insurance in the 21st Century: Navigating Antimicrobial Resista...The Digital Insurer
Product Research PresentationDeahJadeArellano
WaveTech Investor PresentationDan Spottsville
Recommendation Modeling with Impression Data at NetflixJiangwei Pan
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
- 6. Configuration Amazon S3 Amazon EC2 Amazon VPC IAM Amazon RDS Elastic Beanstalk Security Group VPC Subnet Amazon S3 Bucket Groups, Users, Credentials Applications Amazon RDS DB Instances Objects Instances Internet Gateways Customer AWS Traditional IR This Talk
- 12. Its Here AndHere AndHere AndHere
- 29. "accessKeyId": "AKIAJLMGEGEAYMFNTH2Q", "accessKeyId": "ASIAJNH65GHCSCYCGEUQ",
- 43. beetle@forensics:~$ ping intern PING intern (54.173.32.252) 56(84) bytes of data. 64 bytes from 54.173.32.252: icmp_seq=1 ttl=63 time=1.34 ms 64 bytes from 54.173.32.252: icmp_seq=2 ttl=63 time=1.10 ms 64 bytes from 54.173.32.252: icmp_seq=3 ttl=63 time=1.30 ms 64 bytes from 54.173.32.252: icmp_seq=4 ttl=63 time=1.50 ms 64 bytes from 54.173.32.252: icmp_seq=5 ttl=63 time=1.25 ms ^C ---54.173.32.252 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4006ms rttmin/avg/max/mdev= 1.108/1.302/1.500/0.135 ms
- 44. beetle@forensics:~/tools$ uname-a Linux ip-172-30-4-4 3.13.0-36-generic #63-Ubuntu SMP WedSep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux beetle@forensics:~/tools$ scp-i beetle-demo-1.pem ./lime* ubuntu@intern:/tmp lime-3.13.0-36-generic.ko 100% 9896 9.7KB/s 00:00 beetle@forensics:~/tools$ ssh-i beetle-demo-1.pem ubuntu@intern WelcometoUbuntu14.04.1 LTS (GNU/Linux 3.13.0-36-generic x86_64) ... ubuntu@intern:~$ cd /tmp ubuntu@intern:/tmp$ ls lime-3.13.0-36-generic.ko ubuntu@intern:/tmp$ sudo insmod lime*.ko "path=tcp:4444 format=lime"
- 45. beetle@forensics:~/volatility$ ncintern 4444 > intern_memory.lime
- 46. beetle@forensics:~$ zip internUbuntu14.zip module.dwarf /boot/System.map-`uname-r` adding: module.dwarf(deflated 90%) adding: boot/System.map-3.13.0-36-generic (deflated 79%) beetle@forensics:~$ cpinternUbuntu14.zip ~/volatility beetle@forensics:~$ cd volatility beetle@forensics:~/volatility$ python vol.py--info | grepLinux Volatile Systems Volatility Framework 2.2 LinuxinternUbuntu14x64 -A Profile for Linux internUbuntu14 x64
- 47. beetle@forensics:~/volatility$ python vol.py-f ~/intern_memory.lime --profile=LinuxinternUbuntu14x64 linux_pstree| more Volatile Systems Volatility Framework 2.2 Name PidUid init 1 149534510806724 .dhclient598 149534603226500 .rsyslogd787 149534603906244 .getty912 149533581563780 .sshd953 149534583307268 ..sshd1191 149534598143556 ...sshd1244 149534511131844 ....bash 1245 149534510056196 .....sudo1262 149534509945412 ......insmod1263 149534512334340 .cron 957 149534593742340
- 48. beetle@forensics:~/volatility$ python vol.py-f ~/target_memory.lime --profile=LinuxinternUbuntu14x64 linux_bash–H 0x6fd618 -P | more Volatile Systems Volatility Framework 2.2 Command Time Command --------------------------- #1415809185 sudoapt-getupdate #1415809185 sudoapt-get upgrade #1415809185 sudoshutdown -r now #1415809192 cd /tmp #1415809194 ls #1415809258 sudoinsmodlime*.ko"path=tcp:4444 format=lime"
- 49. beetle@forensics:~/volatility$ python vol.py-f ~/target_memory.lime --profile=LinuxinternUbuntu14x64 linux_ifconfig Volatile Systems Volatility Framework 2.2 Interface IP Address MAC Address PromiscousMode --------------------------------------------------------------------- lo 127.0.0.1 00:00:00:00:00:00 False eth0 172.30.4.75 00:00:00:00:00:00 False
- 50. beetle@forensics:~/volatility$ python vol.py-f ~/target_memory.lime --profile=LinuxinternUbuntu14x64 linux_check_modules Volatile Systems Volatility Framework 2.2 Module Name -----------
- 58. http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMGettingStarted.html http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html http://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html • http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html http://docs.aws.amazon.com/AmazonS3/latest/dev/MultiFactorAuthenticationDelete.html
- 62. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals