SlideShare a Scribd company logo
1 of 61
Download to read offline
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
An open-source adventure
in the cloud, containers,
and incident response
Nathan Case
Security Geek
AWS
S E P 3 1 5
Andrew Krug
Staff Security Engineer
Mozilla
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Additional Facilitators
Gene Wood
Senior Staff Security
Engineer
Mozilla
S E P 3 1 5
Guillaume Destuynder
Senior Staff Security
Engineer
Mozilla
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Related breakouts
Day of Week, Month Day
Session Title
Time – Time | Location
Day of Week, Month Day
Session Title
Time – Time | Location
Day of Week, Month Day
Session Title
Time – Time | Location
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Agenda – 120 minute workshop
Intro / Why OSS? ( 5-minutes )
Anatomy of a Healthy Security Operation ( 5-minutes )
Security Simulation Scenario Review ( 5-minutes )
Explorationand Alert Authoring ( 7-minutes )
Investigation ( 7-minutes )
WorkshopSection 1
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Agenda – 120 minute workshop
Responding to your findings aka Incident Response ( 10-minutes )
WorkshopSection 2
Wrap up / Retrospective ( 2-minutes )
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
A workshop unlike any other
80
40
Hands On Talking
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Workshop Introduction
What are we going to do?
Play through a security simulation in teams of two.
Use tools that Mozilla is releasing to the public in order to detect and respond to threats.
How are we going to do it?
Lecture format followed by open Q&A / Lab Time at intervals.
Ask questions! Everything is in scope so ask! ( You have 4 facilitators )
What are our goals?
Learn to tell stories using a SIEM and your sleuthing skills to get to the truth!
Ultimately try to remove the threat from your environment.
Have an awesome time practicing the act of incident response:
“Doing your best job on your worst day.”
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Why Open Source
Keep the web a global public resource open and accessible to all.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
For us, open means transparent, as in open
source – you're not locked in to what the
original creator did.
And in our case "open" also means distributed
decision making.
Mitchell Baker
Chair, Mozilla
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Different Types of Participation
Contribution is not just CODE!
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
We don't compete on security.
Dan Kaminsky
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
The make of the security team
There's no wrong way to "do security” – except not doing it.
• Embedded security engineers
• Dedicated security operations team
• Distributed security (engineers that also do security)
• ...the model needs to work for your business
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Scope
Focus on the threat management
and incident response
Intelligence gathering
Proactive defense
Incident handling
Tying it all together
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
So what's a SIEM?
SIEM: Security Information Event Management
- Log records (event data)
- Alerts
- Event data correlation
- Incident management
- Reports, dashboards, compliance
- OIC storage (indicatorsof compromise)
Mozilla Enterprise Defense Platform is an open-source SIEM
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Some things you'll want from your SIEM
• Know what you have (instances, accounts, data ==> logs)
• Understand your business (what's most at risk?)
• Be able to respond when there's a problem
• Understand your weaknesses (most common incident type)
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Typical event pipeline
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
A note on Normalized Event Data
Event data comes from various sources in various formats
For alerting and correlation to be as easy and reliable as possible, typical data
fields need to be normalized, e.g.:
details.username: banzai
...
Original event format Normalized event
https://mozdef.readthedocs.io/en/latest/usage.html for details about the Mozilla Enterprise Defense Platform normalized event format
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Typical incident workflow
A few months ago you wrote an alert matching on a Lambda function talking to a
specific set of known-badIP addresses...
1. Identification/ Open incident / Assemble team
2. Containment
3. Eradication
4. Recovery
5. Lesson learned
6. Close the incident
Record all actions as you progress
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Simulation Environment
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Expected IOCs – Use the tools to find them
Excessive Describe for a Production Service
SSH Traffic from the Outside
New S3 bucket suddenly made public
API calls from two or more IPs for the same principle
---------------------------------------------------------------------
We will provide full solutions at the end of the workshop!
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Mozdef Event Structure : Overview
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Mozdef Event Structure : Details
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Why alert?
• You can't respond if you can't detect.
• There are lots of patterns / IOCs
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Alert Type 1: Simple Alerts
Respond to the presence of an event that contains an action.
Example: Someone made a specific api call. `iam:CreateUser`
# How many minutes back in time would you like to search?
search_query = SearchQuery(minutes=15)
# What would you like to search for?
search_query.add_must([
TermMatch('source', 'cloudtrail'),
TermMatch('details.eventname', "CreateUser")
])
self.filtersManual(search_query)
self.searchEventsSimple()
self.walkEvents()
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Alert Type 2: Aggregation Alert
• Respond to the presence of multiple events across a sliding window
• Example: Someone did n of x things over x services in a time series.
# Create a query to look back the last 20 minutes
search_query = SearchQuery(minutes=20)
# Add search terms to our query
search_query.add_must([
TermMatch('source', 'cloudtrail'),
TermMatch('details.eventverb', 'Describe'),
ExistsMatch('details.source')
])
self.filtersManual(search_query)
# We aggregate on details.hostname which is the AWS service name
self.searchEventsAggregated('details.source', samplesLimit=2)
self.walkAggregations(threshold=50)
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Initial Investigation
• Gather data based on the initial indicatoryou received
• IP Address, AWS IAM username, time period, AWS service
• Determine who the responsible actor is
• What IP / IAM User / IAM Role is acting
• Is this benign
