incident response and forensics in your pyjamas when
play

Incident Response and Forensics in your Pyjamas When security - PDF document

Mar 20, 2024 •257 likes •558 views

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit

  1. Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit the data centre to capture data from the systems. And that would mean getting dressed. When infrastructure is in the cloud, you have remote access and APIs for managing all your infrastructure, so you can respond to incidents with automation and do your forensic analysis in your bunny slippers. But is it as good as the capabilities you have in a data centre? Is getting dressed the price you have to pay for high quality forensics and incident response? In this talk Paco will explain the two major domains of cloud events (infrastructure domain and service domain) and describe the security and incident response techniques pioneered by AWS customers like Mozilla, Alfresco, and Netflix. He'll explain how to isolate resources to preserve the integrity of the data; get RAM dumps and disk image snapshots; and identify unauthorised changes to cloud resources using API tools and logs. And all of this while wearing pyjamas. 1

  2. For more on this, see: https://aws.amazon.com/what-is-cloud-computing/

  3. Photo “lazy day” by monicasecas Image Source: https://www.flickr.com/photos/monicasecas/3171587103 License: Attribution 2.0 Generic (CC BY 2.0) https://creativecommons.org/licenses/by/2.0/ 3

  4. This shared model can help relieve customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. 4

  5. 5

  6. Compliance variance — data or resources configured in a way that violates your compliance policies Service disruption — users or systems unable to access resources in your environment Unauthorized resources — resources created in your environment that are unauthorized or unexpected Unauthorized access — access to your resources via an IP address, user, or system, that is unauthorized Privilege escalation — attempts to gain elevated access to resources that are normally protected from an application or user, or attempts to gain access to your system or network for an extended period of time Persistence — attempts to establish an access mechanism allowing future access to resources Excessive permissions — resources that have overly permissive access control mechanisms or permissions Information exposure — anomalous or unauthorised access to sensitive data Credentials exposure — unauthorized access to AWS-specific credentials 6

  7. Service Domain: Events in the service domain affect a customer's AWS account, billing, IAM permissions, resource metadata, etc. A service domain event is one that you respond to exclusively with AWS API mechanisms. Infrastructure Domain: Events in the infrastructure domain include data or network-related activity, such as the traffic to your Amazon EC2 instances within the VPC, processes and data on your Amazon EC2 instances, etc. Your response to infrastructure domain events will often involve commands and software that executes in the operating system of an instance, but may also involve AWS API mechanisms where they can be applied. 7

  8. Logs and Monitors — There are AWS logs like Amazon CloudTrail, S3 access logs, and VPC Flow Logs and security monitoring services such as Amazon GuardDuty and Amazon Macie. There are also AWS monitors like Route 53 health checks and CloudWatch Alarms. Similarly there are the Windows Events, Linux syslog logs, and other application-specific logs that you might generate in your applications. Billing Activity — A sudden change in billing activity may indicate a security event. Threat Intelligence — if you subscribe to a third-party threat intelligence feed, you can correlate that information with other logging and monitoring to identify potential indicators of events. AWS Outreach — AWS Support may contact you if we identify abusive or malicious activity. See the following section, “ AWS Response to Abuse and Compromise” , for additional information. Ad Hoc Contact — Sometimes your customers, your developers, or other staff in your organization notice something unusual. It is important to have a well-known, well-publicized “front door” for your security team to receive notifications from people. Popular choices include ticketing systems, contact email addresses,and web forms. If your organization deals with the general public, you may need to have a public-facing security contact mechanism as well. 8

  9. CloudWatch Logs — a number of services utilize CloudWatch Logs for their logging mechanism, such as Lambda. You can create filters to look for patterns in CloudWatch Logs and create CloudWatch metrics with them to trigger downstream actions CloudWatch Events — A place that you can “listen” for specific events happening on AWS such as EC2 instance states or a specific API call. When an event is matched, it can trigger Lambda or SNS (or both) CloudWatch Alarms — An alarm can trigger a workflow via SNS that can chain up a number of reactions including Lambda VPC Flow Logs — Can be a telling source of nefarious network access GuardDuty — A powerful threat detection tool that can notify you when something is off of baseline Macie — Macie can notify you when sensitive data in S3 is being moved or accessed. Additionally, Macie reports all findings to CloudWatch. S3 access logs — These logs could indicate possible data exfiltration CloudTrail — CloudTrail logs all API calls on the platform, who called them, when, if it was successful or not, etc. This is not an exhaustive list. Consider other things like: • Health checks (ELB, Route53) • OS and Application logs 9

  10. Two options for forensic analysis in the infrastructure domain: Online analysis Offline analysis You can do either or both 10

  11. So we have a VPC… web tier, each instance has a data volume 11

  12. Let’s assume that we’re sending logs to S3, as well as running some monitoring tools 12

  13. Change the security group around it to stop the horizontal movement around the compromised instance. 13

  14. You can leave it and use it as a honeypot, but make sure the rest of your users aren’t accessing it. 14

  15. Take a snapshot 15

  16. 16

  17. Load the snapshot onto your forensic instance 17

  18. From there, you can connect the two and run the forensics and find the threats and patterns to help you with your investigation. 18

  19. 19

  20. Photo “Sleeping Woman” by Petr Kratochvil Source: https://www.publicdomainpictures.net/en/view- image.php?image=208413&picture=sleeping-woman License: CC0 Public domain: http://creativecommons.org/publicdomain/zero/1.0/ 20

  21. 21

  22. 22

  23. 23

  24. 24

  25. 25

  26. 26

  27. 27

  28. 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing

TBD Challenges for Digital Forensics and Incident Response on Virtualization and Cloud Computing Platforms Introduction Christopher Day, Chief Security Architect, Terremark Responsible for Terremarks global information security services

