Cloud and Kubernetes Memory Forensics
whoami
James Campbell
CEO & Co-Founder, Cado Security
Previously:
Director of Cyber Incident Response Service at PwC
Assistant Director of Operations, Australian Signals Directorate
Allan Carchrie
Digital Forensics Solutions Engineer, Cado Security
Previously:
Cyber Threat Detection and Response Analyst at PwC
Royal Air Force Cyberspace Communications Specialist
Combined: 30+ years experience helping organizations fight sophisticated cyber espionage and criminal campaigns
Agenda
● Cloud DFIR - a quick recap
● The value of memory forensics
● Memory DFIR in Cado Response
● Memory forensics and Kubernetes
● Key Takeaways
Buff Your Cloud Game
SANS DFIR - July 2021
Not a prereq, but… make sure you go watch:
https://www.cadosecurity.com/its-time-to-buff-your-cloud-game/
The Crime Scene
[Diagram of the AWS Environment: an AWS VPC holding an EKS Cluster with three Nodes, alongside AWS CloudWatch, AWS GuardDuty and Cado Response]
Data Sources
● CloudTrail Logs: retain account activity related to actions across your AWS infrastructure
● VPC Flow Logs: NetFlow log data of network traffic in your VPC
● GuardDuty: AWS threat detection service that monitors for malicious activity across your account
● API and Audit Server Logs: contain information on API requests made to your EKS cluster
● Authenticator Logs: contain information on authentication requests performed on your cluster via the IAM/Kubernetes Role
● Kubernetes Node (Amazon Linux 2): forensic DD image
Value of Combined Analysis
[Table of findings against data source. Columns: Cloud Logs | Host Information | ALL Combined. Rows: Excessive Privilege Use | Vulnerable K8 API | Unauthorized SSH Key | AWS Console Access | Malicious App/Container Execution | Root Cause]
The Value of Memory Forensics
● Provides visibility of run-time information
● Enables identification of rogue processes and code injection
● Adds context to the timeline, showing when activity started
● Adds complexity and risk - so beware
Value of Combined Analysis
[The same table, repeated with a memory column. Columns: Cloud Logs | Host Information | Memory Information* | ALL Combined. Rows: Excessive Privilege Use | Vulnerable K8 API | Unauthorized SSH Key | AWS Console Access | Malicious App/Container Execution | Root Cause | Bash History | Network Communications | Running Processes at Time of Capture]
Memory forensics and Kubernetes (screenshot captions):
● Suspicious network connections from the Kubernetes node
● Suspicious running processes in the Kubernetes node
● Process tree format
● containerd-shim process
● Process and command line arguments
● Extracting the file system structure from memory
● Hidden ncat
● Sourced from GitHub
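The screenshots above show the checks an analyst runs by eye over a process listing pulled from node memory: which processes hang off containerd-shim, and whether the command line matches the process name. The following is an added example, not code from the deck or from Cado Response, that applies those two checks to a constructed pstree-style listing; the sample records, the "kworker"-named ncat copy and the NETWORK_TOOLS watchlist are all assumptions made for illustration.

```python
"""Triage a pstree-style process listing from a Kubernetes node memory image.
Added example, not code from the deck; the listing is constructed. Heuristics
(both assumptions here): a known network tool running under containerd-shim,
and comm not matching argv[0], which is how a renamed binary shows up."""
import os
from collections import namedtuple
from typing import Dict, List

Proc = namedtuple("Proc", "pid ppid comm cmdline")  # comm = task_struct->comm
NETWORK_TOOLS = {"ncat", "nc", "netcat", "socat"}    # assumed watchlist
TASK_COMM_LEN = 16                                   # Linux: 15 chars + NUL

# Constructed sample: one pod shell spawned ncat; one ncat copy was renamed.
SAMPLE = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd --switched-root"),
    Proc(812, 1, "kubelet", "/usr/bin/kubelet --config=/etc/kubernetes/kubelet/kubelet-config.json"),
    Proc(900, 1, "containerd", "/usr/bin/containerd"),
    Proc(2101, 900, "containerd-shim", "/usr/bin/containerd-shim-runc-v2 -namespace k8s.io -id 4f1e"),
    Proc(2130, 2101, "sh", "/bin/sh -c while true; do sleep 30; done"),
    Proc(2188, 2130, "ncat", "ncat 203.0.113.10 4444"),
    Proc(2201, 2101, "kworker", "/tmp/.x/ncat -l -p 31337"),
]

def ancestry(pid: int, index: Dict[int, Proc]) -> List[str]:
    """comm names walking up from pid to init; guards against ppid cycles."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid].comm)
        pid = index[pid].ppid
    return chain

def in_container(p: Proc, index: Dict[int, Proc]) -> bool:
    return "containerd-shim" in ancestry(p.ppid, index)

def argv0_name(p: Proc) -> str:
    parts = p.cmdline.split()
    return os.path.basename(parts[0]) if parts else ""

def comm_mismatch(p: Proc) -> bool:
    # comm is truncated by the kernel, so compare the truncated basename
    expected = argv0_name(p)[:TASK_COMM_LEN - 1]
    return bool(expected) and expected != p.comm

def triage(procs: List[Proc]) -> List[dict]:
    index = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        reasons = []
        if in_container(p, index) and {p.comm, argv0_name(p)} & NETWORK_TOOLS:
            reasons.append("network tool running inside a container")
        if comm_mismatch(p):
            reasons.append("comm differs from argv[0]: possible renamed binary")
        if reasons:
            findings.append({"pid": p.pid, "comm": p.comm,
                             "cmdline": p.cmdline, "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Both heuristics produce false positives on legitimate software (interpreters, multi-call binaries), so treat the output as a worklist for the analyst rather than a verdict.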
Key Takeaways
● Kubernetes forensics - can it be done? Yep!
● Get familiar with your data sources. The more you include, the better your investigation will be.
● Set up automation where possible. You must be quick, or you might lose your chance.
● Download our free community tools!
Cado Response
Free 14-day trial
Receive unlimited access to the Cado Response Platform for 14 days.
www.cadosecurity.com/free-investigation/
Q&A
Know Your Cloud
with Cado.
WWW.CADOSECURITY.COM
