INCIDENT RESPONSE IN AWS CLOUD

Toni de la Fuente
Senior Security Consultant at AWS

March 7, 2021
Season 2

About This Episode

Like this show? Please leave us a review here — even one sentence helps! Consider including your Twitter handle so we can thank you personally!

Episode Description

What We Discuss with Toni de la Fuente:

  • What is Cloud Security Assessment?
  • The story behind the creation of Prowler and what Prowler does?
  • How is Prowler different to CIS benchmark?
  • How to set up an effective incident response plan?
  • How to respond to forensic collection evidence?
  • And much more…

THANKS, Toni de la Fuente

If you enjoyed this session with Toni de la Fuente, let him know by sending him a quick shout out on Twitter!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.


Transcript

Ashish Rajan: Hello, and welcome to another episode of Cloud Security Podcast, with Virtual Coffee with Ashish. I have a special guest, Toni de la Fuente. I said that right? It took me two times, but I said that right. But before I get into it, I just wanted to say welcome. So, weekly podcasts: we go live stream on LinkedIn, YouTube, as well as on Clubhouse.

So you can actually call in to the show as well if you want, using Clubhouse. And for people who are coming in for the first time, we talk about cloud security with different cloud security practitioners every week, ranging from CISOs as well as senior leaders in the space.

Now, without further ado, welcome to the show, my friend. How are you?

Toni de la Fuente: Thank you for having me.

Ashish Rajan: For people who haven't really heard of you before, I'm going to start with the obvious: what got you into this space, like cyber security and cloud security?

Like, what was your journey into this?

Toni de la Fuente: Well, it was a long journey. I started professionally in computers when I was 19, after high school. I started building computers from scratch, administering [00:01:00] Windows NT networks, proxies and things like that. And after that, I moved from Granada, my hometown in the south of Spain, to Madrid.

Then from Madrid to the US, Atlanta, for a few years. And I started working in cloud security pretty much since I started working for a partner of AWS, and since 2014, more or less, I'm doing different things around AWS.

Ashish Rajan: Is that kind of the time when you started making Prowler as well? Or, I think, that came in before you joined AWS, and Jeff Barr tweeted about it, for people who don't know?

Toni de la Fuente: Well, actually I took over a new position in Alfresco, the company I worked for before joining AWS. That position was just taking care of their cloud security. And I said, well, we have like 30-something accounts, and I had to look after those accounts. And I said, what can I do?

Where should I start looking? Right. And by that time the [00:02:00] CIS had released the security benchmark PDF. Yeah. And I said, okay, let's do a tool that implements that CIS. Everybody loves CIS. I had done CIS-related hardening before for Linux, because I come from the sysadmin side of things with Linux, and I said, okay, let's do a tool that does the same thing for AWS.

And I started with a very small shell script, and after that I added more and more and more stuff. I split it in multiple scripts, actually, because it's a huge script, and it has more checks or controls than the CIS. It is what it is now, Prowler. Yeah. So that was back in 2016, I think. And yeah, after four years, right.

Ashish Rajan: You were almost developing it for two years before you even presented it at Black Hat then, yeah.

Toni de la Fuente: I made it open source from the beginning, pretty much from even before it was called Prowler, because the first thing was, yeah, "yes, AWS", whatever it [00:03:00] is.

Ashish Rajan: Great. Yeah. Oh, right, right. Fair enough. Very interesting. Right.

Ashish Rajan: Because I'm going to take a step back here, because we're talking about incident response as well, and a lot of people kind of find themselves lost in that definition, especially in the cloud context. So I'm going to start with the very simple version. From a cloud security assessment perspective, we had an episode earlier this season, which is great.

I'd definitely recommend people check it out on the website, but what is cloud security assessment for you? What does that really mean? And I guess, for you, is there anything different about a cloud security assessment in a cloud context, rather than running a security assessment on prem?

Toni de la Fuente: Well, when it comes to a cloud security assessment, you have to cover the 360 degrees of the security posture of your organization in the cloud. It's not only about one or two topics, or it's not even only about a technical assessment, you know, to say, okay, how do you have this configured? It's not only about that. That is good, because it gives you context about what you have in the cloud, [00:04:00] but it's more about what is your posture when it comes to identity and access management, or to detective controls, or infrastructure security, data protection, what type of controls you have in place, or incident response: what do you do when you have an issue? It's also what type of services are you using, or resources, and how do you have those resources configured, because, you know, in the case of the shared responsibility model, everything that the user, or the customer, has to configure in terms of security is your responsibility.

