SlideShare a Scribd company logo

Resposta a incidentes em ambientes AWS

Clavis Segurança da Informação
Clavis Segurança da Informação

This document provides an overview of responding to incidents in AWS environments. It discusses AWS authentication and authorization, control and data planes, the shared responsibility model, and building an incident response flow. It emphasizes having a services inventory, assessing knowledge gaps, implementing guardrails, threat modeling, structuring response actions, and validating preparations through simulation. The goal is to continuously research, improve detections, train teams, and develop resources to respond to issues across AWS services.

Technology
1 of 32
Download to read offline
Resposta a incidentes em ambientes AWS
$ aws --profile Rodrigo Montoro sts get-caller-identity ● Head of Threat & Detection Research at Clavis Security ● Living in Florianópolis (Silicon Island) ● Author of 2 patented technologies (US Patent Office) ● Speaker in different conferences (Brazil,USA,Canada) ● Proud Dad and Husband ● Full Ironman triathlon (2x) ● Crossfit and Powerlifting
Motivation
Agenda Introduction to AWS ecosystem 1 Control Plane & Data Plane The deFAULT truth of AWS shared responsibility model Building an incident response flow Conclusions
Introduction to AWS Ecosystem
AWS In Numbers ● Around 12k actions ● 973 Managed policies ● 5 actions access level ● Around 300 Services Fonte: https://aws.permissions.cloud/
How authentication and authorization works
AWS IAM policy flow analysis
Control Plane & Data Plane
Control Plane
Data Plane ● S3 buckets data events ● RDS Audit logs ● EKS (Kubernetes)
The deFAULT Truth of AWS shared responsibility model
AWS Shared Responsibility Model
● CSPM Detections (cloudsploit) ○ 460 findings (AWS) ○ 87 services covered (~29% of services) ● Services with Passrole ○ 330 actions ○ 92 services (~30.7% of services) ● Detections from Elastic rules ○ 59 detections ○ ~22 services covered (~7.3% of services) ● Detections from Sigma ○ 31 detections ○ ~20 services covered (~6.7% of services) Some numbers in secure ‘IN’ the cloud (AWS)
Small piece (but important) of a full talking on the way …
How many problems an AWS account start (with an Admin user) ?
Next let’s add an ec2 instance
Just to finish a s3 bucket …
Simple scenario (only 3 services) the deFAULT “problems”
Do not forget! ● Data Events ● Cross Account ● Uncommon services
Building an incident response flow
Building a flow ● Services inventory ● Inventory knowledge self assessment ● Guardrails / Security Architecture ● Threat Modeling / Researches ● Structure response actions ● Validate / Simulate
Services Inventory
Inventory knowledge self assessment Service Service Context Level (low to critical) Knowledge (1 to 5) Existing Detections / Researches (1 to 5) iam critical 3 4 ec2 high 4 4 appstream medium 3 2 sagemaker medium 1 1 rds high 2 3 redshift medium 1 1 * researching/developing idea for a threat score *
Guardrails & Security Architecture ● Deny services you don’t need ● Use conditions in your privilege policies ● Be ready to use AWSCompromisedQuarentinev2 ● Use different accounts ● Least privilege
Threat Modeling / Researches source: https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/ Map the path from attacker to my assets and possible attack techniques Research how attack techniques mapped works and data source events need to detect Create detections based on requirements. Try to analyze events from real world. Analyze False Positives and False Negatives. Deploy in “testing mode” and keep improving until production. Monitor metrics.
Structure a response action
Validate / Simulate source: https://www.netspi.com/blog/technical/adversary-simulation/painting-a-threat-detection-landscape/
Future & Conclusions
Future and Conclusions ● Don’t trust default configurations ● Good architecture helps monitoring ● Know what you are running ● Find your knowledge gaps ● Keep researching and improving detections ● Make sure you train your team ● Build an Uncommon services Incident Response Cheatsheet
Obrigado Rodrigo Montoro @spookerlabs rodrigo.montoro@clavis.com.br

