Responding to security incidents that involve deployments within Amazon Web Services is a lot different from responding to incidents that happen on corporate-owned gear, and two researchers have come up with free tools to make that process easier.
Obtaining forensic evidence is different, primarily because security pros can’t obtain physical access to the machines on which their AWS instances are running.
But using AWS’s API software developer’s kit or its command line interface, customers can write their own tools for creating forensic images of disk instances that have been compromised, say Andrew Krug and Alex McCormack. The pair of researchers presented four tools at Black Hat 2016 that they wrote specifically to deal with incident response in AWS.
The important thing, they say, is to have a response plan in place, and the tools they’ve written can implement major portions of it, removing a lot of manual forensics work that can slow things down and give attackers more time to do damage. It frees humans from performing tasks where they could make errors, they say.
It can be difficult to locate AWS instances, making response more complicated. “AWS is global so it’s hard to find an instance that’s compromised,” McCormack says.
Here’s a brief description of the four tools.
Margarita Shotgun: This tool automates gathering memory from remote systems whether they are owned by the enterprise or are provided through AWS. It streams the captured memory via SSH to the work station of the security pro investigating the incident. The data can be saved to disk or diverted to an AWS s3 storage bucket. The process is done in parallel using the Python multiprocessing library so the data can be acquired as quickly as possible, reducing the time that compromised instances remain active.
The idea is to have a plan for reacting to an incident and to have it automated so valuable evidence isn’t accidentally lost in the heat of the moment.
AWS-IR: This automates gathering of evidence in an incident and mitigates the attack and has three distinct commands. The first, host compromise, assigns the compromised instance to a very secure group, which cuts any active links to the attacker. It takes a snapshot of attached volumes, captures memory, collects instance metadata and gathers console output. Once the data is gathered, it shuts down the instance.
The second command, key compromise, triggers the disabling of a compromised AWS access key. The third command, create workstation, creates a separate workstation instance for analyzing what actions attackers might have taken by using the key.
ThreatResponse Web: This tool can gather and analyze data relevant to incidents, and, if it seems that other instances are involved in an incident, can pull in information from them as well. The tool provides both a memory view and a disk-analysis view that are available on the workstation designated to perform the investigation.
Sign up for CIO Asia eNewsletters.