Dredge: An Open Source Framework for Cloud Incident Response (Santiago Abastante)
August 12th, 2024 | Level: Technical
Abstract:
Cloud incident response can be daunting: it requires a plethora of tools and skills. Most cloud-based startups cannot allocate budget for preventive controls, and have even less room to work out what to do once they are hacked.
That is why I created Dredge, an open source framework designed to streamline cloud incident investigations by letting cloud engineers and incident responders execute non-trivial response tasks with little effort, regardless of their familiarity with a specific cloud platform or with incident response tactics.
The main idea is to empower engineers to respond to attacks no matter how much preparation they had beforehand, taking advantage of out-of-the-box security features that cloud providers offer but not everybody is aware of, such as retrieving a forensic image from a running server or collecting logs they did not know they had.
Some key features that differentiate Dredge from existing tooling:
- Python-based CLI
- Retrieve logs seamlessly from GitHub, Kubernetes, AWS, GCP or Azure.
- Take action: block an IP in an AWS account, disable an access key, isolate an EC2 instance, or extract the user data that matters most after a compromise.
- Identify tactical misconfigurations that can be exploited by an attacker.
- Create an attack timeline based on IOCs.
- Analyze retrieved data effortlessly within your terminal, utilizing built-in capabilities from VirusTotal and Shodan.
- Cloud incident response guidelines that companies can adopt and build their own playbooks on.
Repo: https://github.com/solidarity-labs/dredge-mvp
I am going to present two common cloud-based attacks drawn from real cases, and show how to execute the incident response tasks that address them:
- Admin service account compromise and privilege escalation leading to account takeover
- EC2 server compromised with malware
I am building a demo lab for the session. The presentation will be mostly technical, walking through the main complexities that incident response in cloud environments presents, such as the non-trivial execution of a server network isolation, and showing how Dredge takes care of the small steps required to achieve it. Everything is based on real examples I had to overcome in the past.
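As an added illustration of the "small steps" behind EC2 network isolation and access key deactivation mentioned above (example code written for this page, not Dredge's own implementation): the quarantine group must have its default allow-all egress rule revoked, and security groups attach per network interface, so every ENI on the host has to be swapped. The AWS client is injected; `DryRunEC2`, the instance IDs, group IDs and user name are constructed stand-ins so the code runs offline, while a real `boto3` client performs the actual isolation.

```python
"""Isolate a compromised EC2 instance and deactivate a leaked access key.

Added example, not Dredge's own code. The AWS client is passed in, so the
same logic runs against a real boto3 client or the constructed DryRunEC2
stand-in below (no network and no account needed).
"""


def build_quarantine_group(ec2, vpc_id, instance_id):
    """Create a security group with no inbound and no outbound rules.

    A new group has no ingress rules, but AWS attaches a default allow-all
    egress rule; leaving it would still let malware beacon out, so revoke it.
    """
    resp = ec2.create_security_group(
        GroupName=f"quarantine-{instance_id}",
        Description=f"IR quarantine for {instance_id}",
        VpcId=vpc_id,
    )
    group_id = resp["GroupId"]
    desc = ec2.describe_security_groups(GroupIds=[group_id])
    egress = desc["SecurityGroups"][0].get("IpPermissionsEgress", [])
    if egress:
        ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=egress)
    return group_id


def isolate_instance(ec2, instance_id):
    """Move every network interface of the instance onto the quarantine group.

    Returns the new group id plus the groups each ENI carried before the
    swap: needed to restore service later, and evidence of what the
    attacker could reach while the host was compromised.
    """
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    group_id = build_quarantine_group(ec2, instance["VpcId"], instance_id)

    previous = {}
    for eni in instance["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        previous[eni_id] = [g["GroupId"] for g in eni.get("Groups", [])]
        # Groups attach per ENI, not per instance: change every interface.
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, Groups=[group_id]
        )
    # Caveat: already-established (tracked) connections can survive a
    # security group change. For a hard cut add a deny network ACL or stop
    # the instance once the memory and disk capture is complete.
    return {"quarantine_group": group_id, "previous_groups": previous}


def disable_access_key(iam, user_name, access_key_id):
    """Deactivate rather than delete a leaked key: its last-used metadata
    and CloudTrail correlation stay available to the investigation."""
    iam.update_access_key(
        UserName=user_name, AccessKeyId=access_key_id, Status="Inactive"
    )
    return {"user": user_name, "key": access_key_id, "status": "Inactive"}


class DryRunEC2:
    """Constructed stand-in for boto3's EC2 client: one two-ENI instance
    with made-up identifiers. Records each mutating call for inspection."""

    def __init__(self):
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0], "VpcId": "vpc-0abc",
            "NetworkInterfaces": [
                {"NetworkInterfaceId": "eni-1",
                 "Groups": [{"GroupId": "sg-web"}]},
                {"NetworkInterfaceId": "eni-2",
                 "Groups": [{"GroupId": "sg-db"}, {"GroupId": "sg-mgmt"}]},
            ]}]}]}

    def create_security_group(self, GroupName, Description, VpcId):
        self.calls.append(("create_security_group", GroupName, VpcId))
        return {"GroupId": "sg-quarantine"}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append(("revoke_egress", GroupId, len(IpPermissions)))
        return {"Return": True}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.calls.append(("modify_eni", NetworkInterfaceId, tuple(Groups)))
        return {}


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:  # usage: python isolate.py <region> <instance-id>
        import boto3  # only needed for a live run against a real account
        print(isolate_instance(boto3.client("ec2", region_name=sys.argv[1]), sys.argv[2]))
    else:
        dry = DryRunEC2()
        print(isolate_instance(dry, "i-0123"))
        for call in dry.calls:
            print(call)
```

Run it without arguments for the dry run; with a region and instance ID it needs `boto3` and credentials allowing `ec2:CreateSecurityGroup`, `ec2:RevokeSecurityGroupEgress` and `ec2:ModifyNetworkInterfaceAttribute`. Take the forensic snapshot and memory capture before isolating if the malware is expected to react to losing connectivity.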
Bio:
Santiago Abastante – Ex-Police Officer from Argentina, Cloud Incident Responder and Security Engineer with 10+ years of IT experience.