/ 2017
● twenty years' experience in security, including experience as a cloud security lead in some of the world's largest AWS environments
● patent holder; published researcher; advisor to various security product plays and VCs; credited bug hunter
● veteran of six startups, including two successful exits
● contributed, as an architect and/or core business logic developer, to three successful security products and six large-scale security monitoring and threat hunting projects, in both cloud and legacy environments
Craig Chamberlain | @randomuserid
top - 18:01:13 up 6:20, 3 users, load average: 53.42, 53.06, 45.76
Tasks: 424 total, 53 running, 371 sleeping, 0 stopped, 0 zombie
Cpu(s): 80.8%us, 14.6%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 4.6%si, 0.0%st
Mem: 7399012k total, 3800740k used, 3598272k free, 213076k buffers
Swap: 0k total, 0k used, 0k free, 2086332k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
5230 root 20 0 1046m 565m 7728 S 66 7.8 20:28.55 Suricata-Main
29038 piglet 20 0 422m 16m 8464 R 3 0.2 0:04.44 php-fpm
29045 piglet 20 0 424m 17m 8464 R 3 0.2 0:04.48 php-fpm
29390 piglet 20 0 423m 16m 8456 R 3 0.2 0:04.50 php-fpm
29480 piglet 20 0 424m 17m 8456 R 3 0.2 0:04.41 php-fpm
29744 piglet 20 0 424m 17m 8456 R 3 0.2 0:04.36 php-fpm
29761 piglet 20 0 423m 16m 8456 R 3 0.2 0:04.31 php-fpm
top - 19:33:38 up 4 days, 7:52, 3 users, load average: 50.49, 44.14, 33.30
Mem: 7399012k total, 3998516k used, 3400496k free, 305752k buffers
Swap: 0k total, 0k used, 0k free, 2502508k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
13897 root 20 0 1108m 108m 8084 R 13 1.5 3:20.10 node
8669 threatst 20 0 227m 4844 2456 S 7 0.1 2:27.43 tsauditd
21213 piglet 20 0 424m 17m 8588 R 4 0.2 0:06.03 php-fpm
21935 piglet 20 0 424m 17m 8588 R 4 0.2 0:05.80 php-fpm
21672 piglet 20 0 424m 17m 8588 R 4 0.2 0:05.94 php-fpm
21941 piglet 20 0 423m 16m 8588 R 4 0.2 0:05.68 php-fpm
21997 piglet 20 0 422m 16m 8588 R 4 0.2 0:05.81 php-fpm
ubuntu@ip-10-138-99-155:~$ ./lpe PP1
uid=1000, euid=1000
Increfing...
finished increfing
forking...
finished forking
caling revoke...
uid=1000, euid=1000
Possible Behavioral Detection Methods
1. Writes to system files
2. Anomalous process execution
3. Anomalous user / command activity
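The three detection methods listed above, applied to a stream of host syscall records. This is an added example, not code from the deck or from any product it mentions: the record schema, the uid-to-user map, the per-user execution baseline and every sample event are constructed here for illustration (a real pipeline would read auditd or an agent's syscall feed). Rule 3 looks for the footprint a successful local privilege escalation leaves, a process holding euid 0 whose real uid is not 0 and which did not get there through sudo or su.

```python
"""Behavioral detection over host syscall records (constructed example)."""
import os
from typing import Dict, Iterable, List, Set

# Directories a web tier should never write to at runtime (assumed policy).
SYSTEM_PATHS = ("/etc/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/lib/", "/lib64/", "/boot/")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}
# Binaries that legitimately move a session from a normal uid to euid 0.
SANCTIONED_ELEVATORS = {"sudo", "su"}

# Constructed uid map and per-user baseline of expected executables.
UID_TO_USER: Dict[int, str] = {0: "root", 1000: "ubuntu", 1001: "piglet"}
BASELINE: Dict[str, Set[str]] = {
    "root":   {"Suricata-Main", "node", "tsauditd", "sshd", "cron"},
    "piglet": {"php-fpm"},
    "ubuntu": {"bash", "ls", "cat", "sudo", "apt-get"},
}

# Constructed syscall records: a php-fpm worker that writes under /etc and
# spawns a shell, and an unprivileged user whose process reaches euid 0
# without going through sudo or su.
EVENTS: List[dict] = [
    {"ts": 1, "pid": 29038, "uid": 1001, "euid": 1001, "comm": "php-fpm",
     "syscall": "openat", "path": "/var/www/html/index.php", "flags": "O_RDONLY"},
    {"ts": 2, "pid": 29038, "uid": 1001, "euid": 1001, "comm": "php-fpm",
     "syscall": "openat", "path": "/etc/ld.so.preload", "flags": "O_WRONLY|O_CREAT"},
    {"ts": 3, "pid": 29038, "uid": 1001, "euid": 1001, "comm": "php-fpm",
     "syscall": "execve", "path": "/bin/sh", "flags": ""},
    {"ts": 4, "pid": 31000, "uid": 1000, "euid": 1000, "comm": "bash",
     "syscall": "execve", "path": "/home/ubuntu/lpe", "flags": ""},
    {"ts": 5, "pid": 31000, "uid": 1000, "euid": 0, "comm": "lpe",
     "syscall": "setresuid", "path": "", "flags": ""},
    {"ts": 6, "pid": 4000, "uid": 1000, "euid": 0, "comm": "sudo",
     "syscall": "execve", "path": "/usr/bin/apt-get", "flags": ""},
]


def opened_for_write(flags: str) -> bool:
    """True if an open(2)/openat(2) flag string requests write access."""
    return bool(WRITE_FLAGS & set(flags.split("|")))


def detect(events: Iterable[dict]) -> List[dict]:
    """Apply the three behavioral rules from the slide to a record stream."""
    findings: List[dict] = []
    for ev in events:
        user = UID_TO_USER.get(ev["uid"], f"uid:{ev['uid']}")
        sc = ev["syscall"]
        # 1. Writes to system files.
        if (sc in ("open", "openat") and opened_for_write(ev["flags"])
                and ev["path"].startswith(SYSTEM_PATHS)):
            findings.append({"rule": "system_file_write", "pid": ev["pid"], "user": user,
                             "detail": f"{ev['comm']} opened {ev['path']} with {ev['flags']}"})
        # 2. Anomalous process execution: a binary outside the user's baseline.
        elif sc == "execve":
            exe = os.path.basename(ev["path"])
            if exe not in BASELINE.get(user, set()):
                findings.append({"rule": "anomalous_exec", "pid": ev["pid"], "user": user,
                                 "detail": f"{user} ran {ev['path']} (not in baseline)"})
        # 3. Anomalous user activity: euid 0 reached by something other than a
        #    sanctioned elevator, the footprint a successful LPE leaves behind.
        if ev["euid"] == 0 and ev["uid"] != 0 and ev["comm"] not in SANCTIONED_ELEVATORS:
            findings.append({"rule": "anomalous_user", "pid": ev["pid"], "user": user,
                             "detail": f"{ev['comm']} holds euid 0 while uid is {ev['uid']}"})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} user={f['user']}: {f['detail']}")
    print(summarize(detect(EVENTS)))
```

On the sample stream the write to /etc/ld.so.preload, the shell spawned by php-fpm, the unknown binary run by ubuntu and the euid-0 process named lpe each produce one finding; the sudo-mediated apt-get run produces none. The baseline is the part that needs care in production: on a host like the one in the top output, with dozens of php-fpm workers, the per-user executable set is small and stable, which is exactly what makes rule 2 cheap and low-noise there.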
FBI Investigation (conventional approach): reconstruct the past using painstaking and methodical forensics. Time frame: days or weeks.
DHS Investigation (“spacefolding” approach): directly observe the past and determine what happened using “spacefolding” technology. Time frame: hours.
Conventional IR / Live Response
1. Receive clues via alert(s)
2. Triage and prioritize
3. Coordinate with Ops to confirm and identify instance ownership
4. Establish or declare incident
5. Communication and coordination
6. Communicate via conference call
7. Obtain time cycles from Ops resources
8. Request hands-on live response from Ops teams
9. Detail data requests and procedures
10. Await live response data
11. Analysis of LR data
12. Request supplemental data
13. Await supplemental data
14. Analysis of supplemental data
15. Complete analysis, triage of alert
16. Communication and next steps

IR With SpaceFolding & Syscalls
1. Receive clues via alert(s)
2. Identify instance via CloudTrail data
3. Observe activity at the time of the alert and determine cause of the alert
4. Complete analysis, triage of alert
5. Communication and next steps

Engineering Challenges Doing Intrusion Detection in the Cloud
