Hardening AWS environments and automating incident response for AWS compromises
TRANSCRIPT
Hardening AWS Environments and Automating Incident Response for AWS Compromises
Andrew Krug and Alex McCormack
Disclaimer
Everything you're about to see is our opinion.
Not a guaranteed IR process.
This will not replace preparedness or an incident response retainer.
A Challenge
The Beginning
Best Free IR Process
Step 1: Disable the Access Keys
# list the user's keys, then set the compromised one Inactive (it can be deleted later)
aws iam list-access-keys --user-name DeveloperDave
aws iam update-access-key \
    --access-key-id AKIAIOSFODNN7EXAMPLE \
    --status Inactive \
    --user-name DeveloperDave
Step 2: Hunt New Instances
# LaunchTime is compared as an ISO-8601 string, so the date must be zero-padded
# (2016-03-09, not 2016-03-9); no backslashes inside the quoted JMESPath expression
aws ec2 describe-instances \
    --region us-east-1 \
    --query 'Reservations[].Instances[?LaunchTime>=`2016-03-09`][].{
        id: InstanceId,
        type: InstanceType,
        launched: LaunchTime
    }'
Step 3: Tell AWS Support
Step 4: Isolate
aws ec2 create-security-group \
    --group-name isolation-sg \
    --description "IR isolation group" \
    --vpc-id vpc-VPC-ID                # a new group starts with no ingress rules
aws ec2 authorize-security-group-ingress \
    --group-id sg-BLOCK-ID \
    --protocol PROTOCOL --port PORT --cidr EXAMINER-CIDR   # placeholders; only if responders need a path in
aws ec2 modify-instance-attribute \
    --instance-id i-INSTANCE-ID \
    --groups sg-BLOCK-ID               # replaces every group attached to the instance
Step 5: Tag the Instance
aws ec2 create-tags \
    --resources i-INSTANCE-ID \
    --tags "Key=Environment,Value=Quarantine:REFERENCE-ID"
Step 6: Save the Instance Metadata
aws ec2 describe-instances \
    --instance-ids i-INSTANCE-ID > forensic-metadata.log
aws ec2 get-console-output \
    --instance-id i-INSTANCE-ID
Step 7: Preserve Disk Data
aws ec2 create-snapshot \
    --volume-id vol-xxxx \
    --description "IR-ResponderName-Date-REFERENCE-ID"
Step 8: Acquire Memory
Step 9: Stop the Instance
aws ec2 stop-instances \
    --instance-ids i-INSTANCE-ID
Step 10: Analysis
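The ten manual steps above, driven through boto3-style clients instead of being typed one at a time. This is an added example, not code from the talk or from the aws_ir project. It assumes the boto3 EC2 and IAM client method names (describe_instances, create_security_group, revoke_security_group_egress, modify_instance_attribute, create_tags, get_console_output, create_snapshot, stop_instances, update_access_key, list_access_keys); the FakeEC2 and FakeIAM classes, the instance, volume and VPC ids, the case reference and the responder name are all constructed so the script runs with no AWS account. Step 3 (AWS Support), step 8 (memory, which needs an agent on the live host) and step 10 (analysis) are not automated here.

```python
import json
from datetime import datetime, timezone

UTC = timezone.utc


def disable_access_key(iam, user_name, access_key_id):
    """Step 1: Inactive, not deleted, so CloudTrail history for the key stays attributable."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    return next(k["Status"] for k in keys if k["AccessKeyId"] == access_key_id)


def instances_launched_since(ec2, since):
    """Step 2: boto3 returns LaunchTime as a datetime, so compare datetimes, not strings."""
    hits = []
    for reservation in ec2.describe_instances()["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["LaunchTime"] >= since:
                hits.append({"id": inst["InstanceId"], "type": inst["InstanceType"],
                             "launched": inst["LaunchTime"].isoformat()})
    return hits


def quarantine_instance(ec2, instance_id, reference_id, responder):
    """Steps 4-7 and 9 in the talk's order. Step 8 (memory) needs an agent on the live
    host and must run before the stop, so it is left to the caller."""
    metadata = ec2.describe_instances(InstanceIds=[instance_id])          # step 6 (a)
    inst = metadata["Reservations"][0]["Instances"][0]
    # Step 4: a new group has no ingress rules but does get an allow-all egress rule; revoke it
    sg = ec2.create_security_group(GroupName=f"isolation-{reference_id}",
                                   Description=f"IR quarantine {reference_id}",
                                   VpcId=inst["VpcId"])["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg])   # replaces all groups
    ec2.create_tags(Resources=[instance_id], Tags=[                         # step 5
        {"Key": "Environment", "Value": f"Quarantine:{reference_id}"}])
    console = ec2.get_console_output(InstanceId=instance_id).get("Output", "")  # step 6 (b)
    snapshots, stamp = {}, datetime.now(UTC).strftime("%Y-%m-%d")             # step 7
    for bdm in inst.get("BlockDeviceMappings", []):
        vol = bdm.get("Ebs", {}).get("VolumeId")
        if vol:
            snapshots[vol] = ec2.create_snapshot(
                VolumeId=vol, Description=f"IR-{responder}-{stamp}-{reference_id}")["SnapshotId"]
    ec2.stop_instances(InstanceIds=[instance_id])                              # step 9
    return {"instance_id": instance_id, "isolation_sg": sg, "snapshots": snapshots,
            "console_output": console, "metadata": json.dumps(metadata, default=str)}


# Constructed stand-ins for boto3.client("ec2") / boto3.client("iam"): canned boto3-shaped
# responses, every call recorded, so the example runs with no AWS account.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "InstanceType": "t2.micro", "VpcId": "vpc-0example",
     "LaunchTime": datetime(2016, 3, 1, 8, 0, tzinfo=UTC), "BlockDeviceMappings": []},
    {"InstanceId": "i-0bbb222", "InstanceType": "c4.8xlarge", "VpcId": "vpc-0example",
     "LaunchTime": datetime(2016, 3, 10, 2, 15, tzinfo=UTC),
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0bbb222"}}]},
]


class FakeEC2:
    def __init__(self):
        self.calls = []

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        wanted = kw.get("InstanceIds")
        insts = [i for i in SAMPLE_INSTANCES if not wanted or i["InstanceId"] in wanted]
        return {"Reservations": [{"Instances": insts}]}

    def create_security_group(self, **kw):
        self.calls.append(("create_security_group", kw))
        return {"GroupId": "sg-0isolate"}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}

    def __getattr__(self, name):        # every other client method: record it, return {}
        def call(**kw):
            self.calls.append((name, kw))
            return {}
        return call


class FakeIAM:
    def __init__(self):
        self.keys = {"AKIAIOSFODNN7EXAMPLE": "Active"}     # the talk's example key id

    def update_access_key(self, **kw):
        self.keys[kw["AccessKeyId"]] = kw["Status"]

    def list_access_keys(self, **kw):
        return {"AccessKeyMetadata": [{"UserName": kw["UserName"], "AccessKeyId": k,
                                       "Status": s} for k, s in self.keys.items()]}


def run_demo():
    """Steps 1, 2 and 4-9 against the fakes; returns the results and the EC2 call log."""
    ec2, iam = FakeEC2(), FakeIAM()      # swap in the real boto3 clients for production
    status = disable_access_key(iam, "DeveloperDave", "AKIAIOSFODNN7EXAMPLE")
    hits = instances_launched_since(ec2, datetime(2016, 3, 9, tzinfo=UTC))
    report = quarantine_instance(ec2, "i-0bbb222", "CASE-0001", "responder")
    return status, hits, report, ec2.calls
```

The clients are passed in rather than created inside the functions so the same code runs against the fakes here and against boto3 in production. Two details differ from the slide commands on purpose: the launch-time filter compares datetimes, which sidesteps the zero-padding trap of a string comparison in JMESPath, and the isolation group's default allow-all egress rule is revoked, since a group with no ingress rules still lets the instance talk out.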
Pros and Cons
The Elephant in the Room
Security is Difficult
Tool Release
Mission Statement
Be the first truly free open source incident response toolkit tailored for Amazon Web Services. Help first responders by automating workflows using Amazon's very own boto3 pip module.
Challenge 1
Margarita Shotgun
Module Warehouse
Margarita Shotgun: Wrap Up
The Road to Automation
AWS IR Module
usage: aws_ir [-h] [-n CASE_NUMBER] [-e EXAMINER_CIDR_RANGE] [-c]
              [-k KEY_NAME] [-b BUCKET_ID]
              {host_compromise,key_compromise,create_workstation}
Analysis Views
Logs
Evidence Collection: Disk
Disk: How it's done.
Evidence Collection: Memory
Memory: Methodology
Evidence: Instance Metadata
Evidence: Console Output
Evidence: Screenshots
AWS IR: Key Compromise
A command as simple as:
$ python -m aws_ir.cli key_compromise \
    --compromised-access-key-id AAYOURKEYHERE
ThreatPrep S3 Checks
ThreatPrep IAM Checks
Other Checks
Alternatives From AWS
Future
Thank You
Thank You
Don Bailey, AWS
Zack Glick, AWS
Questions?