Four free tools for handling Amazon Web Services security incident response

Researchers presented four tools at Black Hat 2016 that they wrote specifically to deal with incident response in AWS.

Responding to security incidents that involve deployments within Amazon Web Services is a lot different from responding to incidents that happen on corporate-owned gear, and two researchers have come up with free tools to make that process easier.

Gathering forensic evidence is where the difference is sharpest, because responders cannot get physical access to the machines on which their AWS instances run: the hardware and hypervisor belong to Amazon.


But using the AWS software development kit (SDK) or its command-line interface (CLI), customers can write their own tools to create forensic images of the volumes attached to compromised instances, say Andrew Krug and Alex McCormack. The pair presented four tools at Black Hat 2016 that they wrote specifically for incident response in AWS.

The important thing, they say, is to have a response plan in place, and the tools they have written can implement major portions of it, removing much of the manual forensics work that slows a response and gives attackers more time to do damage. Automating those steps also frees humans from tasks where they could make errors, they say.

It can be difficult to locate AWS instances, making response more complicated. “AWS is global so it’s hard to find an instance that’s compromised,” McCormack says.

Here's a brief description of the four tools, all of which are released as free downloads.

Margarita Shotgun: This tool automates gathering memory from remote systems, whether they are enterprise-owned machines or AWS instances. It streams the captured memory over SSH to the workstation of the investigator handling the incident, where it can be saved to disk or diverted to an Amazon S3 bucket. Acquisition runs in parallel across hosts using the Python multiprocessing library so the data is collected as quickly as possible, reducing the time that compromised instances remain active.

The idea is to have a plan for reacting to an incident and to have it automated so valuable evidence isn’t accidentally lost in the heat of the moment.

AWS-IR: This automates evidence gathering during an incident and mitigates the attack, through three distinct commands. The first, host compromise, moves the compromised instance into a locked-down quarantine security group, which cuts any active links to the attacker. It then takes a snapshot of the attached volumes, captures memory, collects instance metadata and gathers console output. Only once that data is gathered does it shut the instance down, since stopping an instance discards its memory.

The second command, key compromise, disables a compromised AWS access key. The third, create workstation, launches a separate workstation instance for analyzing what actions the attacker may have taken with that key.
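The host-compromise and key-compromise commands described above, reconstructed as an added example (this is not AWS-IR's own code): the steps call boto3's EC2 and IAM client methods in the order the article gives, with the clients passed in as parameters so that a small recording stand-in can run the whole flow offline. The instance, volume, security-group and access-key identifiers, the case id and the `capture_memory` hook are all assumptions, not values from the page.

```python
"""Host- and key-compromise runbook in the shape of the AWS-IR commands.
Added example, not AWS-IR's code: boto3 method names, clients passed in so the
RecordingClient below can exercise it offline. All ids in demo() are constructed."""
from datetime import datetime, timezone

METADATA_KEYS = ("ImageId", "InstanceType", "LaunchTime", "PrivateIpAddress",
                 "PublicIpAddress", "VpcId", "SubnetId", "IamInstanceProfile")


def host_compromise(ec2, instance_id, quarantine_sg, capture_memory, case_id):
    """Isolate, preserve, then stop a compromised instance; returns the evidence record.
    quarantine_sg  -- security group permitting only the responder's SSH source.
                      Memory is captured over SSH *after* isolation, so an empty
                      group would lock the responder out too.
    capture_memory -- callable(private_ip) -> location of the dump; plug the
                      acquisition tool (e.g. Margarita Shotgun) in here.
    """
    ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    evidence = {"case_id": case_id, "instance_id": instance_id, "acquired_at": ts}

    # 1. Isolate first: replacing every security group drops the attacker's path in.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])

    # 2. Record what the instance is before anything else changes.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    evidence["metadata"] = {k: inst.get(k) for k in METADATA_KEYS}

    # 3. Snapshot every attached EBS volume and tag each snapshot with the case id.
    evidence["snapshots"] = []
    for m in inst.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(
            VolumeId=m["Ebs"]["VolumeId"],
            Description=f"{case_id} {instance_id} {m['DeviceName']} {ts}")
        ec2.create_tags(Resources=[snap["SnapshotId"]],
                        Tags=[{"Key": "CaseId", "Value": case_id}])
        evidence["snapshots"].append(snap["SnapshotId"])

    # 4. Memory and console output come before power-off: stopping discards RAM.
    evidence["memory_dump"] = capture_memory(inst["PrivateIpAddress"])
    evidence["console_output"] = ec2.get_console_output(
        InstanceId=instance_id).get("Output", "")

    # 5. Stop, never terminate: termination deletes delete-on-termination volumes.
    ec2.stop_instances(InstanceIds=[instance_id])
    return evidence


def key_compromise(iam, user_name, access_key_id):
    """Deactivate rather than delete the key, so its id still resolves in CloudTrail queries."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id,
                          Status="Inactive")
    return {k["AccessKeyId"]: k["Status"]
            for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}


class RecordingClient:
    """Stand-in for a boto3 client: records every call, returns canned responses."""

    def __init__(self, responses):
        self.calls = []
        self._responses = responses

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self._responses.get(name, {})
        return call


def demo():
    """Run both commands against constructed responses; returns (evidence, calls, keys)."""
    ec2 = RecordingClient({
        "describe_instances": {"Reservations": [{"Instances": [{
            "ImageId": "ami-0constructed", "InstanceType": "t3.micro",
            "PrivateIpAddress": "10.0.1.25", "VpcId": "vpc-0constructed",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}}]}]}]},
        "create_snapshot": {"SnapshotId": "snap-0constructed"},
        "get_console_output": {"Output": "[    0.000000] Linux version (constructed)"},
    })
    iam = RecordingClient({"list_access_keys": {"AccessKeyMetadata": [
        {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Inactive"}]}})
    evidence = host_compromise(
        ec2, "i-0123456789abcdef0", "sg-0quarantine",
        capture_memory=lambda ip: f"s3://ir-evidence/CASE-42/{ip}.mem",
        case_id="CASE-42")
    keys = key_compromise(iam, "deploy-user", "AKIAIOSFODNN7EXAMPLE")
    return evidence, ec2.calls, keys


if __name__ == "__main__":
    import json
    ev, calls, keys = demo()
    print(json.dumps(ev, indent=2, default=str))
    print([name for name, _ in calls], keys)
```

Two details of the ordering are worth keeping when adapting this: the quarantine group must still admit the responder's SSH source, because memory is pulled over SSH after isolation; and the stop comes last because it discards RAM. Terminating instead of stopping would also delete any volume marked delete-on-termination, which on most AMIs includes the root volume.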

ThreatResponse Web: This tool gathers and analyzes data relevant to an incident and, if other instances appear to be involved, can pull in information from them as well. It provides both a memory view and a disk-analysis view on the workstation designated to perform the investigation.

The ThreatResponse Web dashboard shows which AWS region each relevant instance is running in and which Amazon Machine Image it was launched from.

ThreatPrep: Designed to make AWS accounts more defensible before an incident, this tool finds places where security could be improved and where the amount of forensic evidence gathered routinely should be increased. It checks whether S3 buckets have logging and versioning enabled and whether public read and write access are disallowed; whether multi-factor authentication is turned on for the identity and access management (IAM) identities associated with the account; and whether flow logs are enabled for virtual private clouds (VPCs).
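The four ThreatPrep checks listed above, as an added example (not ThreatPrep's code) written against the response dictionaries boto3 returns, so the logic can be exercised offline. The bucket names, account id, user names and VPC ids in `demo()` are constructed, and `audit()` shows the same checks wired to live `s3`, `iam` and `ec2` clients.

```python
"""Posture checks of the kind ThreatPrep performs, written against the response
shapes boto3 returns. Added example, not ThreatPrep's code; every response and
identifier used in demo() is constructed."""
import csv
import io

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def check_bucket(name, logging_resp, versioning_resp, acl_resp):
    """One bucket: takes the dicts from get_bucket_logging, get_bucket_versioning
    and get_bucket_acl and returns a list of findings."""
    findings = []
    if "LoggingEnabled" not in logging_resp:        # key is absent when logging is off
        findings.append(f"s3:{name}: server access logging is off")
    if versioning_resp.get("Status") != "Enabled":  # absent (never set) or "Suspended"
        findings.append(f"s3:{name}: versioning is not enabled")
    for grant in acl_resp.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append(f"s3:{name}: public {grant['Permission']} granted by ACL")
    return findings


def check_iam_mfa(summary_map, credential_report_csv):
    """Root MFA from get_account_summary()['SummaryMap']; per-user MFA from the
    CSV that get_credential_report()['Content'] decodes to."""
    findings = []
    if summary_map.get("AccountMFAEnabled") != 1:
        findings.append("iam:<root_account>: MFA is not enabled")
    for row in csv.DictReader(io.StringIO(credential_report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is covered by AccountMFAEnabled above
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"iam:{row['user']}: console password without MFA")
    return findings


def check_vpc_flow_logs(vpcs_resp, flow_logs_resp):
    """Every VPC from describe_vpcs() needs an ACTIVE flow log attached to the
    VPC itself; subnet- or ENI-level logs do not cover the whole VPC."""
    covered = {f["ResourceId"] for f in flow_logs_resp.get("FlowLogs", [])
               if f.get("FlowLogStatus") == "ACTIVE"}
    return [f"vpc:{v['VpcId']}: no active VPC-level flow log"
            for v in vpcs_resp.get("Vpcs", []) if v["VpcId"] not in covered]


def audit(s3, iam, ec2):
    """The same checks run against live boto3 clients."""
    findings = []
    for b in s3.list_buckets()["Buckets"]:
        n = b["Name"]
        findings += check_bucket(n, s3.get_bucket_logging(Bucket=n),
                                 s3.get_bucket_versioning(Bucket=n),
                                 s3.get_bucket_acl(Bucket=n))
    iam.generate_credential_report()  # async; retry get_credential_report until ready
    report = iam.get_credential_report()["Content"].decode()
    findings += check_iam_mfa(iam.get_account_summary()["SummaryMap"], report)
    findings += check_vpc_flow_logs(ec2.describe_vpcs(), ec2.describe_flow_logs())
    return findings


CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,2016-01-01T00:00:00+00:00,not_supported,false
alice,arn:aws:iam::111122223333:user/alice,2016-02-01T00:00:00+00:00,true,true
bob,arn:aws:iam::111122223333:user/bob,2016-03-01T00:00:00+00:00,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-04-01T00:00:00+00:00,false,false
"""  # constructed; the real report has more columns, which DictReader simply ignores


def demo():
    """Run every check over constructed responses and return the findings."""
    findings = check_bucket(
        "ir-evidence",
        {"LoggingEnabled": {"TargetBucket": "ir-logs", "TargetPrefix": "s3/"}},
        {"Status": "Enabled"},
        {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                     "Permission": "FULL_CONTROL"}]})
    findings += check_bucket(
        "www-assets", {}, {},
        {"Grants": [{"Grantee": {"Type": "Group",
                                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}]})
    findings += check_iam_mfa({"AccountMFAEnabled": 0}, CREDENTIAL_REPORT)
    findings += check_vpc_flow_logs(
        {"Vpcs": [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}]},
        {"FlowLogs": [{"ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE"},
                      {"ResourceId": "subnet-0ccc", "FlowLogStatus": "ACTIVE"}]})
    return findings


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The ACL check reflects what public access meant for S3 in 2016. Today a bucket policy can grant public access without any ACL grant, so the same audit should also read the bucket policy and the account's and bucket's S3 Block Public Access settings (`get_public_access_block`) before calling a bucket non-public.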


Tim Greene, Network World