10. Shamelessly borrowed from Dino Dai Zovi https://www.youtube.com/watch?v=86oTJjEnNEI
Corollary: overly focusing on OS-level protection misses avenues for cloud-level priv-esc attacks.
Corollary: overly focusing on the security of one service / product misses avenues for cloud-level compromise.
Corollary: overly focusing on DevOps and cattle-class environments misses avenues for persistence.
Attackers exploit new frontiers
...defenders are still fighting the last war.
22. Common EC2 Incidents
● Cryptojacking
● Information Disclosure via Vulnerability
● Pivot via Vulnerability
● AMI Poisoning
● Account Jumping
23. Common IAM Incidents
● Credential Leak - Access Keys
● Temporary Session Token Attacks
● Role Attacks (unintended access)
● Backdooring Roles for Persistence via STS Token
● Persistence via Typo Squatting
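The "Role Attacks" and "Backdooring Roles" items both come down to the role's trust policy (AssumeRolePolicyDocument): whoever it names can mint STS tokens for the role, and a backdoor is usually one extra statement appended to an otherwise legitimate document. The audit below is an added example written for this page, not tooling from the talk; the account ids, the set of trusted accounts and the sample policy documents are constructed for the example.

```python
"""Audit IAM role trust policies for backdoored or over-broad principals.

Added example for this page (not tooling from the talk).  A role's
AssumeRolePolicyDocument decides who can mint STS tokens for it, so a
responder checking for role attacks and backdoored roles starts here.
Account ids and policy documents below are constructed for the example.
"""

OWN_ACCOUNT = "111111111111"                      # assumed: the account under investigation
TRUSTED_ACCOUNTS = {OWN_ACCOUNT, "222222222222"}  # assumed: the only accounts expected in trusts


def _as_list(x):
    """IAM policy JSON allows a scalar wherever a list is allowed."""
    return x if isinstance(x, list) else [x]


def _account_of(principal):
    """Account id from 'arn:aws:iam::123456789012:role/x' or a bare '123456789012'."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn":
        return parts[4]
    return None


def _has_external_id(statement):
    cond = statement.get("Condition", {})
    return any("sts:ExternalId" in v for v in cond.values() if isinstance(v, dict))


def audit_trust_policy(role_name, doc):
    """Return a list of findings (strings) for one trust policy document."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in _as_list(values):
                if value == "*":
                    findings.append(f"{role_name}: wildcard principal in trust policy")
                elif kind == "AWS":
                    acct = _account_of(value)
                    if acct is None:
                        findings.append(f"{role_name}: unparseable principal {value}")
                    elif acct not in TRUSTED_ACCOUNTS:
                        findings.append(f"{role_name}: trusts foreign account {acct} via {value}")
                    elif acct != OWN_ACCOUNT and not _has_external_id(st):
                        findings.append(f"{role_name}: cross-account trust of {acct} without sts:ExternalId")
                elif kind == "Federated" and not st.get("Condition"):
                    findings.append(f"{role_name}: federated principal {value} with no Condition")
                # kind == "Service" (ec2.amazonaws.com etc.) is the normal case for instance roles
    return findings


# Constructed sample documents
CLEAN_ROLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

# The same role after an attacker appended a second statement: the original
# statement is untouched, so only a diff against a known-good copy shows it.
BACKDOORED_ROLE = {"Version": "2012-10-17", "Statement": [
    CLEAN_ROLE["Statement"][0],
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "Action": "sts:AssumeRole"}]}

WILDCARD_ROLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}

PARTNER_ROLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "222222222222"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "shared-secret"}}}]}


if __name__ == "__main__":
    for name, doc in [("clean", CLEAN_ROLE), ("backdoored", BACKDOORED_ROLE),
                      ("wildcard", WILDCARD_ROLE), ("partner", PARTNER_ROLE)]:
        for finding in audit_trust_policy(name, doc):
            print(finding)
```

In a real response you would feed this the documents from `iam:ListRoles` / `iam:GetRole`, and pair it with a CloudTrail search for `UpdateAssumeRolePolicy` on the flagged roles to find when and by whom the extra statement arrived.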
24. Common S3 Incidents
● Data leaks
● Website defacement
● Subdomain Takeovers
● Hosting malicious files
25. Incident Response
Basic first steps
● Create Internal Case File
● Create Support Case with AWS
○ Need to suppress AUP (Acceptable Use Policy) enforcement?
● Tag Resources under investigation
● Internal Disclosure
● Check Logging / Adjust
● Trigger Network Capture - VPC Flow Logs
28. Additional Evaluation
Lateral Movement Potential
● Assess other systems running in the same VPC
● Was the instance running in a role?
● Were there keys on the box?
29. Additional Evaluation
Evidence Preservation
● Do we have flow logs we can grab and archive for the incident?
● Do we need to do live response?
● Do we need to preserve a snapshot for offline forensics?
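The first-steps checklist (slide 25) and the lateral-movement questions (slide 28) map onto a handful of API calls. The script below is an added example written for this page, not the speaker's tooling; it drives boto3-style clients (in real use `boto3.client("ec2")` and `boto3.client("cloudtrail")`) and only relies on `create_tags`, `describe_instances`, `create_flow_logs`, `describe_trails` and `get_trail_status`, so it can be exercised offline with the stand-in clients included. The case id, tag key, evidence bucket and instance ids are constructed for the example.

```python
"""EC2 incident first steps, driven through boto3-style clients.

Added example for this page, not the speaker's tooling.  In real use the
clients are boto3.client("ec2") and boto3.client("cloudtrail"); only these
calls are made: create_tags, describe_instances, create_flow_logs,
describe_trails, get_trail_status.  FakeEC2/FakeCloudTrail and every id,
bucket and tag name below are constructed for the example.
"""

CASE_TAG = "IncidentCase"                                          # assumed tag key
FLOW_LOG_DEST = "arn:aws:s3:::ir-evidence-111111111111/flowlogs/"  # assumed bucket


def tag_for_investigation(ec2, resource_ids, case_id):
    """Tag every resource touched by the case so nobody auto-scales it away."""
    ec2.create_tags(Resources=list(resource_ids),
                    Tags=[{"Key": CASE_TAG, "Value": case_id},
                          {"Key": "UnderInvestigation", "Value": "true"}])
    return list(resource_ids)


def assess_instance(ec2, instance_id):
    """Answer the lateral-movement questions: VPC, role, key pair, neighbours."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    vpc_id = inst["VpcId"]
    same_vpc = ec2.describe_instances(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    peers = [i["InstanceId"] for r in same_vpc["Reservations"] for i in r["Instances"]
             if i["InstanceId"] != instance_id]
    return {
        "vpc_id": vpc_id,
        "instance_profile": inst.get("IamInstanceProfile", {}).get("Arn"),  # None: no role
        "key_name": inst.get("KeyName"),          # a key pair means keys were on the box
        "security_groups": [g["GroupId"] for g in inst.get("SecurityGroups", [])],
        "peers_in_vpc": peers,
    }


def stopped_trails(cloudtrail):
    """Trails whose logging is off; attackers call StopLogging, so this is itself a finding."""
    out = []
    for trail in cloudtrail.describe_trails()["trailList"]:
        if not cloudtrail.get_trail_status(Name=trail["TrailARN"]).get("IsLogging"):
            out.append(trail["Name"])
    return out


def start_flow_capture(ec2, vpc_id, case_id):
    """Turn on VPC Flow Logs to S3 for the whole VPC and tag the flow log to the case."""
    resp = ec2.create_flow_logs(ResourceIds=[vpc_id], ResourceType="VPC", TrafficType="ALL",
                                LogDestinationType="s3", LogDestination=FLOW_LOG_DEST)
    if resp.get("Unsuccessful"):
        raise RuntimeError(f"flow log creation failed: {resp['Unsuccessful']}")
    tag_for_investigation(ec2, resp["FlowLogIds"], case_id)
    return resp["FlowLogIds"]


def first_steps(ec2, cloudtrail, instance_id, case_id):
    """The checklist in order; returns what the internal case file should record."""
    assessment = assess_instance(ec2, instance_id)
    tagged = tag_for_investigation(ec2, [instance_id] + assessment["peers_in_vpc"], case_id)
    return {"case_id": case_id, "assessment": assessment, "tagged": tagged,
            "stopped_trails": stopped_trails(cloudtrail),
            "flow_log_ids": start_flow_capture(ec2, assessment["vpc_id"], case_id)}


class FakeEC2:
    """Stand-in for boto3's EC2 client: two constructed instances in one VPC."""
    def __init__(self):
        self.instances = [
            {"InstanceId": "i-0badc0ffee000001", "VpcId": "vpc-0abc", "KeyName": "prod-key",
             "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/web"},
             "SecurityGroups": [{"GroupId": "sg-0web"}]},
            {"InstanceId": "i-0badc0ffee000002", "VpcId": "vpc-0abc",
             "SecurityGroups": [{"GroupId": "sg-0db"}]},
        ]
        self.tags, self.flow_logs = {}, []

    def describe_instances(self, InstanceIds=None, Filters=None):
        sel = self.instances
        if InstanceIds:
            sel = [i for i in sel if i["InstanceId"] in InstanceIds]
        if Filters:
            vpcs = [f["Values"] for f in Filters if f["Name"] == "vpc-id"]
            sel = [i for i in sel if any(i["VpcId"] in v for v in vpcs)]
        return {"Reservations": [{"Instances": sel}]}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})
        return {}

    def create_flow_logs(self, **kw):
        fl = f"fl-{len(self.flow_logs):04d}"
        self.flow_logs.append(dict(kw, FlowLogId=fl))
        return {"FlowLogIds": [fl], "Unsuccessful": []}


class FakeCloudTrail:
    """Stand-in with one trail that an attacker has already stopped."""
    def describe_trails(self):
        return {"trailList": [{"Name": "org-trail",
                               "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"}]}

    def get_trail_status(self, Name):
        return {"IsLogging": False}


if __name__ == "__main__":
    import json
    print(json.dumps(first_steps(FakeEC2(), FakeCloudTrail(), "i-0badc0ffee000001", "IR-0001"), indent=2))
```

The order matters: assess and tag before you touch anything else, so that the peers you may need to look at next are already marked, and record a stopped trail as a finding rather than quietly turning it back on, since the StopLogging call itself is evidence of what the attacker did.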
35. S3 Compromises
What besides configuration?
Code Corruption Attacks
● Malicious Code in Pipeline
● Replacing Signatures Hosted in S3
Web Hosting Attacks
● Defacement
● Subdomain takeovers
● Malicious Download Hosting
Logs
● Attacks on CloudTrail Buckets via lifecycle manipulation
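A lifecycle rule that expires objects after a day or two is a quiet way to destroy the evidence in a CloudTrail bucket without ever calling DeleteObject, and it lands in CloudTrail itself as a PutBucketLifecycle event on the bucket. The scanner below is an added example written for this page, not tooling from the talk: it reads newline-delimited CloudTrail records and flags both attacks on the trail (StopLogging, DeleteTrail, and so on) and configuration changes to the trail bucket, inspecting lifecycle rules for short expirations. The bucket name, retention floor and sample records are constructed for the example.

```python
"""Detect tampering with CloudTrail and its S3 bucket from CloudTrail records.

Added example for this page, not tooling from the talk.  Scans NDJSON
CloudTrail records for attacks on the trail itself and for lifecycle rules
that age evidence out of the log bucket early.  TRAIL_BUCKET, the retention
floor and SAMPLE_RECORDS are constructed for the example.
"""
import json

TRAIL_BUCKET = "org-cloudtrail-111111111111"   # assumed: where the org trail writes
MIN_RETENTION_DAYS = 365                       # assumed: the retention policy floor

TRAIL_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
BUCKET_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration", "DeleteBucket",
                 "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl", "PutBucketVersioning"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def lifecycle_findings(params):
    """Lifecycle rules in a PutBucketLifecycle request that expire objects early."""
    out = []
    for rule in _as_list(params.get("LifecycleConfiguration", {}).get("Rule", [])):
        if rule.get("Status") != "Enabled":
            continue
        rid = rule.get("ID", "<no id>")
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and int(days) < MIN_RETENTION_DAYS:
            out.append(f"rule {rid}: objects expire after {days} day(s) (< {MIN_RETENTION_DAYS})")
        nc = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if nc is not None and int(nc) < MIN_RETENTION_DAYS:
            out.append(f"rule {rid}: noncurrent versions expire after {nc} day(s)")
    return out


def who(event):
    ident = event.get("userIdentity", {})
    return f"{ident.get('arn', ident.get('type', '?'))} from {event.get('sourceIPAddress', '?')}"


def analyse_event(event):
    """Return a list of finding strings for one CloudTrail record (empty if benign)."""
    name, source = event.get("eventName"), event.get("eventSource")
    params = event.get("requestParameters") or {}
    findings = []
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_EVENTS:
        findings.append(f"{name} on {params.get('name', '?')} by {who(event)}")
    elif (source == "s3.amazonaws.com" and name in BUCKET_EVENTS
          and params.get("bucketName") == TRAIL_BUCKET):
        details = lifecycle_findings(params) if name.startswith("PutBucketLifecycle") else []
        findings.append(f"{name} on trail bucket by {who(event)}"
                        + (": " + "; ".join(details) if details else ""))
    return findings


def scan(lines):
    """Scan NDJSON records; malformed lines are reported rather than skipped silently."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            findings.extend(analyse_event(json.loads(line)))
        except (ValueError, AttributeError) as e:
            findings.append(f"line {n}: unparseable record ({e})")
    return findings


# Constructed sample records: a benign read, a one-day expiration rule pushed
# from a compromised instance role, a StopLogging call, and a corrupt line.
SAMPLE_RECORDS = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                "requestParameters": {"bucketName": TRAIL_BUCKET, "key": "AWSLogs/x.json.gz"},
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analyst"},
                "sourceIPAddress": "10.0.0.5"}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
                "requestParameters": {"bucketName": TRAIL_BUCKET, "LifecycleConfiguration": {
                    "Rule": {"ID": "cleanup", "Status": "Enabled", "Filter": {"Prefix": ""},
                             "Expiration": {"Days": 1}}}},
                "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/deploy/i-0badc0ffee000001"},
                "sourceIPAddress": "203.0.113.7"}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "requestParameters": {"name": "org-trail"},
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup"},
                "sourceIPAddress": "203.0.113.7"}),
    "{not json",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f)
```

Any change to the trail bucket is reported even when the lifecycle rule looks harmless, because the bucket that holds your evidence should not be changing during an incident at all; the short-expiration detail just raises the priority. The same scanner is the place to add `DeleteObject` / `DeleteObjects` against the trail bucket and `PutBucketPolicy` grants to foreign accounts.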
36. Having a tough day in the cloud
Soft Issues
● Cease and desist goes to account owner
● No response role
● Gaining necessary access
● Lack of uniformity
● Lack of familiarity on side of responder
● What is normal?
Technical Issues
● Failed containment
● Destruction / mishandling of evidence
● Involves lots of instances (maybe)
● No auditd
● No syslogs
42. How does it work?
● SSH into target
● Interrogates system
● Fetches kernel module from repository
● Inserts that into system
● Delivers memory to
○ S3
○ local disk
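The five steps above, carried through in code as an added example written for this page (not the tool's own code): interrogate the kernel release, resolve a LiME module built for exactly that release, insert it with `path=` and `format=` options, pull the image back and verify its hash, then unload the module. The SSH transport is abstracted as a host object with `run`, `put` and `get` (with paramiko that maps to `exec_command` and SFTP); the module repository layout, remote paths and the `FakeHost` that lets it run offline are constructed for the example, and building a module for a kernel the repository does not know is out of scope here.

```python
"""Orchestrate a LiME memory capture over SSH, as the 'How does it work?' slide lays out.

Added example for this page, not the tool's own code.  The host object supplies
run(cmd) -> (rc, stdout), put(path, data) and get(path) -> bytes; with paramiko
that is exec_command plus SFTP.  MODULE_REPO (one .ko per exact kernel release),
remote paths, MEMORY_IMAGE and FakeHost are constructed for the example.
"""
import hashlib
import shlex

# Constructed stand-in for the kernel-module repository: release -> module bytes
MODULE_REPO = {"4.14.209-160.339.amzn2.x86_64": b"\x7fELF-lime-module-for-amzn2"}
MEMORY_IMAGE = b"\x00" * 64 + b"KERNEL-PAGES-GO-HERE" + b"\xff" * 64   # constructed
MEMORY_IMAGE_SHA256 = hashlib.sha256(MEMORY_IMAGE).hexdigest()


def kernel_release(host):
    rc, out = host.run("uname -r")
    if rc != 0:
        raise RuntimeError("could not interrogate kernel release")
    return out.strip()


def lime_command(module_path, dest):
    """LiME takes its options as one quoted string: path= (file or tcp:PORT) and format=."""
    return f'sudo insmod {module_path} "path={dest} format=lime"'


def acquire(host, dest="/tmp/mem.lime", repo=MODULE_REPO):
    """Interrogate, resolve module, insert it, pull the image back and verify its hash."""
    release = kernel_release(host)
    module = repo.get(release)
    if module is None:                      # LiME must match the exact running kernel
        raise RuntimeError(f"no prebuilt LiME module for {release}; compile one first")
    remote_module = f"/tmp/lime-{release}.ko"
    host.put(remote_module, module)
    rc, err = host.run(lime_command(remote_module, dest))
    if rc != 0:
        raise RuntimeError(f"insmod failed: {err.strip()}")
    try:
        # Hash on the box before transfer so a corrupted download is detectable.
        rc, out = host.run(f"sha256sum {dest}")
        if rc != 0:
            raise RuntimeError(f"sha256sum failed: {out.strip()}")
        remote_sha = out.split()[0]
        image = host.get(dest)
    finally:
        host.run("sudo rmmod lime")         # leave no module behind
        host.run(f"rm -f {dest} {remote_module}")
    local_sha = hashlib.sha256(image).hexdigest()
    if local_sha != remote_sha:
        raise RuntimeError("memory image hash mismatch after transfer")
    return {"kernel": release, "bytes": len(image), "sha256": local_sha}


class FakeHost:
    """Emulates just enough of a Linux target for the example to run offline."""
    def __init__(self, release="4.14.209-160.339.amzn2.x86_64"):
        self.release, self.fs, self.commands = release, {}, []

    def run(self, cmd):
        self.commands.append(cmd)
        argv = shlex.split(cmd)
        if argv == ["uname", "-r"]:
            return 0, self.release + "\n"
        if argv[:2] == ["sudo", "insmod"]:
            if argv[2] not in self.fs:
                return 1, "insmod: ERROR: could not load module"
            opts = dict(kv.split("=", 1) for kv in argv[3].split())
            self.fs[opts["path"]] = MEMORY_IMAGE          # the dump LiME would write
            return 0, ""
        if argv[0] == "sha256sum":
            return 0, f"{hashlib.sha256(self.fs[argv[1]]).hexdigest()}  {argv[1]}\n"
        if argv[:2] == ["sudo", "rmmod"]:
            return 0, ""
        if argv[:2] == ["rm", "-f"]:
            for p in argv[2:]:
                self.fs.pop(p, None)
            return 0, ""
        return 127, f"{argv[0]}: command not found"

    def put(self, path, data):
        self.fs[path] = data

    def get(self, path):
        return self.fs[path]


if __name__ == "__main__":
    print(acquire(FakeHost()))
```

Writing the image to the target's own disk, as this example does, is the "local disk" option from the slide and overwrites unallocated space you might have wanted; `path=tcp:PORT` with the image streamed out over a forwarded SSH port (and straight into S3) avoids that, at the cost of the extra plumbing. Either way, record the remote hash in the case file before anything else touches the image.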
43. What's new?
10x faster, with compression support at the endpoint.
Jump box support.
Auto module resolution with LiME compiler.
Props to @joelferrier!
59. Contributors:
Alex McCormack
Joel Ferrier
Graham Jones
Toni de la Fuente
Jeff Parr
Jeff Bryner
Daniel Hartnell
Kevin Hock
Julien Vehent
Gene Wood
Henrik Johansson
Beetle Bailey
Rich Jones
Greg Guthe
Vegard Vaage