
Automated Forensics and Incident Response on AWS - AWS Summit Sydney


This session will show how Telstra uplifted their forensics and incident response capabilities by using AWS services and automation to deliver a scalable forensics platform. You will learn how to use AWS to simplify forensics and incident response in the cloud. Come see how automation enables investigators to easily retrieve the data they need to make decisions and respond faster during security incidents.



  1. SUMMIT SYDNEY
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automated forensics and incident response on AWS. Barry Conway, AWS Cloud Architect, Professional Services, Amazon Web Services. Morgan Arundell, Security Incident Senior Analyst, Cyber Security Operations, Telstra.
  3. Agenda: Security automation; How we got here; Building a forensics platform on AWS; Learning and benefits.
  4. Security automation: a must for everyday security and cyber teams.
  5. Security automation: Consistency; Reliability; Closes the gaps; Enables IT resources.
  6. Security automation: "It is the goal of every security organisation to build a system that, over time, maximises the delivered customer value while minimising the cost of delivery" (Eric Brandwine, AWS Philosophy of Security, re:Invent 2017; session link).
  7. Building on a strategy and concept: Automating Incident Response and Forensics (Ben Potter, Security Lead, Well-Architected, Amazon Web Services; session link) + Telstra Forensics Strategy (redefined in 2017: a single, global approach for acquisitions and investigative processing).
  8. Objectives for forensics and Incident Response (IR): Identify, Isolate, Acquire, Store, Process, Investigate. Forensics: preserve evidence to ensure integrity. Incident Response: accelerate investigation to minimise impact.
  9. Challenges @ 2017: On-premises capability reaching its limits; Telstra significantly expanding its cloud footprint; Minimal cloud capability; Unable to scale as required.
  10. Defined platform capabilities for success. AWS to AWS: use native AWS services to enable automated disk and memory acquisitions. On-prem to AWS: deploy the forensics application on AWS to enable network-based acquisitions of on-premises targets. 3rd party: enable third parties to supply evidence for processing via the forensics platform.
  11. Choosing AWS: Telstra already have a large AWS presence; Largest and most experienced cloud provider; Broadest range of services. Choosing AWS Professional Services: Experts in the platform; Quicker decision times on approach, design & implementation; Increase speed to market; Bootstrap the existing forensics team.
  12. Forensic platform key features: File integrity: MD5 & SHA256 together; CaseID traceability through the AWS resources created and the logs generated; Automate common investigation processes using the SIFT Toolkit (Volatility, Plaso/log2timeline) and EnCase.
  13. Forensics platform process: Triage, Disk Acquisition, Memory Acquisition, Post Processing, Storage; with State Tracking and Notification.
  14. Forensics platform on AWS (architecture diagram): Amazon SQS; Triage Step Function; Disk Step Function; Memory Step Function; Post-Processing Step Function; AWS Lambda (State Tracking); Run Command to Linux Tools EC2 and Windows IR Tools EC2; Amazon S3 and Amazon S3 Glacier; Amazon SNS.
  15. JSON Input – Triage to disk & memory (the slide shows the TRIAGE, Disk and Memory JSON documents; they are not reproduced in this transcript).
  16. JSON Input – Post processing (JSON shown on the slide only).
  17. Memory acquisition and streaming script (Python that builds the shell commands run on the target: the LiME kernel module is loaded to serve the raw memory image on a loopback TCP port, then the image is read once and fanned out through tee so that gzip, md5sum and sha256sum all see the same bytes):
      # Assumed for this transcript, not shown on the slide: `s3` is the upload command plus
      # object key prefix ("{0}.gz {1}" expands to "<s3>.gz <sizetag>"), `sizetag` its size hint.
      s3 = "<upload-command-and-s3-key-prefix>"
      sizetag = "<size-hint>"
      command1 = [
          # Unload any stale LiME module, then load it to serve raw memory on localhost:4444 only
          'if [ `lsmod|grep lime|wc -l` -gt 0 ]; then rmmod lime; fi',
          'insmod /opt/lime.ko "path=tcp:4444 format=raw localhostonly=1"',
      ]
      command2 = [
          # Single read of the dump: tee feeds gzip (.gz), md5sum (.md5) and sha256sum (.sha256),
          # each result piped to the uploader; then unload the module
          "cat < /dev/tcp/127.0.0.1/4444 | tee >(gzip | {0}.gz {1}) >(md5sum | {0}.md5 {1}) | sha256sum | {0}.sha256 {1}".format(s3, sizetag),
          'rmmod lime.ko',
      ]
  18. (slide with no extractable text)
  19. Demo overview (diagram): two AWS accounts, a Target Account and a Forensics Account. Components shown: Amazon EC2 (disk acquisition), Amazon EC2 (memory acquisition), Role, Amazon S3, Triage Step Function, Disk Step Function, Memory Step Function, Processing Step Function.
  20. Decisions and lessons learned: Containment only with consultation; Prefer low operational overhead and high elasticity; Engage and integrate operational process early.
  21. Next steps for Telstra forensics: Container-based forensics and targeted file acquisitions; Integrating with Telstra systems; Expansion of processing capabilities.
  22. Key benefits: Scale; Speed; Agility.
  23. Let's recap: Insight into Telstra's approach to forensics; How it was implemented on AWS & made easy; The next stages of their journey; Benefits.
  24. How you can get started: AWS Philosophy of Security, Eric Brandwine, re:Invent 2017; EC2 Auto Clean Room Forensics - https://github.com/awslabs/aws-security-automation/tree/master/EC2%20Auto%20Clean%20Room%20Forensics; SIFT Toolkit - https://digital-forensics.sans.org/community/downloads; LiME agent - https://github.com/504ensicsLabs/LiME
  25. Thank you! Barry Conway (conwbarr@amazon.com), Morgan Arundell.
