SlideShare ist ein Scribd-Unternehmen logo

Incident Response: Eyes Everywhere

Amazon Web Services
Amazon Web Services

Responding to an incident requires that you’re aware that an incident exists. To be aware that an incident exists, you have to know where to look and what to look for. In this session, you will learn the tools and techniques to take in the breadth of visibility that AWS offers to your environment as well as some ideas on how to inspect events of interest and identify indicators of compromise.

1 von 37
Downloaden Sie, um offline zu lesen
Incident Response Eyes Everywhere
Agenda • Definition of Incident Response • Different types of incidents • Event Management • SIRS AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Goals • Become aware of indicators of security incidents • Classify incident types • Discover sources of information to respond to an incident • Understand incident response workflows • Learn to prepare for incidents AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Definition Incident Response is an organized approach to addressing and managing the aftermath of a security breach or attack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
IR Principles • Establish Goals • Respond using the cloud • Know what you have and what you need • Do things that scale • Use redeployment mechanisms • Iteratively automate the mundane • Learn and improve your process AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Finding the signal AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Incident: deviation from your [security] baseline
Understanding Normal AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Indicators AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Logs and Monitors Billing Activity Threat Intelligence AWS Outreach Ad Hoc Contact
Response Time Comparison (example) time get logs analyze correlate trace origin locate remediate event delivered rule matched alert sent correlate check baseline remediate incidentdetected Traditional Datacenter Response AWS Response
Understand Your Attack Surface Infrastructure VPC Resources Connectivity On-instance ... Application Patching Issue Code Insecurity ... Incident Response Domains
Incidents in the Infrastructure Domain AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Bastion App App W eb W eb Security groups Route table NACLsInternet Gateway Instance compromise
Infrastructure VPC Resources Connectivity On-instance ... Service IAM S3 buckets Billing ... Application Patching Coding hole ... Understand Your Attack Surface Incident Response Domains
Incidents in the Service Domain AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Bastion App App W eb W eb Credentials S3 bucket policies Changes in permissions
Infrastructure VPC Resources Connectivity On-instance ... Service IAM S3 buckets Billing ... Application Patching Coding hole ... Other? Understand Your Attack Surface Incident Response Domains
Incidents in the Infrastructure Domain AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Bastion App App W eb W eb Security groups Route table NACLsInternet Gateway Instance compromise
Incidents in the Infrastructure Domain AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Bastion App App W eb W eb Security groups Route table NACLs Internet Gateway Instance compromise Amazon S3 Amazon RDS IAM AWS CloudHSM AWS Organizati ons AWS KMS AWS Directory Service
Types of Incidents Compliance variance Service disruption Unauthorized resources Unauthorized access Privilege escalation Persistence Excessive permissions Information exposure Credentials exposure AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
INCIDENT MANAGEMENT AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Definition Incident Response is an organized approach to addressing and managing the aftermath of a security breach or attack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Establish control • Can I Log into the console • Can I log into the instance • Can I review/copy logs/Cloudtrail • Can I copy information to a forensics account • Can I rotate credentials • Can I review billing • Can I isolate the instance
IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Determine impact • Review logs/CloudTrail/VPC Flow for changes • Reviews Account resources • Review Billing • Review Access Permissions • Review Data Loss and targets
IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Recover as needed • Do I remove instances • Do I change security groups • Do I remove user • Do I change credentials • Do I recover security groups
IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Investigate root cause • How did this happen? • Why did this happen? • Who did it? • How can we stop it from happening again?
IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Improve • Improve our systems and processes • Iterate. Iterate. Iterate. Iterate.
AWS Support Escalation Path • In situations where an escalation is required, customers can follow a pre-defined escalation path: – Submit a Support Case – Technical Account Manager – On-call Operation Manager – Global Enterprise Support Manager – Director of Support Engineering – VP of AWS Support AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Preparation • Keep a pre-configured forensics AMI on hand • Decide on the forensic procedure • Create IAM role for incident responders and for the forensic workstation AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Third Party Tools Response • AWS IR (ThreatResponse) Case Management • Incident Pony (ThreatResponse) Networking • Moloch • Wireshark Enterprise • Mandiant • EnCase • Forensic Tool Kit • Google Rapid Response Memory Capture • Fastdump • FTK Imager • LiME • Margarita Shotgun (ThreatResponse)
SECURITY INCIDENT RESPONSE SIMULATIONS AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
What’s a SIRS? • Security Incident Response Simulations (SIRS) are internal events that provide a structured opportunity to practice your incident response plan during a realistic scenario. • SIRS events are fundamentally about being prepared and iteratively improving your response capabilities. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Working back from customers • Customers voice the following reasons why they want to perform SIRS: – Validate readiness – Develop confidence – Learn from and train staff – Generate artifacts for accreditation – Be agile – Incremental improvement with laser focus – Become faster and improve tools – Refine escalation and communication – Develop comfort with the rare and the creative AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Preparing for a simulation 1. Find an issue of importance. 2. Find skilled security geeks. 3. Build a realistic model system. 4. Build and test the scenario elements. 5. Invite other security geeks and real people. 6. Run the simulation live. 7. Get better and repeat. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
Key Simulation Elements AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Scenario Build Process Test Live Event
When should I contact AWS? • If you are planning SIRS: – Obtain permission to perform penetration testing/scanning. – Confirm the SIRS does not violate the AWS Acceptable Use Policy. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
AWS Security Partner Solutions
Any Questions?

