Unleash the Power in building an Incident Response Environment in AWS.

I wanted to go over building an incident response process using the AWS security tools, but before we can get into that, what exactly is incident response 🤔 Well, let's say you have a city to protect and enemy attackers have infiltrated behind your walls. How would you respond to such an attack? Incident response is your safety net, your secret weapon against the unexpected! It ensures that when trouble strikes, you're prepared to handle it like a pro. There are four steps in the incident response cycle: Preparation, Detection & Analysis, Containment Eradication & Recovery, and Post-incident Activity. I will go over each step along with the AWS services that can help in the process.


Preparation

In this phase, organizations create a plan to detect attacks and make sure they have the proper tools to remediate them. One AWS service that comes to mind when building out that incident management plan is AWS CloudTrail.

AWS CloudTrail

The first service I want to bring out is CloudTrail. CloudTrail takes center stage, capturing every thrilling moment of management event API calls. It unveils the secrets of who made the call, the exact timing of the action, the action itself, and even the resources that felt the impact. It's like having a front-row seat to the captivating drama unfolding behind the scenes of your AWS account.

Note that by default only management events are captured; if you want to keep track of data-plane activity such as Lambda function invocations, you have to turn on data events. Having a record of exactly what transpired in your environment is one of the most valuable things you can have in cloud security. You can even integrate CloudTrail with CloudWatch.

AWS CloudWatch

Enter AWS CloudWatch, the unsung hero of your cloud journey! It's not just a data collector for your AWS resources; it plays a crucial role in the preparation phase, actively monitoring and storing valuable information about your compute instances, databases, storage, and more. But here's the exciting part: CloudWatch doesn't stop at passive observation; it leaps into action with its alarm superpower! By seamlessly integrating CloudTrail logs with CloudWatch, you can set up alarms that trigger based on specific thresholds or conditions, ensuring that you stay one step ahead of any potential issues or disruptions in your cloud environment.

Now that you have an awesome understanding of preparation let's continue to Detection & Analysis 🔎!

Detection & Analysis

Now, let's dive into the thrilling second step of the incident response cycle. As a Level 2 SOC analyst, our mission is to detect those sneaky attacks in progress and gather the critical data needed to fight back. Picture us as digital detectives: we need to hunt for clues like the elusive Indicators of Compromise (IOCs) that reveal the nature of the attack and its impact on our precious systems, so we know how to remediate it!

AWS GuardDuty 💂🏾‍♀️

If you're looking for a way to improve the security of your AWS environment, I highly recommend giving GuardDuty a try. GuardDuty is like a security guard for your AWS account. It's always watching for suspicious activity, and it will let you know if it sees anything out of the ordinary. This way, you can take action to protect your account before any damage is done. It uses machine learning, anomaly detection, and threat intelligence to identify and prioritize potential threats. GuardDuty can detect a wide range of threats, including:

  • Unauthorized access attempts

  • Compromised instances

  • Data exfiltration

  • Malware

  • DDoS attacks

When GuardDuty detects a threat, it generates a security finding. Security findings include information about the threat, such as the source IP address, the destination IP address, and the time of the event. You can use security findings to investigate threats and take corrective action.

Containment Eradication & Recovery

Ladies and gentlemen, gather around, for this is the main performer in our show! We have Containment, which uses its methods to stop the chaos from spreading; Eradication, which removes the malware and prevents any future incidents; and last but not least, Recovery, the resilient tag teamer that rebuilds our systems from trusted backups, restoring order and triumphantly bringing us back to business. Now, there isn't exactly an AWS service, to my knowledge, that helps in this part of the cycle, but there are multiple guides and labs that can help you create a plan/playbook. One lab I recently went over during my studies for the AWS Security Specialty exam is:


It gives a short walkthrough that guides you through the following steps:

  1. Detach the compromised instance from the Auto Scaling group and tag it.

  2. Remove the EC2 instance's security group and attach a new security group that denies all traffic to the instance.

  3. Remove the IAM role from that EC2 instance.

  4. Create an AMI of the EC2 instance and a snapshot of its root volume for later analysis.
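As an added example (not code from the original post or from the lab it mentions), here are those four containment steps as a boto3 playbook. The instance ID, Auto Scaling group name and case ID are constructed placeholders, and the two clients are passed in as parameters so the playbook can be rehearsed offline with stand-ins before it is ever needed in anger.

```python
from datetime import datetime, timezone


def contain_instance(ec2, autoscaling, instance_id, asg_name, case_id):
    """Run the four containment steps against one compromised EC2 instance.

    `ec2` and `autoscaling` are boto3 clients (or stand-ins with the same method
    names). Returns the evidence artefacts created, for the incident ticket.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]

    # Step 1: take the instance out of the Auto Scaling group so it is neither terminated
    # nor health-replaced mid-investigation, and tag it as quarantined.
    autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg_name,
                                 ShouldDecrementDesiredCapacity=False)  # ASG launches a clean replacement
    ec2.create_tags(Resources=[instance_id], Tags=[{"Key": "IncidentStatus", "Value": "Quarantined"},
                                                   {"Key": "IncidentCase", "Value": case_id}])

    # Step 2: replace every security group with a fresh one. A new group has no inbound
    # rules; its default allow-all IPv4 egress rule is revoked so nothing can leave either.
    sg_id = ec2.create_security_group(GroupName=f"isolation-{instance_id}-{stamp}",
                                      Description=f"Quarantine for {case_id}", VpcId=inst["VpcId"])["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    # Step 3: detach the IAM role (instance profile). Credentials already served by the
    # metadata service stay valid until they expire, so this stops refresh, not reuse.
    assocs = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])["IamInstanceProfileAssociations"]
    for assoc in assocs:
        ec2.disassociate_iam_instance_profile(AssociationId=assoc["AssociationId"])

    # Step 4: preserve evidence. NoReboot keeps the running state untouched; the root
    # volume is picked by matching the instance's RootDeviceName, not by list position.
    ami_id = ec2.create_image(InstanceId=instance_id, Name=f"ir-{instance_id}-{stamp}",
                              NoReboot=True)["ImageId"]
    root = next(m for m in inst["BlockDeviceMappings"] if m["DeviceName"] == inst["RootDeviceName"])
    snap_id = ec2.create_snapshot(VolumeId=root["Ebs"]["VolumeId"],
                                  Description=f"Root volume of {instance_id}, {case_id}")["SnapshotId"]
    return {"security_group": sg_id, "image": ami_id, "snapshot": snap_id, "roles_removed": len(assocs)}


if __name__ == "__main__":
    import boto3  # only needed for a live run against a real account

    # Constructed placeholder IDs; replace with the real instance, ASG and ticket.
    print(contain_instance(boto3.client("ec2"), boto3.client("autoscaling"),
                           "i-0123456789abcdef0", "web-asg", "IR-0001"))
```

Because the live AWS calls are the only side effects, wiring the same function to a CloudWatch alarm or GuardDuty finding later is a matter of passing it the instance ID from the event.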