AWS Cloud Forensics & Incident Response TUSHAR VERMA

whoami 2 DevSecOps Engineer at Shaadi.com Synack Red Team Member

Incident Response in Cloud 3

Aspects of AWS incident response Preparation Operations Post-incident activity

9/3/20XX Presentation Title 5

Design Goals of Cloud Response Establish response objectives 01 Respond using the cloud 02 Know what you have and what you need 03 Use redeployment mechanisms 04 Automate where possible 05 Choose scalable solutions 06 Learn and improve your process 07

Cloud security incident domains SERVICE DOMAIN INFRASTRUCTURE DOMAIN APPLICATION DOMAIN

AWS SERVICES FOR INCIDENT RESPONSE

Aws cloudtrail Log/Identify all API actions performed within an account • Who performed it(Principal type, Source IP/Service, User Agent) • When it occurred(Date/Time) • Where it occurred(Region) • What occurred(API action performed) • Which resource(s) were affected(with configuration/parameter info) • Result(s) of action(success/error with associated result info

Amazon CLoudwatch Log target/ aggregation point for monitoring/querying/alerting on various logs: • Instance(System) Performance Metrics • OS/Application Logs • AWS Service Logs(Cloudtrail, GuardDuty, Security Hub • VPC flow logs

AWS Config • Logs resource configurations(changes) over time • Can also record instance OS/Software Configuration changes and updates • Leverage these logs to discover, map, track(and alert on) AWS resource relationships and changes in your account

VPC Flow Logs Netflow(ish) type network flow logs Collects and delivers network flow log record in aggression intervals

Other aws services for IR Amazon GuardDuty Amazon Security Hub Amazon Detective

Aws Incident response lifecycle

Preparation PEOPLE -Train security operations staff on AWS Process -Develop an incident response plan & strategy -Run drills & automate simulations where possible Technology -Build AWS accounts for security operations and log archive -Create read only and break glass roles for access to AWS accounts

Detection & Analysis DETECTION -Setup CloudTrail organisation trail -Enable amazon GuardDuty and aws security hub with security operations account as delegated admin -Monitor the GuardDuty & Security Hub findings ANALYSIS -Query CloudTrail logs with aws athena(or with your SIEM) -Leverage aws detective for investigations and triaging findings

Containment, Eradication & recovery CONTAINMENT -Disable/rotate IAM credentials -EC2 isolation through security groups and NACLs -System backup through snapshots Eradication -Leverage AWS Systems Manager to patch systems and run commands Recovery -Provision new infrastructure or modify NACLs/SGs back to original state Note: These are just an example

Post incident DOCUMENTATION -Complete answers to who, what, where, why, and How LESSONS LEARNED -Review IR processes and effectiveness with stakeholder

AWS CLOUD forensics

What is Cloud Forensics • Cloud Forensics can be defined as the application of computer forensics principles and procedures in a cloud computing environment.

Cloud Forensic Process Flow IDENTIFICATION EVIDENCE COLLECTION EXAMINATION & ANALYSIS PRESERVATION PRESENTATION & REPORTING

Significant Log Sources Cloudtrail Cloudtrail Insights Cloudwatch Logs GuardDuty VPC Flow Logs S3 Server Access Route53 Load Balancer Logs

Isolation…… Create a separate forensic VPC for compromised resources. This forensic VPC should not be connected to any other VPCs. Enable a logging mechanism, such as VPC flow logs Create Quarantine and Forensic Security Groups Create specific IAM roles with read-only access to resources Create a snapshot of the EC2 instance Store all log data to a separate S3 bucket with S3 Object Lock and MFA delete Take a memory dump of the instance

Cloud forensics challenges • Accessibility of logs • Physical inaccessibility • Volatility of data • Identification of evidence at client side • Dependence of CSP trust

Get in touch at Twitter: @e11i0t_4lders0n LinkedIn: /in/tushars25 Instagram: @e11i0t_4lders0n__ Email: tushar.infosec@gmail.com

Thank you