Slide 1

AWS Cloud Forensics & Incident Response
Tushar Verma

Slide 2

whoami
• DevSecOps Engineer at Shaadi.com
• Synack Red Team Member

Slide 3

Incident Response in Cloud

Slide 4

Aspects of AWS incident response
• Preparation
• Operations
• Post-incident activity

Slide 6

Design Goals of Cloud Response
01 Establish response objectives
02 Respond using the cloud
03 Know what you have and what you need
04 Use redeployment mechanisms
05 Automate where possible
06 Choose scalable solutions
07 Learn and improve your process

Slide 7

Cloud security incident domains
• Service domain
• Infrastructure domain
• Application domain

Slide 8

AWS Services for Incident Response

Slide 9

AWS CloudTrail
Logs/identifies all API actions performed within an account:
• Who performed it (principal type, source IP/service, user agent)
• When it occurred (date/time)
• Where it occurred (region)
• What occurred (API action performed)
• Which resource(s) were affected (with configuration/parameter info)
• Result(s) of the action (success/error with associated result info)

Slide 10

Amazon CloudWatch
Log target/aggregation point for monitoring, querying and alerting on various logs:
• Instance (system) performance metrics
• OS/application logs
• AWS service logs (CloudTrail, GuardDuty, Security Hub)
• VPC flow logs

Slide 11

AWS Config
• Logs resource configurations (changes) over time
• Can also record instance OS/software configuration changes and updates
• Leverage these logs to discover, map, track (and alert on) AWS resource relationships and changes in your account

Slide 12

VPC Flow Logs
• NetFlow(ish) type network flow logs
• Collects and delivers network flow log records in aggregation intervals

Slide 13

Other AWS services for IR
• Amazon GuardDuty
• Amazon Security Hub
• Amazon Detective

Slide 14

AWS Incident Response Lifecycle

Slide 15

Preparation
PEOPLE
- Train security operations staff on AWS
PROCESS
- Develop an incident response plan & strategy
- Run drills & automate simulations where possible
TECHNOLOGY
- Build AWS accounts for security operations and log archive
- Create read-only and break-glass roles for access to AWS accounts

Slide 16

Detection & Analysis
DETECTION
- Set up a CloudTrail organisation trail
- Enable Amazon GuardDuty and AWS Security Hub with the security operations account as delegated admin
- Monitor the GuardDuty & Security Hub findings
ANALYSIS
- Query CloudTrail logs with AWS Athena (or with your SIEM)
- Leverage Amazon Detective for investigations and triaging findings
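The analysis step above comes down to answering, for each CloudTrail record, the questions listed on the CloudTrail slide (who, when, where, what, which resource, result) and then picking out the records that matter. The following Python is an added example and not part of the deck: it parses a constructed CloudTrail log file body (the account id, principals and addresses are made up), summarises every record against those questions, and raises findings for actions that weaken logging, actions that create or widen credentials, and denied calls, which still show what was attempted. The `LOGGING_TAMPER` and `CREDENTIAL_CHANGE` sets are this example's own starting lists, not a complete catalogue.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail log file (same record shape CloudTrail
# delivers to S3; the account id, names and addresses are made up).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:32Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000001",
                                        "status": "Active"}}},
    {"eventTime": "2024-05-01T10:17:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}, "responseElements": None},
    {"eventTime": "2024-05-01T10:20:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "10.0.4.22", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"},
     "requestParameters": {}, "responseElements": None},
    {"eventTime": "2024-05-01T10:22:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "log-archive-111122223333"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
]})

# API actions that reduce visibility (trail, flow logs, log groups, GuardDuty)
# and actions that mint or widen credentials: both deserve a finding.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                  "DeleteFlowLogs", "DeleteLogGroup", "DeleteDetector"}
CREDENTIAL_CHANGE = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
                     "CreateUser", "AttachUserPolicy", "PutUserPolicy"}


def summarize(record):
    """Answer the deck's questions for one record: who, when, where, what,
    which resource, and the result."""
    ident = record.get("userIdentity", {})
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "who": ident.get("arn") or ident.get("userName") or ident.get("type"),
        "principal_type": ident.get("type"),
        "source_ip": record.get("sourceIPAddress"),
        "user_agent": record.get("userAgent"),
        "when": when.replace(tzinfo=timezone.utc),
        "where": record.get("awsRegion"),
        "what": record.get("eventName"),
        "service": record.get("eventSource"),
        "which": record.get("requestParameters") or {},
        "result": "error:" + record["errorCode"] if "errorCode" in record else "success",
    }


def triage(trail_json):
    """Parse a CloudTrail log file body; return the per-record summaries in
    time order plus a list of (category, who, action, result) findings."""
    records = json.loads(trail_json)["Records"]
    summaries = sorted((summarize(r) for r in records), key=lambda s: s["when"])
    findings = []
    for s in summaries:
        if s["what"] in LOGGING_TAMPER:
            findings.append(("logging-tamper", s["who"], s["what"], s["result"]))
        elif s["what"] in CREDENTIAL_CHANGE:
            findings.append(("credential-change", s["who"], s["what"], s["result"]))
        elif s["result"] != "success":
            # Denied calls are still evidence: they show what was attempted.
            findings.append(("api-error", s["who"], s["what"], s["result"]))
    return summaries, findings


def actors_by_ip(summaries):
    """Group principals by source IP so one address driving several identities
    (or an unexpected one) stands out during analysis."""
    groups = {}
    for s in summaries:
        groups.setdefault(s["source_ip"], set()).add(s["who"])
    return groups


if __name__ == "__main__":
    summaries, findings = triage(SAMPLE_TRAIL)
    for s in summaries:
        print(s["when"].isoformat(), s["where"], s["who"], s["what"], s["result"])
    for f in findings:
        print("FINDING", *f)
```

The same record walk is what an Athena query over the CloudTrail table does at scale; this version is useful for a single downloaded log file or for checking a detection rule against known-bad samples before it goes into the SIEM.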

Slide 17

Containment, Eradication & Recovery
CONTAINMENT
- Disable/rotate IAM credentials
- EC2 isolation through security groups and NACLs
- System backup through snapshots
ERADICATION
- Leverage AWS Systems Manager to patch systems and run commands
RECOVERY
- Provision new infrastructure or modify NACLs/SGs back to their original state
Note: these are just examples

Slide 18

Post incident
DOCUMENTATION
- Complete answers to who, what, where, why and how
LESSONS LEARNED
- Review IR processes and effectiveness with stakeholders

Slide 19

AWS Cloud Forensics

Slide 20

What is Cloud Forensics
• Cloud forensics can be defined as the application of computer forensics principles and procedures in a cloud computing environment.

Slide 21

Cloud Forensic Process Flow
Identification → Evidence collection → Examination & analysis → Preservation → Presentation & reporting

Slide 22

Significant Log Sources
• CloudTrail
• CloudTrail Insights
• CloudWatch Logs
• GuardDuty
• VPC Flow Logs
• S3 server access logs
• Route 53 logs
• Load balancer logs

Slide 23

Isolation
• Create a separate forensic VPC for compromised resources. This forensic VPC should not be connected to any other VPCs.
• Enable a logging mechanism, such as VPC flow logs
• Create quarantine and forensic security groups
• Create specific IAM roles with read-only access to resources
• Create a snapshot of the EC2 instance
• Store all log data in a separate S3 bucket with S3 Object Lock and MFA delete
• Take a memory dump of the instance
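The containment steps on slide 17 (disable IAM credentials, isolate EC2 through security groups, snapshot the system) and the isolation steps above are one ordered procedure, and the order matters: preserve before you change anything, then cut network and credential access. The Python below is an added example, not code from the deck or from AWS: it builds the procedure as a reviewable plan of boto3 API calls and only then applies it. `build_plan()` is pure and needs no AWS access; `apply()` needs boto3 and credentials for the account. The instance, VPC, volume and key ids in the usage block are constructed placeholders, and the quarantine group id is a placeholder (`$QUARANTINE_SG`) until `create_security_group` returns the real one. The memory dump and the Object Lock bucket from the slide are not covered here, since both need tooling outside the EC2 and IAM APIs.

```python
import datetime
import json

try:
    import boto3  # only needed by apply(); build_plan() runs without it
except ImportError:
    boto3 = None

QUARANTINE_SG = "$QUARANTINE_SG"  # placeholder resolved once the group exists


def build_plan(instance_id, vpc_id, volume_ids, role_name,
               user_access_keys=(), now=None):
    """Return the ordered API calls as (service, api, kwargs) tuples so the
    responder can review them before anything touches the account."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    tags = [{"Key": "IR-Case", "Value": f"case-{stamp}"}]
    plan = []
    # 1. Preserve first: snapshot every attached volume before the instance changes.
    for vol in volume_ids:
        plan.append(("ec2", "create_snapshot", {
            "VolumeId": vol, "Description": f"IR evidence {instance_id} {stamp}",
            "TagSpecifications": [{"ResourceType": "snapshot", "Tags": tags}]}))
    # 2. Quarantine security group: a new group has no ingress rules, but AWS adds
    #    an allow-all egress rule that has to be revoked explicitly.
    plan.append(("ec2", "create_security_group", {
        "GroupName": f"quarantine-{stamp}", "VpcId": vpc_id,
        "Description": "IR quarantine: no inbound or outbound traffic"}))
    plan.append(("ec2", "revoke_security_group_egress", {
        "GroupId": QUARANTINE_SG,
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}))
    plan.append(("ec2", "modify_instance_attribute", {
        "InstanceId": instance_id, "Groups": [QUARANTINE_SG]}))
    # 3. Keep the evidence from being destroyed through the API.
    plan.append(("ec2", "modify_instance_attribute", {
        "InstanceId": instance_id, "DisableApiTermination": {"Value": True}}))
    # 4. Revoke the instance role's existing sessions: deny every call made with
    #    a token issued before now (the condition the IAM console's
    #    "revoke active sessions" uses). Sessions created after this are unaffected.
    revoke = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": now.isoformat()}}}]}
    plan.append(("iam", "put_role_policy", {
        "RoleName": role_name, "PolicyName": "IR-RevokeOlderSessions",
        "PolicyDocument": json.dumps(revoke)}))
    # 5. Disable (not delete) any IAM user keys tied to the incident; the keys
    #    stay as evidence and are rotated during recovery.
    for user, key_id in user_access_keys:
        plan.append(("iam", "update_access_key", {
            "UserName": user, "AccessKeyId": key_id, "Status": "Inactive"}))
    return plan


def resolve(value, sg_id):
    """Substitute the quarantine group id into kwargs once it is known."""
    if value == QUARANTINE_SG:
        if sg_id is None:
            raise RuntimeError("quarantine security group has not been created yet")
        return sg_id
    if isinstance(value, list):
        return [resolve(v, sg_id) for v in value]
    if isinstance(value, dict):
        return {k: resolve(v, sg_id) for k, v in value.items()}
    return value


def apply(plan, session=None):
    """Execute the plan in order with boto3 and return the ids it produced."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to apply a plan")
    session = session or boto3.Session()
    clients, sg_id, produced = {}, None, []
    for service, api, kwargs in plan:
        client = clients.setdefault(service, session.client(service))
        response = getattr(client, api)(**resolve(kwargs, sg_id))
        if api == "create_security_group":
            sg_id = response["GroupId"]
        produced.append((api, response.get("SnapshotId") or response.get("GroupId")))
    return produced


if __name__ == "__main__":
    # Constructed ids; nothing here exists in a real account.
    for step in build_plan("i-0123456789abcdef0", "vpc-0123456789abcdef0",
                           ["vol-0123456789abcdef0"], "WebServerRole",
                           user_access_keys=[("alice", "AKIAEXAMPLE0000001")]):
        print(step[0], step[1], json.dumps(step[2])[:80])
```

Running the plan through a read-only or break-glass role from the security operations account, as the preparation slide recommends, keeps the containment actions in CloudTrail under a principal the investigation can trust.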

Slide 24

Cloud forensics challenges
• Accessibility of logs
• Physical inaccessibility
• Volatility of data
• Identification of evidence at the client side
• Dependence on CSP trust

Slide 25

Get in touch at
Twitter: @e11i0t_4lders0n
LinkedIn: /in/tushars25
Instagram: @e11i0t_4lders0n__
Email: [email protected]

Slide 26

Thank you