Design Goals of Cloud Response
01 Establish response objectives
02 Respond using the cloud
03 Know what you have and what you need
04 Use redeployment mechanisms
05 Automate where possible
06 Choose scalable solutions
07 Learn and improve your process
AWS CloudTrail
Logs every API action performed within an account, so each event answers:
• Who performed it (principal type, source IP/service, user agent)
• When it occurred (date/time)
• Where it occurred (region)
• What occurred (API action performed)
• Which resource(s) were affected (with configuration/parameter info)
• Result(s) of the action (success/error with associated result info)
Note: management events are recorded by default; data events (e.g. S3 object-level reads/writes, Lambda invocations) must be enabled on the trail separately, or they will be missing when you need them.
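As an added example (not part of the original slides), the following Python reads a CloudTrail log file in its S3 delivery format and maps each record onto the who/when/where/what/which/result questions above, then flags records worth a closer look. The sample log is constructed for illustration; the flagging rules (root-account use, failed calls, a watch-list of sensitive APIs, security-group rules opened to the world) are illustrative choices for a triage script, not a CloudTrail feature.

```python
"""Triage CloudTrail records: who/when/where/what/which/result plus simple flags."""
import json
from datetime import datetime, timezone

# Constructed sample log file in CloudTrail's S3 delivery shape ({"Records": [...]}).
# Account IDs, IPs and key IDs are placeholders, not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "userName": "alice"},
        "requestParameters": {"userName": "alice"},
        "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE", "status": "Active"}},
    },
    {
        "eventTime": "2024-05-01T10:20:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "console.ec2.amazonaws.com",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        # CloudTrail wraps EC2 list parameters in {"items": [...]}
        "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {
        "eventTime": "2024-05-01T10:25:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket",
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "Boto3/1.34",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"},
        "requestParameters": {"bucketName": "logs-archive"},
        "errorCode": "AccessDenied",
        "errorMessage": "Access Denied",
    },
]})

# Illustrative watch-list: APIs that change who can act or that blind you.
WATCH_EVENTS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
                "StopLogging", "DeleteTrail", "DeleteBucket", "PutBucketPolicy"}


def summarize(record):
    """Map one CloudTrail record onto the six questions a responder asks."""
    ident = record.get("userIdentity", {})
    return {
        "who": {"principal_type": ident.get("type"), "arn": ident.get("arn"),
                "source_ip": record.get("sourceIPAddress"),
                "user_agent": record.get("userAgent")},
        "when": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                        .replace(tzinfo=timezone.utc),
        "where": record.get("awsRegion"),
        "what": f'{record.get("eventSource")}:{record.get("eventName")}',
        "which": record.get("requestParameters"),
        "result": f'error:{record["errorCode"]}' if record.get("errorCode") else "success",
    }


def world_open_ingress(record):
    """True if an AuthorizeSecurityGroupIngress call admits 0.0.0.0/0 or ::/0."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = (record.get("requestParameters") or {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", {}).get("items", [])):
            return True
    return False


def flags(record):
    """Reasons a responder should look at this record; empty list means nothing notable."""
    reasons = []
    if record.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root-account-use")
    if record.get("errorCode"):
        reasons.append("failed-call")       # denied calls still show what the actor tried
    if record.get("eventName") in WATCH_EVENTS:
        reasons.append("sensitive-api")
    if world_open_ingress(record):
        reasons.append("world-open-ingress")
    return reasons


def triage(log_text):
    """Return [(summary, flags), ...] for every record in a CloudTrail log file."""
    return [(summarize(r), flags(r)) for r in json.loads(log_text)["Records"]]


if __name__ == "__main__":
    for summary, reasons in triage(SAMPLE_LOG):
        print(summary["when"].isoformat(), summary["where"], summary["what"],
              summary["who"]["arn"], summary["result"], reasons or "-")
```

Run it against a real delivery file by gunzipping one object from the trail's S3 bucket and passing its contents to triage(). Note that the third record is a denied DeleteBucket: a failed call is evidence of intent, which is why errors are flagged rather than filtered out.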
AWS Config
• Records resource configurations (and their changes) over time
• Can also record instance OS/software configuration changes and updates (through Systems Manager Inventory)
• Use these records to discover, map, track (and alert on) AWS resource relationships and changes in your account
Preparation
PEOPLE
- Train security operations staff on AWS
PROCESS
- Develop an incident response plan & strategy
- Run drills & automate simulations where possible
TECHNOLOGY
- Build dedicated AWS accounts for security operations and for the log archive
- Create read-only and break-glass roles for access to AWS accounts
Containment, Eradication & Recovery
CONTAINMENT
- Disable/rotate IAM credentials
- EC2 isolation through security groups and NACLs
- System backup through snapshots
ERADICATION
- Leverage AWS Systems Manager to patch systems and run commands
RECOVERY
- Provision new infrastructure, or modify NACLs/SGs back to their original state
Note: these are examples only, not an exhaustive list.
Post Incident
DOCUMENTATION
- Complete answers to who, what, where, when, why and how
LESSONS LEARNED
- Review IR processes and their effectiveness with stakeholders
What is Cloud Forensics • Cloud Forensics can be defined as the application of computer forensics principles and procedures in a cloud computing environment.
Isolation
• Create a separate forensic VPC for analysing compromised resources; it should not be peered or otherwise connected to any other VPC. Instances cannot be moved between VPCs, so the forensic VPC hosts the analysis workstations and volumes restored from snapshots, while the compromised instance is quarantined in place.
• Enable a logging mechanism in it, such as VPC Flow Logs
• Create quarantine and forensic security groups
• Create specific IAM roles with read-only access to resources
• Create a snapshot of the EC2 instance (its EBS volumes)
• Store all log data in a separate S3 bucket with S3 Object Lock and MFA delete enabled
• Take a memory dump of the instance (before it is stopped or terminated; stopping an instance discards its memory)
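The containment steps (disable IAM credentials, isolate through security groups, snapshot) and the isolation checklist above are the same procedure seen from two angles, so one added example covers both. The Python below is not from the original slides: it builds an ordered plan of boto3-style calls for quarantining one EC2 instance and can apply it either to real boto3 clients or to a dry-run client that just records the calls. The instance, VPC, volume, role and key identifiers are made up; the "$QUARANTINE_SG" placeholder and the DryRunClient are conveniences of this example.

```python
"""Containment plan for a compromised EC2 instance: snapshot, quarantine SG, credential lockout."""
import json
from datetime import datetime, timezone

SG_PLACEHOLDER = "$QUARANTINE_SG"  # stands in for the GroupId until the SG exists


def quarantine_plan(instance_id, vpc_id, volume_ids, incident_id,
                    role_name=None, user_name=None, access_key_ids=()):
    """Return an ordered list of (service, api, params) calls.

    Order matters: preserve evidence first, then cut the network, then kill
    credentials. The instance is never stopped, so memory stays capturable
    (a memory dump needs an in-guest tool, e.g. pushed via Systems Manager;
    it is not an EC2 API call and is outside this plan)."""
    plan = []
    # 1. Snapshot every attached volume; tags tie the copies to the incident record.
    for vol in volume_ids:
        plan.append(("ec2", "create_snapshot", {
            "VolumeId": vol,
            "Description": f"{incident_id}: forensic copy of {vol} from {instance_id}",
            "TagSpecifications": [{"ResourceType": "snapshot",
                                   "Tags": [{"Key": "Incident", "Value": incident_id}]}],
        }))
    # 2. Quarantine SG with no ingress AND no egress. A new SG has no ingress rules,
    #    but AWS adds an allow-all egress rule, which must be revoked explicitly.
    plan.append(("ec2", "create_security_group", {
        "GroupName": f"quarantine-{incident_id}",
        "Description": "IR quarantine: no ingress, no egress",
        "VpcId": vpc_id,
    }))
    plan.append(("ec2", "revoke_security_group_egress", {
        "GroupId": SG_PLACEHOLDER,
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    }))
    # 3. Groups= replaces the instance's security groups rather than appending to them.
    plan.append(("ec2", "modify_instance_attribute",
                 {"InstanceId": instance_id, "Groups": [SG_PLACEHOLDER]}))
    plan.append(("ec2", "create_tags", {
        "Resources": [instance_id],
        "Tags": [{"Key": "IncidentStatus", "Value": "Quarantined"},
                 {"Key": "Incident", "Value": incident_id}],
    }))
    # 4. Instance-profile credentials cannot be rotated by hand: deny every session
    #    issued before now (the same inline policy the console's "revoke active sessions" adds).
    if role_name:
        cutoff = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        deny_old_sessions = {"Version": "2012-10-17", "Statement": [{
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}}}]}
        plan.append(("iam", "put_role_policy", {
            "RoleName": role_name, "PolicyName": f"{incident_id}-revoke-sessions",
            "PolicyDocument": json.dumps(deny_old_sessions)}))
    # 5. Long-lived user keys: deactivate, do not delete, so the key ID stays searchable in CloudTrail.
    for key_id in access_key_ids:
        plan.append(("iam", "update_access_key",
                     {"UserName": user_name, "AccessKeyId": key_id, "Status": "Inactive"}))
    return plan


def _resolve(value, sg_id):
    """Substitute the real SG id for the placeholder, refusing to proceed before it exists."""
    if isinstance(value, str) and value == SG_PLACEHOLDER:
        if sg_id is None:
            raise RuntimeError("plan references the quarantine SG before creating it")
        return sg_id
    if isinstance(value, list):
        return [_resolve(v, sg_id) for v in value]
    if isinstance(value, dict):
        return {k: _resolve(v, sg_id) for k, v in value.items()}
    return value


def apply_plan(plan, clients):
    """Execute the plan against clients[service] (boto3 clients, or DryRunClient).
    Returns the (api, params) pairs actually issued, placeholders resolved."""
    sg_id, issued = None, []
    for service, api, params in plan:
        params = _resolve(params, sg_id)
        resp = getattr(clients[service], api)(**params)
        if api == "create_security_group":
            sg_id = resp["GroupId"]
        issued.append((api, params))
    return issued


class DryRunClient:
    """Records calls instead of making them; returns a synthetic GroupId where the plan needs one."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**params):
            self.calls.append((api, params))
            return {"GroupId": "sg-0quarantine"} if api == "create_security_group" else {}
        return call


if __name__ == "__main__":
    plan = quarantine_plan("i-0abc", "vpc-0def", ["vol-01", "vol-02"], "IR-2024-017",
                           role_name="WebServerRole", user_name="alice",
                           access_key_ids=["AKIAEXAMPLE"])
    for api, params in apply_plan(plan, {"ec2": DryRunClient(), "iam": DryRunClient()}):
        print(api, json.dumps(params))
```

To run it for real, pass boto3.client("ec2") and boto3.client("iam") in place of the DryRunClient instances, from a role that has the write permissions these calls need (the read-only forensic roles from the checklist are deliberately not enough). Walk the dry-run output with the team before the first real use: the plan is deliberately inspectable so that what will be changed is known before anything is changed.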
Cloud forensics challenges
• Accessibility of logs
• Physical inaccessibility
• Volatility of data
• Identification of evidence on the client side
• Dependence on trust in the CSP