
How to Set Up a Security Incident Response Framework in 7 Phases

Hi All,

As you all know, the significance of security in cloud environments is growing day by day. Even though we implement proper security standards, we sometimes face unexpected threats from cyber attackers in multiple ways. So in this article I would like to give a brief explanation of how to respond to security incidents in AWS environments.

Photo Source: Cybersecurity-Insider

We are going to discuss a sequence of steps that we need to follow both for quick resolution of security issues and for a highly secured infrastructure. In simple words, we can call it a “SECURITY INCIDENT RESPONSE FRAMEWORK”.

Security Incident Response Framework

Phases
1. Readiness
2. Detection
3. Containment
4. Troubleshooting
5. Remediation
6. Recovery
7. Follow-up

Readiness Phase
1. In this phase we need to identify the possible risk areas in the existing environment.
2. Tag all resources properly, so that in case of an incident we don’t waste time identifying the owners.
3. Reduce unnecessary permissions.
4. Use multiple regions and accounts to reduce the blast radius.
5. Enable centralized logging to collect information about our environment.
6. Encrypt the data using server-side and client-side encryption mechanisms.
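A readiness check is only useful if it can be run repeatedly, so here is an added example (not code from the article) that audits an inventory snapshot for the two items above that are easy to verify mechanically: required tags and encryption at rest. The inventory records mimic the shape of EC2 describe_instances / describe_volumes output (Tags as a list of Key/Value dicts, Encrypted as a boolean) but are constructed for the example; the required-tag set is an assumed tagging standard, and nothing here calls AWS.

```python
"""Readiness audit over an inventory snapshot (added example, not the article's code).

The records are constructed to look like EC2 API output; nothing here calls AWS.
"""
from typing import Dict, List, Optional

# Assumed tagging standard: every resource must carry these keys with a non-empty value.
REQUIRED_TAGS = ("Owner", "Environment", "DataClassification")


def tags_to_dict(tag_list: Optional[List[Dict[str, str]]]) -> Dict[str, str]:
    """Convert the AWS [{"Key": k, "Value": v}, ...] tag list into a plain dict."""
    return {t["Key"]: t["Value"] for t in (tag_list or [])}


def missing_tags(resource: Dict, required=REQUIRED_TAGS) -> List[str]:
    """Return the required tag keys that are absent or empty on this resource."""
    tags = tags_to_dict(resource.get("Tags"))
    return [k for k in required if not tags.get(k)]


def audit(resources: List[Dict], required=REQUIRED_TAGS) -> List[Dict]:
    """Produce one finding per readiness gap: missing tags, or an unencrypted volume."""
    findings = []
    for r in resources:
        missing = missing_tags(r, required)
        if missing:
            findings.append({"id": r["Id"], "issue": "missing-tags", "detail": missing})
        if r.get("Type") == "volume" and not r.get("Encrypted", False):
            findings.append({"id": r["Id"], "issue": "unencrypted", "detail": None})
    return findings


def owners_for_incident(resources: List[Dict], ids: List[str]) -> Dict[str, Optional[str]]:
    """During an incident: map the in-scope resource ids to their Owner tag (None if untagged)."""
    owner_index = {r["Id"]: tags_to_dict(r.get("Tags")).get("Owner") for r in resources}
    return {i: owner_index.get(i) for i in ids}


# Constructed sample inventory: two instances and two volumes.
SAMPLE_INVENTORY = [
    {"Id": "i-0aaa111", "Type": "instance",
     "Tags": [{"Key": "Owner", "Value": "payments-team"},
              {"Key": "Environment", "Value": "prod"},
              {"Key": "DataClassification", "Value": "confidential"}]},
    {"Id": "i-0bbb222", "Type": "instance",
     "Tags": [{"Key": "Name", "Value": "test-box"}]},          # no ownership tags at all
    {"Id": "vol-0ccc333", "Type": "volume", "Encrypted": False,  # tagged, but not encrypted
     "Tags": [{"Key": "Owner", "Value": "payments-team"},
              {"Key": "Environment", "Value": "prod"},
              {"Key": "DataClassification", "Value": "internal"}]},
    {"Id": "vol-0ddd444", "Type": "volume", "Encrypted": True, "Tags": []},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
    print(owners_for_incident(SAMPLE_INVENTORY, ["i-0aaa111", "vol-0ddd444"]))
```

On a real account the same functions can be fed the `Instances` / `Volumes` lists returned by boto3 or `aws ec2 describe-instances --output json`, one region and account at a time, which also makes the multi-account/multi-region point above concrete: the audit has to be repeated per account and region.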

Detection Phase
1. We need to identify the intention of the attack/incident, the compromised resources and the blast radius.
2. We need to identify which of the compromised resources need to be cleaned up to fix the issue.

Containment Phase
1. In this phase we need to remove the threat, using scripts to deploy the fixes automatically.
2. We need to have a security group in place that restricts egress traffic and allows only management ports.
3. We can also move the resources to subnets with a restrictive NACL.
4. An explicit deny policy should be created in IAM.
5. We may need to change Route 53 record sets, disable encryption keys, stop compromised instances, etc.
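Steps 2 and 4 above are the ones most worth scripting in advance, because they are the same for every incident. The following is an added example (not code from the article) that builds the two containment artifacts as plain data: a quarantine security group rule set that allows only management ports from a management CIDR and has no egress at all, and IAM explicit-deny policy documents (a deny-all inline policy for a compromised user, and the older-sessions revocation pattern for a role, which denies any call made with credentials issued before a cut-off time via the aws:TokenIssueTime condition key). The management CIDR, ports and names are assumptions; `apply_with_boto3` is an assumed helper that needs boto3 and credentials and is not exercised here.

```python
"""Containment artifacts (added example, not the article's code).

Everything except apply_with_boto3 is pure data construction and runs offline.
"""
import json
from ipaddress import ip_network
from typing import Dict, List

MGMT_CIDR = "10.0.100.0/24"   # assumed management/bastion subnet
MGMT_PORTS = (22, 3389)       # assumed management ports (SSH, RDP)


def quarantine_sg_rules(mgmt_cidr: str = MGMT_CIDR, mgmt_ports=MGMT_PORTS) -> Dict[str, List]:
    """Ingress only from the management CIDR on management ports; no egress rules.

    A new security group gets a default allow-all egress rule, so the caller must revoke
    that rule after creation; the empty 'egress' list documents the intended end state.
    """
    ip_network(mgmt_cidr)  # raises ValueError on a malformed CIDR before we build anything
    ingress = [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": mgmt_cidr, "Description": "incident-response management"}]}
        for p in mgmt_ports
    ]
    return {"ingress": ingress, "egress": []}


def deny_all_policy() -> Dict:
    """Inline policy for a compromised IAM user: an explicit Deny wins over every Allow."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def revoke_sessions_policy(issued_before_iso: str) -> Dict:
    """Inline policy for a compromised role: deny any session whose credentials were
    issued before the cut-off, so existing temporary credentials stop working."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before_iso}}}]}


def is_explicit_deny(policy: Dict) -> bool:
    """Sanity check before attaching: at least one statement must deny all actions."""
    return any(s.get("Effect") == "Deny" and s.get("Action") == "*" and s.get("Resource") == "*"
               for s in policy.get("Statement", []))


def apply_with_boto3(vpc_id: str, role_name: str, issued_before_iso: str) -> str:
    """Assumed helper showing how the artifacts would be applied; needs boto3 + credentials."""
    import boto3  # imported here so the rest of the module runs without boto3 installed
    ec2, iam = boto3.client("ec2"), boto3.client("iam")
    rules = quarantine_sg_rules()
    gid = ec2.create_security_group(GroupName="ir-quarantine",
                                    Description="Incident response quarantine",
                                    VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=gid, IpPermissions=rules["ingress"])
    # Remove the default allow-all egress rule so the instance cannot talk out.
    ec2.revoke_security_group_egress(
        GroupId=gid, IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    policy = revoke_sessions_policy(issued_before_iso)
    assert is_explicit_deny(policy)
    iam.put_role_policy(RoleName=role_name, PolicyName="ir-revoke-older-sessions",
                        PolicyDocument=json.dumps(policy))
    return gid


if __name__ == "__main__":
    print(json.dumps(quarantine_sg_rules(), indent=2))
    print(json.dumps(revoke_sessions_policy("2024-01-01T00:00:00Z"), indent=2))
```

The security group is attached to the compromised instance in place of its existing groups, which cuts its outbound traffic while keeping a path for the investigators; the deny policy stops the compromised principal from doing anything further, without deleting it, so CloudTrail history and role trust relationships stay intact for the troubleshooting phase.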

Troubleshooting phase
1. In this phase we need to identify exactly what happened and when it happened.
2. We need to determine whether the threat is still viable.
3. We can use services like VPC Flow Logs, CloudTrail and CloudWatch Logs.
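To show what "what happened and when" looks like against real data, here is an added example (not code from the article) that triages VPC Flow Log records: it parses the default v2 record format, drops NODATA/SKIPDATA rows, counts rejected connection attempts per source, flags large accepted flows from inside the VPC to outside it, and builds a UTC timeline. The log lines, addresses and the VPC CIDR are constructed for the example.

```python
"""VPC Flow Log triage (added example, not the article's code).

Default v2 record format, space separated:
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes
start end action log-status
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
VPC_CIDR = ip_network("10.0.0.0/16")  # assumed VPC range for the example

# Constructed sample: one instance (10.0.1.23) talking out, an external host probing it,
# one large outbound transfer, one internal DB flow, and one NODATA row.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.7 44321 443 6 120 98000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.23 51000 22 6 3 180 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.23 51001 3389 6 3 180 1700000020 1700000080 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.7 44322 8443 6 5000 52000000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 10.0.2.50 33000 5432 6 40 9000 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000200 1700000260 - NODATA
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one record; return None for rows that carry no flow data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA / SKIPDATA rows have '-' in the address fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text: str) -> List[Dict]:
    return [r for r in (parse_line(l) for l in text.splitlines() if l.strip()) if r]


def rejected_by_source(records: List[Dict]) -> Dict[str, int]:
    """How many connection attempts each source address had rejected."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["action"] == "REJECT":
            counts[r["srcaddr"]] += 1
    return dict(counts)


def external_egress(records: List[Dict], min_bytes: int = 10_000_000) -> List[Tuple]:
    """Accepted flows from inside the VPC to outside it at or above a byte threshold,
    the pattern to check when deciding whether data left the environment."""
    out = []
    for r in records:
        if (r["action"] == "ACCEPT" and ip_address(r["srcaddr"]) in VPC_CIDR
                and ip_address(r["dstaddr"]) not in VPC_CIDR and r["bytes"] >= min_bytes):
            out.append((r["srcaddr"], r["dstaddr"], r["dstport"], r["bytes"]))
    return out


def timeline(records: List[Dict]) -> List[Tuple]:
    """Records ordered by start time with the epoch rendered as UTC ISO-8601."""
    return [(datetime.fromtimestamp(r["start"], tz=timezone.utc).isoformat(),
             r["srcaddr"], r["dstaddr"], r["dstport"], r["action"])
            for r in sorted(records, key=lambda r: r["start"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rejected per source:", rejected_by_source(recs))
    print("large external egress:", external_egress(recs))
    for entry in timeline(recs):
        print(*entry)
```

The same three views answer the "is the threat still viable" question when run over the latest log window: a source that keeps getting rejected is still probing, and an accepted large external flow after containment means the quarantine security group was not applied where it should have been. CloudTrail events can be merged into the same timeline by their `eventTime` field to line up API calls with the network activity.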

Remediation Phase
1. In this phase we will remove all the infections and compromises from our resources.
2. Delete/disable any compromised KMS keys.
3. Delete the spilled files on EBS and the spilled objects in S3 (for S3-managed encryption).
4. If we have backups, restore the files from the last known good backup.

Recovery Phase
1. In this phase we need to verify that the compromised resources were eradicated and restore the resources to their previous state.
2. Restore resources one at a time.
3. Use new encryption keys.
4. Resolve the network issues.
5. Monitor, and keep the containment tools ready.
6. Services like KMS, S3 encryption and VPC can be used here.

Follow-up Phase
1. In this phase we evaluate what happened and identify which policies should be followed for better security.
2. Testing and simulations are vital.

Conclusion
In order to create a highly secure solution we need to be proactive and avoid being compromised in the first place, by following proper practices like strong passwords, MFA, roles, encryption, etc.