• Escalate from Investigation to Incident
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Incident Response with Kibana
• Determine what the attacker has done by tracking their actions in
events
• Identify what actions need to be taken as a result to contain the
breach
• Use data in Kibana to determine the systems that need to be
addressed to eradicate the threat
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
High-Level Playbook
Adversary or intern Your
environment
Lambda
responder
CloudWatch
Events
Step
Function
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Amazon
CloudWatch
AWS
CloudTrail
AWS Config
Lambda
function
AWS APIs
AWS WAF
AWS Shield
Detection
Alerting
Remediation
Countermeasures
Forensics
Team
collaboration
(Slack etc.)
Amazon GuardDuty
VPC Flow Logs
AWS Step functions
Amazon EC2
Systems Manager
Amazon EC2
Responding to Findings: Remediation
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
SSM
AWS Lambda
• Lambda Function:
• Removes instance from current Security
Group(s) and adds to one with all ingress and
egress blocked
• SnapshotsEBS volume(s)
• Alerts Security Team
• SSM Document:
• Forensics can begin
• Network Capture
• Memory Dump
• Process review
• Internal Tools Amazon EC2
Systems Manager
Lambda
Lambda
AWS Step
functions
Responding to Findings: Automation Example
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
• Step Function:
AWS Step Functions lets you coordinate multiple AWS services into
serverless workflows so you can build and update apps quickly. Using Step
Functions, you can design and run workflows that stitch together services
such as AWS Lambda and Amazon ECS into feature-rich applications.
Workflows are made up of a series of steps, with the output of one step
acting as input into the next. Application development is simpler and more
intuitive using Step Functions, because it translates your workflow into a
state machine diagram that is easy to understand, easy to explain to others,
and easy to change. You can monitor each step of execution as it happens,
which means you can identify and fix problems quickly. Step Functions
automatically triggers and tracks each step, and retries when there are
errors, so your application executes in order and as expected.
Responding to Findings: Automation Example
AWS Step functions
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
• Step Function:
AWS Step Functions lets you coordinate multiple AWS services into
serverless workflows so you can build and update apps quickly. Using Step
Functions, you can design and run workflows that stitch together services
such as AWS Lambda and Amazon ECS into feature-rich applications.
Workflows are made up of a series of steps, with the output of one step
acting as input into the next. Application development is simpler and more
intuitive using Step Functions, because it translates your workflow into a
state machine diagram that is easy to understand, easy to explain to others,
and easy to change. You can monitor each step of execution as it happens,
which means you can identify and fix problems quickly. Step Functions
automatically triggers and tracks each step, and retries when there are
errors, so your application executes in order and as expected.
AWS Step functions
Responding to Findings: Automation Example
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
[
{
"schemaVersion": "2.0",
"accountId":”0123456789",
"region": "us-west-2",
"partition": "aws",
"id": ”[GUID]",
"arn": "arn:aws:guardduty:us-west-2:01234567890:detector/[GUID]/finding/[FindingGUID]",
"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
"resource": {
"resourceType": "Instance",
"instanceDetails": {
"instanceId": "i-99999999",
"instanceType": "p2.xlarge",
"launchTime": "2017-12-20T23:46:44Z",
"platform": null,
"productCodes": [
{
"productCodeId": "GeneratedFindingProductCodeId",
"productCodeType": "GeneratedFindingProductCodeType"
}
Finding: [“type”]= “CryptoCurrency:EC2/BitcoinTool.B!DNS”
Instance: [“instanceDetails”][“instanceId”]= “i-99999999”
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDutyunder this mean that we havean account or machine that has been compromised.
This findinginforms you that an EC2 instance in your AWS environment is queryinga domain name that is associated with Bitcoin-related activity.Bitcoin is a worldwide
cryptocurrencyand digital payment system.Besides beingcreated as a reward for Bitcoin mining,bitcoin can be exchanged for other currencies, products,and services.
Unless you use this EC2 instance to mine or manage cryptocurrencyor yourEC2 instance is involved in blockchain activity,your EC2instance might be compromised.
Data to gather for troubleshooting
Account User ID, Role or Profile that was accessed
Instance ID , Subnet ID, VPC ID
Connectivityto other systems
Review of CloudTrail and VPC Flows to and around the specified instance.
Steps to troubleshoot and fix
1.NotifyIR Team On call.
2.Run Automate instance quarantine
3.Role credentials associatedwith the aboveidentity
4.Snapshot instance and VPC Flow logs to forensics account
5.Validate that newASG created instance is working correctly
Urgencycategory
Critical
Escalation path:
Unable to fix, escalate to these individuals or groups in this order:
1.Someone, email and phone number
2.Someone Else, email phone number
3.DistributionList
4.…
5.…
Finding: [“type”]= “CryptoCurrency:EC2/BitcoinTool.B!DNS”
Instance: [“instanceDetails”][“instanceId”]= “i-99999999”
Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we have an account or machine that has been compromised.
This finding informs you that an EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system.
Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you use this EC2 instance to mine or manage cryptocurrency or your EC2 instance is
involved in blockchain activity, your EC2 instance might be compromised.
Data to gather for troubleshooting
Account User ID, Role or Profile that was accessed
Instance ID , Subnet ID, VPC ID
Connectivity to other systems
Review of CloudTrail and VPC Flows to and around the specified instance.
Steps to troubleshoot and fix
1.Notify IR TeamOn call.
2.Run Automate instance quarantine
3.Role credentials associated with the above identity
4.Snapshot instance and VPC Flow logs to forensics account
5.Validate that new ASG created instance is working correctly
Urgency category
Critical
Escalation path:
Unable to fix, escalate to these individuals or groups in this order:
1.Someone, email and phone number
2.Someone Else, email phone number
3.Distribution List
4.…
5.…
Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
Steps to troubleshoot and fix
1.Notify IR Team On call.
2.Run Automate instance quarantine
3.Role credentials associated with the above identity
4.Snapshot instance and VPC Flow logs to forensics account
5.Validate that new ASG created instance is working correctly
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised.