So how do you do that? Do you have policies? Do you have prevention...

Ashish Rajan: That's really interesting. And if I add the layer of the whole incident response in there as well, what is incident response from that perspective in cloud for you, then?

Toni de la Fuente: Well, it's if you are ready, prepared to respond to an incident, in terms of, if you have the proper education to know what to do in case of an incident, are you prepared to do different activities, or to follow a [00:05:00] runbook? You know, when something is going on, like if you have credentials exposed, or for whatever reason the bucket is open to the public, or things like that.

It is, yes, to be ready to respond to an incident. And in the cloud it's different because, when the infrastructure is deployed as software and it's automated, you are creating your services around, or your workloads are, multiple AWS services.

For example, you have to respond to any incident in the same way, you know, using the same toolbox, let's say, that you use to build your infrastructure. Otherwise you are lost, you're losing time.

Ashish Rajan: So how different is that from doing incident response on premise versus, say, doing it in cloud, or AWS specifically, I guess?

Toni de la Fuente: Well, the response has to be as fast as possible, so automated, to detect automatically and respond automatically to the event. So we have services, like, for [00:06:00] example, one that is going to tell you, hey, your EC2 instance is mining bitcoins, or doing something that looks like it's mining bitcoins.

Right? So yeah, go automate the isolation and the preparation, and also the investigation and mitigation. In the case of digital forensics, it can also be very different to what a forensics investigation is on traditional computers, right, or physical computers, physical information, because you don't have access to anything.

When it comes to identification, for example, or when it comes to preservation, you don't preserve a hard drive. You know, when you are doing forensics, you don't have to put a hard drive in a zip bag.

Ashish Rajan: Yeah, in a cloud context, where you have an EC2 instance, that's just a server, an EBS volume, wait. So that's an interesting one for forensics as well. Are there enough forensic tools out there to help people do forensics in cloud, or are people just making it up?

Toni de la Fuente: Well, in the open source world [00:07:00] there are a few, probably not enough, but actually there's lots of room to improve in terms of open source. It's giving you tools in general, and for forensics as well. So we have AWS IR, or Margarita Shotgun for memory acquisition, but many companies have their own, they build in-house tools. Right. Because in a lot of cases it depends on the best practices that you are following.

But if you have, let's talk only about, for those that are not familiar with AWS, they do this on machines where you spin up a separate one, right? Yeah. So if you have an incident, a security incident, what do you do in traditional forensics, let's say? So you have to isolate, physically isolate, or you can even shut it down and do an analysis afterwards.

But in the cloud you can automate certain things, but actually you have to automate the steps and the activities, like isolating [00:08:00] the network, isolation, even the memory acquisition. Or if you have a golden AMI, which is the mother of the operating system and the application that you are running, I have the baseline of all the packages, the files, et cetera; you can do a diff, and you can automate that difference analysis between the instance that has been hacked and your AMI. And if you do that automatically, or sort of automatically, with a process, that makes your life easier, but not everybody has that ready.

So we will share some links for people to see how to make that happen, but yeah, for sure, it's different. Yeah. I mean, we are talking only in terms of analysis, but for acquisition or preservation there are some important differences.

Ashish Rajan: Yeah. Because I feel like the other difference also is that, depending on how mature you are in cloud, that instance that you're working with, or other servers that you're working with, may die before you even get to it. [00:09:00] Like, you've got an incident response, you may use something like Prowler then to get a response, but before you even get to it, the server doesn't even exist anymore. Right? You know what I mean? Like the whole ephemeral concept cloud has given.

Toni de la Fuente: Exactly. This is why I said before that you have to fight an incident the same way that you build your infrastructure. So if you have an auto scaling group, one of those instances, or all of them, having been compromised, in 10 minutes or less those resources are no longer available. What do you...

Ashish Rajan: Yeah, that's right. Yeah. So, I mean, is there something that you can do, though?

Toni de la Fuente: You can trigger different actions. You have GuardDuty, for example, to do the different actions on the EBS volumes, or even on the instance, the running instance itself.

Ashish Rajan: Yeah. Because, to your point, if there's an incident and you lose the server, at least there have been some breadcrumbs left behind, whether in GuardDuty or CloudTrail or something or other. There's something left behind, actually, for you to then trace back what would have happened. So at least you can stop it from [00:10:00] happening again. Exactly. If...

