Bruges, Belgium from the top of the Belfort - June 2023

Incident Response in AWS

Last year, I did a two-day training at BSides Augusta focused on conducting incident response in AWS. I had fun, the students gave me positive feedback, and BSides Augusta has invited me back to do it again.

The scenario is a multi-pronged attack against Fooli. Fooli and the Fooli meme factory are the fake company and applications I’ve created and used for a few scenarios and demos, including the last two years of the SE CCDC. For this class, I expanded it to resemble a real startup with multiple meme factory accounts for dev, test, and production, a developer sandbox, AWS Organizations, and a dedicated security account. This allows me to set up a semi-enterprise configuration for Fooli and allows us to track an attacker as they pivot across accounts.

We cover using CloudTrail, CloudTrail data events, VPC Flow Logs, GuardDuty, Athena, Splunk, IAM Access Analyzer, Macie, and last year I threw in Steampipe as a way to gather inventory across the org and generate lookup tables for Splunk. There are also sections on forensics for EC2, containers, and AWS Lambda. We cover the IR phases of preparation, identification, containment, and eradication.

This year, I want to introduce another SIEM (maybe OpenSearch, Matano, or Panther). I want to make the class more interactive by adding a CTF around multiple unrelated compromises. Since Fooli is a vulnerable-by-design application, I want to show how to close the exploited security misconfigurations via CI/CD. Much of Fooli was converted to Terraform and ported to CodePipeline as part of the SE CCDC work.

I envision this class as a way to help folks working in incident response prepare for and respond to an AWS compromise. It’s not intended to teach you how to set everything up, although I will refer to blog posts and IaC artifacts where appropriate. We cover the services from the perspective of why you need them, when to use them, and the cost/efficacy tradeoffs involved.

The training is on October 4th and 5th at the Georgia CyberCenter in Augusta, GA. The cost is $899, which includes my class, a ticket to BSides Augusta on October 7th, and the Security Onion conference on October 6th. Here are the links to the full course description and sign-up page.