SESSION ID: CSV-R07
Using Automation for Proactive Cloud Incident Response
Ben Potter, Global Security Lead, Well-Architected, Amazon Web Services
@benji_potter #RSAC

Agenda
• Your Adversary
• Preparation
• Detection & Analysis
• Containment, Eradication & Recovery
• Summary & Application

www.nomoreransom.org

Your Adversary

Motivation
Insider | Outsider | Collaboration
– Entertainment
– Social group
– Ego
– Status
– Cause
Kilger, Stutzman, & Arkin, 2004

Knowledge
Insider
– Knows specifics, e.g. storage buckets
– Goes direct to resources
– Covers tracks
Outsider
– Reconnaissance
– Fingerprinting
– May be easily deceived

Preparation

Requirements & Frameworks
• Local, federal laws
• Data breach notification
• Compliance, e.g. PCI, HIPAA, GDPR
• Best practices: https://aws.amazon.com/well-architected
• Threat model

Cloud account structure
[Slide diagram: a multi-account layout. Accounts shown: Root, Management, Audit, Logs, Intelligence, Tools, Data Bunker, Domain Registration, DNS, Email, App #1 (Dev, Test, Prod), Canary.]

Access & Credential Management
All Users
• 2FA
• Least privilege
• Dynamic credentials
• Federation

Everything Is Code
[Slide diagram: Dev Account → Repo → Pipeline → Production Account.]
Dev Account: Repo, Pipeline, Automation
Pipeline stages:
• Analysis
• Tests
• Compliance checks
• Approval
Production Account: Networking; Application, infrastructure, management; Compute, Storage, Database
– Regions & Resources limited
– No human access
– All metrics, logs to audit account
AWS DevSecOps Blog: https://go.aws/2Fxw89t

Detection & Analysis

Example Application Architecture
[Slide diagram, reused on the following slides.
App Account: VPC containing Load Balancer, Sub DNS, NAT Gateway, Application, Instances, Serverless, Database, API Gateway, Storage, Shared; Internet, Content Delivery Network, Web App Firewall in front.
Logs & Intel Accounts: DNS Logs, App Logs, Net Flow Logs, SIEM, Dashboard, Credentials.
Canary Account: Canary Buckets.]

DNS Reconnaissance
Records alert on specific records > block IP/subnet/ASN
– test.
– admin.
– beta.
– wiki.
EDNS client subnet: https://tools.ietf.org/html/rfc7871

Hidden Honeypot API
Hidden API: http://bit.ly/WAFSol1
• IP: ASN, owner, country, VPN, TOR, blacklist?
• Request?
• Useragent?
Trick: 200 for every response

Storage Canaries
Buckets:
– company-backup
– company-cloudtrail
– company-code
– 123456789012-cloudtrail
– abc123-us-east-1-cloudtrail
• Obscurity in real buckets?
• Web + authentication?
Block S3 public: http://bit.ly/S3Block
AWS Abuse: https://go.aws/389sL4Z

Identity Canary Tokens
Unused roles
Canary keys: Spacecrab http://bit.ly/2QYviI5
• Access denied
• Behavior analysis
• Diff to pipeline

Storage Detection for Insiders
Interesting buckets off limits:
• company-hr
• company-inventions
• abc123-clientdb
Files/objects inside of buckets; keys linked to canaries

Concealed Adversary Roles

Concealed Re
2020_USA20_CSV-R07_01_Using Automation for Proactive Cloud Incident Response