This finding informs you thatan EC2 instancein your AWS environmentis querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwidecryptocurrency
and digital paymentsystem. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you usethis EC2 instance
to mine or manage cryptocurrency or your EC2 instanceis involved in blockchain activity, your EC2 instance might be compromised.
Data to gather for troubleshooting
AccountUser ID, Roleor Profilethat was accessed
Instance ID , Subnet ID, VPCID
Connectivity to other systems
Review of CloudTrail and VPC Flows to and around the specified instance.
Steps to troubleshoot and fix
1.Notify IRTeam On call.
2.Run Automate instance quarantine
3.Role credentials associated with the aboveidentity
4.Snapshotinstanceand VPC Flow logs to forensics account
5.Validate that new ASG created instanceis working correctly
Urgency category
Critical
Escalation path:
Unable to fix, escalate to these individuals or groups in this order:
1.Someone, email and phone number
2.Someone Else, email phonenumber
3.Distribution List
4.…
5.…
Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
Items to Code:
1. Cloud Watch Filter to trap a finding from GuardDuty, with:
[“type”]= “CryptoCurrency:EC2/BitcoinTool.B!DNS”
2. Step Functions Start
a. SNS Fires to notify Ops of an issue
b. Lambda Function is fired to run SSM
i. Finished and a Lambda Function is fired to
quarantine the instance
c. Lambda Function is fired to Snap Shot the instance
d. Step Function checks responses
3. Lambda is fired to Stop and destroy the instance.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised.
This finding informs you thatan EC2 instancein your AWS environmentis querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwidecryptocurrency
and digital paymentsystem. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you usethis EC2 instance
to mine or manage cryptocurrency or your EC2 instanceis involved in blockchain activity, your EC2 instance might be compromised.
Data to gather for troubleshooting
AccountUser ID, Roleor Profilethat was accessed
Instance ID , Subnet ID, VPCID
Connectivity to other systems
Review of CloudTrail and VPC Flows to and around the specified instance.
Steps to troubleshoot and fix
1.Notify IRTeam On call.
2.Run Automate instance quarantine
3.Role credentials associated with the aboveidentity
4.Snapshotinstanceand VPC Flow logs to forensics account
5.Validate that new ASG created instanceis working correctly
Urgency category
Critical
Escalation path:
Unable to fix, escalate to these individuals or groups in this order:
1.Someone, email and phone number
2.Someone Else, email phonenumber
3.Distribution List
4.…
5.…
Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
Items to Code:
1. Actual Coding to occur later in the talk.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised.
This finding informs you thatan EC2 instancein your AWS environmentis querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwidecryptocurrency
and digital paymentsystem. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you usethis EC2 instance
to mine or manage cryptocurrency or your EC2 instanceis involved in blockchain activity, your EC2 instance might be compromised.
Data to gather for troubleshooting
AccountUser ID, Roleor Profilethat was accessed
Instance ID , Subnet ID, VPCID
Connectivity to other systems
Review of CloudTrail and VPC Flows to and around the specified instance.
Steps to troubleshoot and fix
1.Notify IRTeam On call.
2.Run Automate instance quarantine
3.Role credentials associated with the aboveidentity
4.Snapshotinstanceand VPC Flow logs to forensics account
5.Validate that new ASG created instanceis working correctly
Urgency category
Critical
Escalation path:
Unable to fix, escalate to these individuals or groups in this order:
1.Someone, email and phone number
2.Someone Else, email phonenumber
3.Distribution List
4.…
5.…
Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
Escalation path:
Unable to fix, escalate to these individuals or groups in this order:
1.Someone, email and phone number
2.Someone Else, email phone number
3.Distribution List
4.…
5.…
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised.
John, our lead developer added his AWS Key and Secret key to his most recent git post. This was found by someoneand then sold to a Crypto Mining company in another country. We had
bad threat detection and the account was utilized for a couple of days beforewefound out.
-or-
John had his laptop stolen and didn’t encrypthis hard drive. Because he kept every thing in his local Git Repo his user was compromised.
Postmortem
Utilize good development practices. Adding static variables that contain access keys to a git, causes long term issues for a cloud account.
- Utilize git-secrets
- Attend a workshop at re:invent discussing use of open source dev tools
- Limit blast radius
- Enjoy one of the multi account session at re:Invent
The loss of corporate resources that were unencrypted.
- Encrypt hard Drives going forward
- Limit account activities of humans for threat detection
- Limit account access of people in production and test environments
Postmortem - CryptoCurrency:EC2/BitcoinTool.B!DNS
Members of the Postmortem Team:
Developers
Operations
Security Operations
Management ?
Leadership Level ?
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised.
John, our lead developer added his AWS Key and Secret key to his most recent git post. This was found by someoneand then sold to a Crypto Mining company in another country. We had
bad threat detection and the account was utilized for a couple of days beforewefound out.
-or-
John had his laptop stolen and didn’t encrypthis hard drive. Because he kept every thing in his local Git Repo his user was compromised.
Postmortem
Utilize good development practices. Adding static variables that contain access keys to a git, causes long term issues for a cloud account.
- Utilize git-secrets
- Attend a workshop at re:invent discussing use of open source dev tools
- Limit blast radius
- Enjoy one of the multi account session at re:Invent
The loss of corporate resources that were unencrypted.
- Encrypt hard Drives going forward
- Limit account activities of humans for threat detection
- Limit account access of people in production and test environments
Postmortem - CryptoCurrency:EC2/BitcoinTool.B!DNS
Aws_labs repos.
https://github.com/awslabs
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Retro
How to reach us
Twitter: @andrewkrug @kangsterizer
Email: akrug@mozilla.com gene@mozilla.com kang@mozilla.com
Want to get in the MozDef Beta? - take a quick survey
https://www.surveygizmo.com/s3/5040959/7ef0ac201fb2
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
Gene Wood
Senior Staff Security
Engineer
Mozilla
Guillaume Destuynder
Senior Staff Security
Engineer
Mozilla
Nathan Case
Security Geek
AWS
Andrew Krug
Staff Security Engineer
Mozilla