Empfohlen

Adding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAdding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps Pipelines
Amazon Web Services
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access Management
Amazon Web Services
 
Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes Everywhere
Amazon Web Services
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
Amazon Web Services
 
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Amazon Web Services
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Amazon Web Services
 
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Amazon Web Services
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...
Amazon Web Services
 

Empfohlen

Adding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAdding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps Pipelines
Amazon Web Services
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access Management
Amazon Web Services
 
Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes Everywhere
Amazon Web Services
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
Amazon Web Services
 
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
Amazon Web Services
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Amazon Web Services
 
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Root CA hierarchies for AWS Certificate Manager (ACM) Private CA - FND320 - A...
Amazon Web Services
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...
Amazon Web Services
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Amazon Web Services
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Amazon Web Services
 
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Amazon Web Services
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWS
Amazon Web Services
 
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
Amazon Web Services
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
Amazon Web Services
 
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Amazon Web Services
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
Amazon Web Services
 
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Amazon Web Services
 
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019 Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
Amazon Web Services
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Amazon Web Services
 
An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...
Amazon Web Services
 
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Amazon Web Services
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
Amazon Web Services
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
Amazon Web Services
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
Amazon Web Services
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Amazon Web Services
 
The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...
Amazon Web Services
 
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery RecommendationsCI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
Amazon Web Services
 
Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019 Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019
Amazon Web Services
 
Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes Everywhere
Amazon Web Services
 
Incident Response: Eyes Everywhere
Incident Response: Eyes EverywhereIncident Response: Eyes Everywhere
Incident Response: Eyes Everywhere
Amazon Web Services
 

Weitere ähnliche Inhalte

Was ist angesagt?

Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Amazon Web Services
 
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
Amazon Web Services
 
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Amazon Web Services
 
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Amazon Web Services
 
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery RecommendationsCI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
Amazon Web Services
 

Was ist angesagt? (20)

Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
 
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
 
Intro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWSIntro to Threat Detection and Remediation on AWS
Intro to Threat Detection and Remediation on AWS
 
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
 
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
 
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
 
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019 Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
 
An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...
 
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
 
Security@Scale
Security@ScaleSecurity@Scale
Security@Scale
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
 
The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...
 
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery RecommendationsCI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
 
Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019 Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019
 

Ähnlich wie Incident Response: Eyes Everywhere

Amazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and RemediationAmazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and Remediation
Amazon Web Services
 
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Amazon Web Services
 
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Amazon Web Services
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2
Amazon Web Services
 
Accelerating Enterprise Cloud Adoption: Automate Security to Migrate Faster
Accelerating Enterprise Cloud Adoption: Automate Security to Migrate FasterAccelerating Enterprise Cloud Adoption: Automate Security to Migrate Faster
Accelerating Enterprise Cloud Adoption: Automate Security to Migrate Faster
Amazon Web Services
 
