ThreatResponse
https://threatresponse.cloud
A free open source incident response toolkit for Amazon Web Services.
Agenda
● A Look at Cloud Incidents
● Resilient Security
● Standard incidents and response
● Incident Handling Challenges in AWS
● Tool Demos
How ready are you to
respond to an incident
at your place of business?
Cloud Incidents are High Risk
WHOLISTIC
SECURITY
Attackers are automating.
Why aren’t you?
Shamelessly borrowed from Dino Dai Zovi https://www.youtube.com/watch?v=86oTJjEnNEI
Corollary: overly focused OS-level protection misses avenues for cloud-level priv-esc attacks.
Corollary: overly focused security of one service / product misses avenues for cloud-level compromise.
Corollary: overly focused DevOps and cattle-class environments miss avenues for persistence.
Attackers exploit new frontiers
...defenders are still fighting the last war.
RESILIENT
SECURITY
The Red Pill
of
Resilience
@swagitda_ aka Kelly Shortridge, Security ScoreCard
https://www.youtube.com/watch?v=ux--pHFpeac
Resilience is
systemic
Infosec resilience means
a flexible system that can
absorb an attack and
reorganize around a
threat. -- Kelly Shortridge
https://www.youtube.com/watch?v=ux--pHFpeac
Robustness
How can you withstand an
attack?
Adaptability
How can you reduce your
losses?
Transformability
How can you challenge
your assumptions?
Who will attack you?
What will you do?
Incident Response
is a
resilience tactic
Resilience
makes
response
EASIER
Resilience by
design...
Everything fails all the time
We are
all
security engineers
https://www.youtube.com/watch?v=nFKVzEAm-ts
EVALUATE THE RISK
● Assess the risk
● Form a plan
● Test the plan
● Repeat, regularly and randomly
Credit: Toni de la Fuente blyx.com
Common Incident Types
● Instance / Application
● IAM / Credentials
● S3
Common EC2 Incidents
● Cryptojacking
● Information Disclosure via Vulnerability
● Pivot via Vulnerability
● AMI Poisoning
● Account Jumping
Common IAM Incidents
● Credential Leak - Access Keys
● Temporary Session Token Attacks
● Role Attacks (unintended access)
● Backdooring Roles for Persisting via STS Token
● Persistence via Typo Squatting
Common S3 Incidents
● Data leaks
● Website defacement
● Subdomain Takeovers
● Hosting malicious files
Incident Response
Basic first steps
● Create Internal Case File
● Create Support Case with AWS
○ Need to suppress AUP?
● Tag Resources under investigation
● Internal Disclosure
● Check Logging / Adjust
● Trigger Network Capture - VPC Logs
Instance Compromises
Additional Evaluation
Lateral Movement Potential
● Assess other systems running in the same VPC
● Was the instance running in a role?
● Were there keys on the box?
Additional Evaluation
Evidence Preservation
● Do we have flow logs we can grab and archive for the incident?
● Do we need to do live response?
● Do we need to preserve a snapshot for offline forensics?
Access Key Compromises
… they happen
● Vim swap files
● Tools that generate key files ( Packer )
● Mobile app distribution
● Slack bots
Key Compromises are Scary
Persistence
● New users - typosquatting
● Creating new access keys
● STS Tokens
S3 Compromises
What besides configuration?
Code Corruption Attacks
● Malicious Code in Pipeline
● Replacing Signatures Hosted in S3
Web Hosting Attacks
● Defacement
● Subdomain takeovers
● Malicious Download Hosting
Logs
● Attacks on CloudTrail Buckets via lifecycle manipulation
Having a tough day in the cloud
Soft-Issues
● Cease and desist goes to account owner
● No response role
● Gaining necessary access
● Lack of uniformity
● Lack of familiarity on side of responder
● What is normal?
Technical Issues
● Failed containment
● Destruction / Mishandling of evidence
● Involves lots of instances ( Maybe )
● No auditd
● No syslogs
Tools
You wanted to see some, right?
Product Portfolio - Primary Offerings
● Margarita Shotgun
○ Remote Memory Acquisition
● AWS_IR
○ Command line Tool
Product Portfolio - Secondary Offerings
● Lime Compiler - Kernel Module Builder
○ Leveraged by Margarita Shotgun
● Aws-ir-plugins
○ Expandable architecture
Product Portfolio - Paid Offerings
● Ephemeral Systems Incident Pony
○ Automation Hub and Case Management
○ See: ephemeralsystems.com
Margarita Shotgun:
Remote Memory Acquisition In Parallel
How does it work?
● SSH into target
● Interrogates system
● Fetches kernel module from repository
● Inserts that into system
● Delivers memory to
○ s3
○ local disk
What’s new?
● 10x faster, with compression support at the endpoint
● Jump box support
● Auto module resolution with Lime Compiler
Props to @joelferrier!
Margarita Shotgun Demo
ASCIINEMA :
https://asciinema.org/a/130403
LiME Compiler:
Precompiled LiME Modules
for common AWS hosts
https://github.com/ThreatResponse/lime-compiler
Builds LiME Kernel modules for:
● Amazon Linux
● Centos 6
● Centos 7
● Debian 7
● Debian 8
● Ubuntu 12.04
● Ubuntu 14.04
● Ubuntu 15.10
● Ubuntu 16.04
● Ubuntu 16.10
● Other? ...
Hosted by Mozilla!
● You can byom ( run it yourself )
● GPG Signing
● Standard yum XML repo format
● Docker Driver
● Currently builds every 4-hours
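The module-resolution step that Margarita Shotgun performs against the LiME Compiler repository (pick the prebuilt module for the target's kernel release, then check its integrity before it is inserted into a possibly compromised host), written out as an added Python example; this is not lime-compiler's or Margarita Shotgun's own code. The index below is a constructed yum primary.xml-style sample and the real repository layout may differ; the page states the repository is GPG-signed, and verifying that signature on the index is assumed to happen before this lookup. Function names are assumptions of mine.

```python
"""Resolve and verify a LiME kernel module for a target kernel release.

Added example, not lime-compiler's or Margarita Shotgun's code. The index is a
constructed yum primary.xml-style sample (assumed schema). The index itself
must be authenticated (the repository is GPG-signed) for the digest check to
mean anything.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}

# Constructed sample module bytes and a constructed index whose first entry
# carries their sha256; the second entry is deliberately wrong.
SAMPLE_MODULE = b"\x7fELF-constructed-lime-module-bytes"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_MODULE).hexdigest()
SAMPLE_INDEX = f"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="2">
  <package type="rpm">
    <name>lime-4.9.32-15.41.amzn1.x86_64</name>
    <checksum type="sha256" pkgid="YES">{SAMPLE_SHA256}</checksum>
    <location href="modules/lime-4.9.32-15.41.amzn1.x86_64.ko"/>
  </package>
  <package type="rpm">
    <name>lime-4.4.0-83-generic</name>
    <checksum type="sha256" pkgid="YES">{"0" * 64}</checksum>
    <location href="modules/lime-4.4.0-83-generic.ko"/>
  </package>
</metadata>
"""


def module_name(uname_r: str) -> str:
    """Modules are named lime-<uname -r>.ko (the aws_ir log above shows
    lime-4.9.32-15.41.amzn1.x86_64.ko). The release string comes from a host
    under investigation, so refuse anything that could steer a path."""
    if not uname_r or "/" in uname_r or ".." in uname_r or uname_r != uname_r.strip():
        raise ValueError(f"suspicious kernel release string: {uname_r!r}")
    return f"lime-{uname_r}.ko"


def resolve_module(index_xml: str, uname_r: str) -> dict:
    """Return the repo-relative href and expected sha256 for the target kernel.

    Raises LookupError when no prebuilt module exists (the responder then has
    to build one with lime-compiler) and ValueError when the index entry
    carries no sha256, since an unverifiable module must not be inserted."""
    wanted = module_name(uname_r)
    root = ET.fromstring(index_xml)
    for pkg in root.findall("c:package", NS):
        location = pkg.find("c:location", NS)
        href = location.get("href", "") if location is not None else ""
        if href.rsplit("/", 1)[-1] != wanted:
            continue
        chk = pkg.find("c:checksum", NS)
        if chk is None or chk.get("type") != "sha256" or not chk.text:
            raise ValueError(f"{wanted}: index entry has no sha256 checksum")
        return {"href": href, "sha256": chk.text.strip().lower()}
    raise LookupError(f"no prebuilt module for kernel {uname_r}; build one with lime-compiler")


def verify_module(data: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded module's digest with the index value before insmod."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


if __name__ == "__main__":
    entry = resolve_module(SAMPLE_INDEX, "4.9.32-15.41.amzn1.x86_64")
    print(entry["href"], "ok" if verify_module(SAMPLE_MODULE, entry["sha256"]) else "MISMATCH")
```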
AWS_IR CLI:
Response Automation
for instance and key compromise
AWS_IR CLI:
● Parallel host acquisition
● IP or instance id for targeting
● Custom incident plans
● Plugin System
● GPG key installation
AWS_IR Setup:
Responder Roles:
https://github.com/ThreatResponse/aws_ir/blob/master/cloudformation/responder-role.yml
AWS_IR
ASCIINEMA :
https://asciinema.org/a/130418
Plugins:
● Gather Host
● Isolate Host
● Tag Host
● Snapshot disks
● Examiner ACL
● Get Memory
● Stop Host
Targets.txt: One instance_id / IP per line
AWS_IR Key Compromise Plugins
Key Compromise
$ aws_ir key-compromise --access-key-id AKIAINLHPIG64YJXPK5A
2017-07-20T21:04:01 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2017-07-20T21:04:01 - aws_ir.plans.key - INFO - Attempting key disable.
2017-07-20T21:04:03 - aws_ir.plans.key - INFO - STS Tokens revoked issued prior to NOW.
2017-07-20T21:04:03 - aws_ir.plans.key - INFO - Disable complete. Uploading results.
Processing complete for cr-17-072104-7d5f
Artifacts stored in s3://cloud-response-9cabd252416b4e5a893395c533f340b7
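The two containment actions the key-compromise run above logs ("Attempting key disable" and "STS Tokens revoked issued prior to NOW"), written out as an added Python example; this is not aws_ir's own plan code. It assumes boto3 is installed and that the responder role holds iam:GetAccessKeyLastUsed, iam:UpdateAccessKey and iam:PutUserPolicy; the function and policy names are mine.

```python
"""Contain a leaked long-term access key: disable it, then deny every session
issued to its owner before now. Added example, not aws_ir's own code.
Assumes boto3 and the IAM permissions named in the lead-in."""
import json
from datetime import datetime, timezone
from typing import Optional

REVOKE_POLICY_NAME = "aws-ir-revoke-older-sessions"  # assumed policy name


def is_long_term_key_id(value: str) -> bool:
    """Long-term key ids are 20 alphanumerics starting with AKIA. Temporary
    ids start with ASIA and cannot be disabled with UpdateAccessKey; their
    sessions are cut off by the revoke policy instead."""
    return len(value) == 20 and value.startswith("AKIA") and value.isalnum()


def build_revoke_policy(now: datetime) -> dict:
    """Inline policy denying all actions to credentials whose STS token was
    issued before `now`. Long-term keys carry no aws:TokenIssueTime, so the
    condition never matches them; that is why the key is disabled separately.
    The same shape is what the AWS console attaches as AWSRevokeOlderSessions."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    stamp = now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def contain_key(access_key_id: str, now: Optional[datetime] = None, iam=None) -> dict:
    """Disable the key and attach the revoke policy to the user that owns it.

    `iam` can be any object with the three boto3 IAM client methods used here
    (handy for dry runs); by default a real client is created."""
    if not is_long_term_key_id(access_key_id):
        raise ValueError(f"not a long-term access key id: {access_key_id}")
    if iam is None:
        import boto3  # imported lazily so the pure helpers run without boto3
        iam = boto3.client("iam")
    now = now or datetime.now(timezone.utc)
    # The owning user is not encoded in the key id; GetAccessKeyLastUsed returns it.
    owner = iam.get_access_key_last_used(AccessKeyId=access_key_id)["UserName"]
    # Step 1: the key stops working immediately; it is kept (inactive) as evidence.
    iam.update_access_key(UserName=owner, AccessKeyId=access_key_id, Status="Inactive")
    # Step 2: sessions already minted from the key die with the dated Deny.
    policy = build_revoke_policy(now)
    iam.put_user_policy(UserName=owner, PolicyName=REVOKE_POLICY_NAME,
                        PolicyDocument=json.dumps(policy))
    stamp = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    return {"user": owner, "disabled_key": access_key_id, "revoked_before": stamp}
```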
AWS_IR : What is happening?
$ aws_ir --examiner-cidr-range '4.4.4.4/32' instance-compromise --target 52.40.162.126 --user ec2-user --ssh-key ~/Downloads/testing-041.pem
2017-07-20T21:10:50 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
2017-07-20T21:10:50 - aws_ir.libs.case - INFO - Initial connection to AmazonWebServices made.
2017-07-20T21:11:03 - aws_ir.libs.case - INFO - Inventory AWS Regions Complete 14 found.
2017-07-20T21:11:03 - aws_ir.libs.case - INFO - Inventory Availability Zones Complete 37 found.
2017-07-20T21:11:03 - aws_ir.libs.case - INFO - Beginning inventory of resources world wide. This might take a minute...
2017-07-20T21:11:03 - aws_ir.libs.inventory - INFO - Searching ap-south-1 for instance.
2017-07-20T21:11:05 - aws_ir.libs.inventory - INFO - Searching eu-west-2 for instance.
2017-07-20T21:11:05 - aws_ir.libs.inventory - INFO - Searching eu-west-1 for instance.
2017-07-20T21:11:06 - aws_ir.libs.inventory - INFO - Searching ap-northeast-2 for instance.
2017-07-20T21:11:07 - aws_ir.libs.inventory - INFO - Searching ap-northeast-1 for instance.
2017-07-20T21:11:08 - aws_ir.libs.inventory - INFO - Searching sa-east-1 for instance.
2017-07-20T21:11:09 - aws_ir.libs.inventory - INFO - Searching ca-central-1 for instance.
2017-07-20T21:11:09 - aws_ir.libs.inventory - INFO - Searching ap-southeast-1 for instance.
2017-07-20T21:11:10 - aws_ir.libs.inventory - INFO - Searching ap-southeast-2 for instance.
2017-07-20T21:11:11 - aws_ir.libs.inventory - INFO - Searching eu-central-1 for instance.
2017-07-20T21:11:12 - aws_ir.libs.inventory - INFO - Searching us-east-1 for instance.
2017-07-20T21:11:13 - aws_ir.libs.inventory - INFO - Searching us-east-2 for instance.
2017-07-20T21:11:13 - aws_ir.libs.inventory - INFO - Searching us-west-1 for instance.
2017-07-20T21:11:13 - aws_ir.libs.inventory - INFO - Searching us-west-2 for instance.
2017-07-20T21:11:14 - aws_ir.libs.case - INFO - Inventory complete. Proceeding to resource identification.
Lock step execution
2017-07-20T21:11:14 - aws_ir.plans.host - INFO - Proceeding with incident plan steps included are ['gather_host', 'isolate_host', 'tag_host', 'snapshotdisks_host', 'examineracl_host', 'get_memory', 'stop_host']
2017-07-20T21:11:14 - aws_ir.plans.host - INFO - Executing step gather_host.
2017-07-20T21:11:15 - aws_ir.plans.host - INFO - Executing step isolate_host.
2017-07-20T21:11:16 - aws_ir.plans.host - INFO - Executing step tag_host.
2017-07-20T21:11:17 - aws_ir.plans.host - INFO - Executing step snapshotdisks_host.
2017-07-20T21:11:17 - aws_ir.plans.host - INFO - Executing step examineracl_host.
2017-07-20T21:11:19 - aws_ir.plans.host - INFO - Executing step get_memory.
2017-07-20T21:11:19 - aws_ir.plans.host - INFO - attempting memory run
2017-07-20T21:11:19 - aws_ir.plans.host - INFO - Attempting run margarita shotgun for ec2-user on 52.40.162.126 with /Users/akrug/Downloads/testing-041.pem
2017-07-20T21:11:21 - margaritashotgun.repository - INFO - downloading https://threatresponse-lime-modules.s3.amazonaws.com/modules/lime-4.9.32-15.41.amzn1.x86_64.ko as lime-2017-07-21T04:11:21-4.9.32-15.41.amzn1.x86_64.ko
2017-07-20T21:11:25 - margaritashotgun.memory - INFO - 52.40.162.126: dumping memory to s3://cloud-response-a0f2d7e68ef44c36a79ccfe4dcef205a/52.40.162.126-2017-07-21T04:11:19-mem.lime
2017-07-20T21:15:43 - margaritashotgun.memory - INFO - 52.40.162.126: capture 10% complete
2017-07-20T21:19:37 - margaritashotgun.memory - INFO - 52.40.162.126: capture 20% complete
2017-07-20T21:23:41 - margaritashotgun.memory - INFO - 52.40.162.126: capture 30% complete
2017-07-20T21:28:17 - margaritashotgun.memory - INFO - 52.40.162.126: capture 40% complete
2017-07-20T21:32:42 - margaritashotgun.memory - INFO - 52.40.162.126: capture 50% complete
2017-07-20T21:37:18 - margaritashotgun.memory - INFO - 52.40.162.126: capture 60% complete
2017-07-20T21:39:18 - margaritashotgun.memory - INFO - 52.40.162.126: capture 70% complete
2017-07-20T22:00:13 - margaritashotgun.memory - INFO - 52.40.162.126: capture 80% complete
2017-07-20T22:04:19 - margaritashotgun.memory - INFO - 52.40.162.126: capture 90% complete
2017-07-20T22:17:32 - margaritashotgun.memory - INFO - 52.40.162.126: capture 100% complete
2017-07-20T21:41:52 - aws_ir.plans.host - INFO - memory capture completed for: ['52.40.162.126'], failed for: []
2017-07-20T21:41:52 - aws_ir.plans.host - INFO - Executing step stop_host.
Processing complete for cr-17-072104-7d5f
Artifacts stored in s3://cloud-response-a0f2d7e68ef44c36a79ccfe4dcef205a
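The containment part of the lock-step plan above (isolate_host, tag_host, snapshotdisks_host, examineracl_host), written out as an added Python example that is not aws_ir's own plugin code; memory acquisition and stop_host are left to the tool. It assumes boto3 and EC2 permissions for DescribeInstances, CreateSecurityGroup, AuthorizeSecurityGroupIngress/Egress, RevokeSecurityGroupEgress, ModifyInstanceAttribute, CreateTags and CreateSnapshot; the examiner CIDR is the one the command line above passes, and the function and tag names are mine.

```python
"""Quarantine a compromised EC2 instance in the order the aws_ir plan runs:
isolate, tag, snapshot disks, examiner ACL. Added example, not aws_ir's code.
Assumes boto3 and the EC2 permissions named in the lead-in."""
import ipaddress
from typing import List, Optional

ALLOW_ALL = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def examiner_ingress(examiner_cidr: str) -> List[dict]:
    """examineracl_host: only the examiner range may reach the host, and only on
    SSH, which is all Margarita Shotgun needs. Host bits set (strict) and ranges
    wider than a /24 are refused so a typo cannot re-expose the box."""
    net = ipaddress.ip_network(examiner_cidr, strict=True)
    if net.num_addresses > 256:
        raise ValueError(f"examiner range too wide for an ACL: {examiner_cidr}")
    return [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": str(net)}]}]


def quarantine_egress() -> List[dict]:
    """isolate_host: outbound limited to HTTPS so the LiME module can still be
    fetched and memory delivered to S3; any other outbound (C2, lateral
    movement inside the VPC) is cut."""
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def case_tags(case_number: str) -> List[dict]:
    """tag_host: mark the resource so nobody treats it as cattle and recycles it."""
    return [{"Key": "cr-case-number", "Value": case_number},   # assumed tag keys
            {"Key": "cr-status", "Value": "under-investigation"}]


def contain_instance(instance_id: str, examiner_cidr: str, case_number: str,
                     ec2=None) -> dict:
    """Apply the four containment steps. `ec2` may be any object exposing the
    boto3 EC2 client methods used here; a real client is created by default."""
    ingress = examiner_ingress(examiner_cidr)  # validate before touching AWS
    if ec2 is None:
        import boto3  # lazy import so the pure helpers run without boto3
        ec2 = boto3.client("ec2")
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]

    # isolate_host: a fresh group replaces every group the instance had. A new
    # group's default egress is allow-all, so that rule is revoked first.
    sg = ec2.create_security_group(GroupName=f"quarantine-{case_number}",
                                   Description=f"Quarantine for case {case_number}",
                                   VpcId=inst["VpcId"])["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg, IpPermissions=ALLOW_ALL)
    ec2.authorize_security_group_egress(GroupId=sg, IpPermissions=quarantine_egress())
    ec2.authorize_security_group_ingress(GroupId=sg, IpPermissions=ingress)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg])

    # tag_host
    ec2.create_tags(Resources=[instance_id], Tags=case_tags(case_number))

    # snapshotdisks_host: every attached EBS volume, before live response
    # changes anything on disk.
    volumes = [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", [])
               if "Ebs" in m]
    snapshots = [ec2.create_snapshot(VolumeId=v,
                                     Description=f"{case_number} {instance_id} {v}")["SnapshotId"]
                 for v in volumes]
    return {"instance": instance_id, "security_group": sg,
            "snapshots": snapshots, "case": case_number}
```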
Demo
ThreatResponse workstation:
https://github.com/EphemeralSystems/threatresponse-ws
Find Demo Videos here:
https://vimeo.com/user27700454
Incident Pony
● Automation & Preparedness
● Cross Account Wizardry
● Pub / Sub for SIEM, GuardDuty, Alert Pipelines, Etc
● Team Handoffs with Access Control
● Case File Management
● Chain of Custody
● Logging, logging, logging
● Change Tracking
● Security Guardrails
Future
Will you be a contributor?
Contributors:
Alex McCormack
Joel Ferrier
Graham Jones
Toni de la Fuente
Jeff Parr
Jeff Bryner
Daniel Hartnell
Kevin Hock
Julien Vehent
Gene Wood
Henrik Johansson
Beetle Bailey
Rich Jones
Greg Guthe
Vegard Vaage
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

ThreatResponse

  • 2. Be a free open source incident response toolkit for Amazon Web Services.
  • 3. Agenda
    ● A Look at Cloud Incidents
    ● Resilient Security
    ● Standard incidents and response
    ● Incident Handling Challenges in AWS
    ● Tool Demos
  • 4. How ready are you to respond to an incident at your place of business?
  • 10. Shamelessly borrowed from Dino Dai Zovi https://www.youtube.com/watch?v=86oTJjEnNEI
    Corollary: Overly focused OS-level protection misses avenues for cloud-level priv-esc attacks.
    Corollary: Overly focused security of one service / product misses avenues for cloud-level compromise.
    Corollary: Overly focused DevOps and cattle-class environments miss avenues for persistence.
    Attackers exploit new frontiers ...defenders are still fighting the last war.
  • 12. The Red Pill of Resilience. @swagitda_ aka Kelly Shortridge, Security ScoreCard https://www.youtube.com/watch?v=ux--pHFpeac
  • 13. Resilience is systemic. Infosec resilience means a flexible system that can absorb an attack and reorganize around a threat. -- Kelly Shortridge
  • 14. https://www.youtube.com/watch?v=ux--pHFpeac
    Robustness: How can you withstand an attack?
    Adaptability: How can you reduce your losses?
    Transformability: How can you challenge your assumptions? Who will attack you? What will you do?
  • 19. EVALUATE THE RISK: Assess the risk, form a plan, test the plan. Repeat regularly and randomly.
  • 20. Credit: Toni de la Fuente blyx.com
  • 21. Common Incident Types
    ● Instance / Application
    ● IAM / Credentials
    ● S3
  • 22. Common EC2 Incidents
    ● Cryptojacking
    ● Information Disclosure via Vulnerability
    ● Pivot via Vulnerability
    ● AMI Poisoning
    ● Account Jumping
  • 23. Common IAM Incidents
    ● Credential Leak - Access Keys
    ● Temporary Session Token Attacks
    ● Role Attacks (unintended access)
    ● Backdooring Roles for Persisting via STS Token
    ● Persistence via Typo Squatting
  • 24. Common S3 Incidents
    ● Data leaks
    ● Website defacement
    ● Subdomain Takeovers
    ● Hosting malicious files
  • 25. Incident Response: Basic first steps
    ● Create Internal Case File
    ● Create Support Case with AWS
      ○ Need to suppress AUP?
    ● Tag Resources under investigation
    ● Internal Disclosure
    ● Check Logging / Adjust
    ● Trigger Network Capture - VPC Logs
  • 28. Additional Evaluation: Lateral Movement Potential
    ● Assess other systems running in the same VPC
    ● Was the instance running in a role?
    ● Were there keys on the box?
  • 29. Additional Evaluation: Evidence Preservation
    ● Do we have flow logs we can grab and archive for the incident?
    ● Do we need to do live response?
    ● Do we need to preserve a snapshot for offline forensics?
  • 31. Key Compromise ... they happen
    ● Vim swap files
    ● Tools that generate key files ( Packer )
    ● Mobile app distribution
    ● Slack bots
  • 34. Key Compromises are Scary: Persistence
    ● New users - typosquatting
    ● Creating new access keys
    ● STS Tokens
  • 35. S3 Compromises: What besides configuration?
    Code Corruption Attacks
    ● Malicious Code in Pipeline
    ● Replacing Signatures Hosted in S3
    Web Hosting Attacks
    ● Defacement
    ● Subdomain takeovers
    ● Malicious Download Hosting
    Logs
    ● Attacks on CloudTrail Buckets via lifecycle manipulation
  • 36. Having a tough day in the cloud
    Soft Issues
    ● Cease and desist goes to account owner
    ● No response role
    ● Gaining necessary access
    ● Lack of uniformity
    ● Lack of familiarity on side of responder
    ● What is normal?
    Technical Issues
    ● Failed containment
    ● Destruction / Mishandling of evidence
    ● Involves lots of instances ( Maybe )
    ● No auditd
    ● No syslogs
  • 37. Tools. You wanted to see some, right?
  • 38. Product Portfolio - Primary Offerings
    ● Margarita Shotgun
      ○ Remote Memory Acquisition
    ● AWS_IR
      ○ Command line Tool
  • 39. Product Portfolio - Secondary Offerings
    ● Lime Compiler - Kernel Module Builder
      ○ Leveraged by Margarita Shotgun
    ● Aws-ir-plugins
      ○ Expandable architecture
  • 40. Product Portfolio - Paid Offerings
    ● Ephemeral Systems Incident Pony
      ○ Automation Hub and Case Management
      ○ See: ephemeralsystems.com
  • 41. Margarita Shotgun: Remote Memory Acquisition In Parallel
  • 42. How does it work?
    ● SSH into target
    ● Interrogates system
    ● Fetches kernel module from repository
    ● Inserts that into system
    ● Delivers memory to
      ○ s3
      ○ local disk
  • 43. What's new?
    10x Faster with compression support at endpoint.
    Jump Box Support
    Auto module resolution with Lime Compiler
    Props to @joelferrier!
  • 44. Margarita Shotgun Demo ASCIINEMA : https://asciinema.org/a/130403
  • 45. LiME Compiler: Precompiled LiME Modules for common AWS hosts https://github.com/ThreatResponse/lime-compiler
  • 46. Builds LiME Kernel modules for:
    ● Amazon Linux
    ● CentOS 6
    ● CentOS 7
    ● Debian 7
    ● Debian 8
    ● Ubuntu 12.04
    ● Ubuntu 14.04
    ● Ubuntu 15.10
    ● Ubuntu 16.04
    ● Ubuntu 16.10
    ● Other? ...
    Hosted by Mozilla!
    ● You can byom ( run it yourself )
    ● GPG Signing
    ● Standard yum XML repo format
    ● Docker Driver
    ● Currently builds every 4 hours
  • 47. AWS_IR CLI: Response Automation for instance and key compromise
  • 48. AWS_IR CLI:
    ● Parallel host acquisition
    ● IP or instance id for targeting
    ● Custom incident plans
    ● Plugin System
    ● GPG key installation
  • 50. AWS_IR ASCIINEMA : https://asciinema.org/a/130418
    Plugins:
    ● Gather Host
    ● Isolate Host
    ● Tag Host
    ● Snapshot disks
    ● Examiner ACL
    ● Get Memory
    ● Stop Host
    Targets.txt: One instance_id / IP per line
  • 52. Key Compromise
    $ aws_ir key-compromise --access-key-id AKIAINLHPIG64YJXPK5A
    2017-07-20T21:04:01 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
    2017-07-20T21:04:01 - aws_ir.plans.key - INFO - Attempting key disable.
    2017-07-20T21:04:03 - aws_ir.plans.key - INFO - STS Tokens revoked issued prior to NOW.
    2017-07-20T21:04:03 - aws_ir.plans.key - INFO - Disable complete. Uploading results.
    Processing complete for cr-17-072104-7d5f
    Artifacts stored in s3://cloud-response-9cabd252416b4e5a893395c533f340b7
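The two containment steps the key-compromise plan logs above (disable the leaked key, then revoke sessions issued before now), as an added example that is not aws_ir's own code: it assumes the leaked key belongs to an IAM user, takes an injected IAM client so it can run offline against the constructed FakeIam stand-in, and uses a hypothetical policy name.

```python
"""Added example (not aws_ir's own code): disable the leaked key, then deny
sessions issued before the revocation time, against an injected IAM client.
Assumes the key belongs to an IAM user (roles need the deny policy too)."""
import json
from datetime import datetime, timezone

REVOKE_POLICY_NAME = "IncidentRevokeSessionsIssuedBefore"  # hypothetical name

def revoke_sessions_policy(cutoff):
    """Deny everything to temporary sessions issued before `cutoff`.
    aws:TokenIssueTime is an AWS global condition key; requests signed with
    the long-term key carry none, so that key is disabled separately."""
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }

def find_key_owner(iam, access_key_id):
    """Owner of access_key_id, or None (paginate list_users at scale)."""
    for user in iam.list_users()["Users"]:
        keys = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
        if any(k["AccessKeyId"] == access_key_id for k in keys):
            return user["UserName"]
    return None

def contain_leaked_key(iam, access_key_id, now=None):
    """Disable the key first, then cut off sessions minted before now."""
    user = find_key_owner(iam, access_key_id)
    if user is None:
        raise LookupError(f"{access_key_id} is not an access key in this account")
    iam.update_access_key(UserName=user, AccessKeyId=access_key_id,
                          Status="Inactive")
    cutoff = now or datetime.now(timezone.utc)
    iam.put_user_policy(UserName=user, PolicyName=REVOKE_POLICY_NAME,
                        PolicyDocument=json.dumps(revoke_sessions_policy(cutoff)))
    return {"user": user, "cutoff": cutoff}

class FakeIam:
    """Constructed stand-in for the boto3 IAM client so the flow runs offline;
    it records the same calls a real client would receive."""
    def __init__(self, keys):
        self.keys = dict(keys)  # AccessKeyId -> (UserName, Status)
        self.policies = {}  # (UserName, PolicyName) -> document
    def list_users(self):
        names = sorted({owner for owner, _ in self.keys.values()})
        return {"Users": [{"UserName": n} for n in names]}
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                for k, (u, s) in self.keys.items() if u == UserName]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = (UserName, Status)
    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies[(UserName, PolicyName)] = json.loads(PolicyDocument)
```

With a real account, pass `boto3.client("iam")` in place of FakeIam; the same deny statement attached to a role with `put_role_policy` covers sessions that were assumed with the leaked key.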
  • 53. AWS_IR : What is happening?
    $ aws_ir --examiner-cidr-range '4.4.4.4/32' instance-compromise --target 52.40.162.126 --user ec2-user --ssh-key ~/Downloads/testing-041.pem
    2017-07-20T21:10:50 - aws_ir.cli - INFO - Initialization successful proceeding to incident plan.
    2017-07-20T21:10:50 - aws_ir.libs.case - INFO - Initial connection to AmazonWebServices made.
    2017-07-20T21:11:03 - aws_ir.libs.case - INFO - Inventory AWS Regions Complete 14 found.
    2017-07-20T21:11:03 - aws_ir.libs.case - INFO - Inventory Availability Zones Complete 37 found.
    2017-07-20T21:11:03 - aws_ir.libs.case - INFO - Beginning inventory of resources world wide. This might take a minute...
    2017-07-20T21:11:03 - aws_ir.libs.inventory - INFO - Searching ap-south-1 for instance.
    2017-07-20T21:11:05 - aws_ir.libs.inventory - INFO - Searching eu-west-2 for instance.
    2017-07-20T21:11:05 - aws_ir.libs.inventory - INFO - Searching eu-west-1 for instance.
    2017-07-20T21:11:06 - aws_ir.libs.inventory - INFO - Searching ap-northeast-2 for instance.
    2017-07-20T21:11:07 - aws_ir.libs.inventory - INFO - Searching ap-northeast-1 for instance.
    2017-07-20T21:11:08 - aws_ir.libs.inventory - INFO - Searching sa-east-1 for instance.
    2017-07-20T21:11:09 - aws_ir.libs.inventory - INFO - Searching ca-central-1 for instance.
    2017-07-20T21:11:09 - aws_ir.libs.inventory - INFO - Searching ap-southeast-1 for instance.
    2017-07-20T21:11:10 - aws_ir.libs.inventory - INFO - Searching ap-southeast-2 for instance.
    2017-07-20T21:11:11 - aws_ir.libs.inventory - INFO - Searching eu-central-1 for instance.
    2017-07-20T21:11:12 - aws_ir.libs.inventory - INFO - Searching us-east-1 for instance.
    2017-07-20T21:11:13 - aws_ir.libs.inventory - INFO - Searching us-east-2 for instance.
    2017-07-20T21:11:13 - aws_ir.libs.inventory - INFO - Searching us-west-1 for instance.
    2017-07-20T21:11:13 - aws_ir.libs.inventory - INFO - Searching us-west-2 for instance.
    2017-07-20T21:11:14 - aws_ir.libs.case - INFO - Inventory complete. Proceeding to resource identification.
  • 54. Lock step execution
    2017-07-20T21:11:14 - aws_ir.plans.host - INFO - Proceeding with incident plan steps included are ['gather_host', 'isolate_host', 'tag_host', 'snapshotdisks_host', 'examineracl_host', 'get_memory', 'stop_host']
    2017-07-20T21:11:14 - aws_ir.plans.host - INFO - Executing step gather_host.
    2017-07-20T21:11:15 - aws_ir.plans.host - INFO - Executing step isolate_host.
    2017-07-20T21:11:16 - aws_ir.plans.host - INFO - Executing step tag_host.
    2017-07-20T21:11:17 - aws_ir.plans.host - INFO - Executing step snapshotdisks_host.
    2017-07-20T21:11:17 - aws_ir.plans.host - INFO - Executing step examineracl_host.
    2017-07-20T21:11:19 - aws_ir.plans.host - INFO - Executing step get_memory.
    2017-07-20T21:11:19 - aws_ir.plans.host - INFO - attempting memory run
    2017-07-20T21:11:19 - aws_ir.plans.host - INFO - Attempting run margarita shotgun for ec2-user on 52.40.162.126 with /Users/akrug/Downloads/testing-041.pem
    2017-07-20T21:11:21 - margaritashotgun.repository - INFO - downloading https://threatresponse-lime-modules.s3.amazonaws.com/modules/lime-4.9.32-15.41.amzn1.x86_64.ko as lime-2017-07-21T04:11:21-4.9.32-15.41.amzn1.x86_64.ko
    2017-07-20T21:11:25 - margaritashotgun.memory - INFO - 52.40.162.126: dumping memory to s3://cloud-response-a0f2d7e68ef44c36a79ccfe4dcef205a/52.40.162.126-2017-07-21T04:11:19-mem.lime
    2017-07-20T21:15:43 - margaritashotgun.memory - INFO - 52.40.162.126: capture 10% complete
    2017-07-20T21:19:37 - margaritashotgun.memory - INFO - 52.40.162.126: capture 20% complete
    2017-07-20T21:23:41 - margaritashotgun.memory - INFO - 52.40.162.126: capture 30% complete
    2017-07-20T21:28:17 - margaritashotgun.memory - INFO - 52.40.162.126: capture 40% complete
    2017-07-20T21:32:42 - margaritashotgun.memory - INFO - 52.40.162.126: capture 50% complete
    2017-07-20T21:37:18 - margaritashotgun.memory - INFO - 52.40.162.126: capture 60% complete
    2017-07-20T21:39:18 - margaritashotgun.memory - INFO - 52.40.162.126: capture 70% complete
    2017-07-20T22:00:13 - margaritashotgun.memory - INFO - 52.40.162.126: capture 80% complete
    2017-07-20T22:04:19 - margaritashotgun.memory - INFO - 52.40.162.126: capture 90% complete
    2017-07-20T22:17:32 - margaritashotgun.memory - INFO - 52.40.162.126: capture 100% complete
    2017-07-20T21:41:52 - aws_ir.plans.host - INFO - memory capture completed for: ['52.40.162.126'], failed for: []
    2017-07-20T21:41:52 - aws_ir.plans.host - INFO - Executing step stop_host.
    Processing complete for cr-17-072104-7d5f
    Artifacts stored in s3://cloud-response-a0f2d7e68ef44c36a79ccfe4dcef205a
  • 57. Incident Pony
    ● Automation & Preparedness
    ● Cross Account Wizardry
    ● Pub / Sub for SIEM, GuardDuty, Alert Pipelines, Etc
    ● Team Handoffs with Access Control
    ● Case File Management
    ● Chain of Custody
    ● Logging, logging, logging
    ● Change Tracking
    ● Security Guardrails
  • 58. Future: Will you be a contributor?
  • 59. Contributors: Alex McCormack, Joel Ferrier, Graham Jones, Toni de la Fuente, Jeff Parr, Jeff Bryner, Daniel Hartnell, Kevin Hock, Julien Vehent, Gene Wood, Henrik Johansson, Beetle Bailey, Rich Jones, Greg Guthe, Vegard Vaage