2. whoami
James Campbell
CEO & Co-Founder, Cado Security
Previously:
Director of Cyber Incident Response Service at PwC
Assistant Director of Operations, Australian Signals Directorate
Allan Carchrie
Digital Forensics Solutions Engineer, Cado Security
Previously:
Cyber Threat Detection and Response Analyst at PwC
Royal Air Force Cyberspace Communications Specialist
Combined: 30+ years experience helping organizations fight sophisticated cyber espionage and criminal campaigns
3. Agenda
● Cloud DFIR - a quick recap
● The value of memory forensics
● Memory DFIR in Cado Response
● Memory forensics and Kubernetes
● Key Takeaways
4. Buff Your Cloud Game
SANS DFIR - July 2021
Not a prereq, but… make sure you go watch:
https://www.cadosecurity.com/its-time-to-buff-your-cloud-game/
6. Data Sources
Cloud Trail Logs - Retain account activity related to actions across your AWS infrastructure
VPC Flow Logs - NetFlow log data of network traffic in your VPC
Guard Duty - AWS threat detection service that monitors for malicious activity across your account
API and Audit Server Logs - Contain information on API requests made to your EKS cluster
Authenticator Logs - Contain information on authentication requests performed on your cluster via the IAM/Kubernetes Role
Kubernetes Node (Amazon Linux 2) - Forensic DD Image
7. Value of Combined Analysis
(Table: which evidence source surfaces each finding; cell contents not recovered)
Columns: Cloud Logs | Host Information | ALL Combined
Rows:
Excessive Privilege Use
Vulnerable K8 API
Unauthorized SSH key
AWS console Access
Malicious App/Container Execution
Root Cause
8. The Value of Memory Forensics
● Provides visibility of run-time information
● Enables identification of rogue processes & code injection
● Adds context to the timeline so you know when activity started
● Adds complexity & risk - so beware
9. Value of Combined Analysis
(Table: which evidence source surfaces each finding; cell contents not recovered)
Columns: Cloud Logs | Host Information | Memory Information* | ALL Combined
Rows:
Excessive Privilege Use
Vulnerable K8 API
Unauthorized SSH Key
AWS Console Access
Malicious App/Container Execution
Root Cause
Bash History
Network Communications
Running Processes at Time of Capture
14. Key Takeaways
● Kubernetes forensics - can it be done? Yep!
● Get familiar with your data sources. The more you include, the better your investigation will be.
● Set up automation where possible. You must be quick, or you might lose your chance.
● Download our free community tools!
15. Cado Response
Free 14-day trial
Receive unlimited access to the Cado Response Platform for 14 days.
www.cadosecurity.com/free-investigation/