Container Security and Avoiding the 2 A.M. Call (CON303-R1) - AWS re:Invent 2018
Container Security and Avoiding the 2 A.M. Call (CON303-R1) - AWS re:Invent 2018Container Security and Avoiding the 2 A.M. Call (CON303-R1) - AWS re:Invent 2018
Container Security and Avoiding the 2 A.M. Call (CON303-R1) - AWS re:Invent 2018
Amazon Web Services
 

Ähnlich wie Incident Response: Eyes Everywhere (20)

Incident Response - Eyes Everywhere
Incident Response - Eyes EverywhereIncident Response - Eyes Everywhere
Incident Response - Eyes Everywhere
 
Incident Response: Eyes Everywhere
Incident Response: Eyes EverywhereIncident Response: Eyes Everywhere
Incident Response: Eyes Everywhere
 
Incident Response: Eyes Everywhere
Incident Response: Eyes EverywhereIncident Response: Eyes Everywhere
Incident Response: Eyes Everywhere
 
AWS Security Week: Incident Response
AWS Security Week: Incident ResponseAWS Security Week: Incident Response
AWS Security Week: Incident Response
 
Amazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and RemediationAmazon GuardDuty Threat Detection and Remediation
Amazon GuardDuty Threat Detection and Remediation
 
A Case Study on Insider Threat Detection
A Case Study on Insider Threat DetectionA Case Study on Insider Threat Detection
A Case Study on Insider Threat Detection
 
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
 
Enhancing your Cyber Skills through a Cyber Range
Enhancing your Cyber Skills through a Cyber RangeEnhancing your Cyber Skills through a Cyber Range
Enhancing your Cyber Skills through a Cyber Range
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat Response
 
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
 
Automating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWSAutomating Incident Response and Forensics in AWS
Automating Incident Response and Forensics in AWS
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2
 
Accelerating Enterprise Cloud Adoption: Automate Security to Migrate Faster
Accelerating Enterprise Cloud Adoption: Automate Security to Migrate FasterAccelerating Enterprise Cloud Adoption: Automate Security to Migrate Faster
Accelerating Enterprise Cloud Adoption: Automate Security to Migrate Faster
 
Designing for Operability: Getting the Last Nines in Five-Nines Availability ...
Designing for Operability: Getting the Last Nines in Five-Nines Availability ...Designing for Operability: Getting the Last Nines in Five-Nines Availability ...
Designing for Operability: Getting the Last Nines in Five-Nines Availability ...
 
Container Security and Avoiding the 2 A.M. Call (CON303-R1) - AWS re:Invent 2018
Container Security and Avoiding the 2 A.M. Call (CON303-R1) - AWS re:Invent 2018Container Security and Avoiding the 2 A.M. Call (CON303-R1) - AWS re:Invent 2018
Container Security and Avoiding the 2 A.M. Call (CON303-R1) - AWS re:Invent 2018
 
Come Out From Behind Your Firewall
Come Out From Behind Your FirewallCome Out From Behind Your Firewall
Come Out From Behind Your Firewall
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat Response
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your Applications
 

Mehr von Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Mehr von Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Incident Response: Eyes Everywhere