More Related Content

What's hot

Native cloud security monitoring
Native cloud security monitoringNative cloud security monitoring
Native cloud security monitoringJohn Varghese
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfAmazon Web Services
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityJohn Varghese
 
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)Amazon Web Services
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Amazon Web Services
 
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionA Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionAmazon Web Services
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Teri Radichel
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application securityJohn Varghese
 
Security Operations in the Cloud
Security Operations in the CloudSecurity Operations in the Cloud
Security Operations in the CloudArmor
 
Stop Wasting Your Time: Focus on Security Practices that Actually Matter
Stop Wasting Your Time: Focus on Security Practices that Actually MatterStop Wasting Your Time: Focus on Security Practices that Actually Matter
Stop Wasting Your Time: Focus on Security Practices that Actually MatterAmazon Web Services
 
Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to BuildCloudVillage
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Defcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud EraDefcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud EraNetskope
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesLacework
 
AWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials   challenges in prevention detection mitigationAWS temporary credentials   challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigationJohn Varghese
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWSAmazon Web Services
 

What's hot (20)

Native cloud security monitoring
Native cloud security monitoringNative cloud security monitoring
Native cloud security monitoring
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdf
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
 
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
 
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionA Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application security
 
Security Operations in the Cloud
Security Operations in the CloudSecurity Operations in the Cloud
Security Operations in the Cloud
 
Stop Wasting Your Time: Focus on Security Practices that Actually Matter
Stop Wasting Your Time: Focus on Security Practices that Actually MatterStop Wasting Your Time: Focus on Security Practices that Actually Matter
Stop Wasting Your Time: Focus on Security Practices that Actually Matter
 
Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to Build
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security Ninja
 
Defcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud EraDefcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud Era
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing Kubernetes
 
AWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials   challenges in prevention detection mitigationAWS temporary credentials   challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigation
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWS
 

Similar to MozDef Workshop slide

An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...Amazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 
The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...Amazon Web Services
 
Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...Amazon Web Services
 
Threat Detection using artificial intelligence
Threat Detection using artificial intelligenceThreat Detection using artificial intelligence
Threat Detection using artificial intelligenceAmazon Web Services
 
Continuous security monitoring and threat detection with AWS services - SEC20...
Continuous security monitoring and threat detection with AWS services - SEC20...Continuous security monitoring and threat detection with AWS services - SEC20...
Continuous security monitoring and threat detection with AWS services - SEC20...Amazon Web Services
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Amazon Web Services
 
Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019Amazon Web Services
 
Leadership session: Foundational security - FND313-L - AWS re:Inforce 2019
Leadership session: Foundational security - FND313-L - AWS re:Inforce 2019 Leadership session: Foundational security - FND313-L - AWS re:Inforce 2019
Leadership session: Foundational security - FND313-L - AWS re:Inforce 2019 Amazon Web Services
 
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...Amazon Web Services
 
How Pokémon’s SecOps team enables its business - SDD328 - AWS re:Inforce 2019
How Pokémon’s SecOps team enables its business - SDD328 - AWS re:Inforce 2019 How Pokémon’s SecOps team enables its business - SDD328 - AWS re:Inforce 2019
How Pokémon’s SecOps team enables its business - SDD328 - AWS re:Inforce 2019 Amazon Web Services
 
AI/ML Week: Innovate Digital Content Management
AI/ML Week: Innovate Digital Content ManagementAI/ML Week: Innovate Digital Content Management
AI/ML Week: Innovate Digital Content ManagementAmazon Web Services
 
Using chaos to bring resiliency to your applications
Using chaos to bring resiliency to your applicationsUsing chaos to bring resiliency to your applications
Using chaos to bring resiliency to your applicationsJohn Varghese
 
Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...
Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...
Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...Amazon Web Services
 
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...Amazon Web Services
 
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Amazon Web Services
 
人工智慧雲服務與金融服務應用
人工智慧雲服務與金融服務應用人工智慧雲服務與金融服務應用
人工智慧雲服務與金融服務應用Amazon Web Services
 
Detect Abnormal Device Behavior with AWS IoT Device Defender (IOT313-R3) - AW...
Detect Abnormal Device Behavior with AWS IoT Device Defender (IOT313-R3) - AW...Detect Abnormal Device Behavior with AWS IoT Device Defender (IOT313-R3) - AW...
Detect Abnormal Device Behavior with AWS IoT Device Defender (IOT313-R3) - AW...Amazon Web Services
 
Culture of Innovation at Amazon - AWS Startup Day Johannesburg.pdf
Culture of Innovation at Amazon - AWS Startup Day Johannesburg.pdfCulture of Innovation at Amazon - AWS Startup Day Johannesburg.pdf
Culture of Innovation at Amazon - AWS Startup Day Johannesburg.pdfAmazon Web Services
 
AI/ML Week: Strengthen Cybersecurity
AI/ML Week: Strengthen CybersecurityAI/ML Week: Strengthen Cybersecurity
AI/ML Week: Strengthen CybersecurityAmazon Web Services
 

Similar to MozDef Workshop slide (20)

An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWS
 
The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...
 
Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...Take action on your security & compliance alerts with AWS Security Hub - SEC2...
Take action on your security & compliance alerts with AWS Security Hub - SEC2...
 
Threat Detection using artificial intelligence
Threat Detection using artificial intelligenceThreat Detection using artificial intelligence
Threat Detection using artificial intelligence
 
Continuous security monitoring and threat detection with AWS services - SEC20...
Continuous security monitoring and threat detection with AWS services - SEC20...Continuous security monitoring and threat detection with AWS services - SEC20...
Continuous security monitoring and threat detection with AWS services - SEC20...
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
 
Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019
 
Leadership session: Foundational security - FND313-L - AWS re:Inforce 2019
Leadership session: Foundational security - FND313-L - AWS re:Inforce 2019 Leadership session: Foundational security - FND313-L - AWS re:Inforce 2019
Leadership session: Foundational security - FND313-L - AWS re:Inforce 2019
 
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
 
How Pokémon’s SecOps team enables its business - SDD328 - AWS re:Inforce 2019
How Pokémon’s SecOps team enables its business - SDD328 - AWS re:Inforce 2019 How Pokémon’s SecOps team enables its business - SDD328 - AWS re:Inforce 2019
How Pokémon’s SecOps team enables its business - SDD328 - AWS re:Inforce 2019
 
AI/ML Week: Innovate Digital Content Management
AI/ML Week: Innovate Digital Content ManagementAI/ML Week: Innovate Digital Content Management
AI/ML Week: Innovate Digital Content Management
 
Using chaos to bring resiliency to your applications
Using chaos to bring resiliency to your applicationsUsing chaos to bring resiliency to your applications
Using chaos to bring resiliency to your applications
 
Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...
Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...
Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...
 
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
How to act on security and compliance alerts with AWS Security Hub - SEC202 -...
 
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
 
人工智慧雲服務與金融服務應用
人工智慧雲服務與金融服務應用人工智慧雲服務與金融服務應用
人工智慧雲服務與金融服務應用
 
Detect Abnormal Device Behavior with AWS IoT Device Defender (IOT313-R3) - AW...
Detect Abnormal Device Behavior with AWS IoT Device Defender (IOT313-R3) - AW...Detect Abnormal Device Behavior with AWS IoT Device Defender (IOT313-R3) - AW...
Detect Abnormal Device Behavior with AWS IoT Device Defender (IOT313-R3) - AW...
 
Culture of Innovation at Amazon - AWS Startup Day Johannesburg.pdf
Culture of Innovation at Amazon - AWS Startup Day Johannesburg.pdfCulture of Innovation at Amazon - AWS Startup Day Johannesburg.pdf
Culture of Innovation at Amazon - AWS Startup Day Johannesburg.pdf
 
AI/ML Week: Strengthen Cybersecurity
AI/ML Week: Strengthen CybersecurityAI/ML Week: Strengthen Cybersecurity
AI/ML Week: Strengthen Cybersecurity
 

Recently uploaded

Introduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxIntroduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxmprakaash5
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023Joshua Flannery
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MIRomil Mishra
 
A PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxA PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxatharvdev2010
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionDEEPRAJ PATHAK
 
Bitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactiveBitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactivestartupro
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfwill854175
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationDianaGray10
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationBuild Intuit
 

Recently uploaded (20)

Introduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptxIntroduction-to-Wazuh-and-its-integration.pptx
Introduction-to-Wazuh-and-its-integration.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
THE STATE OF STARTUP ECOSYSTEM - INDIA x JAPAN 2023
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MI
 
A PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxA PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptx
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile Evolution
 
Bitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactiveBitdefender-CSG-Report-creat7534-interactive
Bitdefender-CSG-Report-creat7534-interactive
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Arti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdfArti Languages Pre Seed Pitchdeck 2024.pdf
Arti Languages Pre Seed Pitchdeck 2024.pdf
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automation
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientation
 

