Embed Size (px)
DESCRIPTION
You've employed the practices outlined for incident detection, but what do you do when you detect an incident in the cloud? This session walks you through a hypothetical incident response on AWS. Learn to leverage the unique capabilities of the AWS environment when you respond to an incident, which in many ways is similar to how you respond to incidents in your own infrastructure. This session also covers specific environment recovery steps available on AWS.
Citation preview
Configuration
Amazon S3 Amazon EC2 Amazon VPC Amazon RDS Elastic BeanstalkIAM
Security
GroupVPC
SubnetAmazon
S3 Bucket
Groups,
Users,
Credentials
Applications
Amazon RDS
DB Instances
Objects
Instances
Internet
Gateways
Customer
AWS
Traditional IR
This Talk
Its Here
And Here
And Here
And Here
https://s3.amazonaws.com/reinvent2014-
sec402/SecConfig.py
https://s3.amazonaws.com/reinvent2014-
sec402/SecConfig.py
"accessKeyId": "AKIAJLMGEGEAYMFNTH2Q",
"accessKeyId": "AKIAJLMGEGEAYMFNTH2Q",
"accessKeyId": "ASIAJNH65GHCSCYCGEUQ",
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#SG_Changing_Group_Membership
beetle@forensics:~$ ping intern
PING intern (54.173.32.252) 56(84) bytes of data.
64 bytes from 54.173.32.252: icmp_seq=1 ttl=63 time=1.34 ms
64 bytes from 54.173.32.252: icmp_seq=2 ttl=63 time=1.10 ms
64 bytes from 54.173.32.252: icmp_seq=3 ttl=63 time=1.30 ms
64 bytes from 54.173.32.252: icmp_seq=4 ttl=63 time=1.50 ms
64 bytes from 54.173.32.252: icmp_seq=5 ttl=63 time=1.25 ms
^C
--- 54.173.32.252 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.108/1.302/1.500/0.135 ms
beetle@forensics:~/tools$ uname -a
Linux ip-172-30-4-4 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
beetle@forensics:~/tools$ scp -i beetle-demo-1.pem ./lime* ubuntu@intern:/tmp
lime-3.13.0-36-generic.ko 100% 9896 9.7KB/s 00:00
beetle@forensics:~/tools$ ssh -i beetle-demo-1.pem ubuntu@intern
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-36-generic x86_64)
...
ubuntu@intern:~$ cd /tmp
ubuntu@intern:/tmp$ ls
lime-3.13.0-36-generic.ko
ubuntu@intern:/tmp$ sudo insmod lime*.ko "path=tcp:4444 format=lime"
beetle@forensics:~/volatility$ nc intern 4444 > intern_memory.lime
beetle@forensics:~$ zip internUbuntu14.zip module.dwarf \
/boot/System.map-`uname -r`
adding: module.dwarf (deflated 90%)
adding: boot/System.map-3.13.0-36-generic (deflated 79%)
beetle@forensics:~$ cp internUbuntu14.zip ~/volatility
beetle@forensics:~$ cd volatility
beetle@forensics:~/volatility$ python vol.py --info | grep Linux
Volatile Systems Volatility Framework 2.2
LinuxinternUbuntu14x64 - A Profile for Linux internUbuntu14 x64
beetle@forensics:~/volatility$ python vol.py -f ~/intern_memory.lime \
--profile=LinuxinternUbuntu14x64 linux_pstree | more
Volatile Systems Volatility Framework 2.2
Name Pid Uid
init 1 149534510806724
.dhclient 598 149534603226500
.rsyslogd 787 149534603906244
.getty 912 149533581563780
.sshd 953 149534583307268
..sshd 1191 149534598143556
...sshd 1244 149534511131844
....bash 1245 149534510056196
.....sudo 1262 149534509945412
......insmod 1263 149534512334340
.cron 957 149534593742340
beetle@forensics:~/volatility$ python vol.py -f ~/target_memory.lime \
--profile=LinuxinternUbuntu14x64 linux_bash –H 0x6fd618 -P | more
Volatile Systems Volatility Framework 2.2
Command Time Command
-------------------- -------
#1415809185 sudo apt-get update
#1415809185 sudo apt-get upgrade
#1415809185 sudo shutdown -r now
#1415809192 cd /tmp
#1415809194 ls
#1415809258 sudo insmod lime*.ko "path=tcp:4444 format=lime"
beetle@forensics:~/volatility$ python vol.py -f ~/target_memory.lime \
--profile=LinuxinternUbuntu14x64 linux_ifconfig
Volatile Systems Volatility Framework 2.2
Interface IP Address MAC Address Promiscous Mode
---------------- -------------------- ------------------ ---------------
lo 127.0.0.1 00:00:00:00:00:00 False
eth0 172.30.4.75 00:00:00:00:00:00 False
beetle@forensics:~/volatility$ python vol.py -f ~/target_memory.lime \
--profile=LinuxinternUbuntu14x64 linux_check_modules
Volatile Systems Volatility Framework 2.2
Module Name
-----------
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
http://blogs.aws.amazon.com/security/
https://aws.amazon.com/security
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMGettingStarted.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html
http://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html
•http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/MultiFactorAuthenticationDelete.html
http://www.youtube.com/user/AmazonWebServices
http://www.sans.org/reading-room/whitepapers/incident
http://www.first.org/resources/guides
http://www.cert.org/incident-management/publications/
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals
![[AWS re:invent 2013 Report] AWS New EC2 Instance Types](https://img.dokumen.tips/doc/110x75/5565fe5cd8b42a2a4d8b4cc5/aws-reinvent-2013-report-aws-new-ec2-instance-types.jpg)