Toni de la Fuente: If it's doing something around the API, the AWS API, you will see, for sure, something in CloudTrail. If it's using DNS or the network, you know, the DNS is trying to resolve a name that is well known in a threat database, you can detect that in GuardDuty, or even some IP addresses, based on the different attacks that exist in threat databases.

Ashish Rajan: Right? So maybe this is a good time for me to introduce Prowler as well, then. So for people who don't know Prowler, and probably have never heard of Toni, what's Prowler? And why should they even think about using Prowler in AWS, I guess?

Toni de la Fuente: Well, let me describe Prowler a little bit, like if I have to tell my mom what Prowler is. We all have a car, or pretty much everybody has a car, right? So when you take your car to the garage, with pretty much any modern car, you can connect it to a laptop [00:11:00] and see, yeah, what's going on in the car, if it has all the fluids, the liquids, the, you know, the brakes, everything is working properly.

It has like 10, 20, 40 checkpoints in your car.

Ashish Rajan: Yeah.

Toni de la Fuente: What Prowler does is exactly the same for your AWS cloud, for your account or your multiple accounts in AWS. It has today 182 checkpoints, but it's growing, because there is a vibrant community creating new checks. I also write checks, pretty much every week, not just because I want to write checks, but because I need them or because somebody asked me to write a new checkpoint. But yeah, if you don't know what to do in your AWS cloud in terms of security, you run Prowler and you get reds if you have to fix something, and greens, you're good to go, basically.

Ashish Rajan: Actually, that's an interesting one. It's kind of like a checkpoint for, maybe, if you don't know what to start off with. You know how a lot of people say start with the CIS benchmark, but it's not really [00:12:00] automated; you kind of have to figure it out. And I feel the CIS benchmark is not really effective for, like, multi account.

Like, if you have a large AWS landscape, the CIS kind of falls apart really quickly, because even with the, I'll probably give one straight example, which is the root account with MFA. But for people who use multi account, the child account doesn't really have an MFA on the root account that you access, unless you reset the password and go through that whole ordeal.

So does Prowler kind of work in that multi account space as well?

Toni de la Fuente: You can run Prowler in just one account or multiple accounts. Something that is in the roadmap is to tell you best practices around AWS Organizations. Okay. But in terms of multi account best practices, it goes beyond CIS. But let me tell you something.

CIS: if everybody goes through CIS, it's good. Hopefully everybody is compliant with CIS. Yeah. Not only in AWS, but in everything, in Linux or Windows or anything else. But Prowler [00:13:00] covers more than CIS, and tells you from specific services to general configuration, I mean, everything, all services from IAM to EC2 security groups, et cetera. And also it goes through everything, for example, in AWS Glue or SageMaker, or even RDS.

Ashish Rajan: Oh, actually, that's a great point for me to bring in the question from Annika. I think she's been following us for some time as well.

So her question is: how is Prowler different from the CIS benchmark?

Toni de la Fuente: Actually, it's not different. Prowler includes the CIS benchmark, and the CIS benchmark has, if I remember correctly, around 50 checks, and Prowler includes the CIS plus 120 or something, or 130 more. So it goes through the entire infrastructure and tells you what you have to fix.

Ashish Rajan: Yeah. And I think, to your point, which you've already covered, I think the difference between the CIS benchmark and Prowler, I'd probably want another one, is the fact that it's just a list, right? [00:14:00] It's not implemented in your AWS account, whereas Prowler is almost like a framework that you can put around your AWS account and use to automatically, you know, I think kind of where we started this conversation, how do I detect something automatically?

You take your car to the garage? Like, I think that's where the true value of Prowler is, because there's nothing from your cloud provider, like AWS, at this point in time for this.

Toni de la Fuente: Yeah, the CIS, at the end of the day, is a document that tells you, hey, this is a best practice that a few people said that...

Ashish Rajan: ...are the best practice. That's great. And that was spoken to us, but they think it's a good practice.

Toni de la Fuente: Yeah. And what I did with Prowler is to automate those checkpoints, those best practices. It tells you, without you having to go, you know, click, or go and run any command or anything, it tells you what you have properly configured or not.

But yeah, long story short, yeah, Prowler includes CIS plus many other checkpoints.

Ashish Rajan: All right. So moving [00:15:00] forward with this. So now we've spoken about what Prowler is, but out of curiosity, what's the origin story? Like, why do this in the first place, I guess?

