AWS Logs Forensics and Incident Response

chriscado

April 13, 2023
Transcript

  1. What is CloudTrail?
     https://docs.aws.amazon.com/IAM/latest/UserGuide/security-logging-and-monitoring.html
     AWS CloudTrail is a service that enables you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. You can use CloudTrail to identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account.
  2. What is CloudWatch?
     https://docs.aws.amazon.com/IAM/latest/UserGuide/security-logging-and-monitoring.html
     Amazon CloudWatch monitors your AWS resources and the applications that you run on AWS in real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. Amazon CloudWatch Logs helps you monitor, store, and access your log files from Amazon EC2 instances, CloudTrail, and other sources. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage.
  3. CloudWatch vs CloudTrail?
     CloudWatch                                    CloudTrail
     Performance Monitoring                        Auditing
     Log events across AWS Services - operations   Log API activity across AWS Services - Activities
     Higher Level Monitoring                       Lower Level Granular Data
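Slides 1 and 3 describe CloudTrail as the record of who took which API action, on what, when, and from where. The script below, added here as an example and not part of the deck or of any AWS tooling, reads the `Records` array that CloudTrail writes to S3 and reduces each event to those triage fields, then pivots on two things an analyst looks for first: actors accumulating `AccessDenied` errors and events that changed state (`readOnly` false). The `Records` layout and field names are those of real CloudTrail files; the four events, account ID, names and IP addresses are constructed for the example.

```python
"""Triage CloudTrail records: who did what, to which service, when, from where.

Added example, not from the deck. The Records layout and field names match
CloudTrail's on-disk format; the events themselves are constructed.
"""
import json
from collections import Counter

# Constructed CloudTrail log file content. Account ID, names and IPs are
# placeholders; optional fields such as sessionContext are omitted.
_ALICE = {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
          "arn": "arn:aws:iam::111111111111:user/alice",
          "accountId": "111111111111", "userName": "alice"}
_CI_SESSION = {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ci-session",
               "arn": "arn:aws:sts::111111111111:assumed-role/DeployRole/ci-session",
               "accountId": "111111111111"}

SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventVersion": "1.08", "userIdentity": _ALICE,
     "eventTime": "2023-04-13T09:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-cli/2.11.0",
     "readOnly": True, "eventID": "evt-0001", "eventType": "AwsApiCall"},
    {"eventVersion": "1.08", "userIdentity": _CI_SESSION,
     "eventTime": "2023-04-13T09:05:12Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.44", "userAgent": "aws-sdk-go/1.44.0",
     "errorCode": "AccessDenied", "errorMessage": "not authorized",
     "readOnly": True, "eventID": "evt-0002", "eventType": "AwsApiCall"},
    {"eventVersion": "1.08", "userIdentity": _CI_SESSION,
     "eventTime": "2023-04-13T09:05:13Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.44", "userAgent": "aws-sdk-go/1.44.0",
     "errorCode": "AccessDenied", "errorMessage": "not authorized",
     "readOnly": True, "eventID": "evt-0003", "eventType": "AwsApiCall"},
    {"eventVersion": "1.08", "userIdentity": _ALICE,
     "eventTime": "2023-04-13T09:20:45Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userAgent": "console.amazonaws.com",
     "readOnly": False, "eventID": "evt-0004", "eventType": "AwsApiCall"},
]})


def load_records(text):
    """A CloudTrail log file is a JSON object with a single Records array."""
    return json.loads(text)["Records"]


def actor_of(record):
    """Best available identity string; the ARN covers IAM users and assumed-role sessions."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown")


def summarize(record):
    """Reduce one event to the who / what / when / where fields used in triage."""
    return {
        "when": record["eventTime"],
        "who": actor_of(record),
        "what": f'{record["eventSource"]}:{record["eventName"]}',
        "where": record.get("awsRegion", "-"),
        "from": record.get("sourceIPAddress", "-"),
        # errorCode is absent on success; "AccessDenied" is the common
        # denial code, though some services (e.g. EC2) use service-specific codes.
        "outcome": record.get("errorCode", "Success"),
    }


def access_denied_by_actor(records):
    """Count AccessDenied events per actor: repeated denials are a triage lead."""
    return Counter(actor_of(r) for r in records if r.get("errorCode") == "AccessDenied")


def write_events(records):
    """Events that changed state (CloudTrail marks reads with readOnly=true)."""
    return [summarize(r) for r in records if not r.get("readOnly", False)]


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL_JSON)
    for row in map(summarize, recs):
        print(row)
    print("AccessDenied by actor:", dict(access_denied_by_actor(recs)))
    print("state-changing events:", write_events(recs))
```

On real data the same functions apply per file after gunzipping the objects CloudTrail delivers to the trail's S3 bucket; the `Records` array is the only wrapper.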
  4. ELB Logs
     https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
     https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-"
  5. Searching logs with… Athena
     CREATE EXTERNAL TABLE IF NOT EXISTS elb_logs_raw_native (
       request_timestamp string,
       request_ip string,
       request_port int,
       backend_ip string,
       backend_port int,
       …
     )
     ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe'
     WITH SERDEPROPERTIES (
       'serialization.format' = '1',
       'input.regex' = '([^ ]*) ... ([A-Za-z0-9.-]*)$'
     )
     LOCATION 's3://athena-examples/elb/raw/';

     SELECT * FROM elb_logs_raw_native WHERE elb_response_code = '200' LIMIT 100;
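Slide 4 shows one Application Load Balancer access log line and slide 5 the Athena table that splits such lines into columns with a regex. The script below, added here as an example and not part of the deck, does the same split locally: it maps the documented ALB field order onto the slide's sample line and two constructed lines, then pivots by client IP and status code, which is the kind of query the `WHERE elb_response_code = ...` on slide 5 is heading towards. The field names follow the AWS access-log documentation linked on slide 4; the two extra log lines, their IPs, paths and user agent are constructed for the example.

```python
"""Parse Application Load Balancer access log lines into named fields.

Added example, not from the deck. Field order follows the AWS ALB access
log documentation; the two non-deck log lines are constructed.
"""
import shlex
from collections import Counter
from urllib.parse import urlsplit

# Field names in the order the ALB writes them. Newer log versions append
# extra fields at the end; the parser below ignores anything past this list.
ALB_FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed", "redirect_url", "error_reason", "target_port_list",
    "target_status_code_list", "classification", "classification_reason",
]

# The sample line from the slide, verbatim.
DECK_LINE = ('https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 '
             '192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 '
             '"GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" '
             'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
             'arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 '
             '"Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" '
             '"arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" '
             '1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-"')

# Template for constructed lines (same load balancer, different client/request/status).
_TEMPLATE = ('https {time} app/my-loadbalancer/50dc6c495c0c9188 {client} 10.0.0.1:80 '
             '0.001 0.010 0.000 {status} {status} 0 300 "{request}" "{ua}" '
             'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
             'arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 '
             '"Root=1-00000000-000000000000000000000000" "www.example.com" '
             '"arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" '
             '1 {time} "forward" "-" "-" "10.0.0.1:80" "{status}" "-" "-"')

CONSTRUCTED_LINES = [
    _TEMPLATE.format(time="2018-07-02T22:23:05.000000Z", client="203.0.113.5:51000",
                     status=403, request="GET https://www.example.com:443/admin HTTP/1.1",
                     ua="python-requests/2.28.0"),
    _TEMPLATE.format(time="2018-07-02T22:23:06.000000Z", client="203.0.113.5:51001",
                     status=404, request="GET https://www.example.com:443/login HTTP/1.1",
                     ua="python-requests/2.28.0"),
]
SAMPLE_LINES = [DECK_LINE] + CONSTRUCTED_LINES


def parse_alb_line(line):
    """Split one access log line into a dict keyed by ALB_FIELDS.

    shlex keeps quoted fields (request, user agent, ARNs) intact even when they
    contain spaces. Shorter lines (older log versions) are padded with "-".
    """
    tokens = shlex.split(line)
    if len(tokens) < 12:  # type .. sent_bytes exist in every log version
        raise ValueError(f"not an ALB access log line: {line[:60]!r}")
    tokens = (tokens + ["-"] * len(ALB_FIELDS))[:len(ALB_FIELDS)]
    rec = dict(zip(ALB_FIELDS, tokens))
    # client:port -> split on the last colon so IPv6 literals survive intact
    rec["client_ip"], _, rec["client_port_num"] = rec["client_port"].rpartition(":")
    # request is "METHOD URL HTTP/x.y" with an absolute URL; "- - -" if unparsable
    method, _, rest = rec["request"].partition(" ")
    url, _, version = rest.rpartition(" ")
    rec["method"], rec["url"], rec["http_version"] = method, url, version
    rec["path"] = urlsplit(url).path if url.startswith("http") else url
    return rec


def status_by_client(records):
    """Count (client_ip, elb_status_code) pairs: a first pivot in an investigation."""
    return Counter((r["client_ip"], r["elb_status_code"]) for r in records)


def clients_with_errors(records, min_errors=2):
    """Client IPs with at least min_errors 4xx/5xx responses from the ELB."""
    errors = Counter(r["client_ip"] for r in records
                     if r["elb_status_code"][:1] in ("4", "5"))
    return {ip: n for ip, n in errors.items() if n >= min_errors}


if __name__ == "__main__":
    recs = [parse_alb_line(line) for line in SAMPLE_LINES]
    for r in recs:
        print(r["time"], r["client_ip"], r["method"], r["path"],
              r["elb_status_code"], r["user_agent"])
    print("clients with repeated errors:", clients_with_errors(recs))
```

Because `dict(zip(...))` stops at the end of `ALB_FIELDS`, lines from newer ALB log versions that carry additional trailing fields still parse; if you need those fields, extend the list in the documented order.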
  6. Cado Response Free 14-day trial
     Receive unlimited access to the Cado Response Platform for 14 days.
     www.cadosecurity.com/free-investigation/