© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
A DIY Guide to Runbooks, Security Incident Response Simulations, & Incident Response
Nathan Case
Security Specialist SA – Incident Response and Threat Detection, AWS
SEC359
Agenda
• Threat Detection
• Definitions
• Example Event
• The First Attempt
Breakout repeats
Tuesday, November 27 – A DIY Guide to Runbooks, Security Incident Response Simulations, & Incident Response – 10:45 am | Aria East 2, Mariposa 8
Thursday, November 29 – A DIY Guide to Runbooks, Security Incident Response Simulations, & Incident Response – 1:00 pm | Aria West 3, Ironwood 8
Infrastructure and Application Domains
[Figure: a VPC (CIDR 10.0.0.0/16) spanning Availability Zones A, B and C, with a public subnet (10.0.0.0/19), a private subnet (10.0.32.0/20) and a sensitive subnet (10.0.48.0/21), controlled by security groups, route tables, NACLs and an Internet Gateway; an instance compromise is marked in the subnets. Alongside sit the service-domain resources: Amazon S3, Amazon RDS, IAM, AWS CloudHSM, AWS Organizations, AWS KMS and AWS Directory Service.]
Services Domain
[Figure: the same VPC layout, this time highlighting the service domain: Amazon S3, Amazon RDS, IAM, AWS CloudHSM, AWS Organizations, AWS KMS and AWS Directory Service.]
All Domains
[Figure: the same VPC layout with both the infrastructure domain (subnets, security groups, route table, NACLs, Internet Gateway, compromised instance) and the service domain (Amazon S3, Amazon RDS, IAM, AWS CloudHSM, AWS Organizations, AWS KMS, AWS Directory Service) shown together.]
Infrastructure
• VPC resources
• Connectivity
• On-instance
• ...
Service
• IAM
• S3 buckets
• Billing
• ...
Application
• Patching
• Coding hole
• ...
Other?
Definitions for today.
Runbooks
• Tactical review of a situation
• Description of situations that may occur
• Steps to correct or enact a desired outcome to said situations
• Contact list for the situation
Playbooks
• Strategic review or overview of situational responses
• Strategic planning for the future
• Generally non-technical
• C-level or VP-level information
• Potentially a RACI
Definitions for today.
Insider Threat
• Anyone who is inside, or included by, your organization
• Intentional or unintentional
• Malicious or accidental
Security Incident Response Simulations
A practice to simulate a security failure and evaluate how the company will respond to that event.
Two Styles of Security Incident Response Simulations
Tabletop Exercise
• No hands on keyboards
• Role-play, follow incidents from start to finish
• Suitable to involve non-technical teams
  • Legal
  • PR
  • Executive management
Technical Exercise
• Execute a technical action in an environment
• Observe the response of the organization
  • Time to detect
  • Time to respond
  • Effectiveness of response
  • Lessons learned
SIRS Introduction
Purpose: Introduction to scenario activities
Overview: Review game day scenarios to be executed; identify the feedback and halt mechanism
Expected Results:
• Identify participants
• Determine delivery method as needed
• Outline success criteria
Responding to Findings: Remediation
[Figure: a pipeline of Detection, Alerting, Remediation, Countermeasures, Forensics and Team collaboration (Slack etc.), built from Amazon GuardDuty, VPC Flow Logs, Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS WAF, AWS Shield, Lambda functions, AWS APIs, AWS Step Functions, Amazon EC2 Systems Manager and Amazon EC2.]
Responding to Findings: Automation Example
• Lambda Function:
  • Removes instance from current Security Group(s) and adds it to one with all ingress and egress blocked
  • Snapshots EBS volume(s)
  • Alerts Security Team
• SSM Document:
  • Forensics can begin
  • Network capture
  • Memory dump
  • Process review
  • Internal tools
[Figure: AWS Step Functions orchestrating the Lambda functions and Amazon EC2 Systems Manager (SSM).]
Responding to Findings: Automation Example
• Step Function (AWS Step Functions):
AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Using Step Functions, you can design and run workflows that stitch together services such as AWS Lambda and Amazon ECS into feature-rich applications. Workflows are made up of a series of steps, with the output of one step acting as input into the next. Application development is simpler and more intuitive using Step Functions, because it translates your workflow into a state machine diagram that is easy to understand, easy to explain to others, and easy to change. You can monitor each step of execution as it happens, which means you can identify and fix problems quickly. Step Functions automatically triggers and tracks each step, and retries when there are errors, so your application executes in order and as expected.
Runbooks – Example
Problem description
[Your Enterprise Here] is under a [Attack Type]
[Attack Description]
Data to gather for troubleshooting
[Evaluation of current data.]
Steps to troubleshoot and fix
1. Log in to AWS
2. Do stuff
3. Correct issue
4. Jump to forensics environment?
Urgency category
[Critical, Important, Moderate, Informational]
Escalation path:
Unable to fix, escalate to these individuals or groups in this order:
1. Someone, email and phone number
2. Someone Else, email and phone number
3. Distribution List/Slack?
4. CTO/CISO?
5. CEO?
Finding "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS"
EC2 instance is communicating with Bitcoin mining pools.
Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
Sample GuardDuty finding (truncated on the slide):
[
  {
    "schemaVersion": "2.0",
    "accountId": "0123456789",
    "region": "us-west-2",
    "partition": "aws",
    "id": "[GUID]",
    "arn": "arn:aws:guardduty:us-west-2:01234567890:detector/[GUID]/finding/[Finding GUID]",
    "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        "instanceId": "i-99999999",
        "instanceType": "p2.xlarge",
        "launchTime": "2017-12-20T23:46:44Z",
        "platform": null,
        "productCodes": [
          {
            "productCodeId": "GeneratedFindingProductCodeId",
            "productCodeType": "GeneratedFindingProductCodeType"
          }
Finding: ["type"] = "CryptoCurrency:EC2/BitcoinTool.B!DNS"
Instance: ["instanceDetails"]["instanceId"] = "i-99999999"
Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
Finding: ["type"] = "CryptoCurrency:EC2/BitcoinTool.B!DNS"
Instance: ["instanceDetails"]["instanceId"] = "i-99999999"
Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty; this means that we have an account or machine that has been compromised.
This finding informs you that an EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you use this EC2 instance to mine or manage cryptocurrency or your EC2 instance is involved in blockchain activity, your EC2 instance might be compromised.
Data to gather for troubleshooting
Account user ID, role or profile that was accessed
Instance ID, subnet ID, VPC ID
Connectivity to other systems
Review of CloudTrail and VPC Flow Logs to and around the specified instance.
Steps to troubleshoot and fix
1. Notify IR team on call.
2. Run automated instance quarantine
3. Role credentials associated with the above identity
4. Snapshot instance and VPC Flow Logs to forensics account
5. Validate that the new Auto Scaling group created instance is working correctly
Urgency category
Critical
Escalation path:
Unable to fix, escalate to these individuals or groups in this order:
1. Someone, email and phone number
2. Someone Else, email and phone number
3. Distribution List
4. …
5. …
Items to Code:
1. CloudWatch filter to trap a finding from GuardDuty, with ["type"] = "CryptoCurrency:EC2/BitcoinTool.B!DNS"
2. Step Functions start
  a. SNS fires to notify Ops of an issue
  b. Lambda function is fired to run SSM
    i. When finished, a Lambda function is fired to quarantine the instance
  c. Lambda function is fired to snapshot the instance
  d. Step Function checks responses
3. Lambda is fired to stop and destroy the instance.
Items to Code:
1. Actual Coding to occur later in the talk.
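A worked version of items 1 and 2 of the list above, added here as an example and not code from the talk: a CloudWatch Events pattern for the finding type, a Lambda-style handler that pulls the instance id out of the finding, and the quarantine step from the automation slide (swap security groups, snapshot the EBS volumes, return a record for the IR team). The isolation security group id, the handler signature and the FakeEC2 client are assumptions so the block runs offline.

```python
"""Added example (not from the talk): trap the GuardDuty finding from the
runbook and quarantine the instance it names.

Assumptions (not on the slides): the event is the CloudWatch Events envelope
with the finding JSON under "detail"; the id of an "all ingress and egress
blocked" security group is passed in; the EC2 client is injected (boto3-shaped)
so the example runs offline against a fake."""
import json
from datetime import datetime, timezone

# Item 1 on the slide: the pattern a CloudWatch Events rule would carry. Only
# findings of exactly this type reach the Step Function; everything else is dropped.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": ["CryptoCurrency:EC2/BitcoinTool.B!DNS"]},
}


def pattern_matches(pattern, event):
    """Minimal CloudWatch Events matcher: every pattern key must be present in
    the event; a list is the set of allowed literals, a dict recurses."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not pattern_matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def finding_instance_id(event):
    """The runbook's ["instanceDetails"]["instanceId"] reference."""
    return event["detail"]["resource"]["instanceDetails"]["instanceId"]


def quarantine_instance(ec2, instance_id, isolation_sg, now=None):
    """Runbook step 2 as the slide's Lambda describes it: record the original
    security groups (evidence), move the instance into the isolation group,
    snapshot every attached EBS volume, and return the record for the IR team."""
    now = now or datetime.now(timezone.utc)
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in instance["SecurityGroups"]]
    # Isolate first: cut the mining traffic before the slower snapshot work starts.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    snapshots = []
    for mapping in instance.get("BlockDeviceMappings", []):
        resp = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"IR quarantine of {instance_id} at {now.isoformat()}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "ir-source-instance", "Value": instance_id}]}])
        snapshots.append(resp["SnapshotId"])
    return {"instanceId": instance_id, "originalSecurityGroups": original_sgs,
            "isolationSecurityGroup": isolation_sg, "snapshots": snapshots,
            "quarantinedAt": now.isoformat()}


def handler(event, ec2, isolation_sg):
    """Lambda-style entry point: re-check the pattern (defence in depth against a
    mis-wired rule), then quarantine and hand the record to SNS/Step Functions."""
    if not pattern_matches(EVENT_PATTERN, event):
        return {"action": "ignored", "reason": "finding type not in scope"}
    record = quarantine_instance(ec2, finding_instance_id(event), isolation_sg)
    record.update(action="quarantined", findingId=event["detail"]["id"])
    return record


# ---- Constructed fake client and sample finding so this runs offline ----
class FakeEC2:
    def __init__(self):
        self.instances = {"i-99999999": {
            "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0001"}},
                                    {"Ebs": {"VolumeId": "vol-0002"}}]}}
        self.snapshot_calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]

    def create_snapshot(self, VolumeId, **kwargs):
        self.snapshot_calls.append((VolumeId, kwargs))
        return {"SnapshotId": "snap-" + VolumeId[4:]}


SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "[Finding GUID]", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
               "resource": {"resourceType": "Instance", "instanceDetails": {
                   "instanceId": "i-99999999", "instanceType": "p2.xlarge"}}}}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, FakeEC2(), "sg-quarantine"), indent=2))
```

The original security group ids are kept in the returned record so the forensics step knows what the instance could reach before it was isolated.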
Postmortem - CryptoCurrency:EC2/BitcoinTool.B!DNS
Problem description
CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in Amazon GuardDuty; this means that we have an account or machine that has been compromised.
John, our lead developer, added his AWS access key and secret key to his most recent git commit. This was found and then sold to a crypto mining company in another country. We had bad threat detection and the account was utilized for a couple of days before we found out.
-or-
John had his laptop stolen and didn't encrypt his hard drive. Because he kept everything in his local git repo, his user was compromised.
Postmortem
Utilize good development practices. Committing static variables that contain access keys to git causes long-term issues for a cloud account.
- Utilize git-secrets
- Attend a workshop at re:Invent discussing use of open source dev tools
- Limit blast radius
- Enjoy one of the multi-account sessions at re:Invent
The loss of corporate resources that were unencrypted.
- Encrypt hard drives going forward
- Limit account activities of humans for threat detection
- Limit account access of people in production and test environments
Members of the Postmortem Team:
Developers
Operations
Security Operations
Management?
Leadership level?
awslabs repos: https://github.com/awslabs
Possible Game #1 - "CryptoCurrency:EC2/BitcoinTool.B!DNS"
Accidental exposure of host access credentials.
Objective: Test response in determining if customer data was exposed, and actions taken to rotate access keys.
Imagine a developer committed an SSH private key to GitHub.
• What was changed?
• How?
• When was the issue contained?
Outcomes
Increased capability to respond to security incidents:
• By testing incident response triggers
  • SOC / SIEM detection
  • Operational support requests
  • External triggers such as communications from the AWS Abuse Team
• By testing incident response tools and processes
  • Practice using the response and investigation tools
  • Test the processes and procedures to ensure they help rather than get in the way
• By planning and iterating on the tools and the processes based on what was learned from the game day
• By identifying opportunities to automate parts of the process
Your Turn!
Finding "type": "UnauthorizedAccess:IAMUser/UnusualASNCaller"
An API was invoked from an IP address of an unusual network.
Remediation - UnauthorizedAccess:IAMUser/UnusualASNCaller
Sample GuardDuty finding (truncated on the slide):
[
  {
    "schemaVersion": "2.0",
    "accountId": "1234567890",
    "region": "us-east-2",
    "partition": "aws",
    "id": "12b2c8c3d5aec3406737c61d0935b322",
    "arn": "arn:aws:guardduty:us-east-2:1234567890:detector/ceb20cc8177a06c5e775adac2e0606a7/finding/12b2c8c3d5aec3406737c61d0935b322",
    "type": "UnauthorizedAccess:IAMUser/UnusualASNCaller",
    "resource": {
      "resourceType": "AccessKey",
      "accessKeyDetails": {
        "accessKeyId": "GeneratedFindingAccessKeyId",
        "principalId": "GeneratedFindingPrincipalId",
        "userType": "IAMUser",
        "userName": "GeneratedFindingUserName"
      }
    },
    "service": {
      "serviceName": "guardduty",
      "detectorId": "ceb20cc8177a06c5e775adac2e0606a7",
      "action": {
        "actionType": "AWS_API_CALL",
        "awsApiCallAction": {
Finding: ["type"] = "UnauthorizedAccess:IAMUser/UnusualASNCaller"
User: ["accessKeyDetails"]["userName"] = "GeneratedFindingUserName"
Runbooks – UnauthorizedAccess:IAMUser/UnusualASNCaller
Finding: ["type"] = "UnauthorizedAccess:IAMUser/UnusualASNCaller"
User: ["accessKeyDetails"]["userName"] = "GeneratedFindingUserName"
Problem description
UnauthorizedAccess:IAMUser/UnusualASNCaller: an API was invoked from an IP address of an unusual network.
This finding informs you that certain activity was invoked from an IP address of an unusual network. This network was never observed throughout the AWS usage history of the described user. This activity can include a console login, an attempt to launch an EC2 instance, create a new IAM user, modify your AWS permissions, etc. This can indicate unauthorized access to your AWS resources.
Data to gather for troubleshooting
Account user name, role or profile that was used
Connectivity to other systems
Review of CloudTrail for the actions taken by the specified user.
Steps to troubleshoot and fix
1. Notify IR team on call.
2. Rotate user credentials, terminate active sessions
3. Role credentials associated with the above identity
4. Review CloudTrail in Splunk or SumoLogic
5. Redeploy active account, remove any non-sanctioned constructs from the account. Or deploy to a new account, burning the compromised account
Urgency category
Critical
Escalation path:
Unable to fix, escalate to these individuals or groups in this order:
1. Someone, email and phone number
2. Someone Else, email and phone number
3. Distribution List
4. …
5. …
Items to Code:
1. CloudWatch filter to trap a finding from GuardDuty, with ["type"] = "UnauthorizedAccess:IAMUser/UnusualASNCaller"
2. Step Functions start
  a. SNS fires to notify Ops of an issue
  b. Lambda function is fired to:
    i. Rotate keys, user passwords
    ii. Revoke sessions
  c. Lambda to list actions taken by the user
    i. Remediate any that can be, and message the items that can't be.
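Item 2b of the list above, as an added example that is not code from the talk: a Lambda-style handler that deactivates the user's access keys, removes the console password and revokes already-issued sessions with a deny policy keyed on aws:TokenIssueTime. The handler signature, the policy name and the FakeIAM client are assumptions so the block runs offline.

```python
"""Added example (not from the talk): contain the IAM user named in a
GuardDuty UnauthorizedAccess:IAMUser/UnusualASNCaller finding.

Assumptions (not on the slides): the finding arrives in the CloudWatch Events
envelope with the finding JSON under "detail"; the IAM client is injected
(boto3-shaped) so the example runs offline against a fake; already-issued
temporary credentials are revoked with a deny policy on aws:TokenIssueTime."""
import json
from datetime import datetime, timezone
from types import SimpleNamespace

REVOKE_POLICY_NAME = "IR-RevokeOlderSessions"  # hypothetical policy name


def finding_user_name(event):
    """The runbook's ["userName"] reference: the user the flagged key belongs to."""
    return event["detail"]["resource"]["accessKeyDetails"]["userName"]


def revoke_sessions_policy(cutoff):
    """Deny everything for credentials issued before the cutoff. Attached as an
    inline user policy, this invalidates STS sessions the user already holds."""
    stamp = cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def contain_user(iam, user_name, now=None):
    """Runbook step 2: disable keys, drop the console password, revoke sessions.
    Keys are deactivated rather than deleted so the key id still resolves when
    CloudTrail is reviewed in step 4."""
    now = now or datetime.now(timezone.utc)
    disabled = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
            disabled.append(key["AccessKeyId"])
    try:
        iam.delete_login_profile(UserName=user_name)
        password_removed = True
    except iam.exceptions.NoSuchEntityException:  # API-only user, no console password
        password_removed = False
    iam.put_user_policy(UserName=user_name, PolicyName=REVOKE_POLICY_NAME,
                        PolicyDocument=json.dumps(revoke_sessions_policy(now)))
    return {"userName": user_name, "disabledKeys": disabled,
            "passwordRemoved": password_removed,
            "sessionsRevokedBefore": now.isoformat()}


def handler(event, iam):
    """Lambda-style entry point for item 2b: returns the containment record
    that the Step Function passes on to the notification step."""
    if event["detail"]["type"] != "UnauthorizedAccess:IAMUser/UnusualASNCaller":
        return {"action": "ignored"}
    record = contain_user(iam, finding_user_name(event))
    record["action"] = "contained"
    return record


# ---- Constructed fake client and sample finding so this runs offline ----
class NoSuchEntity(Exception):
    pass


class FakeIAM:
    exceptions = SimpleNamespace(NoSuchEntityException=NoSuchEntity)

    def __init__(self, keys, has_password):
        self.keys = dict(keys)             # AccessKeyId -> Status
        self.has_password = has_password
        self.policies = {}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_login_profile(self, UserName):
        if not self.has_password:
            raise NoSuchEntity(UserName)
        self.has_password = False

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies[PolicyName] = json.loads(PolicyDocument)


SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "UnauthorizedAccess:IAMUser/UnusualASNCaller",
               "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
                   "accessKeyId": "GeneratedFindingAccessKeyId", "userType": "IAMUser",
                   "userName": "GeneratedFindingUserName"}}}}

if __name__ == "__main__":
    fake = FakeIAM({"AKIA_CONSTRUCTED_1": "Active", "AKIA_CONSTRUCTED_2": "Inactive"}, True)
    print(json.dumps(handler(SAMPLE_EVENT, fake), indent=2))
```

The deny policy does not touch keys that are issued after the cutoff, so new credentials handed to the user once the account is cleaned up keep working.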
Thank you!
Nathan Case
Contact information
Lorem ipsum dolor sit amet, error
possim abhorreant vix ne, ne mel
debitis iudicabit voluptatibus. Affert
timeam debitis no nam. Sint
democritum complectitur his an.
Ex mei admodum inciderint, cum cu
nihil commune atomorum. Vix ea
possit similique elaboraret.
Thank you!
Nathan Case
Contact information
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC359-R1) - AWS re:Invent 2018

  • 1.
  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    A DIY Guide to Runbooks, Security Incident Response Simulations, & Incident Response
    Nathan Case, Security Specialist SA – Incident Response and Threat Detection, AWS
    SEC359
  • 3. Agenda
    • Threat Detection
    • Definitions
    • Example Event
    • The First Attempt
  • 4. Breakout repeats
    Tuesday, November 27 – A DIY Guide to Runbooks, Security Incident Response Simulations, & Incident Response – 10:45 am | Aria East 2, Mariposa 8
    Thursday, November 29 – A DIY Guide to Runbooks, Security Incident Response Simulations, & Incident Response – 1:00 pm | Aria West 3, Ironwood 8
  • 5.
  • 6. Infrastructure and Application Domains (diagram): VPC CIDR 10.0.0.0/16 spanning Availability Zones A, B and C; public subnet 10.0.0.0/19, private subnet 10.0.32.0/20, sensitive subnet 10.0.48.0/21; security groups, route table, NACLs, Internet Gateway; instance compromise; Amazon S3, Amazon RDS, IAM, AWS CloudHSM, AWS Organizations, AWS KMS, AWS Directory Service.
  • 7. Services Domain (diagram): same layout as slide 6, without the Internet Gateway.
  • 8. All Domains (diagram): same layout as slide 6.
  • 9.
    Infrastructure: VPC, Resources, Connectivity, On-instance, ...
    Service: IAM, S3 buckets, Billing, ...
    Application: Patching, Coding hole, ...
    Other?
  • 10.
  • 11. Definitions for today.
    Runbooks
    • Tactical review of a situation
    • Description of situations that may occur
    • Steps to correct or enact a desired outcome for said situations
    • Contact list for the situation
    Playbooks
    • Strategic review or overview of situational responses
    • Strategic planning for the future
    • Generally non-technical
    • C-level or VP-level information
    • Potentially a RACI
  • 12. Definitions for today.
    Insider Threat
    • Anyone that is inside, or included by, your organization
    • Intentional or unintentional
    • Malicious or accidental
    Security Incident Response Simulations
    A practice to simulate a security failure and evaluate how the company will respond to this event.
  • 13. Two Styles of Security Incident Response Simulations
    Tabletop Exercise
    • No hands on keyboards
    • Role-play, follow incidents from start to finish
    • Suitable to involve non-technical teams: Legal, PR, Executive management
    Technical Exercise
    • Execute a technical action in an environment
    • Observe the response of the organization: time to detect, time to respond, effectiveness of response, lessons learned
  • 14. SIRS Introduction
    Overview: Review game day scenarios to be executed; identify the feedback and halt mechanism
    Expected Results:
    • Identify participants
    • Determine delivery method as needed
    • Outline success criteria
    Purpose: Introduction to scenario activities
  • 15.
  • 16. Responding to Findings: Remediation (diagram)
    Stages: Detection, Alerting, Remediation, Countermeasures, Forensics
    Services shown: Amazon GuardDuty, Amazon CloudWatch, AWS CloudTrail, AWS Config, VPC Flow Logs, Lambda function, AWS Step Functions, AWS APIs, AWS WAF, AWS Shield, Amazon EC2 Systems Manager, Amazon EC2, team collaboration (Slack etc.)
  • 17. Responding to Findings: Automation Example (diagram: Amazon EC2 Systems Manager, AWS Lambda, AWS Step Functions)
    • Lambda Function:
      • Removes the instance from its current Security Group(s) and adds it to one with all ingress and egress blocked
      • Snapshots EBS volume(s)
      • Alerts the Security Team
    • SSM Document:
      • Forensics can begin
      • Network capture
      • Memory dump
      • Process review
      • Internal tools
  • 18. Responding to Findings: Automation Example – AWS Step Functions
    • Step Function: AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Using Step Functions, you can design and run workflows that stitch together services such as AWS Lambda and Amazon ECS into feature-rich applications. Workflows are made up of a series of steps, with the output of one step acting as input into the next. Application development is simpler and more intuitive using Step Functions, because it translates your workflow into a state machine diagram that is easy to understand, easy to explain to others, and easy to change. You can monitor each step of execution as it happens, which means you can identify and fix problems quickly. Step Functions automatically triggers and tracks each step, and retries when there are errors, so your application executes in order and as expected.
  • 19. Responding to Findings: Automation Example – AWS Step Functions (repeat of slide 18)
  • 20.
  • 21. Runbooks – Example
    Problem description
    [Your Enterprise Here] is under a [Attack Type]
    [Attack Description]
    Data to gather for troubleshooting
    [Evaluation of current data.]
    Steps to troubleshoot and fix
    1. Log in to AWS
    2. Do stuff
    3. Correct issue
    4. Jump to forensics environment?
    Urgency category
    [Critical, Important, Moderate, Informational]
    Escalation path: Unable to fix, escalate to these individuals or groups in this order:
    1. Someone, email and phone number
    2. Someone Else, email and phone number
    3. Distribution List/Slack?
    4. CTO/CISO?
    5. CEO?
  • 22. Runbooks – Example (repeat of slide 21)
  • 23. "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS"
    EC2 instance is communicating with Bitcoin mining pools.
  • 24. Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
    [
      {
        "schemaVersion": "2.0",
        "accountId": "0123456789",
        "region": "us-west-2",
        "partition": "aws",
        "id": "[GUID]",
        "arn": "arn:aws:guardduty:us-west-2:01234567890:detector/[GUID]/finding/[Finding GUID]",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "resource": {
          "resourceType": "Instance",
          "instanceDetails": {
            "instanceId": "i-99999999",
            "instanceType": "p2.xlarge",
            "launchTime": "2017-12-20T23:46:44Z",
            "platform": null,
            "productCodes": [
              {
                "productCodeId": "GeneratedFindingProductCodeId",
                "productCodeType": "GeneratedFindingProductCodeType"
              }
    Finding: ["type"] = "CryptoCurrency:EC2/BitcoinTool.B!DNS"
    Instance: ["instanceDetails"]["instanceId"] = "i-99999999"
  • 25. Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS
    Finding: ["type"] = "CryptoCurrency:EC2/BitcoinTool.B!DNS"
    Instance: ["instanceDetails"]["instanceId"] = "i-99999999"
    Problem description
    CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in GuardDuty; this means that we have an account or machine that has been compromised. This finding informs you that an EC2 instance in your AWS environment is querying a domain name that is associated with Bitcoin-related activity. Bitcoin is a worldwide cryptocurrency and digital payment system. Besides being created as a reward for Bitcoin mining, bitcoin can be exchanged for other currencies, products, and services. Unless you use this EC2 instance to mine or manage cryptocurrency or your EC2 instance is involved in blockchain activity, your EC2 instance might be compromised.
    Data to gather for troubleshooting
    Account User ID, Role or Profile that was accessed
    Instance ID, Subnet ID, VPC ID
    Connectivity to other systems
    Review of CloudTrail and VPC Flow Logs to and around the specified instance.
    Steps to troubleshoot and fix
    1. Notify IR Team on call.
    2. Run automated instance quarantine
    3. Role credentials associated with the above identity
    4. Snapshot instance and VPC Flow Logs to forensics account
    5. Validate that the new Auto Scaling group created instance is working correctly
    Urgency category
    Critical
    Escalation path: Unable to fix, escalate to these individuals or groups in this order:
    1. Someone, email, and phone number
    2. Someone Else, email and phone number
    3. Distribution List
    4. …
    5. …
  • 26. Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS (repeat of slide 25, highlighting "Steps to troubleshoot and fix")
  • 27. Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS (runbook from slide 25, plus:)
    Items to Code:
    1. CloudWatch filter to trap a finding from GuardDuty, with: ["type"] = "CryptoCurrency:EC2/BitcoinTool.B!DNS"
    2. Step Functions start
       a. SNS fires to notify Ops of an issue
       b. Lambda function is fired to run SSM
          i. When finished, a Lambda function is fired to quarantine the instance
       c. Lambda function is fired to snapshot the instance
       d. Step function checks responses
    3. Lambda is fired to stop and destroy the instance.
  • 28. Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS (runbook from slide 25, plus:)
    Items to Code:
    1. Actual coding to occur later in the talk.
  • 29. Remediation - CryptoCurrency:EC2/BitcoinTool.B!DNS (repeat of slide 25, highlighting the escalation path)
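The Lambda pieces that slides 17 and 27 describe (the CloudWatch Events pattern that traps the finding, the quarantine into an empty security group, the EBS snapshots), as an added example that is not code from the talk or from AWS. It assumes boto3 in a real deployment and a pre-created isolation security group with no rules (`sg-PLACEHOLDER`); `FakeEC2` and `SAMPLE_EVENT` are constructed stand-ins so it runs offline.

```python
"""Added example (not the talk's own code): the quarantine Lambda that
slides 17 and 27 sketch for CryptoCurrency:EC2/BitcoinTool.B!DNS."""
FINDING_TYPE = "CryptoCurrency:EC2/BitcoinTool.B!DNS"

# "Items to Code" item 1: the CloudWatch Events rule pattern that traps only
# GuardDuty findings of this type and starts the Step Functions workflow.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [FINDING_TYPE]},
}

def pattern_matches(pattern, event):
    """Evaluate the subset of CloudWatch Events pattern syntax used above:
    a list means "the event value is one of these", a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not (isinstance(event[key], dict)
                    and pattern_matches(expected, event[key])):
                return False
        elif event[key] not in expected:
            return False
    return True

def extract_target(finding):
    """The fields the runbook keys on: ["type"] and ["instanceDetails"]["instanceId"]."""
    details = finding["resource"]["instanceDetails"]
    return {"finding_id": finding["id"], "finding_type": finding["type"],
            "instance_id": details["instanceId"]}

def quarantine_instance(ec2, instance_id, isolation_sg, finding_id):
    """Runbook steps 2 and 4: isolate the instance, then snapshot its volumes.
    ec2 is a boto3 EC2 client (or the offline stand-in below); isolation_sg is
    assumed to be a pre-created security group with no ingress or egress rules."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    previous = [sg["GroupId"] for sg in instance["SecurityGroups"]]
    # Replace, don't append: the empty group only cuts traffic once the original
    # groups (which still allow it) are gone. The old list is returned so
    # responders can trace what was reachable or restore it after forensics.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    # Snapshot before anything destructive (the sketch's last step stops and
    # destroys the instance) so the forensics account keeps the disk state.
    snapshots = []
    for mapping in instance.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(VolumeId=mapping["Ebs"]["VolumeId"],
                                   Description=f"GuardDuty {finding_id} {instance_id}")
        snapshots.append(snap["SnapshotId"])
    return {"previous_security_groups": previous, "snapshot_ids": snapshots}

def lambda_handler(event, context=None, ec2=None, isolation_sg="sg-PLACEHOLDER"):
    """Step Functions task entry point. Re-checks the pattern so a mis-wired
    rule cannot quarantine an instance over an unrelated finding."""
    if not pattern_matches(EVENT_PATTERN, event):
        return {"action": "ignored", "reason": "not a matching GuardDuty finding"}
    target = extract_target(event["detail"])
    if ec2 is None:  # real deployment; the offline demo passes a client in
        import boto3
        ec2 = boto3.client("ec2", region_name=event["detail"]["region"])
    result = quarantine_instance(ec2, target["instance_id"], isolation_sg,
                                 target["finding_id"])
    return {"action": "quarantined", **target, **result}

class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 client so the example
    runs offline; only the three calls used above are implemented."""
    def __init__(self):
        self.groups = {"i-99999999": ["sg-web"]}
        self.volumes = {"i-99999999": ["vol-0a", "vol-0b"]}
        self.snapshots = []

    def describe_instances(self, InstanceIds):
        iid = InstanceIds[0]
        return {"Reservations": [{"Instances": [{
            "InstanceId": iid,
            "SecurityGroups": [{"GroupId": g} for g in self.groups[iid]],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}}
                                    for v in self.volumes[iid]]}]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)

    def create_snapshot(self, VolumeId, Description):
        sid = f"snap-{len(self.snapshots) + 1:04d}"
        self.snapshots.append((sid, VolumeId, Description))
        return {"SnapshotId": sid}

# Constructed CloudWatch event wrapping the (trimmed) finding from slide 24.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "FINDING-GUID-PLACEHOLDER", "region": "us-west-2",
               "type": FINDING_TYPE,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-99999999"}}},
}
```

Calling `lambda_handler(SAMPLE_EVENT, ec2=FakeEC2(), isolation_sg="sg-isolate")` returns the previous security groups and the snapshot ids alongside the finding and instance ids, which is what the next Step Functions state (the SNS notification to the IR team) needs.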
  • 30. Postmortem - CryptoCurrency:EC2/BitcoinTool.B!DNS
    Problem description
    CryptoCurrency:EC2/BitcoinTool.B!DNS has been found in Amazon GuardDuty; this means that we have an account or machine that has been compromised.
    John, our lead developer, added his AWS access key and secret key to his most recent git push. This was found and then sold to a crypto mining company in another country. We had bad threat detection and the account was utilized for a couple of days before we found out.
    -or-
    John had his laptop stolen and didn't encrypt his hard drive. Because he kept everything in his local Git repo, his user was compromised.
    Postmortem
    Utilize good development practices. Adding static variables that contain access keys to a git repository causes long-term issues for a cloud account.
    - Utilize git-secrets
    - Attend a workshop at re:Invent discussing use of open source dev tools
    - Limit blast radius
    - Enjoy one of the multi-account sessions at re:Invent
    The loss of corporate resources that were unencrypted.
    - Encrypt hard drives going forward
    - Limit account activities of humans for threat detection
    - Limit account access of people in production and test environments
    Members of the Postmortem Team: Developers, Operations, Security Operations, Management?, Leadership level?
  • 31. Postmortem - CryptoCurrency:EC2/BitcoinTool.B!DNS (repeat of slide 30, plus:)
    awslabs repos: https://github.com/awslabs
  • 32. Possible Game #1 - "CryptoCurrency:EC2/BitcoinTool.B!DNS"
    Accidental exposure of host access credentials.
    Objective: Test response in determining if customer data was exposed, and actions taken to rotate access keys.
    Imagine a developer committed an ssh private key to GitHub
    • What was changed? How?
    • When was the issue contained?
  • 33. Outcomes
    Increased capability to respond to security incidents
    • By testing incident response triggers
      • SOC / SIEM detection
      • Operational support requests
      • External triggers such as communications from the AWS Abuse Team
    • By testing incident response tools and processes
      • Practice using the response and investigation tools
      • Test the processes and procedures to ensure they help rather than get in the way
    • By planning and iterating on the tools and the processes based on what was learned from the game day
    • By identifying opportunities to automate parts of the process
  • 34. Your Turn!
    "type": "UnauthorizedAccess:IAMUser/UnusualASNCaller"
    An API was invoked from an IP address of an unusual network.
  • 35. UnauthorizedAccess:IAMUser/UnusualASNCaller (blank runbook template, same fields as slide 21)
  • 36. Remediation
    [
      {
        "schemaVersion": "2.0",
        "accountId": "1234567890",
        "region": "us-east-2",
        "partition": "aws",
        "id": "12b2c8c3d5aec3406737c61d0935b322",
        "arn": "arn:aws:guardduty:us-east-2:1234567890:detector/ceb20cc8177a06c5e775adac2e0606a7/finding/12b2c8c3d5aec3406737c61d0935b322",
        "type": "UnauthorizedAccess:IAMUser/UnusualASNCaller",
        "resource": {
          "resourceType": "AccessKey",
          "accessKeyDetails": {
            "accessKeyId": "GeneratedFindingAccessKeyId",
            "principalId": "GeneratedFindingPrincipalId",
            "userType": "IAMUser",
            "userName": "GeneratedFindingUserName"
          }
        },
        "service": {
          "serviceName": "guardduty",
          "detectorId": "ceb20cc8177a06c5e775adac2e0606a7",
          "action": {
            "actionType": "AWS_API_CALL",
            "awsApiCallAction": {
    Finding: ["type"] = "UnauthorizedAccess:IAMUser/UnusualASNCaller"
    ["userName"]: "GeneratedFindingUserName"
  • 37. Runbooks – UnauthorizedAccess:IAMUser/UnusualASNCaller
    Finding: ["type"] = "UnauthorizedAccess:IAMUser/UnusualASNCaller"
    ["userName"]: "GeneratedFindingUserName"
    Problem description
    UnauthorizedAccess:IAMUser/UnusualASNCaller. An API was invoked from an IP address of an unusual network. This finding informs you that certain activity was invoked from an IP address of an unusual network. This network was never observed throughout the AWS usage history of the described user. This activity can include a console login, an attempt to launch an EC2 instance, create a new IAM user, modify your AWS permissions, etc. This can indicate unauthorized access to your AWS resources.
    Data to gather for troubleshooting
    Account User Name, Role or Profile that was used
    Connectivity to other systems
    Review of CloudTrail for the actions taken by the user.
    Steps to troubleshoot and fix
    1. Notify IR Team on call.
    2. Rotate user credentials, terminate active sessions
    3. Role credentials associated with the above identity
    4. Review CloudTrail in Splunk or SumoLogic
    5. Redeploy the active account, removing any non-sanctioned constructs from the account; or deploy to a new account, burning the compromised account
    Urgency category
    Critical
    Escalation path: Unable to fix, escalate to these individuals or groups in this order:
    1. Someone, email, and phone number
    2. Someone Else, email and phone number
    3. Distribution List
    4. …
    5. …
  • 38. Runbooks – UnauthorizedAccess:IAMUser/UnusualASNCaller (repeat of slide 37, highlighting "Steps to troubleshoot and fix")
  • 39. Runbooks – UnauthorizedAccess:IAMUser/UnusualASNCaller (runbook from slide 37, plus:)
    Items to Code:
    1. CloudWatch filter to trap a finding from GuardDuty, with: ["type"] = "UnauthorizedAccess:IAMUser/UnusualASNCaller"
    2. Step Functions start
       a. SNS fires to notify Ops of an issue
       b. Lambda function is fired to:
          i. Rotate keys and user passwords
          ii. Revoke sessions
       c. Lambda to list actions taken by the user
          i. Remediate any that can be, and message the items that can't be.
  • 40. Runbooks – UnauthorizedAccess:IAMUser/UnusualASNCaller (repeat of slide 37, highlighting the escalation path)
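Items 2b and 2c from slide 39 (deactivate keys, remove the console password, revoke already-issued sessions, then list what the user did and hand the state-changing calls to a human), as an added example that is not code from the talk or from AWS. It assumes boto3 in a real deployment; `FakeIAM`, `FakeCloudTrail`, the `IR-RevokeOlderSessions` policy name and `SAMPLE_EVENT` are constructed for the offline run.

```python
"""Added example (not the talk's own code): the credential-containment
Lambda that slide 39 sketches for UnauthorizedAccess:IAMUser/UnusualASNCaller."""
import json
from datetime import datetime, timedelta, timezone

FINDING_TYPE = "UnauthorizedAccess:IAMUser/UnusualASNCaller"
# API names with these prefixes are read-only; anything else changed state
# and needs a human to decide whether to undo it (slide 39, item 2c).
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Lookup")

def extract_user(finding):
    """The fields the runbook keys on: ["type"] and the key's ["userName"]."""
    key = finding["resource"]["accessKeyDetails"]
    if finding["type"] != FINDING_TYPE or key["userType"] != "IAMUser":
        raise ValueError("runbook only handles IAM-user findings of this type")
    return {"finding_id": finding["id"], "user_name": key["userName"],
            "access_key_id": key["accessKeyId"]}

def revoke_sessions_policy(cutoff):
    """Deny-all for temporary credentials issued before `cutoff`, the same
    aws:TokenIssueTime condition the IAM console's "Revoke sessions" uses."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {
            "aws:TokenIssueTime": cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")}}}]}

def contain_user(iam, user_name, now):
    """Item 2b: rotate keys and passwords, revoke sessions. `iam` is a boto3
    IAM client or the offline stand-in below."""
    deactivated = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            # Deactivate rather than delete: the key id stays resolvable in
            # CloudTrail while the investigation runs.
            iam.update_access_key(UserName=user_name, Status="Inactive",
                                  AccessKeyId=key["AccessKeyId"])
            deactivated.append(key["AccessKeyId"])
    try:  # console password, if the user has one
        iam.delete_login_profile(UserName=user_name)
        console_removed = True
    except Exception as exc:  # boto3 raises NoSuchEntity for key-only users
        if "NoSuchEntity" not in str(exc):
            raise
        console_removed = False
    iam.put_user_policy(UserName=user_name, PolicyName="IR-RevokeOlderSessions",
                        PolicyDocument=json.dumps(revoke_sessions_policy(now)))
    return {"deactivated_keys": deactivated, "console_removed": console_removed}

def triage_activity(cloudtrail, user_name, start, end):
    """Item 2c: list what the user did; state-changing calls are returned for
    a human to remediate, read-only calls are only counted."""
    events = cloudtrail.lookup_events(
        LookupAttributes=[{"AttributeKey": "Username", "AttributeValue": user_name}],
        StartTime=start, EndTime=end)["Events"]
    mutating = [{"event": e["EventName"], "source": e["EventSource"]}
                for e in events if not e["EventName"].startswith(READ_ONLY_PREFIXES)]
    return {"total_events": len(events), "needs_review": mutating}

def lambda_handler(event, context=None, iam=None, cloudtrail=None, now=None):
    """Step Functions task: contain first, then gather the activity list."""
    target = extract_user(event["detail"])
    now = now or datetime.now(timezone.utc)
    if iam is None or cloudtrail is None:  # real deployment path
        import boto3
        iam, cloudtrail = boto3.client("iam"), boto3.client("cloudtrail")
    contained = contain_user(iam, target["user_name"], now)
    activity = triage_activity(cloudtrail, target["user_name"],
                               now - timedelta(days=7), now)
    return {**target, **contained, **activity}

class FakeIAM:
    """Constructed offline stand-in for the boto3 IAM client."""
    def __init__(self):
        self.keys = {"GeneratedFindingUserName": [
            {"AccessKeyId": "GeneratedFindingAccessKeyId", "Status": "Active"}]}
        self.login_profiles, self.policies = set(), {}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys[UserName]]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_login_profile(self, UserName):
        if UserName not in self.login_profiles:
            raise Exception("NoSuchEntity: no login profile for " + UserName)
        self.login_profiles.discard(UserName)

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies[(UserName, PolicyName)] = json.loads(PolicyDocument)

class FakeCloudTrail:
    """Constructed offline stand-in returning three made-up events."""
    def lookup_events(self, LookupAttributes, StartTime, EndTime):
        return {"Events": [{"EventName": n, "EventSource": s} for n, s in [
            ("DescribeInstances", "ec2.amazonaws.com"),
            ("RunInstances", "ec2.amazonaws.com"),
            ("CreateUser", "iam.amazonaws.com")]]}

# Constructed event carrying the (trimmed) finding from slide 36.
SAMPLE_EVENT = {"detail": {
    "id": "12b2c8c3d5aec3406737c61d0935b322", "type": FINDING_TYPE,
    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
        "accessKeyId": "GeneratedFindingAccessKeyId", "userType": "IAMUser",
        "userName": "GeneratedFindingUserName"}}}}
```

Run as `lambda_handler(SAMPLE_EVENT, iam=FakeIAM(), cloudtrail=FakeCloudTrail())`; the `needs_review` list (here `RunInstances` and `CreateUser`) is what the "message items that can't be remediated" step sends to the responders.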
  • 41. Thank you! © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Nathan Case Contact information