(SEC316) Harden Your Architecture w/ Security Incident Response Simulations

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

October 2015

SEC316

Hardening Your Architecture with

Security Incident Response SimulationsArmando Leite, AWS Professional Services

Jon Miller, AWS Security Technical Program Manager

Rob Witoff, Coinbase Director

Here is what you get today…

• SIRS: What is it?

• Demo

• Case study

• How to engage AWS

• Get your game on

SIRS: What is it?

Inspiration-

“Nothing gives one person so much

advantage over another as to remain

always cool and unruffled under all

circumstances.”

-Thomas Jefferson

Ariana Grande speaks to simulation

“Dancing in high heels is kind of tough. I learn the

dances without the heels, and then we add them.

We just practice, and I get used to it. My feet hurt

really badly at the end of the shows, but it’s fun.

While it’s happening it’s fun. I feel tall.”

Did she get it right?

Quote from https://www.brainyquote.com/quotes/quotes/a/arianagran571274.html

Working backward…what customers want?

1. Validate readiness

2. Generate artifacts for accreditation

3. Be agile – Incremental with laser focus

4. Get faster and improve tools

5. Refine escalation and communication

6. Get confident – Learn from and train staff

7. Get comfort with the rare and the creative

Security Incident Response Simulations

1. Find an issue of importance.

2. Find skilled security geeks.

3. Build a realistic model system.

4. Build and test the scenario elements.

5. Invite other security geeks and real people.

6. Run the simulation live.

7. Get better and repeat.

Key simulation elements

Scenario Build ProcessLive

eventTest

Prevent spoilers

Finish at the end

Demo

SIRS setup

Scenario:

• Unauthorized modification of content on public facing website.

Core participants:

• Application engineer

• Implementer

• Responder

Key events/injects:

• Inject 1: External-facing website is modified.

• Inject 2: Abuse notification received.

• Inject 3: Unauthorized resources spun up.

Process under test

Establish control

Determine impact

Recover as needed

Investigate root cause

Improve

Let the games begin!

Actions taken

Gather information about affected instance:aws ec2 describe-instances –filters “Name=ip-address,Values=xx.xx.xx.xx”

Deploy “block” security group:aws ec2 modify-instance-attribute –instance-id i-25xxxxfe –groups sg-

27xxxx43

Tag instance to mark it as under investigation:aws ec2 create-tags –resources i-xxxxxxxx –tags Key=Environment,

Value=Quarantine:REFERENCE-ID”

Create snapshot of volume for forensic analysis:aws ec2 create-snapshot –volume vol-xxxx –description “IR-ResponderName-

Date-REFERENCE-ID”

Process under test

Establish control

Determine impact

Recover as needed

Investigate root cause

Improve

Actions taken

Imaging instance memory:

LiME - https://github.com/504ensicslabs/lime

AWS CodeDeploy:

Postmortem…

Investigation – Check instance access logs1

2

4 11:01 PM 24 JUN 20153

Investigation – Check AWS CloudTrail API logs

?

Investigation – Correlate events

match!

Investigation – Blocked successfully

Wrap up simulation

Handoff correspondence

Capture artifacts, logs,

communications

Event

retrospective

Continue…start...stop.

Game

retrospective

Continue…start...stop.

Case study

SIRS works in all industries

Enterprise Government Startup

Coinbase

Scenario

• Advanced threat with

escalated privileges

• Rapid and adversarial

• Crypto-ransom

Outcome

Successful

• Rapid response and

recovery

• Data protection

• Root cause investigation

• Risk elimination

WHAT I’M ABOUT TO SHOW YOU WAS

A CONTAINED SIMULATION.

NO CUSTOMER DATA, FUNDS OR

SERVICES WERE, OR EVER WILL BE,

AT INCREASED RISK.

Observe

Orient

Decide

Act

Observe

Orient

Decide

Act

scanning | servers | ssh

snapshots | aws

Observe

Orient

Decide

Act

scanning | servers | ssh

snapshots | aws | ???

Observe

Orient

Decide

Act

Team #1

CloudTrail Pipeline

CloudTrail Amazon S3 AWS Lambda Amazon Kinesis

→ → → →

coinbase.com

Observe

Orient

Decide

Act

scanning | servers | ssh

snapshots | aws | ???

Observe

Orient

Decide

Act

scanning | |

|

servers ssh

snapshots aws

scanning | serversssh

snapshots

aws

Observe

Orient

Decide

Act

scanning | serversssh

snapshots

aws

Observe

Orient

Decide

Act team #2 team #3

team #2 team #3

team #2 team #3

snapshot

stop

d2.8xlarge

mount

grep

team #2 team #3

team #2 team #3

team #2 team #3

team #2 team #3

team #2 team #3

team #2 team #3

coinbase.com

Thanks, Coinbase!

Engage AWS

When should I engage AWS Support?

Engage AWS Support any time an event might be

occurring that affects your ideal operational state.

When should I contact AWS Security?

If you are planning SIRS:

• Obtain permission to perform penetration testing/scanning.

• Confirm the SIRS does not violate the AUP.

Engage support

Engaging human support

Cloud support engineer (CSE)

Technical account manager (TAM)

Subject matter experts (SME)

You

Relationship POC

Available with enterprise support

Available with support

Go here…https://aws.amazon.com/contact-us/

Get your game on

Is your architecture built for IR?

• Real-time monitoring

• Logs at the ready

• Tagged for escalation

• Rapid recovery

• Rapid data preservation

• Forensic instances

• Late binding privileges for responders

Key simulation elements

Scenario Build ProcessLive

eventTest

No worries

Pick a scenario to try and get started

1. Web server application layer issue recovery

2. Log dive for artifacts

3. Data preservation

4. Credential rotation

5. Responding to alerts

6. Some sort of insider threat

7. Business owner and external communications

https://aws.amazon.com/professional-services/

Remember to complete

your evaluations!

Thank you!

Josh du Lac, Hart Rossman, Don Bailey, Khaja, Graham, AWS Support, AWS Abuse team, EC2 Security team, and many more who

helped make these events possible