MozDef Workshop slide

  • 1.
  • 2. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. An open-source adventure in the cloud, containers, and incident response Nathan Case Security Geek AWS S E P 3 1 5 Andrew Krug Staff Security Engineer Mozilla
  • 3. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Additional Facilitators Gene Wood Senior Staff Security Engineer Mozilla S E P 3 1 5 Guillaume Destuynder Senior Staff Security Engineer Mozilla
  • 4. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Related breakouts Day of Week, Month Day Session Title Time – Time | Location Day of Week, Month Day Session Title Time – Time | Location Day of Week, Month Day Session Title Time – Time | Location
  • 5. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Agenda – 120 minute workshop Intro / Why OSS? ( 5-minutes ) Anatomy of a Healthy Security Operation ( 5-minutes ) Security Simulation Scenario Review ( 5-minutes ) Explorationand Alert Authoring ( 7-minutes ) Investigation ( 7-minutes ) WorkshopSection 1
  • 6. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Agenda – 120 minute workshop Responding to your findings aka Incident Response ( 10-minutes ) WorkshopSection 2 Wrap up / Retrospective ( 2-minutes )
  • 7. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. A workshop unlike any other 80 40 Hands On Talking
  • 8. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 9. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Workshop Introduction What are we going to do? Play through a security simulation in teams of two. Use tools that Mozilla is releasing to the public in order to detect and respond to threats. How are we going to do it? Lecture format followed by open Q&A / Lab Time at intervals. Ask questions! Everything is in scope so ask! ( You have 4 facilitators ) What are our goals? Learn to tell stories using a SIEM and your sleuthing skills to get to the truth! Ultimately try to remove the threat from your environment. Have an awesome time practicing the act of incident response: “Doing your best job on your worst day.”
  • 10. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Why Open Source Keep the web a global public resource open and accessible to all.
  • 11. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. For us, open means transparent, as in open source – you're not locked in to what the original creator did. And in our case "open" also means distributed decision making. Mitchell Baker Chair, Mozilla
  • 12. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Different Types of Participation Contribution is not just CODE!
  • 13. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. We don't compete on security. Dan Kaminsky
  • 14. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 15. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. The make of the security team There's no wrong way to "do security” – except not doing it. • Embedded security engineers • Dedicated security operations team • Distributed security (engineers that also do security) • ...the model needs to work for your business
  • 16. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Scope Focus on the threat management and incident response Intelligence gathering Proactive defense Incident handling Tying it all together
  • 17. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. So what's a SIEM? SIEM: Security Information Event Management - Log records (event data) - Alerts - Event data correlation - Incident management - Reports, dashboards, compliance - OIC storage (indicatorsof compromise) Mozilla Enterprise Defense Platform is an open-source SIEM
  • 18. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Some things you'll want from your SIEM • Know what you have (instances, accounts, data ==> logs) • Understand your business (what's most at risk?) • Be able to respond when there's a problem • Understand your weaknesses (most common incident type)
  • 19. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Typical event pipeline
  • 20. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. A note on Normalized Event Data Event data comes from various sources in various formats For alerting and correlation to be as easy and reliable as possible, typical data fields need to be normalized, e.g.: details.username: banzai ... Original event format Normalized event https://mozdef.readthedocs.io/en/latest/usage.html for details about the Mozilla Enterprise Defense Platform normalized event format
  • 21. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Typical incident workflow A few months ago you wrote an alert matching on a Lambda function talking to a specific set of known-badIP addresses... 1. Identification/ Open incident / Assemble team 2. Containment 3. Eradication 4. Recovery 5. Lesson learned 6. Close the incident Record all actions as you progress
  • 22. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 23. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Simulation Environment
  • 24. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Expected IOCs – Use the tools to find them Excessive Describe for a Production Service SSH Traffic from the Outside New S3 bucket suddenly made public API calls from two or more IPs for the same principle --------------------------------------------------------------------- We will provide full solutions at the end of the workshop!
  • 25. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 26. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 27. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Mozdef Event Structure : Overview
  • 28. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Mozdef Event Structure : Details
  • 29. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 30. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 31. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Why alert? • You can't respond if you can't detect. • There are lots of patterns / IOCs
  • 32. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Alert Type 1: Simple Alerts Respond to the presence of an event that contains an action. Example: Someone made a specific api call. `iam:CreateUser` # How many minutes back in time would you like to search? search_query = SearchQuery(minutes=15) # What would you like to search for? search_query.add_must([ TermMatch('source', 'cloudtrail'), TermMatch('details.eventname', "CreateUser") ]) self.filtersManual(search_query) self.searchEventsSimple() self.walkEvents()
  • 33. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Alert Type 2: Aggregation Alert • Respond to the presence of multiple events across a sliding window • Example: Someone did n of x things over x services in a time series. # Create a query to look back the last 20 minutes search_query = SearchQuery(minutes=20) # Add search terms to our query search_query.add_must([ TermMatch('source', 'cloudtrail'), TermMatch('details.eventverb', 'Describe'), ExistsMatch('details.source') ]) self.filtersManual(search_query) # We aggregate on details.hostname which is the AWS service name self.searchEventsAggregated('details.source', samplesLimit=2) self.walkAggregations(threshold=50)
