Cloud Incident Response in AWS
Details
Cloud Incident Response in AWS, delivered by Mark O'Halloran, who is a Security Operations Analyst @ Huntress.
💻This will be interactive so bring your laptops if you have one!
Description of the event from Mark
TLDR Version:
- A foundational understanding of AWS services relevant to attackers and defenders.
- Real-world examples of how cloud environments are abused.
- How to triage GuardDuty alerts and pivot into a detailed CloudTrail investigation.
- A walkthrough on investigating a simulated incident, building timelines and mapping activity to the MITRE Cloud Matrix.
- Hands-on exercise with CloudTrail and Athena.
If possible, please have an AWS account already set up before the workshop.
Descriptive Version
With many organisations shifting the vast majority of their infrastructure to cloud platforms, security teams are being forced to adapt to an entirely new paradigm. Cloud environments operate on fundamentally different principles from traditional on-premises networks, introducing new services, new configurations and, unfortunately, new opportunities for attackers.
This rapid shift often leads to misconfigurations and visibility gaps, and when a breach occurs, traditional security teams are often left asking: Where do we even begin?
In my talk, I'll guide the audience through a practical, experience-driven look at incident response in AWS. We'll start with a brief introduction to AWS: what it is, the core services defenders need to understand, and why attackers would even care about targeting it. I'll share some real-world examples of AWS compromises that I've encountered in my work as a Cloud Detection and Response Analyst at Rapid7, including SES hijacking, data destruction in S3 buckets and cryptomining.
The main focus of the session is the actual investigation phase rather than security best practices/hardening. We’ll look at how incidents are typically discovered with a focus on AWS GuardDuty and how to use those alerts as a starting point for deeper investigation. I will share how to pivot into AWS CloudTrail and use tools like Amazon Athena to build a timeline of attacker activity across services.
We'll map findings to the MITRE ATT&CK framework for cloud environments, helping investigators identify tactics like privilege escalation, credential access and lateral movement. I will also touch on the business impact, both financial and reputational, that cloud compromises can entail.
The talk will eventually lead into the hands-on portion of the workshop. In this section attendees will download CloudTrail logs, upload them to S3 in their personal AWS account and then use Athena themselves to investigate a series of simulated incidents.
Attendees must have their own AWS account to take part in the hands-on investigation portion of the workshop. Setting up an AWS account is very quick and easy and can be done in under 5 minutes.
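The GuardDuty-to-CloudTrail pivot and the Athena-over-S3 setup described above, as an added example for this page (not workshop material and not Mark's own queries). It assumes the logs have been uploaded under the standard `AWSLogs/<account-id>/CloudTrail/` prefix; the bucket name, account ID, access key ID and time window are placeholders you replace with the values from your own finding.

```sql
-- Added example (not from the workshop). Athena DDL for CloudTrail logs
-- uploaded to your own S3 bucket, plus the queries used once a GuardDuty
-- finding hands you an access key. Bucket, account ID, key ID and time
-- window below are placeholders.

CREATE EXTERNAL TABLE IF NOT EXISTS cloudtrail_logs (
    eventversion STRING,
    useridentity STRUCT<
        type: STRING,
        principalid: STRING,
        arn: STRING,
        accountid: STRING,
        invokedby: STRING,
        accesskeyid: STRING,
        username: STRING,
        sessioncontext: STRUCT<
            attributes: STRUCT<
                mfaauthenticated: STRING,
                creationdate: STRING>,
            sessionissuer: STRUCT<
                type: STRING,
                principalid: STRING,
                arn: STRING,
                accountid: STRING,
                username: STRING>>>,
    eventtime STRING,
    eventsource STRING,
    eventname STRING,
    awsregion STRING,
    sourceipaddress STRING,
    useragent STRING,
    errorcode STRING,
    errormessage STRING,
    requestparameters STRING,
    responseelements STRING,
    requestid STRING,
    eventid STRING,
    readonly STRING,
    eventtype STRING,
    recipientaccountid STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://my-ir-workshop-logs/AWSLogs/123456789012/CloudTrail/';  -- placeholder bucket/account

-- 1. Timeline: every call made with the access key named in the finding,
--    in order. Keep failed calls; errorcode is where enumeration and
--    privilege-escalation attempts show up. For a temporary key (ASIA...)
--    sessionissuer.arn names the role that was assumed.
SELECT eventtime,
       eventsource,
       eventname,
       awsregion,
       sourceipaddress,
       useragent,
       errorcode,
       useridentity.arn AS principal_arn,
       useridentity.sessioncontext.sessionissuer.arn AS role_arn
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'ASIAEXAMPLEKEYID'           -- placeholder
  AND eventtime BETWEEN '2024-05-01T00:00:00Z' AND '2024-05-03T00:00:00Z'
ORDER BY eventtime;

-- 2. Widen the net: any other principals used from the same source IPs
--    in the window (lateral movement to other keys or roles).
SELECT sourceipaddress,
       useridentity.arn AS principal_arn,
       MIN(eventtime) AS first_seen,
       MAX(eventtime) AS last_seen,
       COUNT(*) AS calls
FROM cloudtrail_logs
WHERE sourceipaddress IN (
        SELECT DISTINCT sourceipaddress
        FROM cloudtrail_logs
        WHERE useridentity.accesskeyid = 'ASIAEXAMPLEKEYID')
  AND eventtime BETWEEN '2024-05-01T00:00:00Z' AND '2024-05-03T00:00:00Z'
GROUP BY sourceipaddress, useridentity.arn
ORDER BY first_seen;

-- 3. Summary by service and API, the raw material for mapping the
--    activity onto ATT&CK cloud tactics and techniques.
SELECT eventsource,
       eventname,
       COUNT(*) AS calls,
       COUNT_IF(errorcode IS NOT NULL) AS failed
FROM cloudtrail_logs
WHERE useridentity.accesskeyid = 'ASIAEXAMPLEKEYID'
GROUP BY eventsource, eventname
ORDER BY calls DESC;
```

Two checks worth doing before trusting the timeline: confirm the table's LOCATION prefix actually contains the gzipped `.json.gz` objects you uploaded (an empty result is usually a wrong prefix, not a clean key), and remember that `eventtime` is a string, so the BETWEEN bounds must be full ISO 8601 timestamps in UTC for the lexical comparison to be correct.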
