Four free tools for handling Amazon Web Services security incident response

Researchers presented four tools at Black Hat 2016 that they wrote specifically to deal with incident response in AWS.

Responding to security incidents that involve deployments within Amazon Web Services is a lot different from responding to incidents that happen on corporate-owned gear, and two researchers have come up with free tools to make that process easier.

Obtaining forensic evidence is different, primarily because security pros can’t obtain physical access to the machines on which their AWS instances are running.

+More on Network World: Black Hat: 9 free security tools for defense & attacking+

But using AWS’s API software developer’s kit or its command line interface, customers can write their own tools for creating forensic images of disk instances that have been compromised, say Andrew Krug and Alex McCormack. The pair of researchers presented four tools at Black Hat 2016 that they wrote specifically to deal with incident response in AWS.

The important thing, they say, is to have a response plan in place, and the tools they’ve written can implement major portions of it, removing a lot of manual forensics work that can slow things down and give attackers more time to do damage. It frees humans from performing tasks where they could make errors, they say.

It can be difficult to locate AWS instances, making response more complicated. “AWS is global so it’s hard to find an instance that’s compromised,” McCormack says.

Here’s a brief description of the four tools. You can download them here.

Margarita Shotgun: This tool automates gathering memory from remote systems whether they are owned by the enterprise or are provided through AWS. It streams the captured memory via SSH to the work station of the security pro investigating the incident. The data can be saved to disk or diverted to an AWS s3 storage bucket. The process is done in parallel using the Python multiprocessing library so the data can be acquired as quickly as possible, reducing the time that compromised instances remain active.

The idea is to have a plan for reacting to an incident and to have it automated so valuable evidence isn’t accidentally lost in the heat of the moment.

AWS-IR: This automates gathering of evidence in an incident and mitigates the attack and has three distinct commands. The first, host compromise, assigns the compromised instance to a very secure group, which cuts any active links to the attacker. It takes a snapshot of attached volumes, captures memory, collects instance metadata and gathers console output. Once the data is gathered, it shuts down the instance.

The second command, key compromise, triggers the disabling of a compromised AWS access key. The third command, create workstation, creates a separate workstation instance for analyzing what actions attackers might have taken by using the key.

ThreatResponse Web: This tool can gather and analyze data relevant to incidents, and, if it seems that other instances are involved in an incident, can pull in information from them as well. The tool provides both a memory view and a disk-analysis view that are available on the workstation designated to perform the investigation.

The ThreatResponse Web dashboard shows which geographic region of the AWS global network relevant instances are running in and what types of Amazon Machine Images they are running.

ThreatPrep: Designed to help better defend AWS instances, this tool finds places where security could be improved and areas where the amount of forensic evidence that is routinely gathered should be increased. It checks things including whether s3 storage buckets have logging and versioning enabled and whether public reading and writing are disallowed. It determines whether multi-factor authentication is turned on for identity and access management associated with the AWS account. And it looks at whether flow logs are enabled for virtual private clouds.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Amazon Web Servicesblack hat

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?