  • 34. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 35. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 36. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 37. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 38. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 39. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 40. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 41. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Initial Investigation • Gather data based on the initial indicatoryou received • IP Address, AWS IAM username, time period, AWS service • Determine who the responsible actor is • What IP / IAM User / IAM Role is acting • Is this benign • Escalate from Investigation to Incident
  • 42. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 43. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 44. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Incident Response with Kibana • Determine what the attacker has done by tracking their actions in events • Identify what actions need to be taken as a result to contain the breach • Use data in Kibana to determine the systems that need to be addressed to eradicate the threat
  • 45. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 46. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. High-Level Playbook Adversary or intern Your environment Lambda responder CloudWatch Events Step Function
  • 47. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Amazon CloudWatch AWS CloudTrail AWS Config Lambda function AWS APIs AWS WAF AWS Shield Detection Alerting Remediation Countermeasures Forensics Team collaboration (Slack etc.) Amazon GuardDuty VPC Flow Logs AWS Step functions Amazon EC2 Systems Manager Amazon EC2 Responding to Findings: Remediation
  • 48. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. SSM AWS Lambda • Lambda Function: • Removes instance from current Security Group(s) and adds to one with all ingress and egress blocked • SnapshotsEBS volume(s) • Alerts Security Team • SSM Document: • Forensics can begin • Network Capture • Memory Dump • Process review • Internal Tools Amazon EC2 Systems Manager Lambda Lambda AWS Step functions Responding to Findings: Automation Example
  • 49. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. • Step Function: AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Using Step Functions, you can design and run workflows that stitch together services such as AWS Lambda and Amazon ECS into feature-rich applications. Workflows are made up of a series of steps, with the output of one step acting as input into the next. Application development is simpler and more intuitive using Step Functions, because it translates your workflow into a state machine diagram that is easy to understand, easy to explain to others, and easy to change. You can monitor each step of execution as it happens, which means you can identify and fix problems quickly. Step Functions automatically triggers and tracks each step, and retries when there are errors, so your application executes in order and as expected. Responding to Findings: Automation Example AWS Step functions
  • 50. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. • Step Function: AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Using Step Functions, you can design and run workflows that stitch together services such as AWS Lambda and Amazon ECS into feature-rich applications. Workflows are made up of a series of steps, with the output of one step acting as input into the next. Application development is simpler and more intuitive using Step Functions, because it translates your workflow into a state machine diagram that is easy to understand, easy to explain to others, and easy to change. You can monitor each step of execution as it happens, which means you can identify and fix problems quickly. Step Functions automatically triggers and tracks each step, and retries when there are errors, so your application executes in order and as expected. AWS Step functions Responding to Findings: Automation Example
  • 51. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS [ { "schemaVersion": "2.0", "accountId":”0123456789", "region": "us-west-2", "partition": "aws", "id": ”[GUID]", "arn": "arn:aws:guardduty:us-west-2:01234567890:detector/[GUID]/finding/[FindingGUID]", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "resource": { "resourceType": "Instance", "instanceDetails": { "instanceId": "i-99999999", "instanceType": "p2.xlarge", "launchTime": "2017-12-20T23:46:44Z", "platform": null, "productCodes": [ { "productCodeId": "GeneratedFindingProductCodeId", "productCodeType": "GeneratedFindingProductCodeType" } Finding: [“type”]= “CryptoCurrency:EC2/BitcoinTool.B!DNS” Instance: [“instanceDetails”][“instanceId”]= “i-99999999”
  • 52. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Problem description CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDutyunder this mean that we havean account or machine that has been compromised. This findinginforms you that an EC2 instance in your AWS environment is queryinga domain name that is associated with Bitcoin-related activity.Bitcoin is a worldwide cryptocurrencyand digital payment system.Besides beingcreated as a reward for Bitcoin mining,bitcoin can be exchanged for other currencies, products,and services. Unless you use this EC2 instance to mine or manage cryptocurrencyor yourEC2 instance is involved in blockchain activity,your EC2instance might be compromised. Data to gather for troubleshooting Account User ID, Role or Profile that was accessed Instance ID , Subnet ID, VPC ID Connectivityto other systems Review of CloudTrail and VPC Flows to and around the specified instance. Steps to troubleshoot and fix 1.NotifyIR Team On call. 2.Run Automate instance quarantine 3.Role credentials associatedwith the aboveidentity 4.Snapshot instance and VPC Flow logs to forensics account 5.Validate that newASG created instance is working correctly Urgencycategory Critical Escalation path: Unable to fix, escalate to these individuals or groups in this order: 1.Someone, email and phone number 2.Someone Else, email phone number 3.DistributionList 4.… 5.… Finding: [“type”]= “CryptoCurrency:EC2/BitcoinTool.B!DNS” Instance: [“instanceDetails”][“instanceId”]= “i-99999999” Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
  • 53. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Problem description CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we have an account or machine that has been compromised. This finding informs you that an EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you use this EC2 instance to mine or manage cryptocurrency or your EC2 instance is involved in blockchain activity, your EC2 instance might be compromised. Data to gather for troubleshooting Account User ID, Role or Profile that was accessed Instance ID , Subnet ID, VPC ID Connectivity to other systems Review of CloudTrail and VPC Flows to and around the specified instance. Steps to troubleshoot and fix 1.Notify IR TeamOn call. 2.Run Automate instance quarantine 3.Role credentials associated with the above identity 4.Snapshot instance and VPC Flow logs to forensics account 5.Validate that new ASG created instance is working correctly Urgency category Critical Escalation path: Unable to fix, escalate to these individuals or groups in this order: 1.Someone, email and phone number 2.Someone Else, email phone number 3.Distribution List 4.… 5.… Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS Steps to troubleshoot and fix 1.Notify IR Team On call. 2.Run Automate instance quarantine 3.Role credentials associated with the above identity 4.Snapshot instance and VPC Flow logs to forensics account 5.Validate that new ASG created instance is working correctly
