Incident response in AWS
In this two-day course, you’ll experience in real-time a cloud incident and subsequent data breach, simulated in a vulnerable-by-design application. Students will act as our fictional company’s incident response team, and experience the various phases of the IR lifecycle. As an adversary compromises our simulated application we’ll cover detection, conduct a forensic investigation of the cloudTrail logs to determine what the attacker did, execute containment activities, and then perform an analysis to see if a data breach occurred. Students will then be let loose to track down a parallel incident and find the key indicators of cloud compromise in a CTF-like fashion.
The class is targeted toward SOC analysts and security engineers who are new to AWS and need a crash course in Cloudtrail, S3, IAM, serverless, and the many ways the public cloud changes the incident response process. Students need only a basic understanding of AWS and their laptops, as the entire cloud environment will be pre-built for our incident.
The class is taught by Chris Farris who has a long career in IT and cloud security. He is a AWS Security Hero, an organizer of the fwd:cloudsec conference and has presented at several AWS conferences.
Target Audience
Security operations analysts, incident responders, security engineers & architects who want to experience an incident in AWS before it happens to them for real.
Prerequisites
The class is targeted toward SOC analysts and security engineers who are new to AWS and need a crash course in CloudTrail, S3, IAM, Serverless, and the many ways the public cloud changes the incident response process. This class doesn’t teach you to be an incident responder; it will teach an incident responder how to respond in AWS. Students need only a basic understanding of AWS and their laptops, as the entire cloud environment will be pre-built for our incident.
Day 1
- Introduction to AWS & Cloud Security
- How Cloud is different from On-prem
- AWS IAM Essentials
- Primer on AWS Services
- EC2
- S3
- Serverless
- Networking
- Lab 1 – Introduction to Fooli
- Preparation
- CloudTrail
- GuardDuty
- Contacts
- Visibility/Roles/Security Account
- VPC Flow Logs
- Inventory
- CloudTrail Detections
- Investigations in CloudTrail
- What to look for
- Lateral vs Vertical movement
- Priv Esc
- Lab 2 – Investigating a CryptoMining Incident
- Running the Fooli Investigation
- Containment Strategies
- Access key disable
- Role Invalidation
- IMDSv2
- Security Group Isolation
- WAF
- Lab 3 – Containing the Fooli Breach
Day 2
- Ransomware on AWS
- Cloud vs Traditional Ransomware
- Ransomware prevention
- Ransomware Recovery
- AWS Backup
- Investigate the Ransomware attack that happened overnight
- Forensics on EC2
- How it’s different from on-prem
- How to capture and preserve disk snapshots
- Where to find artifacts for other services
- Lab 4 – EC2 Forensics
- Determining a Data Breach
- S3 Data Events
- Athena
- Macie
- Lab 5 – CloudTrail & Athena
- Incident Review & Lessons Learned
- Review the Incident from the Attacker’s perspective