  • 2. Agenda • Definition of Incident Response • Different types of incidents • Event Management • SIRS AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 3. Goals • Become aware of indicators of security incidents • Classify incident types • Discover sources of information to respond to an incident • Understand incident response workflows • Learn to prepare for incidents AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 4. Definition Incident Response is an organized approach to addressing and managing the aftermath of a security breach or attack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 5. IR Principles • Establish Goals • Respond using the cloud • Know what you have and what you need • Do things that scale • Use redeployment mechanisms • Iteratively automate the mundane • Learn and improve your process AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 6. IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 7. Finding the signal AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Incident: deviation from your [security] baseline
  • 8. Understanding Normal AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 9. Indicators AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Logs and Monitors Billing Activity Threat Intelligence AWS Outreach Ad Hoc Contact
  • 10. Response Time Comparison (example) time get logs analyze correlate trace origin locate remediate event delivered rule matched alert sent correlate check baseline remediate incidentdetected Traditional Datacenter Response AWS Response
  • 11. Understand Your Attack Surface Infrastructure VPC Resources Connectivity On-instance ... Application Patching Issue Code Insecurity ... Incident Response Domains
  • 12. Incidents in the Infrastructure Domain AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Bastion App App W eb W eb Security groups Route table NACLsInternet Gateway Instance compromise
  • 14. Incidents in the Service Domain AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Bastion App App W eb W eb Credentials S3 bucket policies Changes in permissions
  • 16. Incidents in the Infrastructure Domain AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Bastion App App W eb W eb Security groups Route table NACLsInternet Gateway Instance compromise
  • 17. Incidents in the Infrastructure Domain AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Availability Zone C Availability Zone B VPC CIDR: 10.0.0.0/16 Availability Zone A 10.0.0.0/19 Public subnet 10.0.32.0/20 Private subnet 10.0.48.0/21 Sensitive subnet Bastion App App W eb W eb Security groups Route table NACLs Internet Gateway Instance compromise Amazon S3 Amazon RDS IAM AWS CloudHSM AWS Organizati ons AWS KMS AWS Directory Service
  • 19. INCIDENT MANAGEMENT AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 20. Definition Incident Response is an organized approach to addressing and managing the aftermath of a security breach or attack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 21. IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 22. IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Establish control • Can I Log into the console • Can I log into the instance • Can I review/copy logs/Cloudtrail • Can I copy information to a forensics account • Can I rotate credentials • Can I review billing • Can I isolate the instance
  • 23. IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Determine impact • Review logs/CloudTrail/VPC Flow for changes • Reviews Account resources • Review Billing • Review Access Permissions • Review Data Loss and targets
  • 24. IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Recover as needed • Do I remove instances • Do I change security groups • Do I remove user • Do I change credentials • Do I recover security groups
  • 25. IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Investigate root cause • How did this happen? • Why did this happen? • Who did it? • How can we stop it from happening again?
  • 26. IR Lifecycle Establish control Determine impact Recover as needed Investigate root cause Improve AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Improve • Improve our systems and processes • Iterate. Iterate. Iterate. Iterate.
  • 27. AWS Support Escalation Path • In situations where an escalation is required, customers can follow a pre-defined escalation path: – Submit a Support Case – Technical Account Manager – On-call Operation Manager – Global Enterprise Support Manager – Director of Support Engineering – VP of AWS Support AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 28. Preparation • Keep a pre-configured forensics AMI on hand • Decide on the forensic procedure • Create IAM role for incident responders and for the forensic workstation AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 29. Third Party Tools Response • AWS IR (ThreatResponse) Case Management • Incident Pony (ThreatResponse) Networking • Moloch • Wireshark Enterprise • Mandiant • EnCase • Forensic Tool Kit • Google Rapid Response Memory Capture • Fastdump • FTK Imager • LiME • Margarita Shotgun (ThreatResponse)
  • 30. SECURITY INCIDENT RESPONSE SIMULATIONS AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 31. What’s a SIRS? • Security Incident Response Simulations (SIRS) are internal events that provide a structured opportunity to practice your incident response plan during a realistic scenario. • SIRS events are fundamentally about being prepared and iteratively improving your response capabilities. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 32. Working back from customers • Customers voice the following reasons why they want to perform SIRS: – Validate readiness – Develop confidence – Learn from and train staff – Generate artifacts for accreditation – Be agile – Incremental improvement with laser focus – Become faster and improve tools – Refine escalation and communication – Develop comfort with the rare and the creative AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 33. Preparing for a simulation 1. Find an issue of importance. 2. Find skilled security geeks. 3. Build a realistic model system. 4. Build and test the scenario elements. 5. Invite other security geeks and real people. 6. Run the simulation live. 7. Get better and repeat. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 34. Key Simulation Elements AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0 Scenario Build Process Test Live Event
  • 35. When should I contact AWS? • If you are planning SIRS: – Obtain permission to perform penetration testing/scanning. – Confirm the SIRS does not violate the AWS Acceptable Use Policy. AMAZON CONFIDENTIAL Copyright ©2018 Amazon Web Services. All Rights Reserved Incident Response v4.0
  • 36. AWS Security Partner Solutions