SlideShare a Scribd company logo

Security Incident Response and Forensics on AWS

Amazon Web Services
Amazon Web Services

To find out more about training on AWS, visit: https://www.qa.com/amazon AWS Pop-up Loft | London April 19, 2016

Technology
1 of 22
Download to read offline
AWS Pop-up Loft London
Dave Walker Specialist Solutions Architect, Security and Compliance 19/04/16 Incident Response and Forensics on AWS
Agenda • "Expect to be Hacked" • "Be Prepared" (and "Playing the SIRS Game") • "That looks Weird..." • Initial Response Actions • "Decisions, Decisions..." • Preserving Evidence, by Service • Analysis • Conclusions
“Be Prepared” • Be Contactable by AWS • Build an Incident Response Handbook • Train your People • Know who to Contact, about What and When • CloudFormation Everything • Maintain “Intellectual Property Holding” • Templates, golden AMIs, Database snapshots
“If it Moves, Log It” • CloudTrail • Config • CloudWatch Logs • VPC Flow Logs • ELB logs • API Endpoint Logs • Redshift Logs • …
Identification • Plenty of logging sources, what to do with them: Level 1: Log • Primarily for ‘look back’ analysis. Level 2: Alarm • Basic monitoring based in triggers Level 3: Aggregate, analyze and learn • Monitor, ingest, analyze and derive • AWS as a source of event data
Identification – Level 1: Log Resource stack Actors AWS CloudTrail Amazon S3 Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes
Identification – Level 2: Alarm Resource stack Actors AWS CloudTrail Amazon S3 monitors Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes alarm initiates AWS Config rules Admin alarm
Identification – Level 3: Aggregate Resource stack Actors AWS CloudTrail Amazon S3 monitors Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes alarm initiates AWS Config rules Admin alarm Aggregate/analyze Admin
CloudWatch Logs • What works well • Simple to set up : http://docs.aws.amazon.com/awscloudtrail/latest/userguide/use -cloudformation-template-to-create-cloudwatch-alarms.html • Limitations • Only match terms, phrases, or values in log events. • No complex matches or regular expressions
CloudWatch Logs • "ConsoleSignInAnomalyMetricFilter": { • "Type": "AWS::Logs::MetricFilter", • "Properties": { • "LogGroupName": { "Ref" : "LogGroupName" }, • "FilterPattern": "{ ($.eventName = ConsoleLogin) && ($.sourceIPAddress != 55.55.*) }", • "MetricTransformations": [ • { • "MetricNamespace": "CloudTrailMetrics", • "MetricName": "ConsoleSignInAnomalyCount", • "MetricValue": "1" • } • ] • } • },
Config Rules • What works well • Pre-packaged rules • Easy to create new rules • “Config is essentially a CMDB” • Limitations • Currently subset of EC2, EBS, VPC, CloudTrail, IAM
“Please, SIRS” • An Exercise with AWS • Injection of Events into Logs • You choose What and When • Ask your Account Manager
Initial Response Actions • Get the Right People Involved • AWS • Auditors, Regulators • Forensic Investigators (QIRAs, CESG-recommended firms)? • Police?
“Decisions, Decisions…” • “Manage and Mitigate” or “Pursue and Prosecute”? • First closes open doors, but destroys evidence • Second (in traditional environments) is a lot more hassle • Why not do both?
“Decisions, Decisions…” • Replicate • Repair • Redirect • Ringfence
Preserving Evidence, by Service Infrastructure services Container services Abstracted services Configuration plus operation Configuration  Source: “AWS Security Best Practices,” Nov 2013, p7
Best practices: EC2 & VPC • Create forensic subnets in all VPCs • All routes black-holed; all traffic stays within • Create “isolate” security groups to seal off potentially compromised hosts • Configure all AMIs to automatically mount ENIs when signalled by events
Best practices: EC2 & VPC… • Configure investigation hosts • All forensics tools installed and ready to go • Protect with deny-all SGs on forensics subnet • Set up write blockers, eg https://github.com/msuhanov/Linux- write-blocker • Additional VM help available from AWS on request
Analysis • EIR - Mandiant - EnCase - FTK - GRR • Network - Wireshark - Moloch • Memory Capture - Fastdump - FTK Imager - LiME (see Re:Invent, “Incident Response in the Cloud”)
Subnet 10.1.1.0/24 Analysis Virtual router Web server 10.1.1.60 Internet gateway Workstation 10.1.1.101 Change security group to “Isolate” Attach Elastic Network Interface with security group “forensics-target” Elastic Network Interface 10.1.201.60 Security group: “Forensics-target” (forensics target security group) Attach Elastic Network Interface with security group “forensics-target” Completely isolated subnet 10.1.201.0/24 Elastic Network Interface 10.1.201.101 Security group: “Forensics-source” (forensics source security group) Attach Elastic Network Interface with security group “forensics-source” Attach Elastic Network Interface with security group “forensics-source”
Conclusion • Many best practices are free; the rest are cheap • Configure IAM thoughtfully • Set up alarms; “snapshot” frequently • Use rich data emitted by “cloud container” for greater visibility and control • Use programmable infrastructure to automate detection (and potentially mitigation) • Always get the right people involved, at the outset • …and that includes AWS

