Four free tools for handling Amazon Web Services security incident response

Researchers presented four tools at Black Hat 2016 that they wrote specifically to deal with incident response in AWS.

Responding to security incidents in deployments on Amazon Web Services differs considerably from responding to incidents on corporate-owned hardware, and two researchers have written free tools to make the process easier.

Obtaining forensic evidence is different primarily because security pros cannot get physical access to the machines on which their AWS instances run; memory and disk contents have to be captured over the network and through AWS's own APIs.


But using the AWS API software development kit (SDK) or its command-line interface, customers can write their own tools for creating forensic images of the disks of compromised instances, say Andrew Krug and Alex McCormack. The pair presented four tools at Black Hat 2016 that they wrote specifically for incident response in AWS.

The important thing, they say, is to have a response plan in place, and the tools they’ve written can implement major portions of it, removing a lot of manual forensics work that can slow things down and give attackers more time to do damage. It frees humans from performing tasks where they could make errors, they say.

It can be difficult to locate AWS instances, making response more complicated. “AWS is global so it’s hard to find an instance that’s compromised,” McCormack says.

Here’s a brief description of the four tools. They are available from the researchers’ ThreatResponse project on GitHub (github.com/ThreatResponse).

Margarita Shotgun: This tool automates gathering memory from remote systems, whether they are enterprise-owned or AWS instances. It streams the captured memory over SSH to the workstation of the security pro investigating the incident, where it can be saved to disk or diverted to an Amazon S3 bucket. Hosts are acquired in parallel using the Python multiprocessing library so the data is collected as quickly as possible, shortening the window in which compromised instances have to stay running.

The idea is to have a plan for reacting to an incident and to have it automated so valuable evidence isn’t accidentally lost in the heat of the moment.
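The pattern Margarita Shotgun automates, as an added example that is not the tool's own code: fan the acquisition out across processes, stream each host's memory in chunks, hash it as it arrives so the manifest covers exactly the bytes written, and clean up partial captures from hosts that fail. The SSH transport is replaced here by a constructed in-memory source (`SAMPLE_MEMORY`, `read_remote_memory` and `UNREACHABLE` are all hypothetical) so the code runs offline.

```python
"""Parallel memory acquisition with streaming integrity hashing.

Added example, not code from Margarita Shotgun or the ThreatResponse project.
Assumptions (hypothetical): the real tool pulls each host's memory over SSH and
can write it to disk or to S3; here the SSH transport is replaced by a
constructed in-memory source so the code runs offline. The fan-out across
processes, chunked streaming, per-host manifest and cleanup on failure are the
point.
"""
import hashlib
import multiprocessing
import os
import tempfile
from typing import Dict, Iterator, List, Tuple

CHUNK_SIZE = 4096

# Constructed sample "memory images" standing in for the remote hosts' RAM.
SAMPLE_MEMORY: Dict[str, bytes] = {
    "10.0.1.10": bytes(range(256)) * 40,           # 10240 bytes
    "10.0.1.11": b"kernel page contents\n" * 500,  # 10500 bytes
}
UNREACHABLE = "10.0.1.12"  # constructed: a host whose SSH session fails


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_remote_memory(host: str) -> Iterator[bytes]:
    """Hypothetical stand-in for the SSH-streamed capture.

    The real tool runs the acquisition on the host and reads its output over
    SSH; this reader serves the constructed sample in CHUNK_SIZE pieces and
    raises ConnectionError for a host it cannot reach.
    """
    if host not in SAMPLE_MEMORY:
        raise ConnectionError(f"ssh to {host} failed")
    image = SAMPLE_MEMORY[host]
    for offset in range(0, len(image), CHUNK_SIZE):
        yield image[offset:offset + CHUNK_SIZE]


def acquire_host(job: Tuple[str, str]) -> Dict:
    """Stream one host's memory to disk, hashing it as it arrives.

    Hashing during the stream means the manifest digest covers exactly the
    bytes written, with no second pass over the image. A partial file is
    removed on failure so it cannot later be mistaken for a complete capture.
    """
    host, out_dir = job
    dest = os.path.join(out_dir, f"{host}.mem")
    digest = hashlib.sha256()
    size = 0
    try:
        with open(dest, "wb") as fh:
            for chunk in read_remote_memory(host):
                fh.write(chunk)
                digest.update(chunk)
                size += len(chunk)
    except ConnectionError as exc:
        if os.path.exists(dest):
            os.remove(dest)
        return {"host": host, "ok": False, "error": str(exc)}
    return {"host": host, "ok": True, "path": dest,
            "bytes": size, "sha256": digest.hexdigest()}


def acquire_all(hosts: List[str], out_dir: str, workers: int = 4) -> Dict[str, Dict]:
    """Acquire every host in parallel (one worker process per host, capped at
    `workers`) and return a manifest keyed by host."""
    if not hosts:
        return {}
    with multiprocessing.Pool(processes=min(workers, len(hosts))) as pool:
        results = pool.map(acquire_host, [(h, out_dir) for h in hosts])
    return {r["host"]: r for r in results}


def run_sample_acquisition(workers: int = 2) -> Dict[str, Dict]:
    """Acquire the constructed sample hosts plus one unreachable host into a
    fresh temporary directory and return the manifest."""
    out_dir = tempfile.mkdtemp(prefix="memcap-")
    return acquire_all(list(SAMPLE_MEMORY) + [UNREACHABLE], out_dir, workers)


if __name__ == "__main__":
    for host, record in run_sample_acquisition().items():
        print(host, record)
```

The manifest's per-host SHA-256 is what goes into the case file; record it at acquisition time, not after the image has been copied around. Diverting to S3 instead of local disk only changes the sink inside `acquire_host` (a multipart upload in place of the file handle); the streaming and hashing stay the same.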

AWS-IR: This tool automates evidence gathering and mitigation during an incident and has three distinct commands. The first, host compromise, moves the compromised instance into a restrictive security group, cutting the attacker's access to it (connections AWS is already tracking are not necessarily dropped by a security-group change, so the shutdown at the end of the sequence is the backstop). It then snapshots the attached volumes, captures memory, collects instance metadata and gathers console output; memory is captured before shutdown because stopping the instance discards it. Once the data is gathered, it shuts down the instance.

The second command, key compromise, disables a compromised AWS access key. The third, create workstation, launches a separate workstation instance on which to analyze what actions an attacker may have taken with the key.
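The host-compromise sequence as a playbook in code, as an added example rather than AWS-IR's own implementation. It uses the boto3 EC2 client method names (`create_security_group`, `revoke_security_group_egress`, `modify_instance_attribute`, `create_snapshot`, `get_console_output`, `stop_instances`), but the client passed in is a constructed fake (`FakeEC2`, hypothetical) that records calls and returns canned responses so the playbook runs offline; the memory-capture step is a hypothetical callable supplied by the caller. The points it makes explicit are that the isolation group replaces the instance's group list rather than adding to it, that the default allow-all egress rule is revoked, and that memory is captured before the stop.

```python
"""Host-compromise playbook: isolate, preserve, record, then stop.

Added example, not AWS-IR's own code. It implements the sequence the article
describes using the boto3 EC2 client method names; the client used below is a
constructed fake (FakeEC2) so it runs offline, and the memory-capture step is
a hypothetical callable the caller supplies.
"""
from typing import Callable, Dict, List

# Matches the default allow-all egress rule a new security group is created with.
ALL_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def isolate_instance(ec2, instance_id: str, vpc_id: str, case_id: str) -> str:
    """Move the instance into a fresh security group with no inbound rules and
    the default egress rule revoked. Replacing the group list (rather than
    adding to it) is what removes the attacker's existing allow rules."""
    sg_id = ec2.create_security_group(GroupName=f"isolation-{case_id}",
                                      Description="incident isolation",
                                      VpcId=vpc_id)["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=ALL_EGRESS)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return sg_id


def handle_host_compromise(ec2, instance_id: str, case_id: str,
                           capture_memory: Callable[[str], str]) -> Dict:
    """Run the playbook and return an evidence record for the case file."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    record: Dict = {"case": case_id, "instance": instance_id, "steps": [], "snapshots": []}
    record["isolation_sg"] = isolate_instance(ec2, instance_id, inst["VpcId"], case_id)
    record["steps"].append("isolate")
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"{case_id} {instance_id} {vol}")
        record["snapshots"].append(snap["SnapshotId"])
    record["steps"].append("snapshot")
    # RAM is lost when the instance stops, so memory is captured before stop_instances.
    record["memory_image"] = capture_memory(inst["PrivateIpAddress"])
    record["steps"].append("memory")
    record["metadata"] = {k: inst.get(k) for k in ("ImageId", "InstanceType", "LaunchTime", "IamInstanceProfile")}
    record["console_output"] = ec2.get_console_output(InstanceId=instance_id).get("Output", "")
    record["steps"].append("metadata")
    ec2.stop_instances(InstanceIds=[instance_id])
    record["steps"].append("stop")
    return record


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2'): records the calls made and
    returns canned responses in the same shape as the real API."""
    def __init__(self) -> None:
        self.calls: List[str] = []
        self.groups = {"i-0abc123": ["sg-web"]}
        self.state = {"i-0abc123": "running"}

    def describe_instances(self, **kw):
        self.calls.append("describe_instances")
        return {"Reservations": [{"Instances": [{
            "InstanceId": "i-0abc123", "VpcId": "vpc-1", "PrivateIpAddress": "10.0.1.10",
            "ImageId": "ami-0123456789abcdef0", "InstanceType": "t3.small",
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-1"}}, {"Ebs": {"VolumeId": "vol-2"}}]}]}]}

    def create_security_group(self, **kw):
        self.calls.append("create_security_group")
        return {"GroupId": "sg-isolation"}

    def revoke_security_group_egress(self, **kw):
        self.calls.append("revoke_security_group_egress")
        return {"Return": True}

    def modify_instance_attribute(self, **kw):
        self.calls.append("modify_instance_attribute")
        self.groups[kw["InstanceId"]] = kw["Groups"]
        return {}

    def create_snapshot(self, **kw):
        self.calls.append("create_snapshot")
        return {"SnapshotId": "snap-" + kw["VolumeId"]}

    def get_console_output(self, **kw):
        self.calls.append("get_console_output")
        return {"Output": "login: root\n"}

    def stop_instances(self, **kw):
        self.calls.append("stop_instances")
        for i in kw["InstanceIds"]:
            self.state[i] = "stopping"
        return {}


def run_demo():
    """Run the playbook against the fake client; returns (record, client)."""
    ec2 = FakeEC2()
    record = handle_host_compromise(ec2, "i-0abc123", "case-42",
                                    capture_memory=lambda ip: f"s3://evidence/case-42/{ip}.mem")
    return record, ec2


if __name__ == "__main__":
    print(run_demo()[0])
```

Against a real account, `FakeEC2()` becomes `boto3.client("ec2", region_name=...)` and `capture_memory` becomes the SSH acquisition; the call order does not change. The responder's credentials need only the EC2 actions named above, which is the least-privilege set for this playbook.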

ThreatResponse Web: This tool can gather and analyze data relevant to incidents, and, if it seems that other instances are involved in an incident, can pull in information from them as well. The tool provides both a memory view and a disk-analysis view that are available on the workstation designated to perform the investigation.

The ThreatResponse Web dashboard shows which geographic region of the AWS global network relevant instances are running in and what types of Amazon Machine Images they are running.

ThreatPrep: Designed to help harden AWS deployments before an incident, this tool finds places where security could be improved and where more forensic evidence should be collected routinely. It checks whether S3 buckets have logging and versioning enabled and whether public read and write access is blocked, whether multi-factor authentication is turned on for the identity and access management (IAM) identities in the account, and whether flow logs are enabled for the account's virtual private clouds (VPCs).
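The checks ThreatPrep is described as running, written out as an added example that is not the tool's code. Each check takes a dict shaped like the boto3 response it would be given (`get_bucket_logging`, `get_bucket_versioning`, `get_bucket_acl`, `get_account_summary`, `get_credential_report`, `describe_flow_logs`), which is where the traps are: logging and versioning are reported by an absent key rather than a false value, "Suspended" versioning is not "Enabled", and public access shows up as ACL grants to the AllUsers or AuthenticatedUsers group URIs. The responses in `SAMPLE` are constructed, and the credential report is cut down to the columns used.

```python
"""Posture checks of the kind ThreatPrep runs, over API-shaped responses.

Added example, not ThreatPrep's code. Each check takes a dict shaped like the
boto3 response it would normally be given; the responses in SAMPLE are
constructed so the checks run offline, and the credential report is cut down
to the columns used here.
"""
import csv
import io
from typing import Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def check_bucket(name: str, logging_resp: Dict, versioning_resp: Dict, acl_resp: Dict) -> List[str]:
    findings = []
    # get_bucket_logging returns no LoggingEnabled key at all when logging is off.
    if "LoggingEnabled" not in logging_resp:
        findings.append(f"{name}: access logging disabled")
    # get_bucket_versioning omits Status on never-versioned buckets; "Suspended" is not good enough.
    if versioning_resp.get("Status") != "Enabled":
        findings.append(f"{name}: versioning not enabled")
    for grant in acl_resp.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            who = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {grant['Permission']} to {who}")
    return findings


def check_root_mfa(summary_resp: Dict) -> List[str]:
    # get_account_summary reports AccountMFAEnabled as 1 when the root user has MFA.
    if summary_resp["SummaryMap"].get("AccountMFAEnabled") == 1:
        return []
    return ["root account: MFA not enabled"]


def check_user_mfa(report_csv: bytes) -> List[str]:
    """Users with a console password but no MFA device, from the IAM credential report."""
    rows = csv.DictReader(io.StringIO(report_csv.decode()))
    return [f"{r['user']}: console password without MFA"
            for r in rows if r["password_enabled"] == "true" and r["mfa_active"] == "false"]


def check_flow_logs(vpc_ids: List[str], flow_logs_resp: Dict) -> List[str]:
    # A flow log that exists but is not ACTIVE is not collecting anything.
    covered = {fl["ResourceId"] for fl in flow_logs_resp.get("FlowLogs", [])
               if fl.get("FlowLogStatus") == "ACTIVE"}
    return [f"{v}: no active VPC flow log" for v in vpc_ids if v not in covered]


# Constructed sample responses (not from a real account).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}
SAMPLE = {
    "buckets": {
        "audit-logs": ({"LoggingEnabled": {"TargetBucket": "audit-archive", "TargetPrefix": "s3/"}},
                       {"Status": "Enabled"}, {"Grants": [OWNER]}),
        "www-assets": ({}, {"Status": "Suspended"},
                       {"Grants": [OWNER,
                                   {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
                                   {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"}]}),
    },
    "account_summary": {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}},
    "credential_report": (b"user,arn,password_enabled,mfa_active\n"
                          b"<root_account>,arn:aws:iam::123456789012:root,not_supported,false\n"
                          b"alice,arn:aws:iam::123456789012:user/alice,true,true\n"
                          b"bob,arn:aws:iam::123456789012:user/bob,true,false\n"
                          b"svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,false\n"),
    "vpcs": ["vpc-1", "vpc-2"],
    "flow_logs": {"FlowLogs": [{"ResourceId": "vpc-1", "FlowLogStatus": "ACTIVE"},
                               {"ResourceId": "vpc-2", "FlowLogStatus": "INACTIVE"}]},
}


def run_checks(data: Dict = SAMPLE) -> List[str]:
    """Run every check over the supplied responses and return the findings in order."""
    findings: List[str] = []
    for name, (logging_resp, versioning_resp, acl_resp) in data["buckets"].items():
        findings += check_bucket(name, logging_resp, versioning_resp, acl_resp)
    findings += check_root_mfa(data["account_summary"])
    findings += check_user_mfa(data["credential_report"])
    findings += check_flow_logs(data["vpcs"], data["flow_logs"])
    return findings


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

Bucket ACLs are only one route to public access; a bucket policy with a wildcard principal opens a bucket just as effectively, so a production version of this check should inspect `get_bucket_policy` output as well.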

Stories by Tim Greene