Weitere ähnliche Inhalte Ähnlich wie Incident Response: Eyes Everywhere (20) Mehr von Amazon Web Services (20) Incident Response: Eyes Everywhere2. Agenda
• Definition of Incident Response
• Different types of incidents
• Event Management
• SIRS
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
3. Goals
• Become aware of indicators of security incidents
• Classify incident types
• Discover sources of information to respond to an incident
• Understand incident response workflows
• Learn to prepare for incidents
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
4. Definition
Incident Response is an organized approach to addressing
and managing the aftermath of a security breach or attack, also
known as an IT incident, computer incident, or security incident.
The goal is to handle the situation in a way that limits damage and
reduces recovery time and costs.
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
5. IR Principles
• Establish Goals
• Respond using the cloud
• Know what you have and what you need
• Do things that scale
• Use redeployment mechanisms
• Iteratively automate the mundane
• Learn and improve your process
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
7. Finding the signal
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
Incident: deviation from your
[security] baseline
10. Response Time Comparison (example)
time
get logs
analyze
correlate
trace origin
locate
remediate
event delivered
rule matched
alert sent
correlate
check baseline
remediate
incidentdetected
Traditional Datacenter Response
AWS Response
11. Understand Your Attack Surface
Infrastructure
VPC Resources
Connectivity
On-instance
...
Application
Patching Issue
Code Insecurity
...
Incident Response Domains
12. Incidents in the Infrastructure Domain
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Bastion
App
App
W
eb
W
eb
Security groups
Route table
NACLsInternet Gateway
Instance compromise
14. Incidents in the Service Domain
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Bastion
App
App
W
eb
W
eb
Credentials
S3 bucket policies
Changes in permissions
16. Incidents in the Infrastructure Domain
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
Availability Zone C
Availability Zone B
VPC CIDR: 10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Bastion
App
App
W
eb
W
eb
Security groups
Route table
NACLsInternet Gateway
Instance compromise
17. Incidents in the Infrastructure Domain
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
Availability Zone C
Availability Zone B
VPC CIDR:
10.0.0.0/16
Availability Zone A
10.0.0.0/19
Public subnet
10.0.32.0/20
Private subnet
10.0.48.0/21
Sensitive subnet
Bastion
App
App
W
eb
W
eb
Security groups
Route table
NACLs
Internet Gateway
Instance compromise
Amazon
S3
Amazon
RDS
IAM
AWS
CloudHSM
AWS
Organizati
ons
AWS
KMS
AWS
Directory
Service
20. Definition
Incident Response is an organized approach to
addressing and managing the aftermath of a security breach or
attack, also known as an IT incident, computer incident, or
security incident. The goal is to handle the situation in a way that
limits damage and reduces recovery time and costs.
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
22. IR Lifecycle
Establish
control
Determine
impact
Recover as
needed
Investigate
root cause
Improve
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
Establish control
• Can I Log into the console
• Can I log into the instance
• Can I review/copy logs/Cloudtrail
• Can I copy information to a
forensics account
• Can I rotate credentials
• Can I review billing
• Can I isolate the instance
27. AWS Support Escalation Path
• In situations where an escalation is required, customers can
follow a pre-defined escalation path:
– Submit a Support Case
– Technical Account Manager
– On-call Operation Manager
– Global Enterprise Support Manager
– Director of Support Engineering
– VP of AWS Support
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
28. Preparation
• Keep a pre-configured forensics AMI on hand
• Decide on the forensic procedure
• Create IAM role for incident responders and for the forensic
workstation
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
29. Third Party Tools
Response
• AWS IR (ThreatResponse)
Case Management
• Incident Pony (ThreatResponse)
Networking
• Moloch
• Wireshark
Enterprise
• Mandiant
• EnCase
• Forensic Tool Kit
• Google Rapid Response
Memory Capture
• Fastdump
• FTK Imager
• LiME
• Margarita Shotgun (ThreatResponse)
31. What’s a SIRS?
• Security Incident Response Simulations (SIRS) are internal
events that provide a structured opportunity to practice your
incident response plan during a realistic scenario.
• SIRS events are fundamentally about being prepared and
iteratively improving your response capabilities.
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
32. Working back from customers
• Customers voice the following reasons why they want to
perform SIRS:
– Validate readiness
– Develop confidence – Learn from and train staff
– Generate artifacts for accreditation
– Be agile – Incremental improvement with laser focus
– Become faster and improve tools
– Refine escalation and communication
– Develop comfort with the rare and the creative
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
33. Preparing for a simulation
1. Find an issue of importance.
2. Find skilled security geeks.
3. Build a realistic model system.
4. Build and test the scenario elements.
5. Invite other security geeks and real people.
6. Run the simulation live.
7. Get better and repeat.
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
34. Key Simulation Elements
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0
Scenario Build Process Test
Live
Event
35. When should I contact AWS?
• If you are planning SIRS:
– Obtain permission to perform penetration testing/scanning.
– Confirm the SIRS does not violate the AWS Acceptable Use Policy.
AMAZON CONFIDENTIAL
Copyright ©2018 Amazon Web Services. All Rights Reserved
Incident Response v4.0