332 views • 30 slides
For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke Presentation Overview 1. Incident Response Lifecycle 2. Forensic Artifacts 1. DISK & RAM 3. Demo Incident Response Lifecycle 1.Preparation

575 views • 34 slides
Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC

Towards Large-Scale Incident Response and Interactive Network Forensics Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Dissertation Proposal UC Berkeley December 14, 2011 April 21, 2009: Bad News for UC Berkeley 2 / 63 Blind SQL

790 views • 63 slides
Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis

Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis

Web Application Incident Response & Forensics: A Whole New Ball Game! Chuck Willis chuck.willis@mandiant.com Rohyt Belani rohyt.belani@intrepidusgroup.com Black Hat Briefings DC 2007 February 28, 2007 Company Overviews MANDIANT

1.38k views • 69 slides
Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

Incident Response: Goals of Incident Management Steps to Preparation Risk Assessment

6/19/2015 Incidents Are Not Necessarily Emergencies Incident Laboratory Incidences and An event thats likely to have adverse consequences Emergency Response Programs Emergency Unanticipated circumstances resulting in

564 views • 5 slides
Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

492 views • 19 slides
Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016

Introduction to Incident Response Renana Friedlich, National Incident Response Leader March 2016 Agenda Evaluation of Cybersecurity risks The attackers playbook Case study What can you do today Page 2 Evaluation of

622 views • 12 slides
BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF

5/20/2014 COURSE OUTLINE Purpose Building Incident Response Team Expectations BIRT BIRT Liaisons Incident Response Incident Follow-Up Q&A 1 2 PURPOSE OF BIRT PURPOSE OF BIRT Prepare units to respond to a

342 views • 4 slides
Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May

Incident Response and Information Sharing A Practical Approach Rapha el Vinot - TLP:GREEN May 22, 2015 The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response

407 views • 13 slides
Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info Malware Forensics and Incident Response Anti-Forensics Executables Stealth Techniques Live System Anti-Forensics Process

907 views • 76 slides
Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I?

Agile Incident Response: Operating through Ongoing Confrontation Kevin Mandia Who Am I? Professorial Lecturer Carnegie Mellon University 95-856 Incident Response Master of Information System Management The George Washington

1.29k views • 60 slides
SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar

SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics Sundar Krishnan & Dr. Mingkui Wei Department of Computer Science Sam Houston State University, Huntsville, Texas ISDFS 2019 SC SCADA Ov Overv

635 views • 22 slides
Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council

Above My Pay Grade: Incident Response at the National Level Jason Healey Atlantic Council Traditional Incident Response But at the national level, incident response is a different game Implications for Misunderstandings between geeks and

541 views • 27 slides
T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic Monitor.

834 views • 70 slides
DFS / FCU METRICS CASEWORK Performed 809 exhibits for USAO/NSID/OCME/DOC o Superior Court (379

DFS / FCU METRICS CASEWORK Performed 809 exhibits for USAO/NSID/OCME/DOC o Superior Court (379

DFS / FCU METRICS CASEWORK Performed 809 exhibits for USAO/NSID/OCME/DOC o Superior Court (379 felony exhibits, 282 misdemeanor exhibits) o District Courts (47 exhibits) o District agencies "Surveillance" (98+ exhibits) FCU Reports for

159 views • 3 slides
Similarity of 2D images: An application to the forensic comparison of shoe outsole impressions

Similarity of 2D images: An application to the forensic comparison of shoe outsole impressions

Similarity of 2D images: An application to the forensic comparison of shoe outsole impressions Soyoung Park, Ph.D and Alicia Carriquiry,Ph.D CSAFE/Iowa State University March, 11,2019 1/29 Acknowledgements Thanks to, Dr. Hariharan K.

627 views • 29 slides
Inventors: Jennifer Doering, Ph.D., RN College of Nursing, UW-Milwaukee Greg Krzecki Director

Inventors: Jennifer Doering, Ph.D., RN College of Nursing, UW-Milwaukee Greg Krzecki Director

Inventors: Jennifer Doering, Ph.D., RN College of Nursing, UW-Milwaukee Greg Krzecki Director of Maintenance, Quad Air Whats the Problem? 3,600 infant deaths/year due to SIDS 60% of parents sleep with their infant(s) Existing

517 views • 10 slides
Web Application Forensics HTTPD Logfile Security Analysis Jens Mller, Ruhr University Bochum

Web Application Forensics HTTPD Logfile Security Analysis Jens Mller, Ruhr University Bochum

Web Application Forensics HTTPD Logfile Security Analysis Jens Mller, Ruhr University Bochum jens.a.mueller@rub.de Scenario You got pwned The Log File Problem Log files are huge. We are lazy. How find important stuff? Still

873 views • 28 slides
Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory

Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory

Fact or fiction? Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory http://www.cl.cam.ac.uk/teaching/0910/R08/ Michaelmas 2009 MPhil ACS Hans D. Baumann, DOCMA 3 Real Introductory examples:

491 views • 7 slides
The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley /

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley /

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Bro Workshop 2011 NCSA, Champaign-Urbana, IL Outline 1. The Bro Difference 2. Abstract Use Cases 3. From Post-Facto to

530 views • 23 slides
ForgetMeNot: Memory-Aware Forensic Facial Sketch Matching Authors: Ouyang, Hospedales, Song, Li

ForgetMeNot: Memory-Aware Forensic Facial Sketch Matching Authors: Ouyang, Hospedales, Song, Li

ForgetMeNot: Memory-Aware Forensic Facial Sketch Matching Authors: Ouyang, Hospedales, Song, Li Slides by Josh Kelle 1 Overview VIPSL dataset experiment goals experiment results conclusion 2 VIPSL Dataset artist A B C D

377 views • 22 slides

More recommend