Recommended

Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance John Varghese
 
Cloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroCloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroClavis Segurança da Informação
 
004 - Logging in the Cloud -- hide01.ir.pptx
004 - Logging in the Cloud -- hide01.ir.pptx004 - Logging in the Cloud -- hide01.ir.pptx
004 - Logging in the Cloud -- hide01.ir.pptxnitinscribd
 
Compliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignAmazon Web Services
 
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...Ryan Hodgin
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureCloudVillage
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureJose Hernandez
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong
 

Recommended

Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance John Varghese
 
Cloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroCloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroClavis Segurança da Informação
 
004 - Logging in the Cloud -- hide01.ir.pptx
004 - Logging in the Cloud -- hide01.ir.pptx004 - Logging in the Cloud -- hide01.ir.pptx
004 - Logging in the Cloud -- hide01.ir.pptxnitinscribd
 
Compliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignAmazon Web Services
 
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...Regulated Reactive - Security Considerations for Building Reactive Systems in...
Regulated Reactive - Security Considerations for Building Reactive Systems in...Ryan Hodgin
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureCloudVillage
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureJose Hernandez
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Kristana Kane
 
AWS Big Data Demystified #4 data governance demystified [security, networ...
AWS Big Data Demystified #4 data governance demystified [security, networ...AWS Big Data Demystified #4 data governance demystified [security, networ...
AWS Big Data Demystified #4 data governance demystified [security, networ...Omid Vahdaty
 
Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleChris Farris
 
Cloud Forensics and Incident Response Training.pdf
Cloud Forensics and Incident Response Training.pdfCloud Forensics and Incident Response Training.pdf
Cloud Forensics and Incident Response Training.pdfChristopher Doman
 
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...Amazon Web Services
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
NVS_Sentinel
NVS_SentinelNVS_Sentinel
NVS_SentinelMike Mihm
 
Native cloud security monitoring
Native cloud security monitoringNative cloud security monitoring
Native cloud security monitoringJohn Varghese
 
Penetration Testing AWS
Penetration Testing AWSPenetration Testing AWS
Penetration Testing AWSSanjeev Kumar Jaiswal
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningValdez Ladd MBA, CISSP, CISA,
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 
Best Practices for SecOps on AWS
Best Practices for SecOps on AWSBest Practices for SecOps on AWS
Best Practices for SecOps on AWSAmazon Web Services
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessToni de la Fuente
 
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Trupti Shiralkar, CISSP
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsEvident.io
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
ES and CQRS workshop
ES and CQRS workshopES and CQRS workshop
ES and CQRS workshopZeldal Ozdemir
 
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...Amazon Web Services
 
Bsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptxBsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptxClavis Segurança da Informação
 
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - ApresentaçãoDesenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 

More Related Content

Similar to Resposta a incidentes em ambientes AWS

Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Kristana Kane
 
AWS Big Data Demystified #4 data governance demystified [security, networ...
AWS Big Data Demystified #4 data governance demystified [security, networ...AWS Big Data Demystified #4 data governance demystified [security, networ...
AWS Big Data Demystified #4 data governance demystified [security, networ...Omid Vahdaty
 
Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleChris Farris
 
Cloud Forensics and Incident Response Training.pdf
Cloud Forensics and Incident Response Training.pdfCloud Forensics and Incident Response Training.pdf
Cloud Forensics and Incident Response Training.pdfChristopher Doman
 
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...Amazon Web Services
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
NVS_Sentinel
NVS_SentinelNVS_Sentinel
NVS_SentinelMike Mihm
 
Native cloud security monitoring
Native cloud security monitoringNative cloud security monitoring
Native cloud security monitoringJohn Varghese
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 
Best Practices for SecOps on AWS
Best Practices for SecOps on AWSBest Practices for SecOps on AWS
Best Practices for SecOps on AWSAmazon Web Services
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessToni de la Fuente
 
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Trupti Shiralkar, CISSP
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and ResponseAlert Logic
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsEvident.io
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...Amazon Web Services
 

Similar to Resposta a incidentes em ambientes AWS (20)

Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
AWS Big Data Demystified #4 data governance demystified [security, networ...
AWS Big Data Demystified #4 data governance demystified [security, networ...AWS Big Data Demystified #4 data governance demystified [security, networ...
AWS Big Data Demystified #4 data governance demystified [security, networ...
 
Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for Scale
 
Cloud Forensics and Incident Response Training.pdf
Cloud Forensics and Incident Response Training.pdfCloud Forensics and Incident Response Training.pdf
Cloud Forensics and Incident Response Training.pdf
 
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...
Best Practices for Managing Security Operations in AWS - March 2017 AWS Onlin...
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
NVS_Sentinel
NVS_SentinelNVS_Sentinel
NVS_Sentinel
 
Native cloud security monitoring
Native cloud security monitoringNative cloud security monitoring
Native cloud security monitoring
 
Penetration Testing AWS
Penetration Testing AWSPenetration Testing AWS
Penetration Testing AWS
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
Best Practices for SecOps on AWS
Best Practices for SecOps on AWSBest Practices for SecOps on AWS
Best Practices for SecOps on AWS
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
 
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017
 
ES and CQRS workshop
ES and CQRS workshopES and CQRS workshop
ES and CQRS workshop
 
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
How Greenhouse Software Unlocked the Power of Machine Data Analytics with Sum...
 

More from Clavis Segurança da Informação

Desenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - ApresentaçãoDesenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 
Big Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Big Data e Segurança da Informação - 10o Workshop SegInfo - ApresentaçãoBig Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Big Data e Segurança da Informação - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 
A maldição do local admin - 10o Workshop SegInfo - Apresentação
A maldição do local admin - 10o Workshop SegInfo - ApresentaçãoA maldição do local admin - 10o Workshop SegInfo - Apresentação
A maldição do local admin - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoAdoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...Clavis Segurança da Informação
 
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401Clavis Segurança da Informação
 
Manobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Manobras Evasivas: Técnicas de Evasão para Varreduras com o NmapManobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Manobras Evasivas: Técnicas de Evasão para Varreduras com o NmapClavis Segurança da Informação
 
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...Clavis Segurança da Informação
 
Testes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Testes de Invasão ajudam a alcançar a conformidade - Segurança da InformaçãoTestes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Testes de Invasão ajudam a alcançar a conformidade - Segurança da InformaçãoClavis Segurança da Informação
 
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força BrutaEntendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força BrutaClavis Segurança da Informação
 
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o WmapDescobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o WmapClavis Segurança da Informação
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DFGerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DFClavis Segurança da Informação
 
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...Clavis Segurança da Informação
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ Clavis Segurança da Informação
 

More from Clavis Segurança da Informação (20)

Bsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptxBsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptx
 
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - ApresentaçãoDesenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
 
Big Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Big Data e Segurança da Informação - 10o Workshop SegInfo - ApresentaçãoBig Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Big Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
 
A maldição do local admin - 10o Workshop SegInfo - Apresentação
A maldição do local admin - 10o Workshop SegInfo - ApresentaçãoA maldição do local admin - 10o Workshop SegInfo - Apresentação
A maldição do local admin - 10o Workshop SegInfo - Apresentação
 
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoAdoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
 
Palestra GlobalSign
Palestra GlobalSignPalestra GlobalSign
Palestra GlobalSign
 
Palestra Clavis - Octopus
Palestra Clavis - OctopusPalestra Clavis - Octopus
Palestra Clavis - Octopus
 
Palestra Exceda - Clavis 2016
Palestra Exceda - Clavis 2016Palestra Exceda - Clavis 2016
Palestra Exceda - Clavis 2016
 
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
 
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
 
Webinar # 21 – Análise Forense de Redes
Webinar # 21 – Análise Forense de Redes Webinar # 21 – Análise Forense de Redes
Webinar # 21 – Análise Forense de Redes
 
Manobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Manobras Evasivas: Técnicas de Evasão para Varreduras com o NmapManobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Manobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
 
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
 
Testes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Testes de Invasão ajudam a alcançar a conformidade - Segurança da InformaçãoTestes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Testes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
 
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força BrutaEntendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
 
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o WmapDescobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DFGerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
 
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
 
Webinar #18 – A Nova Lei de Cibercrimes
Webinar #18 – A Nova Lei de CibercrimesWebinar #18 – A Nova Lei de Cibercrimes
Webinar #18 – A Nova Lei de Cibercrimes
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Resposta a incidentes em ambientes AWS

  • 1.
  • 2. Resposta a incidentes em ambientes AWS
  • 3. $ aws --profile Rodrigo Montoro sts get-caller-identity ● Head of Threat & Detection Research at Clavis Security ● Living in Florianópolis (Silicon Island) ● Author of 2 patented technologies (US Patent Office) ● Speaker in different conferences (Brazil,USA,Canada) ● Proud Dad and Husband ● Full Ironman triathlon (2x) ● Crossfit and Powerlifting
  • 5. Agenda Introduction to AWS ecosystem 1 Control Plane & Data Plane The deFAULT truth of AWS shared responsibility model Building an incident response flow Conclusions
  • 7. AWS In Numbers ● Around 12k actions ● 973 Managed policies ● 5 actions access level ● Around 300 Services Fonte: https://aws.permissions.cloud/
  • 8. How authentication and authorization works
  • 9. AWS IAM policy flow analysis
  • 12. Data Plane ● S3 buckets data events ● RDS Audit logs ● EKS (Kubernetes)
  • 13. The deFAULT Truth of AWS shared responsibility model
  • 15. ● CSPM Detections (cloudsploit) ○ 460 findings (AWS) ○ 87 services covered (~29% of services) ● Services with Passrole ○ 330 actions ○ 92 services (~30.7% of services) ● Detections from Elastic rules ○ 59 detections ○ ~22 services covered (~7.3% of services) ● Detections from Sigma ○ 31 detections ○ ~20 services covered (~6.7% of services) Some numbers in secure ‘IN’ the cloud (AWS)
  • 16. Small piece (but important) of a full talking on the way …
  • 17. How many problems an AWS account start (with an Admin user) ?
  • 18. Next let’s add an ec2 instance
  • 19. Just to finish a s3 bucket …
  • 20. Simple scenario (only 3 services) the deFAULT “problems”
  • 21. Do not forget! ● Data Events ● Cross Account ● Uncommon services
  • 23. Building a flow ● Services inventory ● Inventory knowledge self assessment ● Guardrails / Security Architecture ● Threat Modeling / Researches ● Structure response actions ● Validate / Simulate
  • 25. Inventory knowledge self assessment Service Service Context Level (low to critical) Knowledge (1 to 5) Existing Detections / Researches (1 to 5) iam critical 3 4 ec2 high 4 4 appstream medium 3 2 sagemaker medium 1 1 rds high 2 3 redshift medium 1 1 * researching/developing idea for a threat score *
  • 26. Guardrails & Security Architecture ● Deny services you don’t need ● Use conditions in your privilege policies ● Be ready to use AWSCompromisedQuarentinev2 ● Use different accounts ● Least privilege
  • 27. Threat Modeling / Researches source: https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/ Map the path from attacker to my assets and possible attack techniques Research how attack techniques mapped works and data source events need to detect Create detections based on requirements. Try to analyze events from real world. Analyze False Positives and False Negatives. Deploy in “testing mode” and keep improving until production. Monitor metrics.
  • 29. Validate / Simulate source: https://www.netspi.com/blog/technical/adversary-simulation/painting-a-threat-detection-landscape/
  • 31. Future and Conclusions ● Don’t trust default configurations ● Good architecture helps monitoring ● Know what you are running ● Find your knowledge gaps ● Keep researching and improving detections ● Make sure you train your team ● Build an Uncommon services Incident Response Cheatsheet