Given at SOURCE Boston 2017. Part one of a two part saga on cloud security monitoring, intrusion detection and threat hunting.

1. / 2017
1

2. ● twenty years experience in security including experience
as a cloud security lead in some of the world's largest
AWS environments
● patent holder; published researcher; advisor to various
security product plays and VCs; credited bug hunter
● veteran of six startups including two successful exits
● contributed, as an architect and / or core business logic
developer, to three successful security products, and six
large-scale security monitoring and threat hunting
projects, in both cloud and legacy environments
Craig Chamberlain | @randomuserid

3. →
▪
→
▪
→
▪

4. →
→

5. →
▪
→
▪
▪

8. 1.
2.
3.
a.
b.
c.
d.

9. →
→
→

10. →
▪
▪
→

15. →
▪
▪
→
▪

16. →
▪
▪
▪
→
▪
▪

20. →
▪
▪
→
▪
▪

22. top - 18:01:13 up 6:20, 3 users, load average: 53.42, 53.06, 45.76
Tasks: 424 total, 53 running, 371 sleeping, 0 stopped, 0 zombie
Cpu(s): 80.8%us, 14.6%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 4.6%si, 0.0%st
Mem: 7399012k total, 3800740k used, 3598272k free, 213076k buffers
Swap: 0k total, 0k used, 0k free, 2086332k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5230 root 20 0 1046m 565m 7728 S 66 7.8 20:28.55 Suricata-Main
29038 piglet 20 0 422m 16m 8464 R 3 0.2 0:04.44 php-fpm
29045 piglet 20 0 424m 17m 8464 R 3 0.2 0:04.48 php-fpm
29390 piglet 20 0 423m 16m 8456 R 3 0.2 0:04.50 php-fpm
29480 piglet 20 0 424m 17m 8456 R 3 0.2 0:04.41 php-fpm
29744 piglet 20 0 424m 17m 8456 R 3 0.2 0:04.36 php-fpm
29761 piglet 20 0 423m 16m 8456 R 3 0.2 0:04.31 php-fpm
22

23. 1.
2.
a.
b.
3.

24. 2
4

26. →
▪
▪

27. •
•
•

28. •
•
–
–
–
•
–
–

29. →
→
▪
▪
→

30. top - 19:33:38 up 4 days, 7:52, 3 users, load average: 50.49, 44.14, 33.30
Mem: 7399012k total, 3998516k used, 3400496k free, 305752k buffers
Swap: 0k total, 0k used, 0k free, 2502508k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
13897 root 20 0 1108m 108m 8084 R 13 1.5 3:20.10 node
8669 threatst 20 0 227m 4844 2456 S 7 0.1 2:27.43 tsauditd
21213 piglet 20 0 424m 17m 8588 R 4 0.2 0:06.03 php-fpm
21935 piglet 20 0 424m 17m 8588 R 4 0.2 0:05.80 php-fpm
21672 piglet 20 0 424m 17m 8588 R 4 0.2 0:05.94 php-fpm
21941 piglet 20 0 423m 16m 8588 R 4 0.2 0:05.68 php-fpm
21997 piglet 20 0 422m 16m 8588 R 4 0.2 0:05.81 php-fpm
30

31. •
•
–
–

33. Proprietary and Confidential

34. •
•
–
–

35. •
•
•

39. ubuntu@ip-10-138-99-155:~$ ./lpe PP1
uid=1000, euid=1000
Increfing...
finished increfing
forking...
finished forking
caling revoke...
uid=1000, euid=1000

42. 42

44. 44

45. 45

46. 46

47. 47

50. 50

51. 51

55. redacted

57. 57

62. Possible Behavioral Detection Methods
1. Writes to system files
2. Anomalous process execution
3. Anomalous user / command activity

64. •
•

66. FBI Investigation
(conventional approach)
DHS Investigation
(spacefolding approach)
Reconstruct the past
using painstaking and
methodical forensics.
Time frame: days or
weeks
Directly observe the past
and determine what
happened using
“spacefolding”
technology.
Time frame: hours

67. •

68. Conventional IR / Live Response IR With SpaceFolding & Syscalls
1. Receive clues via alert(s)
2. Triage and prioritize
3. Coordinate with OPs to confirm and identify
instance ownership
4. Establish or declare incident
5. Communication and coordination
6. Communicate via conference call
7. Obtain time cycles from OPs resources
8. Request hands-on live response from OPS teams
9. Detail data requests and procedures
10. Await live response data
11. Analysis of LR data
12. Request supplemental data
13. Await supplemental data
14. Analysis of supplemental data
15. Complete analysis , triage of alert
16. Communication and next steps
1. Receive clues via alert(s)
2. Identify instance via CloudTrails data
3. Observe activity at the time of the alert and
determine cause of the alert
4. Complete analysis , triage of alert
5. Communication and next steps

69. •
–
–
•
–

72. 72