whoami
• DevSecOps Engineer at Shaadi.com
• Synack Red Team Member
Incident Response in Cloud
Aspects of AWS incident response
• Preparation
• Operations
• Post-incident activity
Design Goals of Cloud Response
01 Establish response objectives
02 Respond using the cloud
03 Know what you have and what you need
04 Use redeployment mechanisms
05 Automate where possible
06 Choose scalable solutions
07 Learn and improve your process
Cloud security incident domains
• Service domain
• Infrastructure domain
• Application domain
AWS Services for Incident Response
AWS CloudTrail
Logs/identifies all API actions performed within an account:
• Who performed it (principal type, source IP/service, user agent)
• When it occurred (date/time)
• Where it occurred (region)
• What occurred (API action performed)
• Which resource(s) were affected (with configuration/parameter info)
• Result(s) of the action (success/error with associated result info)
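The six facets above map directly onto fields of a CloudTrail record. The following script is an added example, not part of the original deck: it loads a constructed CloudTrail log file (made-up ARNs, IPs and instance ids; the field names follow the real event schema), summarizes each record along the who/when/where/what/which/result facets, and gives two quick triage views an analyst typically wants first: failed calls per principal and the successful mutating calls.

```python
"""Summarize CloudTrail records along the who/when/where/what/which/result facets.

Added example, not part of the original deck. SAMPLE_LOG is constructed;
field names follow the CloudTrail event schema, values are made up.
"""
import json
from collections import Counter

# Verbs whose calls only read state; anything else counts as mutating.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup")

# Constructed sample in the shape of a CloudTrail log file: {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {   # an IAM user creates a new access key (mutating call, succeeded)
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"userName": "alice"},
    },
    {   # same user, denied when reading a secret
        "eventTime": "2024-05-01T10:16:30Z", "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"secretId": "prod/db/password"},
        "errorCode": "AccessDenied",
        "errorMessage": "not authorized to perform secretsmanager:GetSecretValue",
    },
    {   # same user, denied again in another region
        "eventTime": "2024-05-01T10:17:05Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": None,
        "errorCode": "AccessDenied",
        "errorMessage": "not authorized to perform ec2:DescribeInstances",
    },
    {   # a role session stops an instance (mutating call, succeeded)
        "eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "StopInstances", "awsRegion": "eu-west-1",
        "sourceIPAddress": "10.0.1.20", "userAgent": "Boto3/1.34.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"},
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
    },
]})


def load_records(text):
    """Parse one CloudTrail log file: a JSON object carrying a 'Records' list."""
    return json.loads(text)["Records"]


def summarize(record):
    """Map one record onto the six facets the slide lists."""
    identity = record.get("userIdentity", {})
    service = record["eventSource"].split(".")[0]  # "iam.amazonaws.com" -> "iam"
    return {
        "who": {
            "principal_type": identity.get("type"),
            "arn": identity.get("arn"),
            "source_ip": record.get("sourceIPAddress"),
            "user_agent": record.get("userAgent"),
        },
        "when": record["eventTime"],
        "where": record["awsRegion"],
        "what": f"{service}:{record['eventName']}",
        # requestParameters names the resource(s) the call targeted
        "which": record.get("requestParameters") or {},
        "result": {
            "success": "errorCode" not in record,  # CloudTrail omits errorCode on success
            "error_code": record.get("errorCode"),
            "error_message": record.get("errorMessage"),
        },
    }


def failed_calls_by_principal(records):
    """Count failed API calls per principal ARN (bursts of AccessDenied stand out here)."""
    counts = Counter()
    for rec in records:
        if "errorCode" in rec:
            counts[rec.get("userIdentity", {}).get("arn", "<unknown>")] += 1
    return counts


def mutating_calls(records):
    """Successful calls that changed something, as 'service:Action' strings, in log order."""
    return [summarize(rec)["what"] for rec in records
            if "errorCode" not in rec and not rec["eventName"].startswith(READ_ONLY_PREFIXES)]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for rec in recs:
        print(json.dumps(summarize(rec), indent=1))
    print("failed calls:", dict(failed_calls_by_principal(recs)))
    print("mutating calls:", mutating_calls(recs))
```

On real data the same functions run unchanged over the gzip-compressed JSON files CloudTrail delivers to S3; the `what` string is deliberately the `service:Action` form so it can be compared against IAM policy actions during scoping.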
Amazon CloudWatch
Log target/aggregation point for monitoring/querying/alerting on various logs:
• Instance (system) performance metrics
• OS/application logs
• AWS service logs (CloudTrail, GuardDuty, Security Hub)
• VPC flow logs
AWS Config
• Logs resource configurations (changes) over time
• Can also record instance OS/software configuration changes and updates
• Leverage these logs to discover, map, track (and alert on) AWS resource relationships and changes in your account
VPC Flow Logs
NetFlow-like network flow logs
Collects and delivers network flow log records in aggregation intervals
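Because flow logs are aggregated per interval rather than per packet, the useful unit during a response is the flow record itself. The script below is an added example, not part of the original deck: it parses constructed lines in the default flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), skips NODATA/SKIPDATA records, and answers the two questions an investigator asks first of a suspect interface: which sources were rejected most, and which outside addresses were accepted onto administrative ports. The VPC CIDR and all addresses are constructed; a real run would read the delivered log files from CloudWatch Logs or S3.

```python
"""Parse VPC flow log records (default format) and pull out triage views.

Added example, not part of the original deck. SAMPLE_FLOW_LOG, the VPC CIDR
and every address are constructed.
"""
import ipaddress
from collections import Counter

# Field order of the default VPC flow log format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed records for one interface: two rejected probes on 22/3389 from one
# source, normal internal HTTPS traffic, an accepted SSH session from outside the
# VPC, and one NODATA record carrying no flow fields.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.5 10.0.1.20 43210 22 6 5 300 1714557000 1714557060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.5 10.0.1.20 43211 3389 6 5 300 1714557000 1714557060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 10.0.2.30 51000 443 6 20 4000 1714557000 1714557060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.20 50000 22 6 10 600 1714557000 1714557060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1714557000 1714557060 - NODATA
"""


def parse_flow_line(line):
    """Return one record as a dict, or None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None  # no traffic captured in this interval; numeric fields are '-'
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def parse_flow_log(text):
    """Parse a whole file, dropping blank lines and records without flow data."""
    records = (parse_flow_line(line) for line in text.splitlines() if line.strip())
    return [rec for rec in records if rec is not None]


def rejects_by_source(records):
    """How many rejected flows each source address produced."""
    return Counter(rec["srcaddr"] for rec in records if rec["action"] == "REJECT")


def external_admin_access(records, vpc_cidr, admin_ports=(22, 3389)):
    """ACCEPTed flows from outside vpc_cidr onto admin ports inside it: (src, dst, port)."""
    net = ipaddress.ip_network(vpc_cidr)
    hits = []
    for rec in records:
        if rec["action"] != "ACCEPT" or rec["dstport"] not in admin_ports:
            continue
        src, dst = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
        if src not in net and dst in net:
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return hits


def top_talkers(records, n=3):
    """(src, dst) pairs ordered by bytes transferred, accepted flows only."""
    volume = Counter()
    for rec in records:
        if rec["action"] == "ACCEPT":
            volume[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
    return volume.most_common(n)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("rejects by source:", dict(rejects_by_source(recs)))
    print("external admin access:", external_admin_access(recs, "10.0.0.0/16"))
    print("top talkers:", top_talkers(recs))
```

Membership in the VPC CIDR is tested explicitly rather than with `ip_address.is_private`, because Python treats the documentation ranges used above (and some other special-purpose blocks) as private, which would hide exactly the outside sources this view is meant to surface.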
Other AWS services for IR
• Amazon GuardDuty
• Amazon Security Hub
• Amazon Detective
AWS Incident Response Lifecycle
Preparation
PEOPLE
- Train security operations staff on AWS
PROCESS
- Develop an incident response plan & strategy
- Run drills & automate simulations where possible
TECHNOLOGY
- Build AWS accounts for security operations and log archive
- Create read-only and break-glass roles for access to AWS accounts
Detection & Analysis
DETECTION
- Set up a CloudTrail organisation trail
- Enable Amazon GuardDuty and AWS Security Hub with the security operations account as delegated admin
- Monitor the GuardDuty & Security Hub findings
ANALYSIS
- Query CloudTrail logs with AWS Athena (or with your SIEM)
- Leverage AWS Detective for investigations and triaging findings
Containment, Eradication & Recovery
CONTAINMENT
- Disable/rotate IAM credentials
- EC2 isolation through security groups and NACLs
- System backup through snapshots
ERADICATION
- Leverage AWS Systems Manager to patch systems and run commands
RECOVERY
- Provision new infrastructure or modify NACLs/SGs back to their original state
Note: These are just examples.
Post incident
DOCUMENTATION
- Complete answers to who, what, where, why, and how
LESSONS LEARNED
- Review IR processes and effectiveness with stakeholders
AWS Cloud Forensics
What is Cloud Forensics
• Cloud Forensics can be defined as the application of computer forensics principles and procedures in a cloud computing environment.
Isolation
• Create a separate forensic VPC for compromised resources. This forensic VPC should not be connected to any other VPCs.
• Enable a logging mechanism, such as VPC flow logs
• Create quarantine and forensic security groups
• Create specific IAM roles with read-only access to resources
• Create a snapshot of the EC2 instance
• Store all log data in a separate S3 bucket with S3 Object Lock and MFA delete
• Take a memory dump of the instance
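Three items of this isolation checklist, and the security-group isolation step of the containment slide earlier, can be verified mechanically rather than by eye: the quarantine security group must carry no rules at all, the forensic role must allow only read-style actions, and the evidence bucket must have Object Lock in COMPLIANCE mode plus MFA delete. The checker below is an added example, not part of the original deck and not AWS's own code. Its inputs are constructed dicts shaped like the results of the EC2 describe_security_groups call, an IAM policy document, and the S3 get_object_lock_configuration and get_bucket_versioning calls; fetching the live values (for instance with boto3) is assumed and not shown.

```python
"""Verify forensic-environment artifacts against the isolation checklist.

Added example, not part of the original deck. All inputs are constructed dicts
shaped like the corresponding AWS API responses; the group ids are made up.
"""

# Verbs treated as read-only when auditing the forensic role's policy.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")

# --- constructed inputs -----------------------------------------------------
QUARANTINE_SG = {"GroupId": "sg-0aaa111quarantine", "GroupName": "forensic-quarantine",
                 "IpPermissions": [], "IpPermissionsEgress": []}
# A freshly created group: no ingress, but AWS adds an allow-all egress rule by default.
DEFAULT_SG = {"GroupId": "sg-0bbb222default", "GroupName": "new-group", "IpPermissions": [],
              "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:GetObject", "s3:ListBucket", "logs:GetLogEvents"]}]}
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "ec2:TerminateInstances"]}]}

LOCKED_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}
GOVERNANCE_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}}
MFA_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}
PLAIN_VERSIONING = {"Status": "Enabled", "MFADelete": "Disabled"}


# --- checks -----------------------------------------------------------------
def sg_is_isolated(sg):
    """A quarantine group must have no ingress and no egress rules; the default
    egress allow-all rule has to be removed explicitly."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def _actions(statement):
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def policy_is_read_only(doc):
    """Every Allow statement may only grant actions whose verb is a read-style prefix."""
    for statement in doc.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            return False  # NotAction allows everything not listed; never read-only
        for action in _actions(statement):
            if ":" not in action:
                return False  # bare "*"
            _service, verb = action.split(":", 1)
            if not verb.startswith(READ_ONLY_PREFIXES):
                return False
    return True


def bucket_is_immutable(lock_cfg, versioning):
    """Object Lock enabled in COMPLIANCE mode (not bypassable, unlike GOVERNANCE,
    which s3:BypassGovernanceRetention can override) and MFA delete on versioning."""
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    locked = cfg.get("ObjectLockEnabled") == "Enabled" and retention.get("Mode") == "COMPLIANCE"
    mfa_delete = (versioning.get("Status") == "Enabled"
                  and versioning.get("MFADelete") == "Enabled")
    return locked and mfa_delete


def check_forensic_setup(sg, policy_doc, lock_cfg, versioning):
    """Return a list of findings; an empty list means the setup passes."""
    findings = []
    if not sg_is_isolated(sg):
        findings.append(f"{sg.get('GroupId')}: quarantine group still has ingress or egress rules")
    if not policy_is_read_only(policy_doc):
        findings.append("forensic role policy grants non-read-only actions")
    if not bucket_is_immutable(lock_cfg, versioning):
        findings.append("evidence bucket lacks COMPLIANCE-mode Object Lock or MFA delete")
    return findings


if __name__ == "__main__":
    print("good setup:", check_forensic_setup(QUARANTINE_SG, READ_ONLY_POLICY,
                                              LOCKED_BUCKET, MFA_VERSIONING))
    print("bad setup:", check_forensic_setup(DEFAULT_SG, OVERBROAD_POLICY,
                                             GOVERNANCE_BUCKET, PLAIN_VERSIONING))
```

Run before the first evidence is collected, a non-empty findings list is the signal that the forensic VPC is not yet ready to receive a compromised instance; the policy check is deliberately conservative (any wildcard verb or NotAction fails it), since an over-permissive forensic role is the usual way an investigation environment becomes a second incident.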
Cloud forensics challenges
• Accessibility of logs
• Physical inaccessibility
• Volatility of data
• Identification of evidence at the client side
• Dependence on CSP trust
Get in touch at
Twitter: @e11i0t_4lders0n
LinkedIn: /in/tushars25
Instagram: @e11i0t_4lders0n__
Email: [email protected]