AWS Security Week: Incident Response

Incident Response
Eyes Everywhere

Agenda
• Definition of Incident Response (IR)
• Indicators and attack surface
• Different types of incidents
• Event management over IR lifecycle
• Automated response examples
• Security IR simulations (SIRS)
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0

Goals
• Become aware of indicators of security incidents
• Classify incident types
• Discover sources of information to respond to an incident
• Understand incident response workflows
• Learn to prepare for incidents
AMAZON CONFIDENTIAL

Definition
Incident Response
An organized approach to addressing and managing the aftermath
of a security breach or attack*, with a goal of handling the
situation to limit damage and reduce recovery time and costs.
*also known as an IT incident, computer incident, or security incident
AMAZON CONFIDENTIAL

IR Principles
• Establish Goals
• Respond using the cloud
• Know what you have and what you need
• Do things that scale
• Use redeployment mechanisms
• Iteratively automate the mundane
• Learn and improve your process
AMAZON CONFIDENTIAL

IR Lifecycle
Establish
control
Determine
impact
Recover
as needed
Investigate
root cause
Improve
AMAZON CONFIDENTIAL

Finding the signal
AMAZON CONFIDENTIAL
Incident: deviation from your
[security] baseline

Understanding Normal
AMAZON CONFIDENTIAL

Changes in Configuration or Behavior
Configuration
Security Group rules
NACL
Bucket Policy
Behavior
Login attempts
New credentials
Unusual access patterns

Indicators
AMAZON CONFIDENTIAL
Logs and Monitors
Billing Activity
Threat Intelligence
AWS Outreach
Ad Hoc Contact

Understand Your Attack Surface
Infrastructure
VPC Resources
Connectivity
On-instance
...
Application
Patching Issue
Code Insecurity
...
Incident Response Domains

Incidents in the Infrastructure Domain
AMAZON CONFIDENTIAL
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Bastion
App
App
W
eb
W
eb
Security groups
Route table
NACLsInternet Gateway
Instance compromise

Infrastructure
VPC Resources
Connectivity
On-instance
...
Service
IAM
S3 buckets
Billing
...
Application
Patching
Coding hole
...

Incidents in the Service Domain
AMAZON CONFIDENTIAL
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Bastion
App
App
W
eb
W
eb
Credentials
S3 bucket policies
Changes in permissions

Infrastructure
VPC Resources
Connectivity
On-instance
...
Service
IAM
S3 buckets
Billing
...
Application
Patching
Coding hole
...
Other?

Types of Incidents
Compliance
variance
Service
disruption
Unauthorized
resources
Unauthorized
access
Privilege
escalation
Persistence
Excessive
permissions
Information
exposure
Credentials
exposure
AMAZON CONFIDENTIAL

EVENT MANAGEMENT
AMAZON CONFIDENTIAL

IR Lifecycle
Establish
control
Determine
impact
Recover
as needed
Investigate
root cause
Improve
AMAZON CONFIDENTIAL
Establish control
• Can I Log into the console
• Can I log into the instance
• Can I review/copy logs/Cloudtrail
• Can I copy information to a
forensics account
• Can I rotate credentials
• Can I review billing
• Can I isolate the instance

IR Lifecycle
Establish
control
Determine
impact
Recover
as needed
Investigate
root cause
Improve
AMAZON CONFIDENTIAL
Determine impact
• Review logs/CloudTrail/VPC
Flow for changes
• Reviews Account resources
• Review Billing
• Review Access Permissions
• Review Data Loss and targets

IR Lifecycle
Establish
control
Determine
impact
Recover
as needed
Investigate
root cause
Improve
AMAZON CONFIDENTIAL
Recover as needed
• Do I remove instances
• Do I change security groups
• Do I remove user
• Do I change credentials
• Do I recover security groups

IR Lifecycle
Establish
control
Determine
impact
Recover
as needed
Investigate
root cause
Improve
AMAZON CONFIDENTIAL
Investigate root cause
• How did this happen?
• Why did this happen?
• Who did it?
• How can we stop it from
happening again?

IR Lifecycle
Establish
control
Determine
impact
Recover
as needed
Investigate
root cause
Improve
AMAZON CONFIDENTIAL
Improve
• Improve our systems and
processes
• Iterate. Iterate. Iterate. Iterate.

AWS Support Escalation Path
• In situations where an escalation is required, customers can
follow a pre-defined escalation path:
– Submit a Support Case
– Technical Account Manager
– On-call Operation Manager
– Global Enterprise Support Manager
– Director of Support Engineering
– VP of AWS Support
AMAZON CONFIDENTIAL

Preparation
• Keep a pre-configured forensics AMI on hand
• Decide on the forensic procedure
• Create IAM role for incident responders and for the forensic
workstation
AMAZON CONFIDENTIAL

Response Time Comparison (notional)
time
get logs
analyze
correlate
trace origin
locate
remediate
event delivered
rule matched
alert sent
correlate
check baseline
remediate
incidentdetected
Traditional Datacenter Response
AWS Response

The high-level playbook
CloudWatch EventAdversary Your environment Responder

“IF SOMEONE TURNS CLOUDTRAIL
OFF, TURN IT BACK ON.”
Security Objective

cloudtrail:StopLogging
Incident: CloudTrail gets turned off
Adversary API Call
AMAZON CONFIDENTIAL

CloudWatch
Events event
{
"detail-type": [ "AWS API Call via CloudTrail" ],
"detail": {
"eventSource": [ "cloudtrail.amazonaws.com" ],
"eventName": [ "StopLogging" ]
}
}
Adversary CloudWatch
Event
API Call
AMAZON CONFIDENTIAL

Adversary ResponderCloudWatch
Event
API Call
cloudtrail.start_logging
AMAZON CONFIDENTIAL

“I ONLY WANT APPROVED MANAGED
POLICIES ATTACHED TO IAM USERS.”
Security Objective

Adversary
iam.attach_user_policy(
UserName='Bill',
PolicyArn='arn:aws:iam::aws:policy/PowerUserAccess'
)
IAM

CloudWatch
Events event
Adversary
{
"detail-type": [ "AWS API Call via CloudTrail" ],
"detail": {
"eventSource": [ "iam.amazonaws.com" ],
"eventName": [
"AttachGroupPolicy”,
"AttachRolePolicy",
"AttachUserPolicy"
]
}
}

Adversary Responder
iam.detach_user_policy

Wrangling information sources
Macie GuardDutyCloudTrail CloudWatch
Events
On-Instance
Logs
VPC Flow
Logs
CloudWatch
Logs
CloudWatch
Alarms
(via
SN
S)
S3 Access Logs S3 Bucket
Lambda Function Amazon EMR
Amazon Athena
Amazon ES
Amazon SNS
Amazon Kinesis

SECURITY INCIDENT RESPONSE
SIMULATIONS
AMAZON CONFIDENTIAL

What’s a SIRS?
• Security Incident Response Simulations (SIRS) are internal
events that provide a structured opportunity to practice your
incident response plan during a realistic scenario.
• SIRS events are fundamentally about being prepared and
iteratively improving your response capabilities.
AMAZON CONFIDENTIAL

Working back from customers
• Customers voice the following reasons why they want to
perform SIRS:
– Validate readiness
– Develop confidence – Learn from and train staff
– Generate artifacts for accreditation
– Be agile – Incremental improvement with laser focus
– Become faster and improve tools
– Refine escalation and communication
– Develop comfort with the rare and the creative
AMAZON CONFIDENTIAL

Preparing for a simulation
1. Find an issue of importance.
2. Find skilled security geeks.
3. Build a realistic model system.
4. Build and test the scenario elements.
5. Invite other security geeks and real people.
6. Run the simulation live.
7. Get better and repeat.
AMAZON CONFIDENTIAL

Key Simulation Elements
AMAZON CONFIDENTIAL
Scenario Build Process Test
Live
Event

When should I contact AWS?
• If you are planning SIRS:
– Obtain permission to perform penetration testing/scanning.
– Confirm the SIRS does not violate the AWS Acceptable Use Policy.
AMAZON CONFIDENTIAL

AWS Security Partner Solutions

Go forth and respond!
• Understand what normal looks like
• Express your security objectives in a clear way
• Know where to find the right information
• Plan, prepare, practice!

AWS Security Week: Incident Response

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Security Week: Incident Response

Similar to AWS Security Week: Incident Response (20)

More from Amazon Web Services

More from Amazon Web Services (20)

AWS Security Week: Incident Response