(SEC404) Incident Response in the Cloud | AWS re:Invent 2014

You've employed the practices outlined for incident detection, but what do you do when you detect an incident in the cloud? This session walks you through a hypothetical incident response on AWS. Learn to leverage the unique capabilities of the AWS environment when you respond to an incident, which in many ways is similar to how you respond to incidents in your own infrastructure. This session also covers specific environment recovery steps available on AWS.

  1. [Diagram: configuration items across Amazon S3, Amazon EC2, Amazon VPC, IAM, Amazon RDS and Elastic Beanstalk (security groups, VPC subnets, S3 buckets and objects, IAM groups, users and credentials, Elastic Beanstalk applications, RDS DB instances, EC2 instances, internet gateways); legend: Customer, AWS, Traditional IR, This Talk]
  2. It's here. And here. And here. And here.
  3. https://s3.amazonaws.com/reinvent2014-sec402/SecConfig.py
  4. https://s3.amazonaws.com/reinvent2014-sec402/SecConfig.py
  5. "accessKeyId": "AKIAJLMGEGEAYMFNTH2Q",
  6. "accessKeyId": "AKIAJLMGEGEAYMFNTH2Q",
     "accessKeyId": "ASIAJNH65GHCSCYCGEUQ",
  7. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#SG_Changing_Group_Membership
  8. beetle@forensics:~$ ping intern
     PING intern (54.173.32.252) 56(84) bytes of data.
     64 bytes from 54.173.32.252: icmp_seq=1 ttl=63 time=1.34 ms
     64 bytes from 54.173.32.252: icmp_seq=2 ttl=63 time=1.10 ms
     64 bytes from 54.173.32.252: icmp_seq=3 ttl=63 time=1.30 ms
     64 bytes from 54.173.32.252: icmp_seq=4 ttl=63 time=1.50 ms
     64 bytes from 54.173.32.252: icmp_seq=5 ttl=63 time=1.25 ms
     ^C
     --- 54.173.32.252 ping statistics ---
     5 packets transmitted, 5 received, 0% packet loss, time 4006ms
     rtt min/avg/max/mdev = 1.108/1.302/1.500/0.135 ms
  9. beetle@forensics:~/tools$ uname -a
     Linux ip-172-30-4-4 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
     beetle@forensics:~/tools$ scp -i beetle-demo-1.pem ./lime* ubuntu@intern:/tmp
     lime-3.13.0-36-generic.ko                          100% 9896     9.7KB/s   00:00
     beetle@forensics:~/tools$ ssh -i beetle-demo-1.pem ubuntu@intern
     Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-36-generic x86_64)
     ...
     ubuntu@intern:~$ cd /tmp
     ubuntu@intern:/tmp$ ls
     lime-3.13.0-36-generic.ko
     ubuntu@intern:/tmp$ sudo insmod lime*.ko "path=tcp:4444 format=lime"
  10. beetle@forensics:~/volatility$ nc intern 4444 > intern_memory.lime
  11. beetle@forensics:~$ zip internUbuntu14.zip module.dwarf /boot/System.map-`uname -r`
      adding: module.dwarf (deflated 90%)
      adding: boot/System.map-3.13.0-36-generic (deflated 79%)
      beetle@forensics:~$ cp internUbuntu14.zip ~/volatility
      beetle@forensics:~$ cd volatility
      beetle@forensics:~/volatility$ python vol.py --info | grep Linux
      Volatile Systems Volatility Framework 2.2
      LinuxinternUbuntu14x64 - A Profile for Linux internUbuntu14 x64
  12. beetle@forensics:~/volatility$ python vol.py -f ~/intern_memory.lime --profile=LinuxinternUbuntu14x64 linux_pstree | more
      Volatile Systems Volatility Framework 2.2
      Name                 Pid    Uid
      init                 1      149534510806724
      .dhclient            598    149534603226500
      .rsyslogd            787    149534603906244
      .getty               912    149533581563780
      .sshd                953    149534583307268
      ..sshd               1191   149534598143556
      ...sshd              1244   149534511131844
      ....bash             1245   149534510056196
      .....sudo            1262   149534509945412
      ......insmod         1263   149534512334340
      .cron                957    149534593742340
  13. beetle@forensics:~/volatility$ python vol.py -f ~/target_memory.lime --profile=LinuxinternUbuntu14x64 linux_bash -H 0x6fd618 -P | more
      Volatile Systems Volatility Framework 2.2
      Command Time   Command
      ---------------------------
      #1415809185    sudo apt-get update
      #1415809185    sudo apt-get upgrade
      #1415809185    sudo shutdown -r now
      #1415809192    cd /tmp
      #1415809194    ls
      #1415809258    sudo insmod lime*.ko "path=tcp:4444 format=lime"
  14. beetle@forensics:~/volatility$ python vol.py -f ~/target_memory.lime --profile=LinuxinternUbuntu14x64 linux_ifconfig
      Volatile Systems Volatility Framework 2.2
      Interface  IP Address   MAC Address        Promiscous Mode
      ---------------------------------------------------------------------
      lo         127.0.0.1    00:00:00:00:00:00  False
      eth0       172.30.4.75  00:00:00:00:00:00  False
  15. beetle@forensics:~/volatility$ python vol.py -f ~/target_memory.lime --profile=LinuxinternUbuntu14x64 linux_check_modules
      Volatile Systems Volatility Framework 2.2
      Module Name
      -----------
  16. https://aws.amazon.com/support
  17. http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
  18. http://blogs.aws.amazon.com/security/
      https://aws.amazon.com/security
      aws-security@amazon.com
  19. http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMGettingStarted.html
      http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html
      http://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html
      http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html
      http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
      http://docs.aws.amazon.com/AmazonS3/latest/dev/MultiFactorAuthenticationDelete.html
  20. http://www.youtube.com/user/AmazonWebServices
  21. http://www.sans.org/reading-room/whitepapers/incident
      http://www.first.org/resources/guides
      http://www.cert.org/incident-management/publications/
  22. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals
