Containment, Eradication and Recovery
Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
>> At this point in the incident response life cycle, we've done our preparation. We have alerting in place, we've been alerted to a problem. We've analyzed the problem, given it a rough impact assessment. Now, let's talk about methods for containing, eradicating, and recovering from the problem at hand. In this video, we'll talk about step 1 in that process and describe follow-on tactics for achieving this in the Cloud.

First and foremost, we want to make sure that the attacker is no longer on the Cloud management plane. This is step 1. You're going to take advantage of that master Cloud account. We've talked about this in the past. You have this master root account for your Cloud and nobody is really using it. It's been tucked away in a safe place. You've been assigning other accounts to different individuals and using the principle of least privilege, but now it's time to break out the big guns because you're under attack and you want to make sure that nobody else is on the management plane. This master account gives you full visibility and full capabilities to do all sorts of things across the Cloud management plane. It's very likely you're going to lock out a lot of other accounts within your organization on the Cloud management plane. But this is an important step to make sure that when you're doing the subsequent methods of containing and eradicating that attacker, they don't still have the keys to then perform additional actions, like initiating a massive number of deletes or things like that to punish you or send a message and try to deter you and distract you and make the situation a whole lot worse.

Once you know that the attacker is no longer on the management plane, there are some tactics that you can start employing. Let's cover some of these tactics that are particular to working in the Cloud. One approach is to rebuild your SDN and Cloud assets and restore from backups. In effect, this is isolating the attacker's foothold on those Cloud resources by creating a completely new network and essentially rebuilding your infrastructure, very similar to the disaster recovery method in a regional outage. As a note, your new network may have the same vulnerabilities as the old one. So it will only deter the attacker and delay them, but it's not necessarily resolving the core problem.

Other things we'll want to do are isolating the virtual machines, and this is particular to an IaaS model. You can create extensive firewall rules to minimize the ingress and egress traffic going into and coming out of that virtual machine. This also allows you to keep the virtual machine around for better analysis and understanding of what exploit was used and how the attacker did this; those third-party intelligence services are invaluable here, to let you know a bit more about the attacker: whether it is just a bot, an automated script, or malware spreading itself, or was it potentially some sort of more organized and orchestrated attack. Could this have been just some initial probing and testing of your system with the intention to come back to your system and do something much more malicious?

The Cloud provider themselves may take action at your expense. So keep in mind that tenant isolation is a top priority of the Cloud provider, and if the attack on your resources is creating problems for other tenants, starving them of resource pools, the provider may contain things on your behalf. This is why communication both ways between the Cloud provider and the customer is important early on in the attack.

Let's take a little quiz on some of the things we learned in this section. In an IaaS environment, how can you quickly quarantine a server?

A. Create a snapshot of the disk.
B. Log onto the server and log out other users' sessions.
C. Change the SDN firewall rules to restrict ingress/egress to the investigators' station only.
D. Pause the server to retain volatile memory.

Only one of these answers is correct. It's kind of a judgment call. It's kind of a tricky question, but something you can do quickly to retain it is answer C, creating those firewall rules and just minimizing and isolating that virtual machine. The other options described are all valid actions to take when responding to an attack. However, C is the best way to go about quarantining the server.

This video was focused on taking action to contain, eradicate, and recover your system. It was really just an overview and there are going to be a lot of specific methods and techniques you're going to use. It's going to depend on the Cloud provider, and it's going to depend on the model, IaaS, PaaS, or SaaS, that you're using. But important global considerations were taken into account. So first and foremost, clearing that management plane; it doesn't matter which model you're in. That's step number 1. Then we went over containment and eradication and recovery methods that the CSA talks about and the CCSK exam is going to be focused on.