Title: Cloud host base strategy by staging defensive tools for Threat Hunting and Forensics

Cloud instance forensic acquisition presents certain challenges to forensics teams. Traditional forensic methods usually are not effective in the cloud. Access and networks are designed differently than in an on-premise Data Center. Forward thinking strategies need to be implemented so that Incident Response Cyber teams can effectively use forensically sound methods to examine artifacts on hosts.

My talk is about how to prepare your organization for forensic acquisitions in a cloud infrastructure. I will quickly cover how to prepare a fleet of systems for memory and physical disk forensics. The targets are AWS EC2 instances but could be applied to any other cloud providers host provisioning infrastructure. I will focus on the process and infrastructure required to do this level of inspection. By the end you will be able to apply these strategies to activities such as Threat Hunting.

Many organizations struggle with implementing Threat Hunting programs with orchestration in mind to capture memory and disk level forensics. How does a Cyber team respond to an alert they receive from a cloud host? How can they quickly collect artifacts for further forensic inspection? Last, how can you best secure the forensics infrastructure from where you launch the orchestrated forensic examiner systems?

The first part of my talk will describe the infrastructure required to be in the place to support forensic orchestration. I will outline a strategy: servers, tools, storage, and protective measures to ensure that forensic activities are conducted behind a cloud of secrecy. Maintaining stealth mode is critically important to enabling the forensic team to do their job while the business is not impacted by the investigative activities.

In the second part, we will examine the pipeline process to implement solutions in EC2 instances with pre-configured memory and acquisition tools ready to be tapped into by the forensic team. I will discuss some of the challenges encountered when conducting forensics with the different AWS hypervisor solutions.

As a result, testing each design of the Linux instances with your forensics tools is an important part of the process. Do not expect the forensic tools to work seamlessly when the architecture teams switch fundamental infrastructure designs. Each phase of the AMI delivery pipeline needs to be tested and verified that the Cyber team can continue to perform their investigations without running into challenges during a real incident. Do not wait until forensics is really needed to only find out that the tools designed did not perform their job.


YouTube: https://www.youtube.com/watch?v=DSipgVlsAfo

#cloudv-general-text: https://discord.com/channels/7082082...33373172285520

Speaker(s): Michael Mimo

Location: Cloud Vlg

Discord: https://discord.com/channels/7082082...33373172285520

Event starts: 2020-08-09 11:00 (11:00 AM) PDT (UTC -07:00)

Event ends: 2020-08-09 11:45 (11:45 AM) PDT (UTC -07:00)

For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-08T05:43 (UTC).