  • 54. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Problem description CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised. This finding informs you thatan EC2 instancein your AWS environmentis querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwidecryptocurrency and digital paymentsystem. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you usethis EC2 instance to mine or manage cryptocurrency or your EC2 instanceis involved in blockchain activity, your EC2 instance might be compromised. Data to gather for troubleshooting AccountUser ID, Roleor Profilethat was accessed Instance ID , Subnet ID, VPCID Connectivity to other systems Review of CloudTrail and VPC Flows to and around the specified instance. Steps to troubleshoot and fix 1.Notify IRTeam On call. 2.Run Automate instance quarantine 3.Role credentials associated with the aboveidentity 4.Snapshotinstanceand VPC Flow logs to forensics account 5.Validate that new ASG created instanceis working correctly Urgency category Critical Escalation path: Unable to fix, escalate to these individuals or groups in this order: 1.Someone, email and phone number 2.Someone Else, email phonenumber 3.Distribution List 4.… 5.… Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS Items to Code: 1. Cloud Watch Filter to trap a finding from GuardDuty, with: [“type”]= “CryptoCurrency:EC2/BitcoinTool.B!DNS” 2. Step Functions Start a. SNS Fires to notify Ops of an issue b. Lambda Function is fired to run SSM i. Finished and a Lambda Function is fired to quarantine the instance c. Lambda Function is fired to Snap Shot the instance d. Step Function checks responses 3. Lambda is fired to Stop and destroy the instance.
  • 55. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Problem description CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised. This finding informs you thatan EC2 instancein your AWS environmentis querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwidecryptocurrency and digital paymentsystem. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you usethis EC2 instance to mine or manage cryptocurrency or your EC2 instanceis involved in blockchain activity, your EC2 instance might be compromised. Data to gather for troubleshooting AccountUser ID, Roleor Profilethat was accessed Instance ID , Subnet ID, VPCID Connectivity to other systems Review of CloudTrail and VPC Flows to and around the specified instance. Steps to troubleshoot and fix 1.Notify IRTeam On call. 2.Run Automate instance quarantine 3.Role credentials associated with the aboveidentity 4.Snapshotinstanceand VPC Flow logs to forensics account 5.Validate that new ASG created instanceis working correctly Urgency category Critical Escalation path: Unable to fix, escalate to these individuals or groups in this order: 1.Someone, email and phone number 2.Someone Else, email phonenumber 3.Distribution List 4.… 5.… Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS Items to Code: 1. Actual Coding to occur later in the talk.
  • 56. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Problem description CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised. This finding informs you thatan EC2 instancein your AWS environmentis querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwidecryptocurrency and digital paymentsystem. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you usethis EC2 instance to mine or manage cryptocurrency or your EC2 instanceis involved in blockchain activity, your EC2 instance might be compromised. Data to gather for troubleshooting AccountUser ID, Roleor Profilethat was accessed Instance ID , Subnet ID, VPCID Connectivity to other systems Review of CloudTrail and VPC Flows to and around the specified instance. Steps to troubleshoot and fix 1.Notify IRTeam On call. 2.Run Automate instance quarantine 3.Role credentials associated with the aboveidentity 4.Snapshotinstanceand VPC Flow logs to forensics account 5.Validate that new ASG created instanceis working correctly Urgency category Critical Escalation path: Unable to fix, escalate to these individuals or groups in this order: 1.Someone, email and phone number 2.Someone Else, email phonenumber 3.Distribution List 4.… 5.… Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS Escalation path: Unable to fix, escalate to these individuals or groups in this order: 1.Someone, email and phone number 2.Someone Else, email phone number 3.Distribution List 4.… 5.…
  • 57. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Problem description CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised. John, our lead developer added his AWS Key and Secret key to his most recent git post. This was found by someoneand then sold to a Crypto Mining company in another country. We had bad threat detection and the account was utilized for a couple of days beforewefound out. -or- John had his laptop stolen and didn’t encrypthis hard drive. Because he kept every thing in his local Git Repo his user was compromised. Postmortem Utilize good development practices. Adding static variables that contain access keys to a git, causes long term issues for a cloud account. - Utilize git-secrets - Attend a workshop at re:invent discussing use of open source dev tools - Limit blast radius - Enjoy one of the multi account session at re:Invent The loss of corporate resources that were unencrypted. - Encrypt hard Drives going forward - Limit account activities of humans for threat detection - Limit account access of people in production and test environments Postmortem - CryptoCurrency:EC2/BitcoinTool.B!DNS Members of the Postmortem Team: Developers Operations Security Operations Management ? Leadership Level ?
  • 58. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Problem description CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty under this mean that we havean accountor machine that has been compromised. John, our lead developer added his AWS Key and Secret key to his most recent git post. This was found by someoneand then sold to a Crypto Mining company in another country. We had bad threat detection and the account was utilized for a couple of days beforewefound out. -or- John had his laptop stolen and didn’t encrypthis hard drive. Because he kept every thing in his local Git Repo his user was compromised. Postmortem Utilize good development practices. Adding static variables that contain access keys to a git, causes long term issues for a cloud account. - Utilize git-secrets - Attend a workshop at re:invent discussing use of open source dev tools - Limit blast radius - Enjoy one of the multi account session at re:Invent The loss of corporate resources that were unencrypted. - Encrypt hard Drives going forward - Limit account activities of humans for threat detection - Limit account access of people in production and test environments Postmortem - CryptoCurrency:EC2/BitcoinTool.B!DNS Aws_labs repos. https://github.com/awslabs
  • 59. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 60. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Retro How to reach us Twitter: @andrewkrug @kangsterizer Email: akrug@mozilla.com gene@mozilla.com kang@mozilla.com Want to get in the MozDef Beta? - take a quick survey https://www.surveygizmo.com/s3/5040959/7ef0ac201fb2
  • 61. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Gene Wood Senior Staff Security Engineer Mozilla Guillaume Destuynder Senior Staff Security Engineer Mozilla Nathan Case Security Geek AWS Andrew Krug Staff Security Engineer Mozilla