© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to Perform Forensics on AWS
Using Serverless Infrastructure
Henrik Johansson
Principal – Office of the CISO
AWS Security
SEC416
Andrew Krug
Staff Security Engineer / Identity and Access Management
Mozilla
Agenda
Intro/Primer
● Challenges with forensics
● Pre-Work
● Why do you need it?
Tools
● On the fly forensics environment
● State tracking/orchestration
● Capturing
Process/Runbook
● Recommendations
Customer Dialogue
● What requirements do you have today?
● Are you meeting that requirement?
● What challenges do you run into?
Closing Statements
● What to remember
● Next Steps
● More resources to look at
Breakout repeats
Monday, November 26
How to Perform Forensics on AWS Using Serverless Infrastructure - SEC416-R1
2:30PM PST | Venetian, Level 4, Lando 4305, T1
Wednesday, November 26
How to Perform Forensics on AWS Using Serverless Infrastructure - SEC416-R1
2:30PM PST | Venetian, Level 4, Lando 4305, T1
Cloud forensics: What is it?
Forensics can occur during triage to answer the question: “Am I having a security incident?”
Or it can occur post incident to answer the who, what, where, when, why, and how of a security incident.
Challenges of cloud forensics
● Cloud can be a big place.
○ Hunting resources that are part of an incident can be challenging.
○ Your tooling and process needs to be as scalable as your application.
● Sometimes the speed of innovation outpaces forensics tools.
○ More on this later.
● Preparation is key to being effective.
Cloud is a big place
At the time of writing there are:
● 110 distinct AWS services available in botocore.
● 15 distinct regions in addition to AWS GovCloud.
Sometimes innovation outpaces tooling
● New security features / tooling can render analysis tools obsolete.
● Community supported tools don’t always move at the same pace.
Preparation is key
Incident lifecycle (diagram): Pre-forensics → Detection and analysis → Containment and recovery, with evidence collected at every stage.
Custody chain: who did x at 0:00GMT; checked out file x at 0:00GMT.
Some tools for detection
• Amazon GuardDuty
• AWS Trusted Advisor
• Your SIEM using threat intelligence
• AWS CloudTrail anomalies
• Billing alarms
• AWS outreach
• Ad-hoc contact
Plenty of isolation code out there
#!/bin/bash
# Allow SSH to the isolation security group from the responder's address only.
aws ec2 authorize-security-group-ingress --group-name isolation-sg \
    --protocol tcp --port 22 --cidr YOUR.IP.ADDRESS.HERE/32
# Remove the default rule that allows all outbound traffic (all protocols, 0.0.0.0/0).
aws ec2 revoke-security-group-egress --group-id sg-BLOCK-ID \
    --protocol all --cidr 0.0.0.0/0
Additional considerations
● Prior to isolation ensure that evidence is preserved.
● You may need to do additional work to deregister from things like autoscale groups to prevent accidental termination.
Forensics in AWS : Why do you need it?
● Compliance
○ PCI, GDPR, ISO27001
■ You need to have an incident
plan in place.
● Alignment
○ AWS shared security model
● Your customers
○ Protect them from:
■ The obvious
■ Internally known risk
■ Blind spots
■ and the unknown
■ Trust
Tools
● AWS services
○ Amazon CloudWatch Events
○ AWS Lambda functions
○ AWS Step Functions
○ EC2 API
○ AWS CLI
○ Amazon Athena
● Community provided tooling
○ Rekall framework / Volatility framework
○ ssm_acquire (new) - released at re:Invent 2018
○ AWS_IR
○ MargaritaShotgun
( Links on final slides for these )
Your on-the-fly forensics environment
Analysis as a service
What does a forensics environment look like?
• Derived from a standard EC2 image.
• Hardened to an appropriate baseline.
• A throw-away environment that includes tooling to analyze:
• Services: any events that could affect your account.
• Infrastructure: network traffic, OS-related data (disk, memory, etc.).
• Application data: code deployed to Lambda, API Gateway, CloudFront, etc.
• Updated regularly and validated against your current environment.
• Deployed “close” to the affected resources to perform forensics.
Types of evidence (each is gathered either instance-based or API-based):
• CloudTrail
• Syslog files
• Instance metadata
• Disk snapshot
• Memory sample
Additional evidence ( sometimes missed )
• Amazon S3 object logs
• API Gateway logs
• CloudFront logs
• Docker container logs
Tenets of a good forensic tool
• Does not give an attacker more privilege during acquisition.
• Performs each action on an instance only once.
• When the environment is mutated (e.g., attaching a security group) keeps an
audit log of the state before and after.
• Alters the instance in the most minimal way possible.
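The isolation snippet and the "additional considerations" above, combined with these tenets, describe one procedure: preserve first, make sure the instance cannot be auto-terminated, then mutate it while recording state before and after, and never repeat the mutation. The following is an added example written for this deck; it is not code from the talk, from ssm_acquire or from aws_ir. It takes any object exposing the boto3 EC2 client methods it calls (`describe_instances`, `modify_instance_attribute`), so in production you would pass `boto3.client('ec2')`; the `FakeEC2` class, the instance and security group ids, and the `web-asg` group name are constructed so that it runs offline.

```python
"""Added example; not code from the talk, ssm_acquire or aws_ir.

Isolation step written against the tenets above: it records the security
groups before and after the change (an audit record for the custody chain),
refuses to run on an instance still attached to an Auto Scaling group, and
does nothing on a second run. `ec2` is any object with the boto3 EC2 client
methods used here; pass boto3.client('ec2') in production. FakeEC2 and every
id below are constructed so the example runs offline."""
import json
from datetime import datetime, timezone

ASG_TAG = "aws:autoscaling:groupName"  # tag EC2 Auto Scaling sets on its instances


def _groups(ec2, instance_id):
    """Return (sorted security group ids, tags) for one instance."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    return sorted(g["GroupId"] for g in inst["SecurityGroups"]), inst.get("Tags", [])


def isolate_instance(ec2, instance_id, isolation_sg_id, audit_log):
    """Replace the instance's security groups with the isolation group.

    Appends a before/after record to audit_log and returns it. Raises if the
    instance still belongs to an Auto Scaling group, because a failed health
    check after isolation could otherwise terminate the evidence."""
    before, tags = _groups(ec2, instance_id)
    asg = next((t["Value"] for t in tags if t["Key"] == ASG_TAG), None)
    if asg is not None:
        raise RuntimeError("{} is still in Auto Scaling group {}; detach it before isolating"
                           .format(instance_id, asg))

    record = {
        "action": "isolate",
        "instance_id": instance_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "before": before,
    }
    if before == [isolation_sg_id]:
        # Already isolated: perform the action only once.
        record["after"] = before
        record["changed"] = False
    else:
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])
        record["after"], _ = _groups(ec2, instance_id)  # read back, do not assume
        record["changed"] = True
    audit_log.append(record)
    return record


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') holding one instance."""

    def __init__(self, instance_id, group_ids, tags=()):
        self.groups = {instance_id: list(group_ids)}
        self.tags = {instance_id: list(tags)}
        self.mutations = 0

    def describe_instances(self, InstanceIds):
        iid = InstanceIds[0]
        return {"Reservations": [{"Instances": [{
            "InstanceId": iid,
            "SecurityGroups": [{"GroupId": g, "GroupName": g} for g in self.groups[iid]],
            "Tags": self.tags[iid],
        }]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.mutations += 1
        self.groups[InstanceId] = list(Groups)
        return {}


def demo():
    """Isolate a constructed instance twice; returns both records, the number
    of mutating API calls made, and the audit log."""
    iid = "i-0123456789abcdef0"  # constructed placeholder
    ec2 = FakeEC2(iid, ["sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002"])
    log = []
    first = isolate_instance(ec2, iid, "sg-0isolation0000000", log)
    second = isolate_instance(ec2, iid, "sg-0isolation0000000", log)
    return first, second, ec2.mutations, log


def demo_in_asg():
    """Constructed instance still tagged by Auto Scaling: isolation must refuse
    and leave the instance untouched."""
    iid = "i-0fedcba9876543210"
    ec2 = FakeEC2(iid, ["sg-0a1b2c3d4e5f60001"], [{"Key": ASG_TAG, "Value": "web-asg"}])
    try:
        isolate_instance(ec2, iid, "sg-0isolation0000000", [])
    except RuntimeError:
        return ec2.mutations == 0
    return False


if __name__ == "__main__":
    print(json.dumps(demo()[3], indent=2))
    print("refused while in ASG:", demo_in_asg())
```

The second call returns `changed: False` without touching the API, which is what "performs each action only once" looks like when a runbook step is retried; the audit records are what you would ship to the asset store alongside the evidence.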
All about SSM Acquire
What is SSM Acquire?
SSM Acquire is a forensics tool that capitalizes on AWS Systems Manager in order to gather volatile data for use in triage, forensics, and other applications.
SSM Acquire turns intent into code with an easy-to-use YAML-based system for driving preservation of incident data prior to isolation or destructive operations.
Where is ssm_acquire:
https://github.com/mozilla/ssm_acquire
SSM Acquire: How does it work?
[Architecture diagram; the only label that survives here is CloudWatch.]
Live demo and artifact inspection
What did we just do?
Received an alert → Ran SSM_Acquire → Preserved a memory sample → Built a Rekall profile → Analysis
Analysis plugins: Netstat, ProcessList, YaraScan, pidhashtable
How did we embody the tenets of a good tool?
# Template a limited access IAM policy for assumeRole
import json
import logging

logger = logging.getLogger(__name__)

# get_config(), load_policy() and generate_arn_for_instance() are ssm_acquire's
# own helpers (settings loader, YAML policy template loader and instance ARN
# builder); they are defined elsewhere in the project, not on this slide.


def get_limited_policy(region, instance_id):
    config = get_config()
    policy_template = load_policy()
    instance_arn = generate_arn_for_instance(region, instance_id)
    s3_bucket = config('asset_bucket', namespace='ssm_acquire')
    for permission in policy_template['PolicyDocument']['Statement']:
        if permission['Action'][0] == 's3:PutObject':
            # STMT1: object access only under this instance's prefix in the asset bucket
            s3_arn = 'arn:aws:s3:::{}/{}'.format(s3_bucket, instance_id)
            s3_keys = 'arn:aws:s3:::{}/{}/*'.format(s3_bucket, instance_id)
            record_index = policy_template['PolicyDocument']['Statement'].index(permission)
            policy_template['PolicyDocument']['Statement'][record_index]['Resource'][0] = s3_arn
            policy_template['PolicyDocument']['Statement'][record_index]['Resource'][1] = s3_keys
        elif permission['Action'][0].startswith('ssm:Send'):
            # STMT3: SendCommand only against the instance under investigation
            record_index = policy_template['PolicyDocument']['Statement'].index(permission)
            policy_template['PolicyDocument']['Statement'][record_index]['Resource'][1] = instance_arn
        elif permission['Sid'] == 'STMT4':
            # STMT4: ListBucket on the asset bucket itself
            s3_arn = 'arn:aws:s3:::{}'.format(s3_bucket)
            s3_keys = 'arn:aws:s3:::{}/*'.format(s3_bucket)
            record_index = policy_template['PolicyDocument']['Statement'].index(permission)
            policy_template['PolicyDocument']['Statement'][record_index]['Resource'][0] = s3_arn
            policy_template['PolicyDocument']['Statement'][record_index]['Resource'][1] = s3_keys
    statements = json.dumps(policy_template['PolicyDocument'])
    logger.info('Limited scope role generated for assumeRole: {}'.format(statements))
    return statements
PolicyDocument:
  Version: "2012-10-17"
  Statement:
    -
      Sid: "STMT1"
      Effect: "Allow"
      Action:
        - "s3:PutObject"
        - "s3:GetObject"
        - "s3:ListObjects"
      Resource:
        - None
        - None
    -
      Sid: "STMT2"
      Effect: "Allow"
      Action:
        - "ssm:ListDocuments"
        - "ssm:ListDocumentsVersions"
        - "ssm:DescribeDocument"
        - "ssm:GetDocument"
        - "ssm:DescribeInstanceInformation"
        - "ssm:DescribeDocumentParameters"
        - "ssm:DescribeInstanceProperties"
        - "ssm:GetCommandInvocation"
      Resource: '*'
Resultant policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "STMT1",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:ListObjects"],
      "Resource": [
        "arn:aws:s3:::ssmacquireroles-assetbucket-wuno61xfxj4k/i-02b11a4e45295e95c",
        "arn:aws:s3:::ssmacquireroles-assetbucket-wuno61xfxj4k/i-02b11a4e45295e95c/*"
      ]
    },
    {
      "Sid": "STMT2",
      "Effect": "Allow",
      "Action": [
        "ssm:ListDocuments", "ssm:ListDocumentsVersions", "ssm:DescribeDocument", "ssm:GetDocument",
        "ssm:DescribeInstanceInformation", "ssm:DescribeDocumentParameters",
        "ssm:DescribeInstanceProperties", "ssm:GetCommandInvocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "STMT3",
      "Effect": "Allow",
      "Action": ["ssm:SendCommand", "ec2:DescribeInstanceStatus"],
      "Resource": ["arn:aws:ssm:*:*:document/*", "arn:aws:ec2:*:*:instance/i-02b11a4e45295e95c"]
    },
    {
      "Sid": "STMT4",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::ssmacquireroles-assetbucket-wuno61xfxj4k",
        "arn:aws:s3:::ssmacquireroles-assetbucket-wuno61xfxj4k/*"
      ]
    }
  ]
}
The result
• A time-limited, scoped token that can only runCommand on the instance in question and putObject to the asset store.
• The asset store in Amazon S3 has bucket versioning enabled.
• If an attacker exfiltrates the credential, the blast radius is limited to uploading versions of assets and SSM runCommand on the instance they already gained access to.
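Before the scoped policy is passed as a session policy to AssumeRole, a practitioner would want an automated check that the templating actually narrowed it (a template whose `Resource` placeholders were never filled in would otherwise sail through) and that it fits the STS limits. The following is an added example for this deck, not code from the talk or from ssm_acquire; `BUCKET`, `INSTANCE_ID`, the role ARN and the two sample policies are constructed placeholders shaped like the STMT1 and STMT3 statements above, and the 2048-character plaintext limit and the 900 to 43200 second DurationSeconds range are STS AssumeRole limits.

```python
"""Added example; not code from the talk or from ssm_acquire.

Two checks to run on the scoped policy before it goes to sts.assume_role:
(1) no Allow statement grants a mutating action (s3:PutObject, ssm:SendCommand)
on anything but the target instance or the asset bucket, and (2) the policy
fits STS limits (plaintext at most 2048 characters, DurationSeconds between
900 and 43200). BUCKET, INSTANCE_ID and the policies below are constructed
placeholders shaped like the slide's STMT1 and STMT3."""
import json

MUTATING_ACTIONS = {"s3:PutObject", "ssm:SendCommand"}
BUCKET = "example-asset-bucket"          # constructed placeholder
INSTANCE_ID = "i-0123456789abcdef0"      # constructed placeholder
INSTANCE_ARN = "arn:aws:ec2:*:*:instance/" + INSTANCE_ID


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_is_scoped(resource, instance_arn, bucket):
    """True if the resource is the target instance, the asset bucket (or a key
    under it), or the SSM document ARN that SendCommand needs next to the
    instance ARN, as in STMT3 on the slide."""
    if resource == instance_arn:
        return True
    if resource == "arn:aws:s3:::" + bucket or resource.startswith("arn:aws:s3:::" + bucket + "/"):
        return True
    return resource.startswith("arn:aws:ssm:") and ":document/" in resource


def overbroad_statements(policy, instance_arn, bucket):
    """Return the Sids of Allow statements that grant a mutating action on a
    resource outside the intended scope ('*' included)."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not MUTATING_ACTIONS.intersection(_as_list(stmt.get("Action", []))):
            continue
        for resource in _as_list(stmt.get("Resource", "*")):
            if not _resource_is_scoped(resource, instance_arn, bucket):
                bad.append(stmt.get("Sid", "<no Sid>"))
                break
    return bad


def assume_role_request(role_arn, session_name, policy, duration_seconds=900):
    """Build the kwargs for boto3's sts.assume_role. A session policy can only
    narrow the role's own permissions, which is what makes the token scoped."""
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > 2048:
        raise ValueError("session policy plaintext is {} chars, STS allows 2048".format(len(text)))
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "Policy": text, "DurationSeconds": duration_seconds}


def scoped_policy():
    """Constructed policy with the shape of STMT1 and STMT3 on the slide."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "STMT1", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::{}/{}".format(BUCKET, INSTANCE_ID),
                      "arn:aws:s3:::{}/{}/*".format(BUCKET, INSTANCE_ID)]},
        {"Sid": "STMT3", "Effect": "Allow",
         "Action": ["ssm:SendCommand", "ec2:DescribeInstanceStatus"],
         "Resource": ["arn:aws:ssm:*:*:document/*", INSTANCE_ARN]},
    ]}


def unscoped_policy():
    """The same statements with Resource left as '*', i.e. what a template
    that was never filled in would look like."""
    policy = scoped_policy()
    for stmt in policy["Statement"]:
        stmt["Resource"] = "*"
    return policy


def wrong_bucket_policy():
    """STMT1 pointing at a neighbouring bucket with a similar name."""
    policy = scoped_policy()
    policy["Statement"][0]["Resource"] = ["arn:aws:s3:::{}2/*".format(BUCKET)]
    return policy


if __name__ == "__main__":
    print("scoped:      ", overbroad_statements(scoped_policy(), INSTANCE_ARN, BUCKET))
    print("unscoped:    ", overbroad_statements(unscoped_policy(), INSTANCE_ARN, BUCKET))
    print("wrong bucket:", overbroad_statements(wrong_bucket_policy(), INSTANCE_ARN, BUCKET))
```

Run `overbroad_statements` on the JSON string `get_limited_policy` returns (after `json.loads`) and refuse to call AssumeRole if the list is non-empty; that turns the "does not give an attacker more privilege during acquisition" tenet into a test that runs on every acquisition.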
Where do I begin?
At this stage:
● You’ve acknowledged that being able to perform forensics provides value.
● You understand the pre-work of reaching isolation / containment.
● You have a firm grasp of what evidence preservation and chain of custody or audit logs look like.
What’s next?
● Start writing runbooks for potential incidents.
Why runbooks?
● Runbooks ensure reliable / consistent process when you most need it
● Runbooks provide a baseline for iteration and continuous improvement
A starting point
If you have ever wondered what kind of security incidents you could have in AWS, Amazon GuardDuty is an excellent starting point. The Generate Sample Findings feature will populate the console with every type of finding GuardDuty knows how to detect. You can then decide which are relevant to you and write a runbook for each type of finding.
Anatomy of a runbook
Purpose
Title: The title of your runbook.
CreateDate: When was this written?
Owner: Who owns the process?
Objective: What does the process seek to achieve?
Scope: What does the runbook apply to? (People, process, technology)
Methodology: What are our IOCs? Who should be notified? What is the kill chain?
Sample runbook: Backdoor:EC2/Spambot
Purpose
Title: Unusual Behavior Detected on Port 25
CreateDate: 11-20-18
Owner: John Smith
Objective: Determine if the instance is sending out spam. Mitigate, preserve evidence, inform stakeholders.
Scope: Compromised EC2 instances.
Methodology: (continued next slide)
Methodology : automate what is possible
Humans are awesome…
unless you want consistent results - Henrik
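The deck's tool list pairs CloudWatch Events with Lambda, and the runbook slides say to write one runbook per GuardDuty finding type and automate what you can. The following is an added example of that glue, written for this deck and not code from the talk, ssm_acquire or any AWS sample: a Lambda-style handler that takes a GuardDuty finding delivered as a CloudWatch Event, checks that the matching runbook carries every field from the "Anatomy of a runbook" slide, and returns the methodology steps to run. The runbook registry, the step names, the sample event and the instance id are constructed; the event shape (`source` of `aws.guardduty`, `detail.type`, `detail.severity`, `detail.resource.instanceDetails.instanceId`) follows the GuardDuty finding event. It goes slightly beyond the slide by letting a glob such as `Backdoor:EC2/*` serve as a fallback runbook for a whole finding family.

```python
"""Added example; not code from the talk, ssm_acquire or AWS.

Maps a GuardDuty finding (delivered as a CloudWatch Event to a Lambda) to the
runbook written for that finding type. Runbooks, step names, the sample event
and the instance id are constructed; the event layout follows the GuardDuty
finding event (source aws.guardduty, detail.type, detail.severity,
detail.resource.instanceDetails.instanceId)."""
from fnmatch import fnmatchcase

# Fields from the 'Anatomy of a runbook' slide; every runbook must carry them.
REQUIRED_FIELDS = ("Title", "CreateDate", "Owner", "Objective", "Scope", "Methodology")

# Constructed registry: finding type (exact, or a glob for a family) -> runbook.
# Methodology is the ordered list of automated steps; evidence is preserved
# before isolation, as the 'Additional considerations' slide requires.
RUNBOOKS = {
    "Backdoor:EC2/Spambot": {
        "Title": "Unusual Behavior Detected on Port 25",
        "CreateDate": "11-20-18",
        "Owner": "John Smith",
        "Objective": "Determine if the instance is sending out spam. "
                     "Mitigate, preserve evidence, inform stakeholders.",
        "Scope": "Compromised EC2 instances.",
        "Methodology": ["preserve_evidence", "isolate_instance", "notify_stakeholders"],
    },
    "Backdoor:EC2/*": {
        "Title": "Generic EC2 backdoor finding",
        "CreateDate": "11-20-18",
        "Owner": "John Smith",
        "Objective": "Triage the instance and decide whether a dedicated runbook is needed.",
        "Scope": "Compromised EC2 instances.",
        "Methodology": ["preserve_evidence", "isolate_instance"],
    },
}


def validate_runbook(runbook):
    """Raise ValueError if any required field is missing or empty."""
    missing = [f for f in REQUIRED_FIELDS if not runbook.get(f)]
    if missing:
        raise ValueError("runbook missing required fields: {}".format(", ".join(missing)))
    return True


def select_runbook(finding_type, registry=RUNBOOKS):
    """Exact match first, then the longest (most specific) matching glob."""
    if finding_type in registry:
        return registry[finding_type]
    candidates = [key for key in registry if fnmatchcase(finding_type, key)]
    if not candidates:
        return None
    return registry[max(candidates, key=len)]


def handler(event, context=None):
    """Lambda entry point: returns the plan for the finding, or why it was skipped."""
    if event.get("source") != "aws.guardduty":
        return {"handled": False, "reason": "not a GuardDuty event"}
    detail = event["detail"]
    finding_type = detail["type"]
    runbook = select_runbook(finding_type)
    if runbook is None:
        return {"handled": False, "reason": "no runbook for " + finding_type,
                "finding_type": finding_type}
    validate_runbook(runbook)
    instance_id = detail.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    return {
        "handled": True,
        "finding_type": finding_type,
        "severity": detail.get("severity"),
        "instance_id": instance_id,
        "runbook": runbook["Title"],
        "steps": list(runbook["Methodology"]),
    }


SAMPLE_EVENT = {  # constructed; ids and region are placeholders
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-west-2",
    "detail": {
        "type": "Backdoor:EC2/Spambot",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Feeding the "Generate Sample Findings" output through `handler` is a cheap way to find which finding types still return `handled: False`, which is exactly the list of runbooks left to write.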
Thank you!
Henrik Johansson
@henrikjay - twitter
henrikj@amazon.com
Andrew Krug
@andrewkrug - twitter
akrug@mozilla.com
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) - AWS re:Invent 2018

  • 8. Cloud is a big place
    At the time of writing there are:
    ● 110 distinct AWS services available in botocore.
    ● 15 distinct regions in addition to AWS GovCloud.
  • 9. Sometimes innovation outpaces tooling
    ● New security features / tooling can render analysis tools obsolete.
    ● Community supported tools don’t always move at the same pace.
  • 10. Preparation is key
  • 11. [Diagram: the phases Pre-forensics, Detection and analysis, and Containment and recovery each produce Evidence, and all evidence feeds a custody chain with entries such as “who did x at 0:00GMT” and “checked out file x at 0:00GMT”.]
  • 12. Some tools for detection
    • Amazon GuardDuty
    • AWS Trusted Advisor
    • Your SIEM using threat intelligence
    • AWS CloudTrail anomalies
    • Billing alarms
    • AWS outreach
    • Ad-hoc contact
  • 13. Plenty of isolation code out there
    #!/bin/bash
    # Allow SSH into the isolation group only from the responder's address.
    aws ec2 authorize-security-group-ingress --group-name isolation-sg --protocol tcp --port 22 --cidr YOUR.IP.ADDRESS.HERE/32
    # Remove the rule that allows all outbound traffic.
    aws ec2 revoke-security-group-egress --group-id sg-BLOCK-ID --protocol '-1' --port all --cidr '0.0.0.0/0'
  • 14. Additional considerations
    ● Prior to isolation, ensure that evidence is preserved.
    ● You may need to do additional work, such as deregistering the instance from autoscale groups, to prevent accidental termination.
  • 15. Forensics in AWS: Why do you need it?
    ● Compliance
      ○ PCI, GDPR, ISO27001
        ■ You need to have an incident plan in place.
    ● Alignment
      ○ AWS shared security model
    ● Your customers
      ○ Protect them from:
        ■ The obvious
        ■ Internally known risk
        ■ Blind spots
        ■ and the unknown
        ■ Trust
  • 16.
  • 17. Tools
    ● AWS services
      ○ Amazon CloudWatch Events
      ○ AWS Lambda functions
      ○ AWS Step Functions
      ○ EC2 API
      ○ AWS CLI
      ○ Amazon Athena
    ● Community provided tooling
      ○ Rekall framework / Volatility framework
      ○ ssm_acquire (new) - Released at re:Invent 2018
      ○ AWS_IR
      ○ MargaritaShotgun
    ( Links on final slides for these )
  • 18. Your on the fly forensics environment: Analysis as a service
  • 19. What does a forensics environment look like?
    • Derived from a standard EC2 image.
    • Hardened to an appropriate baseline.
    • Throw-away environment that includes tooling to analyze:
      • Services: any events that could affect your account.
      • Infrastructure: network traffic, OS related data (disk, memory, etc.).
      • Application data: code deployed to Lambda, API Gateway, CloudFront, etc.
    • Updated regularly and validated against your current environment.
    • Deployed “close” to the affected resources to perform forensics.
  • 20. Types of evidence (each classified in the original table as Instance-based or API-based):
    CloudTrail, Syslog files, Instance metadata, Disk snapshot, Memory sample
  • 21. Additional evidence (sometimes missed)
    • Amazon S3 object logs
    • API Gateway logs
    • CloudFront logs
    • Docker container logs
  • 22. Tenets of a good forensic tool
    • Does not give an attacker more privilege during acquisition.
    • Performs each action on an instance only once.
    • When the environment is mutated (e.g. a security group is attached), keeps an audit log of the state before and after.
    • Alters the instance in the most minimal way possible.
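The second and third tenets above (act once, and keep a before/after audit log of every mutation) can be enforced inside the tool itself. The following is an added example, not code from ssm_acquire or from the talk: a hash-chained custody log in Python, where the actor, instance ID and security-group names are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class CustodyLog:
    """Append-only, hash-chained record of who changed what, when, and the state before/after."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, in canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def already_done(self, action, resource):
        """True if this action was already recorded for this resource (act-once tenet)."""
        return any(e["action"] == action and e["resource"] == resource for e in self.entries)

    def record(self, actor, action, resource, before, after, when=None):
        """Append one mutation and return its hash; `when` defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "timestamp": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor,
            "action": action,
            "resource": resource,
            "before": before,
            "after": after,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """(True, n) if all n entries chain correctly, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def isolate_with_audit(log, actor, instance_id, current_sgs, isolation_sg):
    """Record the security-group swap used for isolation; skipped if already recorded.
    Only the audit trail is shown; the ModifyInstanceAttribute call is left to the caller."""
    if log.already_done("isolate", instance_id):
        return False
    log.record(actor, "isolate", instance_id,
               before={"SecurityGroups": current_sgs},
               after={"SecurityGroups": [isolation_sg]})
    return True


if __name__ == "__main__":  # constructed sample: isolate once, then retry
    log = CustodyLog()
    print(isolate_with_audit(log, "responder@example.com", "i-0123456789abcdef0", ["sg-app"], "sg-isolation"))  # True
    print(isolate_with_audit(log, "responder@example.com", "i-0123456789abcdef0", ["sg-app"], "sg-isolation"))  # False
    print(log.verify())  # (True, 1)
```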
  • 23.
  • 24. All about SSM Acquire
    What is SSM Acquire?
    SSM Acquire is a forensics tool that capitalizes on AWS Systems Manager in order to gather volatile data for use in triage, forensics, and other applications. SSM Acquire turns intent into code with an easy-to-use YAML-based system for driving preservation of incident data prior to isolation or destructive operations.
    Where is ssm_acquire: https://github.com/mozilla/ssm_acquire
  • 25. SSM Acquire: How does it work? [Architecture diagram; only the CloudWatch label survived extraction.]
  • 26. Live demo and artifact inspection
  • 27. What did we just do?
    Received an alert → Ran SSM_Acquire → Preserved a memory sample → Built a Rekall profile → Analysis (Netstat, ProcessList, YaraScan, pidhashtable)
  • 28. How did we embody the tenets of a good tool?
    import json
    import logging

    logger = logging.getLogger(__name__)
    # get_config, load_policy and generate_arn_for_instance are ssm_acquire's own helpers.


    # Template a limited access IAM policy for assumeRole
    def get_limited_policy(region, instance_id):
        config = get_config()
        policy_template = load_policy()
        instance_arn = generate_arn_for_instance(region, instance_id)
        s3_bucket = config('asset_bucket', namespace='ssm_acquire')
        for permission in policy_template['PolicyDocument']['Statement']:
            if permission['Action'][0] == 's3:PutObject':
                # STMT1: object access only under this instance's prefix in the asset bucket.
                s3_arn = 'arn:aws:s3:::{}/{}'.format(s3_bucket, instance_id)
                s3_keys = 'arn:aws:s3:::{}/{}/*'.format(s3_bucket, instance_id)
                record_index = policy_template['PolicyDocument']['Statement'].index(permission)
                policy_template['PolicyDocument']['Statement'][record_index]['Resource'][0] = s3_arn
                policy_template['PolicyDocument']['Statement'][record_index]['Resource'][1] = s3_keys
            elif permission['Action'][0].startswith('ssm:Send'):
                # STMT3: SendCommand only against this one instance.
                record_index = policy_template['PolicyDocument']['Statement'].index(permission)
                policy_template['PolicyDocument']['Statement'][record_index]['Resource'][1] = instance_arn
            elif permission['Sid'] == 'STMT4':
                # STMT4: ListBucket on the asset bucket itself.
                s3_arn = 'arn:aws:s3:::{}'.format(s3_bucket)
                s3_keys = 'arn:aws:s3:::{}/*'.format(s3_bucket)
                record_index = policy_template['PolicyDocument']['Statement'].index(permission)
                policy_template['PolicyDocument']['Statement'][record_index]['Resource'][0] = s3_arn
                policy_template['PolicyDocument']['Statement'][record_index]['Resource'][1] = s3_keys
        statements = json.dumps(policy_template['PolicyDocument'])
        logger.info('Limited scope role generated for assumeRole: {}'.format(statements))
        return statements

    The YAML policy template (the None resources are filled in by the code above; the slide shows only the first two statements):
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: "STMT1"
          Effect: "Allow"
          Action:
            - "s3:PutObject"
            - "s3:GetObject"
            - "s3:ListObjects"
          Resource:
            - None
            - None
        - Sid: "STMT2"
          Effect: "Allow"
          Action:
            - "ssm:ListDocuments"
            - "ssm:ListDocumentsVersions"
            - "ssm:DescribeDocument"
            - "ssm:GetDocument"
            - "ssm:DescribeInstanceInformation"
            - "ssm:DescribeDocumentParameters"
            - "ssm:DescribeInstanceProperties"
            - "ssm:GetCommandInvocation"
          Resource: '*'
  • 29. Resultant policy
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "STMT1",
          "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:GetObject", "s3:ListObjects"],
          "Resource": [
            "arn:aws:s3:::ssmacquireroles-assetbucket-wuno61xfxj4k/i-02b11a4e45295e95c",
            "arn:aws:s3:::ssmacquireroles-assetbucket-wuno61xfxj4k/i-02b11a4e45295e95c/*"
          ]
        },
        {
          "Sid": "STMT2",
          "Effect": "Allow",
          "Action": [
            "ssm:ListDocuments",
            "ssm:ListDocumentsVersions",
            "ssm:DescribeDocument",
            "ssm:GetDocument",
            "ssm:DescribeInstanceInformation",
            "ssm:DescribeDocumentParameters",
            "ssm:DescribeInstanceProperties",
            "ssm:GetCommandInvocation"
          ],
          "Resource": "*"
        },
        {
          "Sid": "STMT3",
          "Effect": "Allow",
          "Action": ["ssm:SendCommand", "ec2:DescribeInstanceStatus"],
          "Resource": [
            "arn:aws:ssm:*:*:document/*",
            "arn:aws:ec2:*:*:instance/i-02b11a4e45295e95c"
          ]
        },
        {
          "Sid": "STMT4",
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": [
            "arn:aws:s3:::ssmacquireroles-assetbucket-wuno61xfxj4k",
            "arn:aws:s3:::ssmacquireroles-assetbucket-wuno61xfxj4k/*"
          ]
        }
      ]
    }
  • 30. The result
    • A time-limited scoped token that can only runCommand on the instance in question and putObject to the asset store.
    • The asset store in Amazon S3 has bucket versioning enabled.
    • If an attacker exfiltrates the credential, the blast radius is limited to uploading versions of assets and SSM runCommand on the instance they already gained access to.
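Whether the generated policy really limits the blast radius as claimed above can be checked mechanically before the role is assumed. The following is an added example, not ssm_acquire's code: it rebuilds a policy in the STMT1..STMT4 layout for placeholder bucket, region and account values, then scans it for write actions that reach beyond the one instance and its own S3 prefix.

```python
import re

# Actions that mutate the target instance or the evidence store; never acceptable on "*".
WRITE_ACTIONS = {"ssm:SendCommand", "s3:PutObject", "s3:DeleteObject"}


def build_scoped_policy(bucket, region, account, instance_id):
    """Per-instance acquisition policy in the STMT1..STMT4 layout shown on the slides.
    bucket, region and account are caller-supplied placeholders."""
    instance_arn = f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "STMT1", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/{instance_id}",
                          f"arn:aws:s3:::{bucket}/{instance_id}/*"]},
            {"Sid": "STMT2", "Effect": "Allow",
             "Action": ["ssm:DescribeInstanceInformation", "ssm:GetCommandInvocation"],
             "Resource": "*"},
            {"Sid": "STMT3", "Effect": "Allow",
             "Action": ["ssm:SendCommand", "ec2:DescribeInstanceStatus"],
             "Resource": ["arn:aws:ssm:*:*:document/*", instance_arn]},
            {"Sid": "STMT4", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_overbroad_grants(policy, bucket, instance_id):
    """Return (Sid, action, resource) triples for write actions that reach beyond the one
    instance and its own evidence prefix: a bare "*", another instance's ARN, or an S3
    resource outside <bucket>/<instance_id>. An empty list means the blast-radius claim holds."""
    instance_prefix = f"arn:aws:s3:::{bucket}/{instance_id}"
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action not in WRITE_ACTIONS:
                continue
            for res in _as_list(stmt["Resource"]):
                other_instance = re.search(r":instance/(i-[0-9a-f]+)$", res)
                bad = res == "*"
                bad |= bool(other_instance) and other_instance.group(1) != instance_id
                bad |= action.startswith("s3:") and not (
                    res == instance_prefix or res.startswith(instance_prefix + "/"))
                if bad:
                    problems.append((stmt["Sid"], action, res))
    return problems


if __name__ == "__main__":
    # Constructed sample values; real ones come from the tool's config and the alert.
    target = "i-0123456789abcdef0"
    policy = build_scoped_policy("evidence-bucket-PLACEHOLDER", "us-west-2", "123456789012", target)
    print(find_overbroad_grants(policy, "evidence-bucket-PLACEHOLDER", target))  # []
    policy["Statement"][2]["Resource"] = "*"  # a careless edit widening SendCommand
    print(find_overbroad_grants(policy, "evidence-bucket-PLACEHOLDER", target))  # [('STMT3', 'ssm:SendCommand', '*')]
```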
  • 31.
  • 32. Where do I begin?
    At this stage:
    ● You’ve acknowledged that being able to perform forensics provides value.
    ● You understand the pre-work of reaching isolation / containment.
    ● You have a firm grasp of what evidence preservation and chain of custody or audit logs look like.
    What’s next?
    ● Start writing runbooks for potential incidents.
  • 33. Why runbooks?
    ● Runbooks ensure a reliable / consistent process when you most need it.
    ● Runbooks provide a baseline for iteration and continuous improvement.
  • 34. A starting point
    If you have ever wondered what kinds of security incidents you could have, Amazon GuardDuty is an excellent starting point. The Generate Sample Findings feature will populate the console with every type of finding GuardDuty knows how to detect. You can then decide which are relevant to you and write a runbook for each type of finding.
  • 35. Anatomy of a runbook
    Purpose
      Title: The title of your runbook.
      CreateDate: When was this written?
      Owner: Who owns the process?
      Objective: What does the process seek to achieve?
      Scope: What does the runbook apply to (people, process, technology)?
    Methodology
      What are our IOCs? Who should be notified? What is the kill chain?
  • 36. Sample runbook: Backdoor:EC2/Spambot
    Purpose
      Title: Unusual Behavior Detected on Port 25
      CreateDate: 11-20-18
      Owner: John Smith
      Objective: Determine if the instance is sending out spam. Mitigate, preserve evidence, inform stakeholders.
      Scope: Compromised EC2 instances.
    Methodology (continued next slide)
  • 37. Methodology: automate what is possible
    “Humans are awesome… unless you want consistent results” - Henrik
  • 38.
  • 39.
  • 40. Thank you!
    Henrik Johansson - @henrikjay (twitter) - henrikj@amazon.com
    Andrew Krug - @andrewkrug (twitter) - akrug@mozilla.com
  • 41.