(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
Transcript of (SEC404) Incident Response in the Cloud | AWS re:Invent 2014
[Slide: the AWS resource types in scope for the talk, grouped by service]
Configuration: Amazon S3, Amazon EC2, Amazon VPC, Amazon RDS, Elastic Beanstalk, IAM
Amazon S3: S3 buckets, objects
Amazon EC2: instances
Amazon VPC: security groups, VPC subnets, internet gateways
Amazon RDS: DB instances
Elastic Beanstalk: applications
IAM: groups, users, credentials
Customer / AWS
Traditional IR / This Talk
It's Here
And Here
And Here
And Here
https://s3.amazonaws.com/reinvent2014-sec402/SecConfig.py
"accessKeyId": "AKIAJLMGEGEAYMFNTH2Q",
"accessKeyId": "ASIAJNH65GHCSCYCGEUQ",
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#SG_Changing_Group_Membership
beetle@forensics:~$ ping intern
PING intern (54.173.32.252) 56(84) bytes of data.
64 bytes from 54.173.32.252: icmp_seq=1 ttl=63 time=1.34 ms
64 bytes from 54.173.32.252: icmp_seq=2 ttl=63 time=1.10 ms
64 bytes from 54.173.32.252: icmp_seq=3 ttl=63 time=1.30 ms
64 bytes from 54.173.32.252: icmp_seq=4 ttl=63 time=1.50 ms
64 bytes from 54.173.32.252: icmp_seq=5 ttl=63 time=1.25 ms
^C
--- 54.173.32.252 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.108/1.302/1.500/0.135 ms
beetle@forensics:~/tools$ uname -a
Linux ip-172-30-4-4 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
beetle@forensics:~/tools$ scp -i beetle-demo-1.pem ./lime* ubuntu@intern:/tmp
lime-3.13.0-36-generic.ko 100% 9896 9.7KB/s 00:00
beetle@forensics:~/tools$ ssh -i beetle-demo-1.pem ubuntu@intern
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-36-generic x86_64)
...
ubuntu@intern:~$ cd /tmp
ubuntu@intern:/tmp$ ls
lime-3.13.0-36-generic.ko
ubuntu@intern:/tmp$ sudo insmod lime*.ko "path=tcp:4444 format=lime"
beetle@forensics:~/volatility$ nc intern 4444 > intern_memory.lime
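The file written by the nc command above is a raw LiME-format image: the module emits a 32-byte header (magic 0x4C694D45, version 1, inclusive start and end physical address) in front of every block of physical memory it captures. A transfer over TCP that is interrupted, or a module that was loaded against a mismatched kernel, produces a file that Volatility will only half-read. The following Python is an added example, not code from the SEC404 talk or from the LiME or Volatility projects: it walks the range headers, refuses a truncated or malformed image, reports how much physical memory was actually captured, and resolves a physical address to a file offset the way an analysis framework does. The header layout is taken from the LiME source; the sample image it is exercised on is constructed inline.

```python
#!/usr/bin/env python3
"""Sanity-check a LiME memory image before handing it to Volatility.

Added example; not part of the original talk. The LiME header layout
(magic, version, inclusive s_addr/e_addr, 8 reserved bytes) is an
assumption taken from the LiME module source, not from the slides.
"""
import io
import struct

LIME_MAGIC = 0x4C694D45      # "LiME"; appears on disk as the bytes b"EMiL"
LIME_VERSION = 1
HEADER_FMT = "<IIQQ8s"       # magic, version, s_addr, e_addr, reserved[8]
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes


def as_image(data):
    """Wrap raw bytes (e.g. constructed test data) as a seekable image."""
    return io.BytesIO(data)


def parse_lime_ranges(img):
    """Return [(s_addr, e_addr, file_offset_of_payload)] for every range.

    Raises ValueError for a bad header or a range whose payload runs past
    the end of the file, which is what an interrupted nc transfer looks like.
    """
    img.seek(0, io.SEEK_END)
    total = img.tell()
    img.seek(0)
    ranges, offset = [], 0
    while offset < total:
        hdr = img.read(HEADER_SIZE)
        if len(hdr) < HEADER_SIZE:
            raise ValueError("truncated range header at offset 0x%x" % offset)
        magic, version, s_addr, e_addr, _ = struct.unpack(HEADER_FMT, hdr)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, offset))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range end below start at offset 0x%x" % offset)
        size = e_addr - s_addr + 1          # e_addr is inclusive, as in /proc/iomem
        data_offset = offset + HEADER_SIZE
        if data_offset + size > total:
            raise ValueError("range 0x%x-0x%x truncated: %d bytes missing"
                             % (s_addr, e_addr, data_offset + size - total))
        ranges.append((s_addr, e_addr, data_offset))
        offset = data_offset + size
        img.seek(offset)
    return ranges


def captured_bytes(ranges):
    """Total physical memory actually present in the image."""
    return sum(e - s + 1 for s, e, _ in ranges)


def read_physical(img, ranges, paddr, length):
    """Read `length` bytes at physical address `paddr`; None if it is in a hole.

    Reads that straddle two ranges are refused rather than silently joined,
    because the bytes between ranges were never captured.
    """
    for s_addr, e_addr, data_offset in ranges:
        if s_addr <= paddr and paddr + length - 1 <= e_addr:
            img.seek(data_offset + (paddr - s_addr))
            return img.read(length)
    return None


def build_lime_image(chunks):
    """Constructed test data: serialise [(s_addr, payload)] as a LiME image."""
    out = bytearray()
    for s_addr, payload in chunks:
        e_addr = s_addr + len(payload) - 1
        out += struct.pack(HEADER_FMT, LIME_MAGIC, LIME_VERSION,
                           s_addr, e_addr, b"\0" * 8)
        out += payload
    return bytes(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: %s <image.lime>" % sys.argv[0])
    with open(sys.argv[1], "rb") as f:
        rs = parse_lime_ranges(f)
        for s, e, off in rs:
            print("0x%012x-0x%012x %12d bytes  @ file offset 0x%x"
                  % (s, e, e - s + 1, off))
        print("captured: %d bytes in %d ranges" % (captured_bytes(rs), len(rs)))
```

Run it against intern_memory.lime before building a profile: if it raises on the last range, the capture stopped early and the image should be re-acquired rather than analysed, since anything Volatility finds in a partial dump may be an artifact of the gap.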
beetle@forensics:~$ zip internUbuntu14.zip module.dwarf \
/boot/System.map-`uname -r`
adding: module.dwarf (deflated 90%)
adding: boot/System.map-3.13.0-36-generic (deflated 79%)
beetle@forensics:~$ cp internUbuntu14.zip ~/volatility
beetle@forensics:~$ cd volatility
beetle@forensics:~/volatility$ python vol.py --info | grep Linux
Volatile Systems Volatility Framework 2.2
LinuxinternUbuntu14x64 - A Profile for Linux internUbuntu14 x64
beetle@forensics:~/volatility$ python vol.py -f ~/intern_memory.lime \
--profile=LinuxinternUbuntu14x64 linux_pstree | more
Volatile Systems Volatility Framework 2.2
Name Pid Uid
init 1 149534510806724
.dhclient 598 149534603226500
.rsyslogd 787 149534603906244
.getty 912 149533581563780
.sshd 953 149534583307268
..sshd 1191 149534598143556
...sshd 1244 149534511131844
....bash 1245 149534510056196
.....sudo 1262 149534509945412
......insmod 1263 149534512334340
.cron 957 149534593742340
beetle@forensics:~/volatility$ python vol.py -f ~/target_memory.lime \
--profile=LinuxinternUbuntu14x64 linux_bash -H 0x6fd618 -P | more
Volatile Systems Volatility Framework 2.2
Command Time Command
-------------------- -------
#1415809185 sudo apt-get update
#1415809185 sudo apt-get upgrade
#1415809185 sudo shutdown -r now
#1415809192 cd /tmp
#1415809194 ls
#1415809258 sudo insmod lime*.ko "path=tcp:4444 format=lime"
beetle@forensics:~/volatility$ python vol.py -f ~/target_memory.lime \
--profile=LinuxinternUbuntu14x64 linux_ifconfig
Volatile Systems Volatility Framework 2.2
Interface IP Address MAC Address Promiscous Mode
---------------- -------------------- ------------------ ---------------
lo 127.0.0.1 00:00:00:00:00:00 False
eth0 172.30.4.75 00:00:00:00:00:00 False
beetle@forensics:~/volatility$ python vol.py -f ~/target_memory.lime \
--profile=LinuxinternUbuntu14x64 linux_check_modules
Volatile Systems Volatility Framework 2.2
Module Name
-----------
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
http://blogs.aws.amazon.com/security/
https://aws.amazon.com/security
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMGettingStarted.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html
http://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/MultiFactorAuthenticationDelete.html
http://www.youtube.com/user/AmazonWebServices
http://www.sans.org/reading-room/whitepapers/incident
http://www.first.org/resources/guides
http://www.cert.org/incident-management/publications/