awstoolsguys100676445orig
Security

Four free tools for handling Amazon Web Services security incident response

Responding to security incidents that involve deployments within Amazon Web Services is a lot different from responding to incidents that happen on corporate-owned gear, and two researchers have come up with free tools to make that process easier.

Obtaining forensic evidence is different, primarily because security pros can’t obtain physical access to the machines on which their AWS instances are running.

+More on Network World: Black Hat: 9 free security tools for defense & attacking+

But using AWS’s API software developer’s kit or its command line interface, customers can write their own tools for creating forensic images of disk instances that have been compromised, say Andrew Krug and Alex McCormack. The pair of researchers presented four tools at Black Hat 2016 that they wrote specifically to deal with incident response in AWS.

The important thing, they say, is to have a response plan in place, and the tools they’ve written can implement major portions of it, removing a lot of manual forensics work that can slow things down and give attackers more time to do damage. It frees humans from performing tasks where they could make errors, they say.

It can be difficult to locate AWS instances, making response more complicated. “AWS is global so it’s hard to find an instance that’s compromised,” McCormack says.

Here’s a brief description of the four tools. You can download them here.

Margarita Shotgun: This tool automates gathering memory from remote systems whether they are owned by the enterprise or are provided through AWS. It streams the captured memory via SSH to the work station of the security pro investigating the incident. The data can be saved to disk or diverted to an AWS s3 storage bucket. The process is done in parallel using the Python multiprocessing library so the data can be acquired as quickly as possible, reducing the time that compromised instances remain active.

The idea is to have a plan for reacting to an incident and to have it automated so valuable evidence isn’t accidentally lost in the heat of the moment.

AWS-IR: This automates gathering of evidence in an incident and mitigates the attack and has three distinct commands. The first, host compromise, assigns the compromised instance to a very secure group, which cuts any active links to the attacker. It takes a snapshot of attached volumes, captures memory, collects instance metadata and gathers console output. Once the data is gathered, it shuts down the instance.

The second command, key compromise, triggers the disabling of a compromised AWS access key. The third command, create workstation, creates a separate workstation instance for analyzing what actions attackers might have taken by using the key.

ThreatResponse Web: This tool can gather and analyze data relevant to incidents, and, if it seems that other instances are involved in an incident, can pull in information from them as well. The tool provides both a memory view and a disk-analysis view that are available on the workstation designated to perform the investigation.

The ThreatResponse Web dashboard shows which geographic region of the AWS global network relevant instances are running in and what types of Amazon Machine Images they are running.

ThreatPrep: Designed to help better defend AWS instances, this tool finds places where security could be improved and areas where the amount of forensic evidence that is routinely gathered should be increased. It checks things including whether s3 storage buckets have logging and versioning enabled and whether public reading and writing are disallowed. It determines whether multi-factor authentication is turned on for identity and access management associated with the AWS account. And it looks at whether flow logs are enabled for virtual private clouds.

IDG Insider

PREVIOUS ARTICLE

« Intel's new Atom chips for cars and IoT could shed ugly mobile past

NEXT ARTICLE

LG announces the V20, a phone squarely targeted at audiophiles »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Trump hits partial pause on Huawei ban, but 5G concerns persist

Phil Muncaster reports on China and beyond

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

Poll

Do you think your smartphone is making you a workaholic?