Toni de la Fuente (@ToniBlyx :: blyx.com)
Lead Security Operations / Senior Cloud Security Architect
Digital Forensics as a Service:
DFIR in the Cloud
Prowler / phpRADmin / Alfresco BART / Docs
Once upon a time…
• Digital Forensics IN and OF the Cloud
• Generic Challenges
• Attacks
• Incident Response
• Hardening Security IN the Cloud!
Reference architecture (diagram on the slide): Alfresco on AWS
• One AWS Region, VPC 10.0.0.0/16, two Availability Zones
• Public subnets 10.0.128.0/20 and 10.0.144.0/20: Internet gateway, one NAT gateway and one EC2 Bastion per AZ (10.0.128.5 and 10.0.144.5)
• Private subnets 10.0.0.0/19 and 10.0.32.0/19: Alfresco One Auto Scaling Group (Alfresco Servers) behind Elastic Load Balancing, and Alfresco Index Auto Scaling Group (Index Servers)
• Amazon RDS MySQL Master and Slave; S3 for Shared Content Store
* Immutable infrastructure
Generic Forensics Challenges
Disadvantages and Challenges for Cloud Forensics and Operations
• Ubiquity: enumeration; legal jurisdiction
• Elasticity: preservation of evidence; data integrity
• Data persistence (replication): chain of custody; evidence integrity
• Multi-tenancy: data attribution; chain of custody
• Abstraction: determining the best evidence; preservation and visualization of evidence
• Quantity of data and Big Data: systems that cannot be investigated or managed in a traditional manner
• Knowledge: trained staff; continuous evolution and new features almost daily
• Providers: service level agreement / service level objectives; client-provider relationship / transparency
Service Level Objectives to Guarantee with Provider
IaaS | PaaS | SaaS
Provider's network logs | Web server logs | Web server logs
DNS provider logs | Application server logs | Application server logs
Virtual machine hypervisor logs | Tenant operating system logs | Database logs
Host logs | Host access logs | Host access logs
API logs | Virtualization platform logs | Virtualization platform logs
Management portal logs | Management portal logs | Management portal logs
Packet capture logs | Packet capture logs | Packet capture logs
Billing records | Billing records | Billing records
Traditional vs Cloud Forensics
Process | Aspect | Traditional Forensics | Cloud Forensics
Identification | Identification of an event or incident | Multiple tools | Few tools
Preservation | Securing and assessment of the scene | Yes | No
Preservation | Documentation of the scene | Yes | No
Preservation | Evidence collection: origin of the evidence | Physical hardware | Virtual hardware
Preservation | Evidence collection: location of the evidence | Crime scene | Provider's data center
Preservation | Marking, packaging and transport | Physical | Digital through the Internet or physical media
Acquisition / Extraction | Acquisition time | Slow | Fast
Acquisition / Extraction | RAM acquisition | Yes | Dependent
Acquisition / Extraction | Hash | Slow | Fast
Acquisition / Extraction | Erased data recovery | Possible | Difficult
Acquisition / Extraction | Metadata acquisition | Yes | Yes
Acquisition / Extraction | Time stamp | Precise | Complex
Acquisition / Extraction | Installation (action) of forensic software | Expensive | Cheap
Acquisition / Extraction | Configuration and availability of forensic software | Expensive | Cheap
Acquisition / Extraction | Transport | Yes | No
Analysis | Analysis | Slow | Fast (potentially)
Presentation | Documentation of evidence | Acquired evidence | Data from many sources
Presentation | Declaration | Common | Difficult to explain to a judge
Storage Options
Objects
• AWS: S3 Object Storage: buckets; 5TB max per object; encryption in-flight and at-rest
• Azure: Azure Storage: blob storage; 500TB limit per storage account; encryption in-flight and at-rest
• GCP: Google Cloud Storage: buckets; 5TB max per object; encryption in-flight and at-rest
SAN / Block
• AWS: EBS (Volumes): volume size 1GB to 16TB (in 1GB increments); magnetic, SSD; encryption available; snapshots
• Azure: Azure Virtual Disks: page blobs; volume size 32GB to 4TB; standard (magnetic), SSD premium; snapshots; encryption available
• GCP: Google Block Storage: volume size 1GB to 10TB; magnetic, SSD; snapshots; encryption by default
NAS
• AWS: Shared Storage (NFS4.0/4.2): EFS
• Azure: File Storage (SMB3.0)
• GCP: Single Node File Server + others
Archive
• AWS: Glacier
• Azure: Azure Backup
• GCP: Google Cloud Storage Nearline
Migration
• AWS: Import Export / Snowball
• Azure: Import Export
• GCP: Third-party solution (Iron Mountain, etc.)
CDN
• AWS: AWS CloudFront (CDN)
• Azure: Azure CDN
• GCP: Google Cloud CDN
* Ephemeral, DBs, Queues, Caching and Storage GW not included
Common Attacks
Common incidents
• Top 3: EC2, IAM, S3
– Access Keys compromise
– Information leaks through misconfigured services or DNS
– Phishing attacks
– Compromised resources
– Poisoned AMI
– Application running in a role
– Infection through 3rd party services
– Hybrid attacks
– Subdomain takeovers
– Bitcoin mining
– Did I say MISCONFIGURATIONS?
• Other services (RDS, ES, Redshift)
• What about targeted attacks?
S3 Leaks
• Time Warner (BroadSoft)
• Verizon
• Auto Lender
• U.S. Voters
• And many others! https://github.com/nagwww/s3-leaks
• Amazon Macie: machine learning to discover and classify sensitive data in AWS (PII or intellectual property).
Where to find AWS Access Keys…
• UserData, CloudFormation, Metadata Server
• Code: Github or other source code repositories, versions, commit history*
• Public EBS volumes
• Public AMIs
• Public S3 buckets
• Workstation or Server: ~/.aws/credentials or C:\Users\USERNAME\.aws\credentials
• Containers
• Dev Tools: Vagrant images, Packer files, Bamboo, Jenkins…
• Vim swap files
• Service Providers (Slack bots, DataDog, CloudHealth, Okta, OneLogin, etc.)
• Google…
*See truffleHog from dxa4481 in Github
Some fun with Social Engineering…
Change the default Spotlight shortcut and don't trust USBs!
Incident Response
• Notifications from AWS
• Access activity (IAM)
• Billing activity (Budget alerts): the new cloud IDS!
• API Logs
• CloudWatch Events/Alarms
• Service Specific Events
• Dashboards
• CloudWatch
• Personal Health
• Cost Explorer
• Other
• Third party (dedicated tools)
• NIDS (Snort, Suricata, etc.)
• HIDS (Wazuh/OSSEC, Osquery, rkhunter, Auditd)
• ELK
Incident Indicators
https://cloudonaut.io/aws-monitoring-primer/
Cloud Incident Handling Workflow
(Flowchart on the slide; its nodes are grouped here by branch.)
Start
• Create Internal Case
• Create Support Case with Provider
• TAG resources under investigation
Credential Compromise
• Disable Keys; Revoke Access; Revoke Sessions
• Check new resources created; make an API log report if logging is enabled
• If found, isolate them
• Create a report
Instance Compromise
• Isolate it? If yes, apply the Isolation SG
• Trigger a network capture / VPC Logs
• Outside info acquisition (instance profile, endpoints, metadata, etc.)
• Take a snapshot of all volumes
• Live or Dead?
• Live:
– Attach the Tools Volume and the Evidence Collection Volume
– Log in to the instance
– Perform Evidence Acquisition: RAM acquisition (pre-built Volatility profile, pre-built LiME kernel module); NIC network scan from a separate network with Internet access
– Tools: Windows_Life_Response, Sysinternals, Nirsoft, FTK Imager
• Dead:
– Stop it
– Make snapshots of the volumes
– Attach the volumes and the Evidence Collection Volume to the Forensic Workstation (CAINE / SIFT / DEFT / FCCU / HELIX3 / FIRE)
– Log in to the Forensic Workstation
– Analyze / Further Investigation (Autopsy, Sleuthkit); perform timeline
* Hashing comparison against the gold image, carving, cloud-init, search for malware, IOC, etc.
Assets Acquisition Specific to AWS
Perform Evidence Acquisition:
• AWS Infrastructure Logs: CloudTrail and VPC FlowLogs
• AWS Service Logs: S3 Logs, RDS Logs, Lambda, API Gateway, Route53, CloudFront, etc.
• Host Based Logs (volume snapshot): messages/system, security, audit, applications, etc.
• Additional data from the AWS view: instance profile, endpoints, syslogs, screen, metadata, etc.
• More outside: limits, check resource creation from a given date (all regions)
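The "check new resources created / make API log report" step of the credential-compromise branch and the "check resource creation from a given date (all regions)" item above, as an added example that is not part of the original slides: pure-Python triage over CloudTrail records in the JSON shape CloudTrail delivers to S3. The access key ID, account number, IP addresses and resource IDs are constructed sample values.

```python
"""Triage CloudTrail records after an access-key compromise.

Added example (not from the original slides). Given CloudTrail records, list
every resource-creating API call made with the compromised key since a given
time, grouped by region, so the "check new resources created" step has a
report to work from instead of a console search.
"""
import json
from datetime import datetime, timezone

# Constructed sample records: two creations with the compromised key after
# the cut-off, one read-only call, one older creation, one by another key.
SAMPLE_RECORDS = json.loads(r'''
{"Records": [
 {"eventTime": "2018-05-01T10:02:11Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-west-2",
  "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLECOMPROMISED"},
  "sourceIPAddress": "203.0.113.7",
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc1234"}]}}},
 {"eventTime": "2018-05-01T10:05:40Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "awsRegion": "us-east-1",
  "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLECOMPROMISED"},
  "sourceIPAddress": "203.0.113.7",
  "responseElements": {"user": {"userName": "backup-svc", "arn": "arn:aws:iam::111122223333:user/backup-svc"}}},
 {"eventTime": "2018-05-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "us-west-2",
  "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLECOMPROMISED"},
  "sourceIPAddress": "203.0.113.7", "responseElements": null},
 {"eventTime": "2018-04-30T09:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "eu-west-1",
  "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLECOMPROMISED"},
  "sourceIPAddress": "198.51.100.4",
  "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0old9999"}]}}},
 {"eventTime": "2018-05-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "CreateBucket", "awsRegion": "us-east-1",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEOTHERKEY"},
  "sourceIPAddress": "192.0.2.10",
  "responseElements": null, "requestParameters": {"bucketName": "alice-reports"}}
]}
''')

# API verbs that bring a new resource, grant or access path into existence.
CREATION_PREFIXES = ("Create", "Run", "Put", "Attach", "Authorize", "Import", "Register")


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_creation_event(event_name):
    return event_name.startswith(CREATION_PREFIXES)


def extract_resource_ids(record):
    """Pull identifiers from the response/request fields we know how to read."""
    ids = []
    resp = record.get("responseElements") or {}
    for item in (resp.get("instancesSet") or {}).get("items", []):
        ids.append(item["instanceId"])
    if "user" in resp:
        ids.append(resp["user"].get("arn") or resp["user"].get("userName"))
    req = record.get("requestParameters") or {}
    if "bucketName" in req:
        ids.append(req["bucketName"])
    return ids


def new_resources_since(records, access_key_id, since):
    """Map region -> creation events made with access_key_id at or after since."""
    report = {}
    for rec in records:
        if rec["userIdentity"].get("accessKeyId") != access_key_id:
            continue
        if parse_time(rec["eventTime"]) < since:
            continue
        if not is_creation_event(rec["eventName"]):
            continue
        report.setdefault(rec["awsRegion"], []).append({
            "time": rec["eventTime"],
            "call": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
            "source_ip": rec["sourceIPAddress"],
            "resources": extract_resource_ids(rec),
        })
    return report


def format_report(report):
    """Plain-text report, one region per block, for the incident case file."""
    lines = []
    for region in sorted(report):
        lines.append(f"[{region}]")
        for e in report[region]:
            targets = ", ".join(e["resources"]) or "?"
            lines.append(f"  {e['time']} {e['call']} from {e['source_ip']} -> {targets}")
    return "\n".join(lines)


if __name__ == "__main__":
    since = parse_time("2018-05-01T00:00:00Z")
    found = new_resources_since(SAMPLE_RECORDS["Records"], "AKIAEXAMPLECOMPROMISED", since)
    print(format_report(found))
```

Every region listed in the report is a place where the "if found, isolate them" step still has work to do.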
Digital Forensics as a Service? How to be Prepared
• DFaaS: capabilities we can use from a cloud vendor to perform tasks related to Digital Forensics
• Multi Account Strategy
• Dedicated Account for Forensics
• Dedicated Account for Security Operations
• Acquisition tools ready to use
• Live Data
• Acquire data, what data?
• CIS Benchmark security assessment tool (52 checks + 20 additional)
• New “forensics-ready” group of checks:
• Checks if you are collecting all you may need in case of an incident
• Forensics as a Service helper
• CloudTrail, S3, Config, VPCFlowlog, Macie, GuardDuty, CloudFront, ES, Lambda, ELB/ALB, Route53, Redshift and more
• https://github.com/Alfresco/prowler
<DEMO>
Prowler, specific group check for AWS forensics readiness
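What a forensics-readiness check of the kind described above actually evaluates, as an added example written here (not Prowler's own code, which is a bash script): the CloudTrail and VPC Flow Logs checks as pure functions over the field names the AWS CLI returns for `describe-trails`, `get-trail-status`, `describe-vpcs` and `describe-flow-logs`, with constructed sample output so it runs offline.

```python
"""Forensics-readiness checks over AWS API output.

Added example, not Prowler's own code. The point of a readiness check is to
find the gaps before an incident: an API record that covers only one region,
a trail whose log files cannot be proven untampered, or a VPC whose network
evidence was never collected.
"""

# Constructed sample output. One multi-region trail exists but has log-file
# validation off; vpc-0b has no flow log; vpc-0c only logs accepted traffic.
TRAILS = [
    {"Name": "main-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False,
     "S3BucketName": "org-cloudtrail-logs",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main-trail"},
]
TRAIL_STATUS = {"arn:aws:cloudtrail:us-east-1:111122223333:trail/main-trail": {"IsLogging": True}}
VPCS = [{"VpcId": "vpc-0a"}, {"VpcId": "vpc-0b"}]
FLOW_LOGS = [
    {"ResourceId": "vpc-0a", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE",
     "LogDestinationType": "cloud-watch-logs"},
    {"ResourceId": "vpc-0c", "TrafficType": "ACCEPT", "FlowLogStatus": "ACTIVE",
     "LogDestinationType": "s3"},
]


def check_cloudtrail(trails, status_by_arn):
    """Need an actively logging multi-region trail (every region's API calls
    land in one record) with log file validation on (tamper-evident digests)."""
    findings = []
    active_multi = [
        t for t in trails
        if t.get("IsMultiRegionTrail") and status_by_arn.get(t["TrailARN"], {}).get("IsLogging")
    ]
    if active_multi:
        names = ", ".join(t["Name"] for t in active_multi)
        findings.append(("PASS", "cloudtrail", f"multi-region trail logging: {names}"))
    else:
        findings.append(("FAIL", "cloudtrail", "no active multi-region trail"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(("FAIL", "cloudtrail", f"{t['Name']}: log file validation disabled"))
    return findings


def check_flow_logs(vpcs, flow_logs):
    """Every VPC needs an ACTIVE flow log with TrafficType ALL; ACCEPT-only or
    REJECT-only logs leave half of the network evidence uncollected."""
    findings = []
    by_vpc = {}
    for fl in flow_logs:
        by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    for vpc in vpcs:
        vid = vpc["VpcId"]
        good = [fl for fl in by_vpc.get(vid, [])
                if fl["FlowLogStatus"] == "ACTIVE" and fl["TrafficType"] == "ALL"]
        if good:
            findings.append(("PASS", "vpcflowlogs",
                             f"{vid}: flow log ALL traffic -> {good[0]['LogDestinationType']}"))
        elif by_vpc.get(vid):
            findings.append(("FAIL", "vpcflowlogs", f"{vid}: flow log exists but TrafficType is not ALL"))
        else:
            findings.append(("FAIL", "vpcflowlogs", f"{vid}: no flow log"))
    return findings


def readiness_report(trails, status_by_arn, vpcs, flow_logs):
    """All findings plus the count of FAILs, the number an operator must drive to zero."""
    findings = check_cloudtrail(trails, status_by_arn) + check_flow_logs(vpcs, flow_logs)
    failed = sum(1 for f in findings if f[0] == "FAIL")
    return findings, failed


if __name__ == "__main__":
    findings, failed = readiness_report(TRAILS, TRAIL_STATUS, VPCS, FLOW_LOGS)
    for level, group, msg in findings:
        print(f"{level:4} {group:12} {msg}")
    print(f"{failed} finding(s) to fix before an incident, not during one")
```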
IRDF Automation Tools
Digital Forensics as a Service: Tools/Challenges
• Userland / Process Memory Acquisition
• AWS System Manager (ssm)
• aws_ir, Margaritashotgun (LiME)
• Volatility and Rekall automation
• ECFS: extended core file snapshot format
• Containers
• Analysis process
• IOC
• Something like LibVMI (VM introspection) would help (Volatility integration)
• Storage Acquisition and Processing
• Depends on the Storage used
• Easier for EBS Snapshots → Volumes
• DFTimewolf (Grr)
• Multiple Account Tools, Resources and Vendors
• We don’t capture just one resource!
• Enterprise grade
• Processing collected data
• Turbinia
• Plaso
• Laika BOSS
• BinaryAlert
• Analyze data
• Timeline with ALL ACQUIRED DATA?
• Timesketch
• EVERYTHING? Room to improve here!
• Multiple data formats
• Multiple sources
• Correlation
Threat Response Tools
• Incident Response Tool for AWS
• http://threatresponse.cloud/
• Compromised AWS API credentials (Access Keys)
• Mitigate compromise: Lock
• Compromised EC2 instance
• Mitigate compromise
• Isolation
• Collect evidence
• Memory acquisition
• Plugins
• gather_host (metadata, screen, console)
• tag_host
• examineracl_host
• get_memory
• isolate_host
• stop_host
<DEMO>
ThreatResponse: aws_ir, margaritashotgun
• Instance compromise https://youtu.be/-dnljYRMMsU
SANS Reading Room: DF Analysis of an EC2 Instance
Kudos! Ken Hartman https://www.kennethghartman.com
Hardening
Instance / Network / Provider
• Put all what you need in your well known AMI (gold image):
• Hardening applied / Tested (Packer/Vagrant)
• CIS Benchmark!
• No configuration or access needed
• Local tools
• Osquery / Wazuh-OSSEC / rkhunter / grr
• Update rules / serverless
• Local configuration (SELinux/AppArmor)
• AuditD
• Collect telemetry host network data (Snort/Suricata)
• Collect everything your provider allows you
• Networking
• APIs / Accesses (AWS API Call Limit)
• Red Team / Third party pentesting*
Auditing, Assessment and Hardening Tools
• AWS
• Amazon GuardDuty
• Amazon Macie
• AWS Trusted Advisor
• AWS CloudTrail
• Amazon Inspector
• AWS Organizations
• AWS Config Rules
• Alfresco: Prowler
• Wazuh (wodle)
• Nccgroup: Scout2
• Netflix: SecurityMonkey
• Capital One: CloudCustodian
• AWS CIS Benchmark Python code and Lambda functions
• CloudSploit
• Widdix Hardening Templates
• Awslimitchecker
• Git Secrets (AWS)
• Azure
• Security Center
• OMS Security & Compliance
• Azure Log Analytics
• Windows Defender
• Azure Op Insights
• MWR Azurite
• AzSDK
• AzureStackTools
• GCP
• Spotify: gcp-audit
• SecurityMonkey
• ALL:
• Analytics (ELK, Splunk, etc)
Takeaways
This presentation and some bits already available at:
https://github.com/toniblyx/SANSCloudSecuritySummit2018
Thanks!
Special Thanks to:
Ismael Valenzuela @aboutsecurity
Andrew K. @andrewkrug & ThreatResponse.cloud Team
Alex Maestretti @maestretti
Lorenzo Martinez @lawwait
Lórien Domenech @loriendr
Open Source Community improving Prowler!
Questions?
toni@blyx.com - @ToniBlyx
References
• Cloud Security Alliance, Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing, June 2013
• Dr. Keyun Ruan, University College Dublin, Designing a Forensic-enabling Cloud Ecosystem, 2013
• International Standard ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence, October 2012
• Josiah Dykstra, Digital Forensics for IaaS Cloud Computing, June 2012
• Keyun Ruan, Ibrahim Baggili (PhD), Prof Joe Carthy, Prof Tahar Kechadi, University College Dublin, Zayed University, Survey on Cloud forensics and critical criteria for Cloud forensic capability: A preliminary analysis
• Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie, Cloud Forensics
• Keyun Ruan, University College Dublin, Cloud Forensics: challenges & opportunities, 2010
• NIST Cloud Computing Forensic Science Working Group, Information Technology Laboratory, NIST Cloud Computing Forensic Science Challenges, June 2014
• Peter Mell, Timothy Grance, NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011
• Report From the First Digital Forensic Research Workshop (DFRWS), A Road Map for Digital Forensic Research, August 2001
• Yuanfeng Wen, Xiaoxi Man, Khoa Le and Weidong Shi, Forensics-as-a-Service (FaaS): Computer Forensic Workflow Management and Processing Using Cloud
• http://static1.squarespace.com/static/5417f7f9e4b0b77770545590/t/56f3c598906340a7f6e78dbd/1458816415654/AWS_Cloud_and_Security.pdf
• https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf
• https://alestic.com/2015/10/aws-iam-readonly-too-permissive/
• Backdooring an AWS account
• Exploring an AWS account post-compromise
• Disrupting AWS logging
• AWS IAM "ReadOnlyAccess" Managed Policy is Too Permissive (For Us)
• Access Keys will kill you before you kill the password
• Account Jumping Post Infection Persistency and Lateral Movement in AWS
• Disrupt CloudTrail and pwning automation tools
• RSA 2017 talk: Cloud Security Automate or Die, same title as mine but a bit different approach
• RSA 2017 talk: Securing Serverless applications in the Cloud
• RSA 2017 talk: DevSecOps on the Offense: Automating Amazon Web Services Account Takeover
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/when-a-web-application-ssrf-causes-the-cloud-to-rain-credentials-and-more/
• https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235

Alfresco Backup and Disaster Recovery White Paper
 
Alfresco One (Enterprise) vs Alfresco Community 2014
Alfresco One (Enterprise) vs Alfresco Community 2014Alfresco One (Enterprise) vs Alfresco Community 2014
Alfresco One (Enterprise) vs Alfresco Community 2014
 
Alfresco Backup and Recovery Tool: a real world backup solution for Alfresco
Alfresco Backup and Recovery Tool: a real world backup solution for AlfrescoAlfresco Backup and Recovery Tool: a real world backup solution for Alfresco
Alfresco Backup and Recovery Tool: a real world backup solution for Alfresco
 
Comparativa entre Alfresco Enterprise vs Community
Comparativa entre Alfresco Enterprise vs Community Comparativa entre Alfresco Enterprise vs Community
Comparativa entre Alfresco Enterprise vs Community
 
Alfresco Security Best Practices 2012
Alfresco Security Best Practices 2012Alfresco Security Best Practices 2012
Alfresco Security Best Practices 2012
 
Monitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/IcingaMonitoring Alfresco with Nagios/Icinga
Monitoring Alfresco with Nagios/Icinga
 
Nuevo Alfresco Records Management 2.0
Nuevo Alfresco Records Management 2.0Nuevo Alfresco Records Management 2.0
Nuevo Alfresco Records Management 2.0
 
Consejos de seguridad con Alfresco
Consejos de seguridad con AlfrescoConsejos de seguridad con Alfresco
Consejos de seguridad con Alfresco
 
Alfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en españolAlfresco y SOLR, presentación en español
Alfresco y SOLR, presentación en español
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

SANS Cloud Security Summit 2018: Forensics as a Service

  • 1. Toni de la Fuente (@ToniBlyx :: blyx.com) Lead Security Operations / Senior Cloud Security Architect Digital Forensics as a Service: DFIR in the Cloud
  • 2. Prowler / phpRADmin / Alfresco BART / Docs
  • 3. Once upon a time… • Digital Forensics IN and OF the Cloud • Generic Challenges • Attacks • Incident Response • Hardening Security IN the Cloud!
  • 4. [Reference architecture diagram] AWS Region with one VPC (10.0.0.0/16) behind an Internet gateway, spread over Availability Zone 1 and Availability Zone 2. Each zone has a public subnet (10.0.128.0/20 and 10.0.144.0/20) holding a NAT gateway and an EC2 bastion (10.0.128.5 and 10.0.144.5), and a private subnet (10.0.0.0/19 and 10.0.32.0/19) holding the Alfresco One Auto Scaling Group (Alfresco Servers) and the Alfresco Index Auto Scaling Group (Index Servers). Elastic Load Balancing in front of the Alfresco servers; Amazon RDS MySQL Master and Slave; S3 for Shared Content Store. * Immutable infrastructure
  • 6. Disadvantages and Challenges: Cloud Forensics and Operations
      – Ubiquity: Enumeration; Legal jurisdiction
      – Elasticity: Preservation of evidence; Data integrity
      – Data persistence (replication): Chain of custody; Evidence integrity
      – Multi-tenancy: Data attribution; Chain of custody
      – Abstract: Determine the best evidence; Preservation and visualization of evidence
      – Quantity of data and Big Data: Systems that cannot be investigated or managed in a traditional manner
      – Knowledge: Trained staff; Continuous evolution and new features almost daily
      – Providers: Service level agreement / service level objectives; Relationship client-provider / transparency
  • 7. Service Level Objectives to Guarantee with Provider (logs to request, by service model)
      – IaaS: Provider’s network logs; DNS providers logs; Virtual machine hypervisor logs; Host logs; API logs; Management portal logs; Packet capture logs; Billing records
      – PaaS: Web server logs; Application server logs; Tenant operating system logs; Host access logs; Virtualization platform logs; Management portal logs; Packet capture logs; Billing records
      – SaaS: Web server logs; Application server logs; Database logs; Host access logs; Virtualization platform logs; Management portal logs; Packet capture logs; Billing records
  • 8. Traditional vs Cloud Forensics Processes (Traditional Forensics | Cloud Forensics)
      – Identification: Identification of an event or incident: Multiple tools | Few tools
      – Preservation: Securitization and assessment of the scene: Yes | No; Documentation of the scene: Yes | No; Evidence collection, origin of the evidence: Physical hardware | Virtual hardware; Evidence collection, location of the evidence: Crime scene | Provider’s data center; Marking, packaging and transport: Physical | Digital through the Internet or physical media
      – Acquisition / Extraction: Acquisition time: Slow | Fast; RAM acquisition: Yes | Dependent; Hash: Slow | Fast; Erased data recovery: Possible | Difficult; Metadata acquisition: Yes | Yes; Time stamp: Precise | Complex; Installation (action) of forensic software: Expensive | Cheap; Configuration and availability of forensic software: Expensive | Cheap; Transport: Yes | No
      – Analysis: Analysis: Slow | Fast (potentially)
      – Presentation: Documentation of evidence: Acquired evidence | Data from many sources; Declaration: Common | Difficult to explain to a judge
  • 9. Storage Options (AWS | Azure | GCP)
      – Objects: S3 Object Storage (Buckets; 5TB max per object; Encryption in-flight and at-rest) | Azure Storage (Blob storage; 500TB limit per storage account; Encryption in-flight and at-rest) | Google Cloud Storage (Buckets; 5TB max per object; Encryption in-flight and at-rest)
      – SAN / Block: EBS (Volumes) (Volume size 1GB to 16TB, in 1GB increments; Magnetic, SSD; Encryption available; Snapshots) | Azure Virtual Disks (Page blobs; Volume size 32GB to 4TB; Standard (Magnetic), SSD premium; Snapshots; Encryption available) | Google Block Storage (Volume size 1GB to 10TB; Magnetic, SSD; Snapshots; Encryption by default)
      – NAS: Shared Storage (NFS 4.0/4.2), EFS | File Storage (SMB 3.0) | Single Node File Server + Others
      – Archive: Glacier | Azure Backup | Google Cloud Storage Nearline
      – Migration: Import Export / Snowball | Import Export | Third Party Solution (Iron Mountain, etc.)
      – CDN: AWS CloudFront (CDN) | Azure CDN | Google Cloud CDN
      * Ephemeral, DBs, Queues, Caching and Storage GW not included
  • 11. Common incidents
      • Top 3: EC2, IAM, S3
        – Access Keys compromise
        – Information leaks through misconfigured services or DNS
        – Phishing attacks
        – Compromised resources
        – Poisoned AMI
        – Application running in a role
        – Infection through 3rd party services
        – Hybrid attacks
        – Subdomain takeovers
        – Bitcoin mining
        – Did I say MISCONFIGURATIONS?
      • Other services (RDS, ES, Redshift)
      • What about targeted attacks?
  • 12. S3 Leaks • Time Warner (BroadSoft) • Verizon • Auto Lender • U.S. Voters • And many others! https://github.com/nagwww/s3-leaks • Amazon Macie: Machine Learning, discover and classify sensitive data in AWS. PII or intellectual property.
  • 13. Where to find AWS Access Keys…
      • UserData, CloudFormation, Metadata Server
      • Code: Github or other source code repositories, versions, commit history*
      • Public EBS volumes
      • Public AMIs
      • Public S3 buckets
      • Workstation or Server: ~/.aws/credentials or C:\Users\USERNAME\.aws\credentials
      • Containers
      • Dev Tools: Vagrant images, Packer files, Bamboo, Jenkins…
      • Vim swap files
      • Service Providers (Slack bots, DataDog, CloudHealth, Okta, OneLogin, etc.)
      • Google…
      *See truffleHog from dxa4481 in Github
  • 14. Some fun with Social Engineering… Change the default Spotlight shortcut and don't trust USBs!
  • 16. Incident Indicators
      • Notifications from AWS
      • Access activity (IAM)
      • Billing activity (Budget alerts): new cloud IDS!
      • API Logs
      • CloudWatch Events/Alarms
      • Service Specific Events
      • Dashboards: CloudWatch; Personal Health; Cost Explorer
      • Other: Third party (dedicated tools); NIDS (Snort, Suricata, etc.); HIDS (Wazuh/OSSEC, Osquery, rkhunter, Auditd); ELK
      https://cloudonaut.io/aws-monitoring-primer/
  • 17. Cloud Incident Handling Workflow (flowchart; nodes grouped by branch)
      Start: Incident → Instance Compromise or Credential Compromise
      Instance Compromise:
        – TAG Resources under investigation; Create Internal Case; Create Support Case with Provider
        – Outside Info Acquisition (instance profile, endpoints, metadata, etc.)
        – Isolate it? Yes: Apply Isolation SG; Trigger a Network Capture / VPC Logs
        – Start Forensic Workstation; Live or Dead?
        – Live: Attach the Tools Volume; Attach the Evidence Collection Volume; Log in to the instance; RAM Acquisition (pre-built LiME kernel module, pre-built Volatility profile); Perform Evidence Acquisition; Perform Timeline
        – Dead: Take snapshot of all volumes; Stop it; Make Volumes from Snapshots; Attach Volumes to Forensic Workstation; Attach the Evidence Collection Volume; Log in to the Forensic Workstation
        – NIC Network Scan: Separate Network with Internet Access to Scan
        – Analyze / Further Investigation*; Create a report
        – Tools: CAINE / SIFT / DEFT / FCCU / HELIX3 / FIRE; Windows_Life_Response; Sysinternals; Nirsoft; FTK Imager; Autopsy; Sleuthkit
      Credential Compromise:
        – Disable Keys; Revoke Access; Revoke Sessions
        – Check new resources created; If found: Isolate them
        – Make API log report if enabled
        – Create a report
      * Hashing comparison with gold image, carving, cloud-init, search malware, IOC, etc.
  • 18. Assets Acquisition Specific to AWS: Perform Evidence Acquisition
      – AWS Infrastructure Logs: CloudTrail and VPC Flow Logs
      – AWS Service Logs: S3 Logs, RDS Logs, Lambda, API Gateway, Route53, CloudFront, etc.
      – Host Based Logs (volume snapshot): messages/system, security, audit, applications, etc.
      – Additional data from AWS view: instance profile, endpoints, syslogs, screen, metadata, etc.
      – More Outside: Limits; check resources creation from a given date (all regions)
  • 19. Digital Forensics as a Service? How to be Prepared • DFaaS: capabilities we can use from a cloud vendor to perform tasks related to Digital Forensics • Multi Account Strategy • Dedicated Account for Forensics • Dedicated Account for Security Operations • Acquisition tools ready to use • Live Data • Acquire data, what data?
  • 20. • CIS Benchmark security assessment tool (52 checks + 20 additional) • New “forensics-ready” group of checks: checks whether you are collecting everything you may need in case of an incident (Forensics as a Service helper): CloudTrail, S3, Config, VPC Flow Logs, Macie, GuardDuty, CloudFront, ES, Lambda, ELB/ALB, Route53, Redshift and more • https://github.com/Alfresco/prowler
  • 21. <DEMO> Prowler, specific group check for AWS forensics readiness
  • 23. Digital Forensics as a Service: Tools/Challenges
      • Userland / Process Memory Acquisition: AWS Systems Manager (SSM); aws_ir, Margaritashotgun (LiME); Volatility and Rekall automation; ECFS: extended core file snapshot format; Containers; Analysis process; IOC; Something like LibVMI (VM introspection) would help (Volatility integration)
      • Storage Acquisition and Processing: Depends on the storage used; Easier for EBS Snapshots → Volumes; DFTimewolf (GRR)
      • Multiple Account Tools, Resources and Vendors: We don’t capture just one resource!; Enterprise grade
      • Processing collected data: Turbinia; Plaso; Laika BOSS; BinaryAlert
      • Analyze data: Timeline with ALL ACQUIRED DATA? Timesketch; EVERYTHING? Room to improve here!; Multiple data formats; Multiple sources; Correlation
  • 24. Threat Response Tools
      • Incident Response Tool for AWS: http://threatresponse.cloud/
      • Compromised AWS API credentials (Access Keys): Mitigate compromise: Lock
      • Compromised EC2 instance: Mitigate compromise; Isolation; Collect evidence; Memory acquisition
      • Plugins: gather_host (metadata, screen, console); tag_host; examineracl_host; get_memory; isolate_host; stop_host
  • 25. <DEMO> ThreatResponse: aws_ir, margaritashotgun • Instance compromise https://youtu.be/-dnljYRMMsU
  • 26. SANS Reading Room: DF Analysis of an EC2 Instance Kudos! Ken Hartman https://www.kennethghartman.com
  • 28. Instance / Network / Provider
      • Put everything you need in your well known AMI (gold image): Hardening applied / tested (Packer/Vagrant); CIS Benchmark!; No configuration or access needed
      • Local tools: Osquery / Wazuh-OSSEC / rkhunter / GRR; Update rules / serverless; Local configuration (SELinux/AppArmor); auditd; Collect telemetry host network data (Snort/Suricata)
      • Collect everything your provider allows you: Networking; APIs / Accesses (AWS API Call Limit)
      • Red Team / Third party pentesting*
  • 29. Auditing, Assessment and Hardening Tools
      • AWS: Amazon GuardDuty; Amazon Macie; AWS Trusted Advisor; AWS CloudTrail; Amazon Inspector; AWS Organizations; AWS Config Rules; Alfresco: Prowler; Wazuh (wodle); NCC Group: Scout2; Netflix: SecurityMonkey; Capital One: CloudCustodian; AWS CIS Benchmark Python code and Lambda functions; CloudSploit; Widdix Hardening Templates; awslimitchecker; git-secrets (AWS)
      • Azure: Security Center; OMS Security & Compliance; Azure Log Analytics; Windows Defender; Azure Op Insights; MWR Azurite; AzSDK; AzureStackTools
      • GCP: Spotify: gcp-audit; SecurityMonkey
      • ALL: Analytics (ELK, Splunk, etc.)
  • 30. Takeaways This presentation and some bits already available at: https://github.com/toniblyx/SANSCloudSecuritySummit2018
  • 31. Thanks! Special Thanks to: Ismael Valenzuela @aboutsecurity Andrew K. @andrewkrug & ThreatResponse.cloud Team Alex Maestretti @maestretti Lorenzo Martinez @lawwait Lórien Domenech @loriendr Open Source Community improving Prowler!
  • 33. References
      • Cloud Security Alliance, Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing, June 2013
      • Dr. Keyun Ruan, University College Dublin, Designing a Forensic-enabling Cloud Ecosystem, 2013
      • International Standard ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence, October 2012
      • Josiah Dykstra, Digital Forensics for IaaS Cloud Computing, June 2012
      • Keyun Ruan, Ibrahim Baggili (PhD), Prof Joe Carthy, Prof Tahar Kechadi, University College Dublin, Zayed University, Survey on Cloud forensics and critical criteria for Cloud forensic capability: A preliminary analysis
      • Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie, Cloud Forensics
      • Keyun Ruan, University College Dublin, Cloud Forensics: challenges & opportunities, 2010
      • NIST Cloud Computing Forensic Science Working Group, Information Technology Laboratory, NIST Cloud Computing Forensic Science Challenges, June 2014
      • Peter Mell, Timothy Grance, NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011
      • Report From the First Digital Forensic Research Workshop (DFRWS), A Road Map for Digital Forensic Research, August 2001
      • Yuanfeng Wen, Xiaoxi Man, Khoa Le and Weidong Shi, Forensics-as-a-Service (FaaS): Computer Forensic Workflow Management and Processing Using Cloud
      • http://static1.squarespace.com/static/5417f7f9e4b0b77770545590/t/56f3c598906340a7f6e78dbd/1458816415654/AWS_Cloud_and_Security.pdf
      • https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf
      • https://alestic.com/2015/10/aws-iam-readonly-too-permissive/
      • Backdooring an AWS account
      • Exploring an AWS account post-compromise
      • Disrupting AWS logging
      • AWS IAM "ReadOnlyAccess" Managed Policy is Too Permissive (For Us)
      • Access Keys will kill you before you kill the password
      • Account Jumping Post Infection Persistency and Lateral Movement in AWS
      • Disrupt CloudTrail and pwning automation tools
      • RSA 2017 talk: Cloud Security Automate or Die, same title as mine but a bit different approach
      • RSA 2017 talk: Securing Serverless applications in the Cloud
      • RSA 2017 talk: DevSecOps on the Offense: Automating Amazon Web Services Account Takeover
      • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/when-a-web-application-ssrf-causes-the-cloud-to-rain-credentials-and-more/
      • https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235
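The credential-compromise branch of the workflow on slide 17 (disable keys, revoke sessions, check new resources created in all regions, make an API log report), worked through as an added Python example that is not part of the original deck, of Prowler or of aws_ir. The CloudTrail records are constructed sample data, the key ids are AWS documentation placeholders, and `iam_client` stands for a boto3 IAM client of which only the update_access_key call is used.

```python
"""Triage a compromised AWS access key from CloudTrail records.

Added example, not from the deck or its tools: the credential-compromise
branch of the workflow (API log report, new resources in every region,
disable the key, revoke its existing sessions) over constructed records.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# AWS documentation placeholder key id, not a real credential.
KEY = "AKIAIOSFODNN7EXAMPLE"

def rec(time, name, region, ip, resp=None, key=KEY, user="deploy"):
    """Build one constructed CloudTrail record (only the fields used here)."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "responseElements": resp,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}

# Constructed sample trail: one pre-incident call, then activity from a new
# source IP that spreads into a second region, plus one event by another key.
SAMPLE_RECORDS = [
    rec("2018-05-02T18:00:00Z", "ListBuckets", "us-east-1", "203.0.113.7"),
    rec("2018-05-03T09:12:41Z", "DescribeInstances", "us-east-1", "198.51.100.23"),
    rec("2018-05-03T09:15:02Z", "RunInstances", "eu-west-1", "198.51.100.23",
        {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}),
    rec("2018-05-03T09:16:30Z", "CreateUser", "us-east-1", "198.51.100.23",
        {"user": {"userName": "backup-svc"}}),
    rec("2018-05-03T09:20:00Z", "RunInstances", "us-east-1", "203.0.113.7",
        {"instancesSet": {"items": [{"instanceId": "i-0fedcba9876543210"}]}},
        key="AKIAI44QH8DHBEXAMPLE", user="alice"),
]

# API verbs that create resources or change access; these get a second look.
MUTATING = ("Create", "Run", "Put", "Attach", "Authorize", "Update", "Delete")

def parse_time(stamp):
    """CloudTrail eventTime is UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def created_resources(event):
    """Best-effort extraction of new resource ids from responseElements."""
    resp = event.get("responseElements") or {}
    if "instancesSet" in resp:  # RunInstances
        return [i["instanceId"] for i in resp["instancesSet"]["items"]]
    if "user" in resp:  # CreateUser
        return [resp["user"]["userName"]]
    return []

def events_for_key(records, access_key_id, since=None):
    """Events made with one key, optionally only from the suspected compromise time."""
    hits = [r for r in records if r["userIdentity"].get("accessKeyId") == access_key_id]
    if since is not None:
        hits = [r for r in hits if parse_time(r["eventTime"]) >= since]
    return sorted(hits, key=lambda r: r["eventTime"])

def api_report(records, access_key_id, since=None):
    """The 'API log report': when, from where, in which regions, and what changed."""
    hits = events_for_key(records, access_key_id, since)
    return {
        "access_key_id": access_key_id,
        "events": len(hits),
        "first_seen": hits[0]["eventTime"] if hits else None,
        "last_seen": hits[-1]["eventTime"] if hits else None,
        "source_ips": sorted({r["sourceIPAddress"] for r in hits}),
        "regions": dict(Counter(r["awsRegion"] for r in hits)),
        "mutating": [{"time": r["eventTime"], "region": r["awsRegion"],
                      "event": r["eventName"], "resources": created_resources(r)}
                     for r in hits if r["eventName"].startswith(MUTATING)],
    }

def disable_key(iam_client, user_name, access_key_id):
    """Deactivate rather than delete: the key stops working but stays listed on
    the user, so its id in CloudTrail remains easy to attribute later."""
    params = {"UserName": user_name, "AccessKeyId": access_key_id, "Status": "Inactive"}
    iam_client.update_access_key(**params)  # boto3 IAM call, same keyword names
    return params

def revoke_sessions_policy(issued_before):
    """Inline deny policy that invalidates role sessions issued before a time,
    the mechanism behind the console's 'Revoke sessions' button."""
    stamp = issued_before.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": ["*"], "Resource": ["*"],
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}

if __name__ == "__main__":
    since = parse_time("2018-05-03T09:00:00Z")
    print(json.dumps(api_report(SAMPLE_RECORDS, KEY, since=since), indent=2))
```

Run against the constructed trail with the compromise time set to 09:00 UTC, the report shows three calls from one new source IP, the RunInstances in eu-west-1 and the CreateUser as the resources to isolate, while the earlier ListBuckets and alice's own RunInstances stay out of the picture.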

Editor's Notes

  1. Contents: Dealing with Incidents AWS specifics Attacks Incident Response Assessment and Hardening
  2. PCI-DSS compliance other for NIST, etc. Kinda Immutable infrastructure / instances (bastion) Logging externally, config management, monitoring Blue-green upgrades Canary upgrades
  3. x1.32xlarge = $13.338 hourly 1952.0 GB RAM 128 vCPUs 3840.0 GB (2 * 1920.0 GB SSD) 25 Gigabit Network
  4. Amazon Macie
  5. Bamboo, Jenkins…
  6. https://gist.github.com/toniblyx/d2cae4f4b4cb74524dc1f7b198d024c2 How to prevent this hack?? Change the Spotlight keyboard shortcut and don't trust USBs!
  7. https://cloudonaut.io/aws-monitoring-primer/
  8. Assess other systems running in the same VPC Was the instance running in a role? Do we have flow logs we can grab and archive for the incident? Do we need to do live response? Do we need to preserve a snapshot for offline forensics?
  9. Many companies like Netflix, Google, Facebook, AirBnB or Adobe are working in cloud forensics automation
  10. Low hanging fruit
  11. GuardDuty (CloudTrail, VPC Flow Logs and DNS queries) git-secrets (git hooks) AZURE: Azure Log Analytics (https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/log-analytics/log-analytics-overview.md) AZURE: Azurite (https://github.com/mwrlabs/Azurite) AzSDK (https://github.com/azsdk/azsdk-docs) AzureStack (https://github.com/Azure/AzureStack-Tools)