Toni de la Fuente: Yeah. As I said, back in 2016 I took over the security in my previous company, cloud security. It was just me, and well, we were two in security, but for cloud security, just me, by that time, and we had almost a hundred engineers working in 36 AWS accounts. And I said, okay, what can I do here? I said, I have to automate this. I cannot be going account by account, region by region, service by service, looking at the best practices, if everybody has everything good, no public buckets, no public EC2 instances, or whatever other service. And I wrote a very simple script to tell them and to ask them, hey, run this script, and if you see anything rare, fix it. I'm not going to fix it for you. You have to fix it. And after that, yeah, I made it [00:16:00] all open source. And it became very popular, and people are using it. It's very easy to use. You don't have to do much more than, you know, having only the AWS CLI there, all by that time.

Also we had, I mean, there was a cloud suite, nothing else, I think, by that time. Yeah. So now we have a bunch of other tools, which is great. So if you are in cloud security, run all of them and you realize what you have to fix. But by that time it was Prowler, and it's got weight, probably.

Ashish Rajan: I love that about you, because I think it's all about the community with you as well. You know, you're not there just to, like, oh, because, you know, Prowler itself has about 3.9K, I believe, stars on GitHub, and more than 500 forks as well. So people are definitely finding Prowler to be quite valuable for their day-to-day activity, in terms of making sure that they have some visibility of their security posture.

So, [00:17:00] yeah, man, I'm glad you did what you did as well. So yeah, I'm sure the community is quite grateful, based on how much it is shared and how much people talk about it. I think, not sure if people know about this, but Jeff Barr, the guy from AWS who talks about every product release, tweeted about it as well: hey, you should check out Prowler.

So yeah, it's definitely known in the AWS space as well. But because we are talking about incident response as well, I'm keen to know from your side. We spoke about forensics and how forensic analysis is different in cloud. We spoke about incident response, how that's different, because isolation is quite different at that point as well.

For people who are building an incident response plan right now, they're listening to this and going, oh, what happens if my EC2 instance just disappears, or my server disappears, or my services just... We spoke a little about breadcrumbs as well. For people who are starting today, other than an incident response plan, what are the first basic steps that you would do to set them up for success, so that they can do it at scale when they have to, at 56 AWS accounts as well?

Toni de la Fuente: Well, first of all, learn and understand your [00:18:00] infrastructure.

So you mentioned Prowler before as well; something that we do also internally is to run Prowler when an incident is happening, because you can see what you have, what type of services you are using in the AWS cloud, and eventually you can realize what is the attack, what could be the attack vector.

Right. So first of all is to understand and know what you have in your hands. Right. And in general, then, of course, be ready. Be ready: if you don't play, if you don't attack yourself, somebody else is going to do it. Right. So how do you have to be ready? So take the five most important or common security incidents, play with those runbooks, prepare those runbooks, and build the automation around that. In AWS we have documentation for pretty much everything, so sometimes it's harder not to find the documentation, but to find the right documentation. Right. [00:19:00] And there is automation and the runbook to know what to do when it comes to, for example, credentials.

If somebody exposes credentials in GitHub, for example, what should you do? You, as a company, you need to know what to do in that case. Not only in the technical space, which is fine, you need to contain the incident, right, but also what else, in legal or something else. If you expose PII in an S3 bucket, what should you do?

Or if you get an email from AWS that you have an EC2 instance that is doing SSH brute force to a bunch of IP addresses, for example, what should you do for the containment, and things like that?

Ashish Rajan: That's pretty awesome. And I've got Crystal here as well. She's got a question. I've had so many conversations with Crystal about zero trust; very, very interesting person.

So, hey Crystal, welcome to the show. Did you have a question for Toni?

Crystal: This is such a great conversation, and I'm just so interested in [00:20:00] how this would be done with segregated... when you have multiple segregated networks within AWS. I come from a company where we separate multiple... we have about three, or multiple, environments, and run under AWS under separate accounts, if you were. So just how would that look like?

And is there a way to streamline that so that they can all kind of work together?

Ashish Rajan: Awesome. Great question, Crystal. What do you think, Toni?

