Page 1
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
October 2015
SEC316
Hardening Your Architecture with Security Incident Response Simulations
Armando Leite, AWS Professional Services
Jon Miller, AWS Security Technical Program Manager
Rob Witoff, Coinbase Director
Page 2
Here is what you get today…
• SIRS: What is it?
• Demo
• Case study
• How to engage AWS
• Get your game on
Page 3
SIRS: What is it?
Inspiration:
“Nothing gives one person so much
advantage over another as to remain
always cool and unruffled under all
circumstances.”
-Thomas Jefferson
Page 4
Ariana Grande speaks to simulation
“Dancing in high heels is kind of tough. I learn the
dances without the heels, and then we add them.
We just practice, and I get used to it. My feet hurt
really badly at the end of the shows, but it’s fun.
While it’s happening it’s fun. I feel tall.”
Did she get it right?
Quote from https://www.brainyquote.com/quotes/quotes/a/arianagran571274.html
Page 5
Working backward: what do customers want?
1. Validate readiness
2. Generate artifacts for accreditation
3. Be agile – Incremental with laser focus
4. Get faster and improve tools
5. Refine escalation and communication
6. Get confident – Learn from and train staff
7. Get comfortable with the rare and the creative
Page 6
Security Incident Response Simulations
1. Find an issue of importance.
2. Find skilled security geeks.
3. Build a realistic model system.
4. Build and test the scenario elements.
5. Invite other security geeks and real people.
6. Run the simulation live.
7. Get better and repeat.
Page 7
Key simulation elements
Scenario | Build | Test | Process | Live event
Page 11
SIRS setup
Scenario:
• Unauthorized modification of content on public facing website.
Core participants:
• Application engineer
• Implementer
• Responder
Key events/injects:
• Inject 1: External-facing website is modified.
• Inject 2: Abuse notification received.
• Inject 3: Unauthorized resources spun up.
Page 12
Process under test
Establish control
Determine impact
Recover as needed
Investigate root cause
Improve
Page 13
Let the games begin!
Page 15
Actions taken
Gather information about the affected instance:
aws ec2 describe-instances --filters "Name=ip-address,Values=xx.xx.xx.xx"
Deploy the "block" security group (this replaces every group attached to the instance):
aws ec2 modify-instance-attribute --instance-id i-25xxxxfe --groups sg-27xxxx43
Tag the instance to mark it as under investigation:
aws ec2 create-tags --resources i-xxxxxxxx --tags Key=Environment,Value=Quarantine:REFERENCE-ID
Create a snapshot of the volume for forensic analysis:
aws ec2 create-snapshot --volume-id vol-xxxx --description "IR-ResponderName-Date-REFERENCE-ID"
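The same four containment actions as one routine a responder can run, added here as an example; this is not code from the deck or from AWS. It uses the boto3 EC2 client methods that back the CLI commands above (describe_instances, modify_instance_attribute, create_tags, create_snapshot). The quarantine security group, the Environment tag and the REFERENCE-ID follow the slide; the OriginalSecurityGroups tag, the per-volume snapshot loop and the description format are this example's own choices. The client is passed in, so the routine can be exercised against a test double without an AWS account.

```python
"""Contain a suspected-compromised EC2 instance (added example, not the deck's code).

Mirrors the slide's four CLI actions with boto3 calls and adds two things a
responder wants: the pre-quarantine security groups are recorded before they
are replaced, and every attached EBS volume is snapshotted, not just one.
"""
from datetime import datetime, timezone

try:
    import boto3  # only needed when run against a real account
except ImportError:  # pragma: no cover
    boto3 = None


def quarantine_instance(ec2, instance_id, block_sg, ref_id, responder):
    """Isolate, tag and snapshot one instance; returns what was done.

    ``ec2`` is a boto3 EC2 client (or a test double with the same methods).
    """
    # 1. Gather: one call yields the current SGs and the attached volumes.
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    original_sgs = [sg["GroupId"] for sg in inst["SecurityGroups"]]
    volumes = [m["Ebs"]["VolumeId"]
               for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]

    # 2. Establish control: Groups= replaces the whole SG set, so the
    #    quarantine SG is the only group left. It should permit nothing but
    #    the responders' forensic access.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[block_sg])

    # 3. Tag it so nobody "repairs" it mid-investigation, and keep the
    #    original SGs on the resource so it can be restored after the case.
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[
            {"Key": "Environment", "Value": f"Quarantine:{ref_id}"},
            {"Key": "OriginalSecurityGroups", "Value": " ".join(original_sgs)},
        ],
    )

    # 4. Preserve: snapshot every EBS volume. Snapshots of a running instance
    #    are crash-consistent; image memory (slide 18) before stopping it.
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%MZ")
    snapshots = {}
    for vol in volumes:
        snap = ec2.create_snapshot(
            VolumeId=vol, Description=f"IR-{responder}-{stamp}-{ref_id}")
        snapshots[vol] = snap["SnapshotId"]

    return {"original_sgs": original_sgs, "snapshots": snapshots}


if __name__ == "__main__":
    import sys
    # usage: python quarantine.py i-25xxxxfe sg-27xxxx43 IR-2015-001 responder
    if boto3 is None:
        sys.exit("boto3 is required to run against a real account")
    print(quarantine_instance(boto3.client("ec2"), *sys.argv[1:5]))
```

Order matters: the describe call runs before the group swap so the evidence of the original exposure is captured, and the snapshots come last so the volumes are no longer reachable by the attacker while they are being copied.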
Page 16
Process under test
Establish control
Determine impact
Recover as needed
Investigate root cause
Improve
Page 18
Actions taken
Imaging instance memory: LiME (https://github.com/504ensicslabs/lime)
Delivery of the tooling to the instance: AWS CodeDeploy
Page 20
Investigation – Check instance access logs (screenshot with callouts 1–4; highlighted entry at 11:01 PM 24 JUN 2015)
Page 21
Investigation – Check AWS CloudTrail API logs (screenshot)
Page 22
Investigation – Correlate events
match!
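The correlation step, as an added example rather than code from the deck: inject 1 was a modified public page (visible in the web server's access log) and inject 3 was unexpected EC2 capacity (visible in CloudTrail). The "match" is a source IP that appears in both logs within minutes. The access-log lines and CloudTrail records below are constructed for this example (RFC 5737 addresses and the AWS documentation example access keys); the field layouts are the Apache combined log format and the CloudTrail record schema. The 15-minute window and the set of content-changing HTTP methods are this example's assumptions.

```python
"""Correlate web access logs with CloudTrail (added example, not code from the deck)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed web-server access log (Apache combined format).
ACCESS_LOG = """\
198.51.100.20 - - [24/Jun/2015:22:58:03 +0000] "GET /index.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2015:23:01:12 +0000] "PUT /index.html HTTP/1.1" 204 0 "-" "curl/7.38.0"
198.51.100.20 - - [24/Jun/2015:23:02:45 +0000] "GET /index.html HTTP/1.1" 200 517 "-" "Mozilla/5.0"
"""

# Constructed CloudTrail records (a subset of the real record fields).
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2015-06-24T20:10:05Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2015-06-24T23:03:41Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "web-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    # Same IP hours later: outside the default window, so not a "match" here.
    {"eventTime": "2015-06-25T03:30:00Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "web-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]

_ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH"}  # assumption: requests that can change content


def parse_access_log(text):
    """Parse combined-format lines into dicts carrying an aware datetime."""
    hits = []
    for line in text.splitlines():
        m = _ACCESS_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash mid-incident
        hits.append({
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m["ip"],
            "method": m["req"].split(" ", 1)[0],
            "request": m["req"],
            "status": int(m["status"]),
        })
    return hits


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def correlate(hits, records, window=timedelta(minutes=15), methods=WRITE_METHODS):
    """Pair content-changing web requests with API calls from the same source IP
    made within +/- `window` of the request. Returns one match per pair."""
    matches = []
    for hit in hits:
        if hit["method"] not in methods:
            continue
        for rec in records:
            if rec.get("sourceIPAddress") != hit["ip"]:
                continue
            gap = _event_time(rec) - hit["time"]
            if abs(gap) <= window:
                ident = rec.get("userIdentity", {})
                matches.append({
                    "ip": hit["ip"], "web": hit["request"], "api": rec["eventName"],
                    "region": rec.get("awsRegion"),
                    "gap_seconds": int(gap.total_seconds()),
                    "identity": ident.get("userName"),
                    "access_key": ident.get("accessKeyId"),
                })
    return matches


def credentials_to_rotate(matches):
    """Access keys seen in matched API calls: candidates for immediate rotation."""
    return sorted({m["access_key"] for m in matches if m["access_key"]})


if __name__ == "__main__":
    found = correlate(parse_access_log(ACCESS_LOG), CLOUDTRAIL_RECORDS)
    for m in found:
        print(m)
    print("rotate:", credentials_to_rotate(found))
```

The window is symmetric because the order of operations is not known in advance: an attacker may call the API before or after touching the web tier. The matched userIdentity tells the responder which credential the attacker holds, which feeds the credential-rotation scenario listed at the end of the deck.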
Page 23
Investigation – Blocked successfully
Page 24
Wrap up simulation
Handoff correspondence
Capture artifacts, logs,
communications
Page 25
Event
retrospective
Continue…start...stop.
Page 26
Game
retrospective
Continue…start...stop.
Page 28
SIRS works in all industries
Enterprise | Government | Startup
Page 29
Coinbase
Scenario
• Advanced threat with
escalated privileges
• Rapid and adversarial
• Crypto-ransom
Outcome
Successful
• Rapid response and
recovery
• Data protection
• Root cause investigation
• Risk elimination
Page 32
WHAT I’M ABOUT TO SHOW YOU WAS
A CONTAINED SIMULATION.
NO CUSTOMER DATA, FUNDS OR
SERVICES WERE, OR EVER WILL BE,
AT INCREASED RISK.
Page 40
Observe
Orient
Decide
Act
Page 44
Observe
Orient
Decide
Act
scanning | servers | ssh | snapshots | aws
Page 45
Observe
Orient
Decide
Act
scanning | servers | ssh | snapshots | aws | ???
Page 47
Observe
Orient
Decide
Act
Team #1: CloudTrail pipeline
Page 48
CloudTrail → Amazon S3 → AWS Lambda → Amazon Kinesis
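One way to build the Lambda stage of that pipeline, added here as an example; this is not Coinbase's code. CloudTrail delivers gzipped JSON objects of the form {"Records": [...]} to S3, and an S3 event notification invokes the function, which unpacks the records and forwards them to a Kinesis stream for detection consumers. The S3 event shape, the CloudTrail object layout and the 500-record limit of Kinesis PutRecords are AWS's; the stream name, the decision to skip CloudTrail digest files, the partition-key scheme and the retry count are this example's assumptions. The clients are injectable so the handler runs offline.

```python
"""CloudTrail -> S3 -> Lambda -> Kinesis fan-out (added example, not Coinbase's code)."""
import gzip
import json
import os
import urllib.parse

try:
    import boto3  # only needed inside Lambda; tests inject fake clients
except ImportError:  # pragma: no cover
    boto3 = None

STREAM_NAME = os.environ.get("CLOUDTRAIL_STREAM", "cloudtrail-events")  # assumed name
PUT_RECORDS_LIMIT = 500  # Kinesis PutRecords accepts at most 500 records per call
MAX_ATTEMPTS = 3  # assumption: retries for partially failed batches


def is_cloudtrail_log(key):
    """CloudTrail also writes digest files under CloudTrail-Digest/; only the
    log objects carry a Records array."""
    return key.endswith(".json.gz") and "/CloudTrail-Digest/" not in key


def unpack_cloudtrail(gz_bytes):
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def to_kinesis_entries(records):
    # Partition by account/region so one chatty region does not pin a single shard.
    return [{"Data": json.dumps(r).encode(),
             "PartitionKey": f"{r.get('recipientAccountId', 'unknown')}/"
                             f"{r.get('awsRegion', 'unknown')}"}
            for r in records]


def put_with_retry(kinesis, stream, entries, attempts=MAX_ATTEMPTS):
    """PutRecords can partially fail (e.g. throttling); resend only the entries
    whose response slot carries an ErrorCode. Returns the count still failing."""
    pending = entries
    for _ in range(attempts):
        if not pending:
            break
        resp = kinesis.put_records(StreamName=stream, Records=pending)
        if not resp.get("FailedRecordCount"):
            return 0
        pending = [e for e, r in zip(pending, resp["Records"]) if "ErrorCode" in r]
    return len(pending)


def forward(records, kinesis, stream=STREAM_NAME):
    entries = to_kinesis_entries(records)
    failed = 0
    for i in range(0, len(entries), PUT_RECORDS_LIMIT):
        failed += put_with_retry(kinesis, stream, entries[i:i + PUT_RECORDS_LIMIT])
    return failed


def handler(event, context=None, s3=None, kinesis=None):
    """Lambda entry point for S3 ObjectCreated notifications."""
    s3 = s3 or boto3.client("s3")
    kinesis = kinesis or boto3.client("kinesis")
    totals = {"objects": 0, "skipped": 0, "records": 0, "failed": 0}
    for notice in event.get("Records", []):
        bucket = notice["s3"]["bucket"]["name"]
        # Object keys arrive URL-encoded in S3 event notifications.
        key = urllib.parse.unquote_plus(notice["s3"]["object"]["key"])
        if not is_cloudtrail_log(key):
            totals["skipped"] += 1
            continue
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        records = unpack_cloudtrail(body)
        totals["objects"] += 1
        totals["records"] += len(records)
        totals["failed"] += forward(records, kinesis)
    return totals
```

A non-zero "failed" count should raise or alarm in production so the S3 object is reprocessed; silently dropping records from the audit trail is the one failure mode a detection pipeline cannot afford.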
Page 51
Observe
Orient
Decide
Act
scanning | servers | ssh | snapshots | aws
Page 52
scanning | servers | ssh | snapshots | aws
Observe
Orient
Decide
Act
Page 53
scanning | servers | ssh | snapshots | aws
Observe
Orient
Decide
Act
Team #2, Team #3
Page 55
Teams #2 and #3: forensic workflow
snapshot → stop → d2.8xlarge → mount → grep
Page 67
Thanks, Coinbase!
Page 69
When should I engage AWS Support?
Engage AWS Support any time an event might be
occurring that affects your ideal operational state.
Page 70
When should I contact AWS Security?
If you are planning SIRS:
• Obtain permission to perform penetration testing/scanning.
• Confirm the SIRS does not violate the AUP.
Page 72
Engaging human support
You
→ Cloud support engineer (CSE): available with Support
→ Technical account manager (TAM), your relationship POC: available with Enterprise Support
→ Subject matter experts (SME)
Page 73
Go here: https://aws.amazon.com/contact-us/
Page 75
Is your architecture built for IR?
• Real-time monitoring
• Logs at the ready
• Tagged for escalation
• Rapid recovery
• Rapid data preservation
• Forensic instances
• Late binding privileges for responders
Page 76
Key simulation elements
Scenario | Build | Test | Process | Live event
No worries
Page 77
Pick a scenario to try and get started
1. Web server application layer issue recovery
2. Log dive for artifacts
3. Data preservation
4. Credential rotation
5. Responding to alerts
6. Some sort of insider threat
7. Business owner and external communications
Page 78
https://aws.amazon.com/professional-services/
Page 79
Remember to complete
your evaluations!
Page 80
Thank you!
Josh du Lac, Hart Rossman, Don Bailey, Khaja, Graham, AWS Support, AWS Abuse team, EC2 Security team, and many more who
helped make these events possible