
Digital Forensics, Incident Response, and Cloud Computing

Troy Larson
Azure | MSRC, Microsoft Corp.

Forensics, Response, Cloud Computing

• MSRC | Azure
• Security incident response investigations.
• Forensics @ Microsoft.
• Compromise | Intrusion | Breach.
• Forensics and incident response investigations for the cloud.

What is cloud computing?

• Insider's view of cloud computing:
  • Technology overview.
  • Policy.
  • Forensics and incident response.
  • Practices.
  • Challenges.
  • Opportunities.

What is cloud computing?

What is cloud computing?

• Automated datacenter, where machines are:
  • Deployed by machine.
  • Managed by machine.
  • Monitored by machine.
  • For services.
  • For tenants.

Cloud Compute

Vacation Resources

Azure Technical Overview

• Collection of automated datacenters.
• Primary resources:
  • Compute.
  • Storage.
  • Network.

Azure Technical Overview

• Datacenters.
• Clusters.
• Nodes (blades).

Azure Technical Overview

• Compute node (host server).

Azure Technical Overview

• Virtual machine, from the host.

[Diagram: Host. Memory: GPA1, GPA2. Media: VHD1, VHD2.]

Azure Technical Overview

• The persistent virtual hard drive.

Azure Technical Overview

• The virtual hard drive.
  • To the host, a file.
  • To the virtual machine, a physical disk.
  • Partitioned and formatted to create volumes and file systems.
  • Can be organized like physical hard drives:
    • Single disks.
    • Dynamic volumes — volumes spanning virtual disks.
    • RAID.
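The two viewpoints on the same bytes, as an added example that is not part of the deck: to the host a fixed-size VHD is a file whose last 512 bytes are a footer; to the guest everything before that footer is a physical disk carrying an MBR partition table. The image here is constructed in memory; field layouts follow Microsoft's public VHD specification (big-endian footer, CHS algorithm) and the classic MBR format. The creator tags and the unique id are constructed values, and the code refuses dynamic and differencing VHDs, whose data sits behind a block allocation table and would be misread as a flat image.

```python
"""Added example, not from the slides: a fixed VHD from the host's and the guest's side."""
import struct
import uuid

SECTOR = 512
# VHD footer: cookie, features, version, data offset, timestamp, creator app,
# creator version, creator host OS, original size, current size, geometry,
# disk type, checksum, unique id, saved state, reserved (512 bytes in total)
FOOTER_FMT = ">8sIIQI4sI4sQQ4sII16sB427s"
CHECKSUM_OFF = 64
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
SAMPLE_ID = uuid.UUID("12345678-1234-4123-8123-123456789abc")  # constructed id


def chs_geometry(size_bytes: int):
    """CHS geometry per the algorithm in the VHD specification."""
    total = min(size_bytes // SECTOR, 65535 * 16 * 255)
    if total >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cth = total // spt
    else:
        spt = 17
        cth = total // spt
        heads = max(4, (cth + 1023) // 1024)
        if cth >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cth = total // spt
        if cth >= heads * 1024:
            spt, heads = 63, 16
            cth = total // spt
    return cth // heads, heads, spt


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFF] + b"\0\0\0\0" + footer[CHECKSUM_OFF + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def build_fixed_vhd(size_bytes: int, partitions) -> bytes:
    """Constructed sample: zeroed disk with an MBR table, then the footer.
    partitions: iterable of (mbr_type, lba_start, sector_count)."""
    disk = bytearray(size_bytes)
    for i, (ptype, lba, count) in enumerate(partitions):
        # status, CHS start (unused), type, CHS end (unused), LBA start, sector count
        entry = struct.pack("<B3sB3sII", 0x80 if i == 0 else 0, b"\xff\xff\xff",
                            ptype, b"\xff\xff\xff", lba, count)
        disk[446 + 16 * i:446 + 16 * (i + 1)] = entry
    disk[510:512] = b"\x55\xaa"
    cyl, heads, spt = chs_geometry(size_bytes)
    footer = struct.pack(FOOTER_FMT, b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF,
                         0, b"win ", 0x00060001, b"Wi2k", size_bytes, size_bytes,
                         struct.pack(">HBB", cyl, heads, spt), 2, 0,
                         SAMPLE_ID.bytes, 0, b"\0" * 427)
    csum = struct.pack(">I", vhd_checksum(footer))
    return bytes(disk) + footer[:CHECKSUM_OFF] + csum + footer[CHECKSUM_OFF + 4:]


def parse_vhd_footer(image: bytes) -> dict:
    """The host's view: validate and decode the trailing footer."""
    footer = image[-SECTOR:]
    (cookie, _feat, _ver, _off, _ts, _app, _appver, _os, _orig, cur,
     geom, dtype, csum, uid, saved, _res) = struct.unpack(FOOTER_FMT, footer)
    if cookie != b"conectix":
        raise ValueError("no VHD footer: cookie mismatch")
    if csum != vhd_checksum(footer):
        raise ValueError("VHD footer checksum mismatch")
    return {"type": DISK_TYPES.get(dtype, f"unknown({dtype})"), "current_size": cur,
            "geometry": struct.unpack(">HBB", geom), "saved_state": bool(saved),
            "unique_id": str(uuid.UUID(bytes=uid))}


def parse_mbr(disk: bytes) -> list:
    """The guest's view: the partition table at byte 446 of sector 0."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", disk, 446 + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "bytes": count * SECTOR})
    return parts


def inspect_vhd(image: bytes) -> dict:
    """Both views. Only a fixed VHD stores the disk as a flat byte run before the
    footer; dynamic/differencing VHDs keep blocks behind a BAT and are refused."""
    footer = parse_vhd_footer(image)
    if footer["type"] != "fixed":
        raise ValueError(f"{footer['type']} VHD: data is not a flat image")
    disk = image[:-SECTOR]
    if len(disk) != footer["current_size"]:
        raise ValueError("file length does not match footer current size")
    return {"footer": footer, "partitions": parse_mbr(disk)}


if __name__ == "__main__":
    img = build_fixed_vhd(4 * 1024 * 1024, [(0x07, 2048, 4096)])  # 4 MiB, one NTFS-typed partition
    print(inspect_vhd(img))
```

Run against a real VHD blob, the footer check tells a responder what kind of image was pulled from storage before any attempt to mount it, and the MBR listing shows the volumes the guest saw without touching the tenant's running machine.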

Azure Technical Overview

• Virtual machine memory.

[Diagram: Page file on VHD.]

Azure Technical Overview

• Virtual machine, from within.

[Diagram: Memory; C:\ D:\]

Azure Technical Overview

• Different viewpoints.
• On the host side of the hypervisor:
  • Memory is guest physical address space.
  • Disks are files.
• On the guest side of the hypervisor:
  • Memory consists of virtual and physical address space.
  • Disks appear as physical and logical media.

Policy

Policy

• Cloud administrators and security teams:
  • Extremely limited visibility into what is happening with tenant VMs.
• Tenant administrators and security teams:
  • Complete visibility into what is happening on their VMs.
  • No visibility into what is happening on other tenant VMs or host or infrastructure.
• Security responsibility follows ownership.

Policy

• Security.
• Shared Security Model:
  • Management.
  • Ownership.

Policy

• Security incident.

[Diagram: Network with TOR switches.]

Forensics, Response, Cloud Computing

Evidence Acquisition of Cloud-Based Machines

Forensics, Response, Cloud Computing

• Virtual machines, acquisition.

Forensics, Response, Cloud Computing

Host/VM
• Memory
  • As GPA.
  • As saved state file(s).
• Media
  • As files.
  • As blobs.
• Network
  • From virtual switch.

Guest/VM
• Memory
  • Live.
• Media
  • As physical or logical disks.
  • As blobs.
• Network
  • Live.

Forensics, Response, Cloud Computing

Host/VM
• Running or stopped.
• State can be frozen.*
• No collection artifacts.*
• Consistent memory and disk images.*

Guest/VM
• Running.
• State is dynamic.
• Collection artifacts.
• Inconsistent memory and disk images.

[Diagram: GPA, VHD (host side); VHD, C:\, D:\, Memory (guest side).]

Forensics, Response, Cloud Computing

Host/VM
• Cloud provider.

Guest/VM
• Tenant.

Forensics, Response, Cloud Computing

• Tenant evidence acquisition:
  • Standard remote collection procedures and tools should work for acquiring cloud-based VMs.*
  • Blob storage of virtual disks allows for quick acquisition or snapshots of virtual disks.
  • Equivalent to, or better than, current enterprise remote evidence collection capability.*

Forensics, Response, Cloud Computing

• Cloud infrastructure.
  • Consists of hundreds of thousands of physical machines.
  • Huge amounts of RAM.*
  • Huge amounts of disk storage.*
  • Novel disk storage technologies.*
  • Under extremely heavy load.*
• Can exceed the capability of current forensics tools and practices.

Forensics, Response, Cloud Computing

• Cloud infrastructure.
  • Network is not a standard corporate network.
  • No domain authentication.
  • Segmented.
  • Firewalled.
• Standard enterprise remote evidence tools and procedures often will not work.

Forensics, Response, Cloud Computing

Forensic Analysis of Cloud-Based Machines

Forensics, Response, Cloud Computing

• Cloud machines:
  • Use standard operating systems.
  • Common, well-known file systems, file types, structures, and strings.
  • Amenable to standard analytical tools and procedures.
  • Subject to compromise, breach, and other common sport.

Forensics, Response, Cloud Computing

• Security incident response and stateless virtual machines.
  • PaaS designed to be stateless.
  • Scalability and fault tolerance.
  • Persistent data goes to storage.
  • New instance starts clean.
• Remediation by command line.
• What is the point of doing forensics or other in-depth security incident investigation?

Forensics, Response, Cloud Computing

• Cloud (virtual) machine advantages.
  • From host:
    • Fully consistent memory dumps.
    • Fully consistent drive (volume) images.
    • State files.
  • By tenant:
    • Fully consistent drive images from storage.*

Forensics, Response, Cloud Computing

• Issues of scale and scalability.
  • Cloud infrastructure is vast.
  • Cloud environment is more vast.
  • Virtual entities can be dynamic, and endpoints ephemeral.
• Tenant deployments can be vast and dynamic, too.

Forensics, Response, Cloud Computing

• Cloud-ready incident response and forensics:
  • Must be able to work at scale.
  • Must be scalable — monitoring, triage, log analysis, forensics.*
• Problem:
  • DF/IR is dependent on subject matter expertise.
  • Subject matter experts do not scale well.*

Forensics, Response, Cloud Computing

Research topics.

Forensics, Response, Cloud Computing

• What is normal?*

The analytical opportunities of scale.

* Jesse Kornblum, https://digital-forensics.sans.org/summit-archives/2010/eu-digital-forensics-incident-response-summit-jesse-kornblum-computer-forensic-tool-panel.pdf

Forensics, Response, Cloud Computing

• Cloud machines | "Roles" | n identical instances.
• Role instances:
  • xyz-service-01_of_200
  • xyz-service-02_of_200
  • xyz-service-03_of_200
  • ...
  • xyz-service-56_of_200

Forensics, Response, Cloud Computing

• Role instances:
  • Same OS VHD.
  • Same hardware and drivers.
  • Same configuration settings.
  • Same applications and services.
  • Same processes and command lines.
  • Same events.

Forensics, Response, Cloud Computing

• Process creation event (Security Event ID 4688):
  • New process name and path.
  • Parent process.
  • Command line.
  • Account that launches the process.
• What processes run in exactly the same way, on all role instances?

Forensics, Response, Cloud Computing

• Role-specific event baselines:
  • Identical 4688 events, across all instances (per role), show what runs, how, by what account.
  • What is normal for any instance of that role.
  • Usage: compare individual to the herd.
    • Detection and monitoring.
    • Live analysis and triage (e.g., Kansa).
    • Memory forensics.
    • Disk forensics.

Forensics, Response, Cloud Computing

• Role-specific event baselines:
  • Signal to noise: non-identical 4688 events.
  • Unique for a role instance.
  • Anomalous, may indicate security issue.
  • Usage: what stands out against the herd.
    • Detection and monitoring.
    • Hunting.
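The herd comparison from the two baseline slides, as an added example that is not part of the deck: build the per-role baseline from the 4688 fields the slides name (new process, parent, account, command line), then report what one instance runs that the rest of the role does not. The events are constructed; the role name, the four instances and the IIS worker command line are assumptions for illustration. The one generalization beyond the slides is the normalize step, which masks per-instance tokens (GUIDs, long numbers) so that launches differing only in those still count as identical across the herd; without it the IIS worker below would look unique on every instance.

```python
"""Added example, not from the slides: per-role 4688 baseline, individual vs. herd."""
import re
from collections import defaultdict

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
LONG_NUM_RE = re.compile(r"\b\d{5,}\b")


def normalize(cmdline: str) -> str:
    """Mask per-instance tokens (GUIDs, long numbers such as PIDs or ports) so
    launches that differ only in those compare equal across the herd."""
    return LONG_NUM_RE.sub("<N>", GUID_RE.sub("<GUID>", cmdline)).lower().strip()


def event_key(ev: dict) -> tuple:
    """The 4688 fields the slides name: new process, parent, account, command line."""
    return (ev["new_process"].lower(), ev["parent_process"].lower(),
            ev["account"].lower(), normalize(ev["command_line"]))


def build_baseline(events, instances, min_fraction=1.0):
    """Keys seen on at least min_fraction of the role's instances are 'normal'.
    Returns the baseline set and a map key -> set of instances it was seen on."""
    seen = defaultdict(set)
    for ev in events:
        seen[event_key(ev)].add(ev["instance"])
    needed = max(1, round(min_fraction * len(instances)))
    return {k for k, where in seen.items() if len(where) >= needed}, seen


def outliers(events, baseline, seen):
    """Signal to noise: events whose key the herd does not share."""
    out = []
    for ev in events:
        k = event_key(ev)
        if k not in baseline:
            out.append({"instance": ev["instance"], "new_process": ev["new_process"],
                        "parent_process": ev["parent_process"], "account": ev["account"],
                        "seen_on": sorted(seen[k])})
    return out


INSTANCES = [f"xyz-service-{i:02d}_of_200" for i in range(1, 5)]  # constructed role, 4 instances


def sample_events():
    """Constructed 4688 records: the same two launches on every instance (the IIS
    worker's pipe name carries a per-instance GUID), plus one extra on instance 03."""
    events = []
    for n, inst in enumerate(INSTANCES, start=1):
        guid = f"0000000{n}-1111-4222-8333-444444444444"
        events.append({"instance": inst, "new_process": r"C:\Windows\System32\svchost.exe",
                       "parent_process": r"C:\Windows\System32\services.exe",
                       "account": r"NT AUTHORITY\SYSTEM",
                       "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"})
        events.append({"instance": inst, "new_process": r"C:\Windows\System32\inetsrv\w3wp.exe",
                       "parent_process": r"C:\Windows\System32\svchost.exe",
                       "account": r"IIS APPPOOL\xyz",
                       "command_line": rf'c:\windows\system32\inetsrv\w3wp.exe -ap "xyz" -v "v4.0" -a \\.\pipe\iisipm{guid}'})
    events.append({"instance": INSTANCES[2], "new_process": r"C:\Users\Public\svc_update.exe",
                   "parent_process": r"C:\Windows\System32\inetsrv\w3wp.exe",
                   "account": r"IIS APPPOOL\xyz",
                   "command_line": r"C:\Users\Public\svc_update.exe -silent"})
    return events


if __name__ == "__main__":
    evs = sample_events()
    baseline, seen = build_baseline(evs, INSTANCES)
    for o in outliers(evs, baseline, seen):
        print(f"{o['instance']}: {o['new_process']} (parent {o['parent_process']}, "
              f"account {o['account']}) seen on {len(o['seen_on'])}/{len(INSTANCES)} instances")
```

Two practical points for real data: the command line field is only populated in 4688 when the audit policy "Include command line in process creation events" is enabled, and a role that is mid-rollout (old and new versions side by side) will not reach the 100% agreement used here, which is why min_fraction is a parameter rather than a constant.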

Forensics, Response, Cloud Computing

• What other herd behavior can indicate normal or highlight anomalies?
  • Task scheduler and service events.
  • Object access events?
  • Logon, source IP address?
  • Error and failure events?
  • IPFIX?
  • Prefetch?
  • Amcache.hve?

Forensics, Response, Cloud Computing

Questions?
