Digital Forensics and Incident Response in The Cloud
- 1. Digital Forensics and Incident Response in the Cloud
Dr. Michael Cohen, Velocidex Innovations.
https://www.velocidex.com/
Slides and materials on https://tinyurl.com/Auscert2018cloud
- 2. Outline
9am - 9:45am: Get Cloud Console working, create first project.
10am - 10:45am: Explore the cloud APIs.
11am - 12pm: Build and deploy first Kubernetes App.
12pm - 1pm: Lunch
1pm - 1:45pm: Respond to Kubernetes application compromise.
2pm - 2:45pm: Deploy GRR/Velociraptor everywhere.
3pm - 3:45pm: Hunt with GRR.
- 4. Moving to the cloud!
Your company decided to deploy their business to the cloud...
- 5. Non-cloud environments
✘ Deploying compute resources takes weeks
✘ Central security administration
✘ Central inventory
✘ Standard Operating Environment.
Cloud Security
Cloud Environments
✘ Teams can create and destroy compute resources in minutes
✘ Typically no central control - VMs are provided by third parties.
- 8. What is a project?
What is a resource hierarchy?
- 9. What is a security policy?
How is the security policy used in Google cloud?
What is a resource hierarchy?
- 10. What is a cloud bucket?
What would you use it for?
What operations can cloud storage perform?
- 11. What is a service account?
✘ How can we authenticate a service account? (2 main ways)
✘ What permissions does a SA have?
✘ What would we use a SA for?
- 14. What is a project?
A project is a container of cloud resources:
✘ Virtual Machines
✘ Cloud SQL
✘ Containers
✘ Cloud Storage
✘ Load Balancers
✘ A project has an owner.
✘ A project has a billing account.
✘ A project may reside inside a folder.
✗ Folders belong to an Organization.
- 15. Two types of hierarchy - Collaborative vs Enterprise
Each project may have a different owner.
Follow the Money! (Billing Account)
- 16. Security challenges
You are a security admin for a cloud organization and the bosses told you we will be moving everything to the cloud!
✘ What do we have to worry about?
- 22. GCP security policies and IAM
✘ Attach a policy to a resource in the hierarchy
✘ Roles are collections of permissions
✘ Permissions allow a user to do something on a resource
- 26. ✘ Find the parent of a folder
✘ Find the projects inside a folder.
- 28. Cloud Forensics - Brainstorm
Capture the state of the system.
Analyze the data.
Follow the evolution of the system with time.
- 30. How to collect data
✘ We have already used three different tools for gathering information about the state of the cloud deployment:
a. The cloud console UI
b. The gcloud command line tool.
c. The API and API explorer.
- 31. Which one do you think is useful for what type of collection?
✘ Cloud console
✘ Gcloud CLI
✘ API Explorer
- 33. Using the API
Using the API Explorer we can map the entire IAM policy hierarchy programmatically.
✘ List all the projects I have access to.
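The hierarchy walk the slides describe (find a folder's parent, list the projects under a folder, and work out which IAM bindings reach a given project), as an added example that is not part of the workshop materials. The organization, folder, project and policy records are constructed by hand but follow the shape the Cloud Resource Manager API returns (`parent` references and `getIamPolicy` `bindings`); in a live environment they would be fetched through the API, and the resource names used here are invented.

```python
"""Map a GCP resource hierarchy and compute effective IAM bindings per project.

Added example, not from the workshop. HIERARCHY and POLICIES are constructed
sample data shaped like Cloud Resource Manager API records.
"""
from collections import defaultdict

# Constructed hierarchy: resource name -> parent resource name (None = no parent).
HIERARCHY = {
    "organizations/123456": None,
    "folders/200": "organizations/123456",
    "folders/201": "folders/200",
    "projects/web-prod": "folders/201",
    "projects/web-dev": "folders/200",
    "projects/standalone": None,  # collaborative-style project with no org above it
}

# Constructed IAM policies, one per resource, in getIamPolicy's "bindings" shape.
POLICIES = {
    "organizations/123456": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:secadmin@example.com"]},
    ]},
    "folders/200": {"bindings": [
        {"role": "roles/viewer", "members": ["group:eng@example.com"]},
    ]},
    "folders/201": {"bindings": []},
    "projects/web-prod": {"bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci@web-prod.iam.gserviceaccount.com"]},
    ]},
    "projects/web-dev": {"bindings": [
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ]},
    "projects/standalone": {"bindings": [
        {"role": "roles/owner", "members": ["user:carol@example.com"]},
    ]},
}


def parent_of(resource, hierarchy=HIERARCHY):
    """The parent of a folder or project (None at the root)."""
    return hierarchy[resource]


def ancestors(resource, hierarchy=HIERARCHY):
    """[resource, parent, grandparent, ...] up to the root."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = hierarchy[resource]
    return chain


def projects_in_folder(folder, hierarchy=HIERARCHY):
    """All projects whose ancestry passes through `folder` (recursively)."""
    return sorted(r for r in hierarchy
                  if r.startswith("projects/") and folder in ancestors(r, hierarchy)[1:])


def effective_bindings(resource, hierarchy=HIERARCHY, policies=POLICIES):
    """Merge the bindings of the resource and every ancestor.

    IAM policies are inherited down the hierarchy and are additive, so a grant
    on the organization or a folder applies to every project beneath it.
    """
    merged = defaultdict(set)
    for node in ancestors(resource, hierarchy):
        for binding in policies.get(node, {}).get("bindings", []):
            merged[binding["role"]].update(binding["members"])
    return {role: sorted(members) for role, members in merged.items()}


def orphan_projects(hierarchy=HIERARCHY):
    """Projects with no organization above them: no central policy reaches them."""
    return sorted(r for r in hierarchy if r.startswith("projects/")
                  and not any(a.startswith("organizations/") for a in ancestors(r, hierarchy)))


if __name__ == "__main__":
    for project in sorted(p for p in HIERARCHY if p.startswith("projects/")):
        print(project)
        for role, members in sorted(effective_bindings(project).items()):
            print("   ", role, members)
    print("projects outside any organization:", orphan_projects())
```

The merged view is what an investigator actually needs: a viewer grant placed on a folder months ago still reaches every project created under it later, and a project with no organization parent is invisible to any policy the security admin sets centrally.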
- 36. What buckets do I have?
✘ Bucket names are in a flat namespace.
✘ There are 2 separate ACL mechanisms:
✗ Bucket level ACLs
✗ Object level ACLs.
- 39. storage.objects.getIamPolicy
✘ We need to check the ACL of every object individually to ensure they are not overriding the bucket ACL!
✘ NOTE: Cloud audit logging is disabled when objects have public access!
- 40. Why is it dangerous that cloud audit logging is disabled on public objects?
https://cloud.google.com/storage/docs/audit-logs
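The per-object check from slide 39, as an added example (not code from the workshop): walk every object's policy, flag any grant to `allUsers` or `allAuthenticatedUsers`, and list which objects widen what the bucket itself allows. The bucket and object policies below are constructed samples in the `bindings` shape the Cloud Storage JSON API returns from `buckets.getIamPolicy` and `objects.getIamPolicy`; the bucket contents are invented.

```python
"""Audit a bucket for public access at bucket and object level.

Added example, not from the workshop. BUCKET_POLICY and OBJECT_POLICIES are
constructed samples shaped like Cloud Storage getIamPolicy responses.
"""

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the bucket is private, but two objects carry extra grants.
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]},
]}
OBJECT_POLICIES = {
    "reports/2018-q1.pdf": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]},
    ]},
    "backups/db.sql.gz": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]},
    "exports/users.csv": {"bindings": [
        {"role": "roles/storage.legacyObjectReader", "members": ["allAuthenticatedUsers"]},
    ]},
}


def flatten(policy):
    """Set of (role, member) pairs granted by one policy."""
    return {(b["role"], m)
            for b in policy.get("bindings", []) for m in b.get("members", [])}


def public_grants(policy):
    """{role: [public principal, ...]} for grants to allUsers/allAuthenticatedUsers."""
    found = {}
    for binding in policy.get("bindings", []):
        hits = sorted(set(binding.get("members", [])) & PUBLIC_PRINCIPALS)
        if hits:
            found[binding["role"]] = hits
    return found


def widening_grants(bucket_policy, object_policy):
    """(role, member) pairs the object grants beyond the bucket policy.

    Object-level grants are unioned with the bucket policy, so they can only add
    access, never restrict it. Anything in this set is an override to review.
    """
    return sorted(flatten(object_policy) - flatten(bucket_policy))


def audit_bucket(bucket_policy=BUCKET_POLICY, object_policies=OBJECT_POLICIES):
    """Summarise public exposure for a bucket and all of its objects."""
    public_objects, widening = [], {}
    for name, policy in sorted(object_policies.items()):
        if public_grants(policy):
            public_objects.append(name)
        extra = widening_grants(bucket_policy, policy)
        if extra:
            widening[name] = extra
    return {
        "bucket_public": public_grants(bucket_policy),
        "public_objects": public_objects,
        "widening_objects": widening,
        # Per the audit-logs note on the slide: access to these objects will not
        # show up in Cloud Audit Logs, so investigators cannot rely on logs for them.
        "objects_without_audit_trail": public_objects,
    }


if __name__ == "__main__":
    for key, value in audit_bucket().items():
        print(f"{key}: {value}")
```

A bucket whose own policy is private can still leak a single backup through one object grant, and that access leaves no audit trail. Turning on uniform bucket-level access disables object ACLs entirely, which removes this class of override; until then the object-by-object check above is the only way to know.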
- 44. Show me all my VMs
✘ Enumerate a lot of interesting information about VMs:
✗ Network interfaces
✗ External IP addresses
✗ Accessible ports
✘ Turn to your partner and come up with a scenario where each of these is important.
- 45. Instance metadata
✘ Metadata may contain configuration (passwords)
✘ Can force a startup script to run on machine startup.
✗ Excellent persistence mechanism!
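A triage pass over the VM inventory covering slides 44 and 45 (external IPs, ports reachable from the internet, boot-time metadata scripts and secret-looking metadata keys), as an added example that is not from the workshop. The instance and firewall records are constructed by hand in the shape returned by `compute.instances.list` and `compute.firewalls.list`; the metadata key names checked (`startup-script`, `windows-startup-script-ps1` and friends) are the real Compute Engine keys that execute on boot, while the VM names, IPs and metadata values are invented.

```python
"""Triage Compute Engine instances for exposure and boot-time persistence.

Added example, not from the workshop. INSTANCES and FIREWALLS are constructed
samples shaped like Compute Engine API list items.
"""
import re

# Compute Engine metadata keys whose value is executed on boot or shutdown.
STARTUP_KEYS = {
    "startup-script", "startup-script-url", "shutdown-script",
    "windows-startup-script-ps1", "windows-startup-script-cmd",
    "windows-startup-script-url", "sysprep-specialize-script-ps1",
}
SECRET_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key", re.I)

INSTANCES = [  # constructed sample data
    {"name": "web-1", "tags": {"items": ["http-server"]},
     "networkInterfaces": [{"networkIP": "10.0.0.2",
                            "accessConfigs": [{"natIP": "203.0.113.10"}]}],
     "metadata": {"items": [{"key": "startup-script",
                             "value": "#! /bin/sh\n/opt/agent/start"}]}},
    {"name": "db-1", "tags": {"items": ["db"]},
     "networkInterfaces": [{"networkIP": "10.0.0.3"}],  # internal only
     "metadata": {"items": [{"key": "db_password", "value": "hunter2"}]}},
    {"name": "bastion", "tags": {"items": []},
     "networkInterfaces": [{"networkIP": "10.0.0.4",
                            "accessConfigs": [{"natIP": "203.0.113.11"}]}],
     "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
]

FIREWALLS = [  # constructed sample data
    {"name": "allow-http", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["http-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-ssh-all", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},  # no targetTags: every VM
    {"name": "allow-db-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "targetTags": ["db"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
]


def external_ips(instance):
    """NAT (external) addresses attached to any interface of the VM."""
    return [ac["natIP"] for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", []) if "natIP" in ac]


def metadata_items(instance):
    return {i["key"]: i.get("value", "")
            for i in instance.get("metadata", {}).get("items", [])}


def startup_scripts(instance):
    """Metadata keys on this VM that run code at boot (persistence check)."""
    return sorted(k for k in metadata_items(instance) if k in STARTUP_KEYS)


def secret_like_keys(instance):
    """Metadata keys whose name suggests a credential stored in plain text."""
    return sorted(k for k in metadata_items(instance) if SECRET_RE.search(k))


def internet_exposed_ports(instance, firewalls):
    """Ports reachable from 0.0.0.0/0 on this VM.

    An ingress rule applies when it has no targetTags (network-wide) or shares a
    tag with the VM; exposure also requires an external IP on some interface.
    An "allowed" entry without "ports" opens every port of that protocol.
    """
    if not external_ips(instance):
        return []
    tags = set(instance.get("tags", {}).get("items", []))
    ports = set()
    for rule in firewalls:
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if "0.0.0.0/0" not in rule.get("sourceRanges", []):
            continue
        targets = set(rule.get("targetTags", []))
        if targets and not targets & tags:
            continue
        for allowed in rule.get("allowed", []):
            for port in allowed.get("ports") or ["all"]:
                ports.add(f"{allowed['IPProtocol']}/{port}")
    return sorted(ports)


def triage(instances=INSTANCES, firewalls=FIREWALLS):
    """Per-VM summary an incident responder can scan for the interesting cases."""
    return {i["name"]: {
        "external_ips": external_ips(i),
        "exposed_ports": internet_exposed_ports(i, firewalls),
        "startup_scripts": startup_scripts(i),
        "secret_like_metadata": secret_like_keys(i),
    } for i in instances}


if __name__ == "__main__":
    for name, summary in triage().items():
        print(name, summary)
```

The sample shows the two findings the slides warn about: a network-wide rule with no target tags exposes port 22 on every VM that has an external address, and a startup script in metadata re-runs on every boot, so a responder who only reimages the disk has not removed it.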
- 47. Security challenges
✘ What projects do I even have in my org?
✘ What resources (VMs/SQL/Buckets) are my users using?
✘ What permissions are they setting on these?
✘ How do I secure my data?
✘ How do I make sure my VMs are patched?
- 49. Cloud Forensics
Capture the state of the system. The state consists of relevant configuration and code:
✘ Cloud Security policies
✘ VM system configurations
✘ Software versions.
Analyze the data. There is overlap with security:
✘ Identify misconfigurations
✘ Is there adequate logging?
✘ Threat modeling and forensic preparedness.
Follow the evolution of the system with time. Cloud environments are fluid:
✘ Typically we are at the mercy of cloud providers
✘ Access to configuration history is limited.
- 50. How to collect data
Cloud Console
✘ Easy introduction to GCP
✘ A little confusing for serious work
✘ Really geared at an introductory level.
✘ Pretty slow and inefficient
Gcloud
✘ Command line interface (CLI)
✘ Relatively easy to authenticate.
✘ Wraps around the cloud APIs
✘ Simplifies and omits much of the available information.
Cloud APIs
✘ Really the source of truth for data
✘ All other tools are just proxies to the API.
✘ APIs provide the full information available.
✘ Easy to script.
✘ Easy to explore.