Cloud Host Base Strategy by Staging Defensive Tools for Threat Hunting and Forensics - Michael Mimo
Blog: https://www.securitydevops.us.com/post/cloud-host-base-strategy-by-staging-defensive-tools-for-threat-hunting-and-forensics
Speaker: Michael Mimo is the Chief Security Officer at Copyright Clearance Center Inc. Prior to his current role, he was a lead Incident Response and Forensics investigator for a large US bank. He has been an Incident Responder in several major incidents. He is currently focused on Cloud Cyber Security research.
https://www.linkedin.com/in/michael-mimo-79a12b6/
Holds certifications in GCIH, GCFA, GCFE, GPEN
5+ years as Chief Security Officer at Copyright Clearance Center
20+ years in various Forensic and Cyber Security roles.
Presentation Engagements:
1. FireEye Cyber Defense Summit 2019 Keynote “Securing the Cloud” https://summit.fireeye.com/learn/mainstage.html#cloud
2. Information Security Summit MassBay Community college 2019 "Discussing Advanced Threat Detection & Vulnerability Management"
3. Information Security Summit MassBay Community college 2017 “Third Party Risk”
Twitter: https://twitter.com/securitydevops
Abstract: Cloud instance forensic acquisition presents certain challenges to forensics teams. Traditional forensic methods usually are not effective in the cloud. Access and networks are designed differently than in an on-premises Data Center. Forward-thinking strategies need to be implemented so that Incident Response Cyber teams can effectively use forensically sound methods to examine artifacts on hosts.
My talk is about how to prepare your organization for forensic acquisitions in a cloud infrastructure. I will quickly cover how to prepare a fleet of systems for memory and physical disk forensics. The targets are AWS EC2 instances but could be applied to any other cloud providers host provisioning infrastructure. I will focus on the process and infrastructure required to do this level of inspection. By the end you will be able to apply these strategies to activities such as Threat Hunting.
Many organizations struggle with implementing Threat Hunting programs with orchestration in mind to capture memory and disk level forensics. How does a Cyber team respond to an alert they receive from a cloud host? How can they quickly collect artifacts for further forensic inspection? Last, how can you best secure the forensics infrastructure from where you launch the orchestrated forensic examiner systems?
The first part of my talk will describe the infrastructure required to be in place to support forensic orchestration. I will outline a strategy: servers, tools, storage, and protective measures to ensure that forensic activities are conducted behind a cloud of secrecy. Maintaining stealth mode is critically important to enabling the forensic team to do their job while the business is not impacted by the investigative activities.
In the second part, we will examine the pipeline process to implement solutions in EC2 instances with pre-configured memory and disk acquisition tools ready to be tapped into by the forensic team. I will discuss some of the challenges encountered when conducting forensics with the different AWS hypervisor solutions.
For this reason, testing each design of the Linux instances with your forensics tools is an important part of the process. Do not expect the forensic tools to work seamlessly when the architecture teams switch fundamental infrastructure designs. Each phase of the AMI delivery pipeline needs to be tested to verify that the Cyber team can continue to perform their investigations without running into challenges during a real incident. Do not wait until forensics is really needed to find out that the tools you staged did not perform their job.
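The readiness check the paragraph above argues for, as an added example (not code from the talk or the speaker): a POSIX shell script that a pipeline stage could run on a freshly built instance to verify a staged forensic toolkit against a manifest of expected SHA-256 hashes and to confirm that a memory-acquisition kernel module build exists for the kernel release the image boots. The directory layout, the manifest format, the tool name `acquire-disk` and the module name `memdump.ko` are assumptions; the staging tree is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the talk: pre-incident readiness check for a
# staged forensic toolkit on a Linux instance (e.g. run as a pipeline stage
# after an AMI is built). Layout, manifest format and tool names are assumed.
set -u

# hash_file FILE -> prints the SHA-256 of FILE (coreutils, with BSD fallback)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_toolkit MANIFEST TOOLDIR
# MANIFEST lines look like: "<sha256>  <path relative to TOOLDIR>".
# Returns 0 only if every listed tool exists, is executable and matches its hash;
# prints one line per problem so the pipeline log shows what broke.
verify_toolkit() {
    manifest="$1"; tooldir="$2"; failures=0
    while read -r expected relpath; do
        [ -z "$expected" ] && continue          # skip blank lines
        path="$tooldir/$relpath"
        if [ ! -f "$path" ]; then
            echo "MISSING          $relpath"; failures=$((failures + 1)); continue
        fi
        if [ ! -x "$path" ]; then
            echo "NOT-EXECUTABLE   $relpath"; failures=$((failures + 1))
        fi
        if [ "$(hash_file "$path")" != "$expected" ]; then
            echo "HASH-MISMATCH    $relpath"; failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# module_matches_kernel MODDIR KERNEL_RELEASE
# A memory-acquisition kernel module only loads on the kernel it was built for,
# so the staging tree must carry a build for the release the AMI actually boots.
# (The module file name memdump.ko is an assumption.)
module_matches_kernel() {
    [ -f "$1/$2/memdump.ko" ]
}

# build_fixture DIR -> constructs a small staging tree and manifest for the demo
build_fixture() {
    mkdir -p "$1/bin" "$1/modules/5.10.0-demo"
    printf '#!/bin/sh\necho acquiring disk image\n' > "$1/bin/acquire-disk"
    chmod +x "$1/bin/acquire-disk"
    : > "$1/modules/5.10.0-demo/memdump.ko"
    printf '%s  bin/acquire-disk\n' "$(hash_file "$1/bin/acquire-disk")" > "$1/manifest"
}

# run_demo -> 0 if the checks pass on a clean tree AND catch a broken one
run_demo() {
    root=$(mktemp -d)
    build_fixture "$root"
    verify_toolkit "$root/manifest" "$root" || return 1
    module_matches_kernel "$root/modules" "5.10.0-demo" || return 1
    # A kernel release the pipeline never built for must be reported as not ready.
    if module_matches_kernel "$root/modules" "5.15.0-other"; then return 1; fi
    # Simulate a silently replaced or modified binary: the hash check must fail.
    echo 'echo tampered' >> "$root/bin/acquire-disk"
    if verify_toolkit "$root/manifest" "$root"; then return 1; fi
    rm -rf "$root"
    return 0
}

run_demo && echo "forensic toolkit readiness checks behave as expected"
```

In a real pipeline the manifest would be produced when the toolkit is built, stored with the other AMI build artifacts, and `module_matches_kernel` would be fed `uname -r` from the booted test instance; a failure of either check is the signal to stop the image from being promoted rather than discovering the gap during an incident.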
--
Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security. The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services.
If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share a similar zeal towards the community, Cloud Village is the perfect place for you.
Website: https://cloud-village.org/
Twitter: https://twitter.com/cloudvillage_dc
Video "Cloud Host Base Strategy by Staging Defensive Tools for Threat Hunting and Forensics - Michael Mimo" from the Cloud Village channel
No comments
Video information
15 August 2020, 22:27:34
Duration: 00:39:37