Detection and Analysis
Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:02
>> You are massively prepared for anything at this point. Now, let's go through what it takes to detect problems and examine them. Specifically, we will talk about building alerts, responding to alerts, and analyzing the attack.

When building alerts, you want to know your data sources. Keep in mind there are things that the provider will not give you, at the risk of exposing other tenants. But instrumenting your application code can give you extra insights to fill that gap. Don't forget to monitor the management plane itself. Even if an attacker doesn't get full control of your management plane, they may get partial control and modify firewall rules, or they may not get any control but you'll see repeated failures in their attempts to access the management plane and gain control. Establish automated alerting on unexpected events or behaviors. Integrate with existing monitoring tools, or it may require new monitoring. When it comes to monitoring VMs built in an IaaS environment, your existing tools are likely to work, but monitoring the management plane or the PaaS and SaaS services probably won't work with the traditional monitoring tools. Validate alerts and escalations. Look out for false positives: too many false positives, and you'll overlook the real problems when they occur. It's basically a cloud security version of the boy who cried wolf.

Leverage automated incident response workflows when possible. Take advantage of the fact that the infrastructure is often API driven. This means you can automate your standard response protocols. For example, creating a snapshot of a virtual machine disk, which can be used later for forensic review, and then automatically replacing that compromised VM. When you find an event, you may also want to copy certain logs off to a safe location. There are a lot more examples, and I'm sure you'll be able to think of them if you examine your incident response possibilities. But the key point here is automate wherever possible; make your lives easier.

Once you have this great alerting in place, how do you respond to it? The first thing you want to do is estimate the scope of impact. Keep in mind, at this point you haven't done a thorough analysis, but you want to have some rough feel for the impact. You can certainly revise this estimate as you learn more about the incident, but you have to start somewhere. Assign an incident manager to coordinate further. This is your point person for the event. If there's a flurry of events within a certain timeframe, you may build a small team, but you still want somebody to be the appointed leader. Designate communication handlers to provide containment and recovery status. This is the person that needs to partner with the incident manager but not overburden the incident manager with constant hounding for status updates.

The alert has fired; now you're responding to it. The next thing to do is start analyzing the attack. Collect logs and, if you're in the IaaS model, machine images. Many IaaS providers give you the ability to pause a machine, thereby taking it offline but keeping volatile memory around for more thorough forensics later. Be aware of chain of custody when handling forensic data. We talked about chain of custody in earlier modules about legal matters. In the event of legal prosecution, the information you are analyzing may become evidence, and you want to make sure it's held appropriately so it can be submitted into a court of law. Build a timeline for the attack. Determine the extent of potential data loss. Make sure the network isolation and firewall rules you expect to be in place still are. This is where your infrastructure as code is very handy. See if any similar cloud resources were attacked, even if you didn't get alerts about them. Storage access logs and management plane logs will be invaluable to you in this situation.

In summary, we've covered building alerts, responding to alerts, and then getting your arms around the problem by analyzing the attack.