Recommended

(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Grabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceGrabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceJP Bourget
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodYurii Bilyk
 
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response SimulationsAmazon Web Services
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWSAmazon Web Services
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSAmazon Web Services
 
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...Amazon Web Services
 

Recommended

(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Grabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceGrabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceJP Bourget
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodHow-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the HoodYurii Bilyk
 
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response Simulations(SEC316) Harden Your Architecture w/ Security Incident Response Simulations
(SEC316) Harden Your Architecture w/ Security Incident Response SimulationsAmazon Web Services
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWSAmazon Web Services
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSAmazon Web Services
 
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...Amazon Web Services
 
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Amazon Web Services
 
How to Fast Track your AppExchange App
How to Fast Track your AppExchange AppHow to Fast Track your AppExchange App
How to Fast Track your AppExchange AppCodeScience
 
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014Amazon Web Services
 
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014Amazon Web Services
 
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...Amazon Web Services
 
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...Amazon Web Services
 
Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Amazon Web Services
 
Splunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSSplunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSAmazon Web Services
 
Escape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesEscape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesSoam Acharya
 
AWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAmazon Web Services
 
12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCs12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCsVeeam Software
 
Enhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSEnhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSAmazon Web Services
 
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMRAmazon Web Services
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014Amazon Web Services
 
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...Amazon Web Services
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAmazon Web Services
 
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...Amazon Web Services
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”Amazon Web Services
 
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPASecurity & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPAAmazon Web Services
 
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 

More Related Content

Viewers also liked

Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Amazon Web Services
 
How to Fast Track your AppExchange App
How to Fast Track your AppExchange AppHow to Fast Track your AppExchange App
How to Fast Track your AppExchange AppCodeScience
 
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014Amazon Web Services
 
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014Amazon Web Services
 
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...Amazon Web Services
 
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...Amazon Web Services
 
Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Amazon Web Services
 
Splunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSSplunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSAmazon Web Services
 
Escape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesEscape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesSoam Acharya
 
AWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAmazon Web Services
 
12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCs12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCsVeeam Software
 
Enhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSEnhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSAmazon Web Services
 
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMRAmazon Web Services
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014Amazon Web Services
 
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...Amazon Web Services
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAmazon Web Services
 
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...Amazon Web Services
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”Amazon Web Services
 
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPASecurity & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPAAmazon Web Services
 

Viewers also liked (20)

Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
Intrusion Detection in the Cloud (SEC402) | AWS re:Invent 2013
 
How to Fast Track your AppExchange App
How to Fast Track your AppExchange AppHow to Fast Track your AppExchange App
How to Fast Track your AppExchange App
 
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
(BAC202) Introducing AWS Solutions for Backup and Archiving | AWS re:Invent 2014
 
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
(SEC308) Navigating PCI Compliance in the Cloud | AWS re:Invent 2014
 
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
(SEC314) Customer Perspectives on Implementing Security Controls with AWS | A...
 
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
 
Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301
 
Splunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWSSplunk Live - Security Best Practices for AWS
Splunk Live - Security Best Practices for AWS
 
Escape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS DependenciesEscape From Amazon: Tips/Techniques for Reducing AWS Dependencies
Escape From Amazon: Tips/Techniques for Reducing AWS Dependencies
 
AWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon InspectorAWS December 2015 Webinar Series - Introducing Amazon Inspector
AWS December 2015 Webinar Series - Introducing Amazon Inspector
 
12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCs12 best practices for virtualizing active directory DCs
12 best practices for virtualizing active directory DCs
 
Enhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWSEnhanced Security and Compliance with AWS
Enhanced Security and Compliance with AWS
 
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
(SEC403) Diving into AWS CloudTrail Events w/ Apache Spark on EMR
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and Results
 
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
(SEC313) Updating Security Operations for the Cloud | AWS re:Invent 2014
 
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
[AWS Days Microsoft-LA 2015]: Software Licensing Considerations for Enterpris...
 