Toni de la Fuente: Well, so when it comes to the cloud, we have like two ways to see the infrastructure. One is the infrastructure itself, as you see it through the AWS API, right, and the networking itself. So they are kind of connected, but you can take advantage of the infrastructure, the AWS infrastructure, to fix any networking issue, for example. So if you have multiple accounts, or whatever network between multiple accounts, let's say workload A in one account, [00:21:00] workload B in another account, they are talking to each other.

So you can play, between quotes, right, between those accounts with the AWS API and the services. So if you have, for example, GuardDuty, because GuardDuty is going to look after the traffic that is around the VPCs, and the output, the VPC, is going to tell you if there is something that looks like a threat.

You can detect that no matter what the number of accounts is, if it's inside the VPC. I don't know if that is clear.

Ashish Rajan: To your point, sort of the segmentation side is probably harder to predict, but at least having tools like GuardDuty, maybe Security Hub, which kind of brings all of it together. Is that how you would approach it? Is that what you meant?

Toni de la Fuente: Well, in terms of threats in the network, GuardDuty is a tool; in terms of security best practices, Security Hub is the sentence that you said, I told you. These are actually both [00:22:00] AWS services.

Ashish Rajan: Sweet. I've got a few more questions coming in as well. I'm going to say that Caitlyn, you saw her comment: you can detect automatically using AWS Security Hub. You can use Config to automate remediation for AWS. I used Prowler at the time when there was no CIS benchmark in AWS, but now they have it. Wow. There you go, man. You have someone who used it before the CIS existed. So yeah.

Pretty awesome. Yeah. And I've got another comment from Annika: seeing that Prowler, the AWS security tool, does GDPR and HIPAA checks, any plans for NIST SP 800-53 controls checking, FISMA, FedRAMP checks? Is there any work going on for that?

Toni de la Fuente: Let me say something that is... Prowler is integrated natively with Security Hub, so you can send findings from Prowler to Security Hub. Of course you have CIS in Security Hub; you don't have to send the CIS findings from Prowler, you can just run the extras, any other check that you want to do. For the question...

Ashish Rajan: It's probably [00:23:00] maybe not a question. I think it's just more like, maybe, actually, out of curiosity, because it's an open source solution, because it's an open source tool, anyone can add more checks into it as well, right? So it's not just a matter of, I guess, we have to wait for NIST or FISMA, FedRAMP. Is that right?

Toni de la Fuente: Exactly. So actually most of the groups that we have in Prowler have been done by the community, so PCI, HIPAA, et cetera.

I mean, I'm not a compliance expert. I know a little bit about AWS security. I know about security best practices, but I don't really know about, I mean, I know a little bit about NIST, but to do that mapping, like the PCI mapping, you know, that we have in Prowler, or many others, you need to really understand the framework side and a little bit of Prowler, so you can list the Prowler checks and say, okay, this is for that, this is for that. So, with that said, to do the NIST SP 800-53 or FISMA or FedRAMP is a matter of time. I mean, I'm not an expert [00:24:00] on federal, for example, but I can help anyone, to explain how to do that mapping, because to create a group in Prowler, if you want to run Prowler FedRAMP, it's very easy.

You have to... it's a comma separated number of checks. So, I think it's...

Ashish Rajan: Yeah. Sorry, I was about to say, it's worth you calling out the fact that, just because there's a particular kind of, I guess, checklist, because what Annika mentioned is FedRAMP, FISMA, NIST, but you could have other ones as well which are relevant for your industry, but you need to apply them in AWS. You can totally make that checklist yourself and contribute back into the Prowler GitHub, which is open source, so others can benefit from it as well. So hopefully, I guess that was a question or comment, but I think I got my answer as well. So thanks for that, man. I've got one more here from Jefferson.

Do you recommend any SOAR platform? Oh, SOAR is an interesting one. I'm curious to know your response, man. Do you recommend any SOAR platform to automate response? We had a whole conversation for half an hour about [00:25:00] SOAR on Clubhouse the other day. So...

Toni de la Fuente: Yeah. First of all, I don't know if I want to respond to this question.

Ashish Rajan: Let's just say it's still evolving, I guess. Because I think the conclusion was the fact that SOAR is probably not a blanket, I guess, thing that you can apply everywhere, because it depends on... I want to share what the conclusion of the last conversation was, and maybe you can share your thoughts on this as well.

Like, the SOAR platform is great for non-essential, non-production resources to begin with, because you don't want to do auto remediation in production, because you don't want to switch off services just because you think there's a red flag here, because it could be a false positive. That's kind of the conclusion we landed at, but I don't know where you stand on this, Toni, at this point in time.

