AWS Forensics & Incident Response Training

Transcript

1. AWS Forensics & Incident Response Training Cado Security | 1

2. AWS Incident Response Playbooks catalog.workshops.aws

3. None

4. Unauthorized IAM Credential Use - Simulation and Detection During this

   workshop, you will simulate the unauthorized use of IAM credentials using a script invoked within AWS CloudShell. The script will perform reconnaissance and privilege escalation activities that have been commonly seen by the AWS CIRT (Customer Incident Response Team) and are typically performed during similar events of this nature. You will then be introduced to some of the tools and processes that the AWS CIRT use, and learn how to use these tools to find evidence of unauthorized activity. Ransomware on S3 - Simulation and Detection During this workshop, you will use a CloudFormation template to replicate an environment with multiple IAM users and five (5) Amazon S3 buckets. AWS CloudShell will then be used to run a bash script that will simulate data exfiltration and data deletion events that replicate a ransomware based security event. You will then be introduced to some of the tools and processes that the AWS CIRT (Customer Incident Response Team) team use in response to similar events, and learn how to use these tools to find evidence of unauthorized activity. Cryptominer Based Security Events - Simulation and Detection During this workshop, you will simulate a cryptomining security event by using a CloudFormation template to initialize five EC2 instances. These five EC2 instances will mimic cryptomining activity by performing DNS requests to known cryptomining domains. You will then be introduced to some of the tools and processes that the AWS CIRT (Customer Incident Response Team) use in response to similar events, and learn how to use these tools to find evidence of unauthorized activity.

5. SSRF on IMDSv1 - Simulation and Detection During this workshop,

   you will simulate the unauthorized use of a web application that is hosted on an AWS EC2 instance configured to use IMDSv1 (Instance Metadata Service Version 1) and is vulnerable to SSRF (Server Side Request Forgery). You will then walk through some of the detection activities that the AWS CIRT (Customer Incident Response Team) perform when responding to security events of this nature. AWS CIRT Toolkit For Incident Response Preparedness During this workshop, you will install and experiment with some common tools and utilities that the AWS CIRT (Customer Incident Response Team) use on a daily basis. The AWS CIRT uses these tools to detect security misconfigurations, respond to active events, and assist customers with protecting their infrastructure. (Mostly Athena…)

6. Threat Detection and Response with Amazon GuardDuty and Amazon Detective

   https://catalog.workshops.aws/guardduty/en-US/0-workshop-introduction#threat-detection-and-response-scenarios

7. Well Architected Labs: Incident Response https://www.wellarchitectedlabs.com/security/quests/quest_200_incident_response_day/ (Official AWS Site)

8. None

9. Forensicate.Cloud AWS Training https://forensicate.cloud/ws1/MODULE_1

10. SANS 509 https://www.sans.org/cyber-security-courses/enterprise-cloud-forensics-incident-response/

11. None

12. https://www.cadosecurity.com/cado-community-edition/

13. Cado Response Free 14-day trial Receive unlimited access to the

    Cado Response Platform for 14 days. www.cadosecurity.com/free-investigation/