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWSAWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
AWS Webcast - Implementing Windows and SQL Server for High Availability on AWS
 
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
AWS Partner Webcast - Step by Step Plan to Update and Migrate Microsoft Wind...
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”
 
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPASecurity & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Security Incident Response and Forensics on AWS

  • 2. Dave Walker Specialist Solutions Architect, Security and Compliance 19/04/16 Incident Response and Forensics on AWS
  • 3. Agenda • "Expect to be Hacked" • "Be Prepared" (and "Playing the SIRS Game") • "That looks Weird..." • Initial Response Actions • "Decisions, Decisions..." • Preserving Evidence, by Service • Analysis • Conclusions
  • 4. “Be Prepared” • Be Contactable by AWS • Build an Incident Response Handbook • Train your People • Know who to Contact, about What and When • CloudFormation Everything • Maintain “Intellectual Property Holding” • Templates, golden AMIs, Database snapshots
  • 5. “If it Moves, Log It” • CloudTrail • Config • CloudWatch Logs • VPC Flow Logs • ELB logs • API Endpoint Logs • Redshift Logs • …
  • 6. Identification • Plenty of logging sources, what to do with them: Level 1: Log • Primarily for ‘look back’ analysis. Level 2: Alarm • Basic monitoring based in triggers Level 3: Aggregate, analyze and learn • Monitor, ingest, analyze and derive • AWS as a source of event data
  • 7. Identification – Level 1: Log Resource stack Actors AWS CloudTrail Amazon S3 Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes
  • 8. Identification – Level 2: Alarm Resource stack Actors AWS CloudTrail Amazon S3 monitors Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes alarm initiates AWS Config rules Admin alarm
  • 9. Identification – Level 3: Aggregate Resource stack Actors AWS CloudTrail Amazon S3 monitors Captures all API interaction AWS CloudWatch Monitors AWS & application AWS Config Actions on Captures resource changes alarm initiates AWS Config rules Admin alarm Aggregate/analyze Admin
  • 10. CloudWatch Logs • What works well • Simple to set up : http://docs.aws.amazon.com/awscloudtrail/latest/userguide/use -cloudformation-template-to-create-cloudwatch-alarms.html • Limitations • Only match terms, phrases, or values in log events. • No complex matches or regular expressions
  • 11. CloudWatch Logs • "ConsoleSignInAnomalyMetricFilter": { • "Type": "AWS::Logs::MetricFilter", • "Properties": { • "LogGroupName": { "Ref" : "LogGroupName" }, • "FilterPattern": "{ ($.eventName = ConsoleLogin) && ($.sourceIPAddress != 55.55.*) }", • "MetricTransformations": [ • { • "MetricNamespace": "CloudTrailMetrics", • "MetricName": "ConsoleSignInAnomalyCount", • "MetricValue": "1" • } • ] • } • },
  • 12. Config Rules • What works well • Pre-packaged rules • Easy to create new rules • “Config is essentially a CMDB” • Limitations • Currently subset of EC2, EBS, VPC, CloudTrail, IAM
  • 13. “Please, SIRS” • An Exercise with AWS • Injection of Events into Logs • You choose What and When • Ask your Account Manager
  • 14. Initial Response Actions • Get the Right People Involved • AWS • Auditors, Regulators • Forensic Investigators (QIRAs, CESG-recommended firms)? • Police?
  • 15. “Decisions, Decisions…” • “Manage and Mitigate” or “Pursue and Prosecute”? • First closes open doors, but destroys evidence • Second (in traditional environments) is a lot more hassle • Why not do both?
  • 16. “Decisions, Decisions…” • Replicate • Repair • Redirect • Ringfence
  • 17. Preserving Evidence, by Service Infrastructure services Container services Abstracted services Configuration plus operation Configuration  Source: “AWS Security Best Practices,” Nov 2013, p7
  • 18. Best practices: EC2 & VPC • Create forensic subnets in all VPCs • All routes black-holed; all traffic stays within • Create “isolate” security groups to seal off potentially compromised hosts • Configure all AMIs to automatically mount ENIs when signalled by events
  • 19. Best practices: EC2 & VPC… • Configure investigation hosts • All forensics tools installed and ready to go • Protect with deny-all SGs on forensics subnet • Set up write blockers, eg https://github.com/msuhanov/Linux- write-blocker • Additional VM help available from AWS on request
  • 20. Analysis • EIR - Mandiant - EnCase - FTK - GRR • Network - Wireshark - Moloch • Memory Capture - Fastdump - FTK Imager - LiME (see Re:Invent, “Incident Response in the Cloud”)
  • 21. Subnet 10.1.1.0/24 Analysis Virtual router Web server 10.1.1.60 Internet gateway Workstation 10.1.1.101 Change security group to “Isolate” Attach Elastic Network Interface with security group “forensics-target” Elastic Network Interface 10.1.201.60 Security group: “Forensics-target” (forensics target security group) Attach Elastic Network Interface with security group “forensics-target” Completely isolated subnet 10.1.201.0/24 Elastic Network Interface 10.1.201.101 Security group: “Forensics-source” (forensics source security group) Attach Elastic Network Interface with security group “forensics-source” Attach Elastic Network Interface with security group “forensics-source”
  • 22. Conclusion • Many best practices are free; the rest are cheap • Configure IAM thoughtfully • Set up alarms; “snapshot” frequently • Use rich data emitted by “cloud container” for greater visibility and control • Use programmable infrastructure to automate detection (and potentially mitigation) • Always get the right people involved, at the outset • …and that includes AWS