Toni de la Fuente: Well, in my experience with Prowler, I have been asked many times about auto remediation. I can talk about that later, but in terms of security orchestration, automation and response, I have seen, using the Security Hub integration, probably... It's not exactly a [00:26:00] SOAR, but very helpful, for sure.

Yeah, the Splunk integration, Prowler sending findings to Splunk, was probably the first type of integration I saw in Prowler, a long time ago, with Wazuh, with less success on Kibana. To be honest, I don't have enough experience to recommend any platform other than GitHub, because I have been working with that for long. Okay, of course, internally in AWS as well. But yeah, in terms of auto remediation, this is something that a lot of people have asked about in Prowler. You know, when you have to remediate something, you need to have a different set of permissions.

Yeah, that is dangerous as well. So I prefer all those... those are the same. I mean, you can create good Config rules to do that. You can create SSM documents to do that as well in AWS. Who knows, eventually the product can do some remediations, but for sure Prowler is going to tell you what to do [00:27:00] to remediate the findings.

And this is going to be probably very soon.

Ashish Rajan: This is a world exclusive there for you, Prowler. Hopefully we answered your question, Jefferson, and if you have any recommendations yourself, for both Toni and myself, we'll be open to that as well, man. Thanks, Jefferson, for that question.

I've got a fan comment for you, man. Alex Ray: we're using Prowler at scale. It's been a huge help in both teaching developer teams in their development phases, and also auditing regularly in a centralized fashion. Huge kudos to you. Thank you, Alex. That's pretty awesome, man. I think there you go, people are already using Prowler at scale and seeking benefit from it as well.

Thanks for that comment, Alex. By the way, I'm sure you get messages like this quite often, considering the 4,000-plus people who actually consume that, and the ones who haven't really started over there, but I'm pretty sure you get some of these quite often. I want to spin this around a bit more, because we spoke about incident response and doing it at scale.

We touched on forensics earlier as well. In the whole incident response plan that we kind of spoke about, what kind of role would [00:28:00] you say forensics would have? Like, how do you plan for forensics in the beginning when you're setting up? Like, I took your advice, I went GuardDuty, I took AWS Security Hub as well as part of the setup. How would I respond to forensic evidence collection if I need to? What are your thoughts on that?

Toni de la Fuente: I want to share some documentation about that for the show, but when it comes to acquisition, for example, there are a few solutions that can help.

So a good practice is to have a dedicated AWS account for forensics, or have a separate VPC, a forensics VPC, or a CloudFormation template that can build that environment in a given account at a given point in time. Right.

Ashish Rajan: Okay, cool. Perfect. So you can

Toni de la Fuente: spin up a new instance inside that specific VPC or isolated the PC, where you can start your investigation.

That is going to save you a lot of time. So not to be playing something new when you don’t have to do, you don’t know [00:29:00] what to do, but having that really isolated, dedicated account. Or in their particular account using confirmation, for example, you can spin up everything automatically and having that ready, but all the automation around, for example, to analyze the snapshot, the EBS volume snapshot.

Running the tools. It depends, because I don’t want to mention any specific tool; for Windows it can be different, but to look for, find any evidence in the file system, or find any well-known indicator of compromise in memory, things like that.

So, yeah. Long story short: have the automation around the preparation, then you can do the analysis, the forensics, hopefully automatically as well. It depends on your maturity, but if not, at least the baseline is ready.

Ashish Rajan: Interesting. I always find that there’s one [00:30:00] element, and we kind of touched on this earlier as well, the whole connectivity to the instance or connectivity to that resource.

I love the CloudFormation idea, because then you’re able to spin it up inside that account where the compromise may have happened as well. So that’s a pretty awesome suggestion. I’ll definitely encourage people to check that out as well.

Toni de la Fuente: Something else, because we are talking about the kind of traditional incident with virtual machines, right,

with a server. But unfortunately, nowadays we have more than that. We have serverless, we have also Kubernetes, containers. So what is the best practice here is to have a trace from, we can say, bumper to bumper, right? So from CloudFront to the database and everything in between, and how to do the correlation across all the logs. You know, to have a proper log retention policy and log collection is key.

In this case, we can help, as AWS, to do that, but it is the customer’s responsibility to have those logs [00:31:00] in a place where they can do some analysis.

Ashish Rajan: Interesting. And so would that all be going to Security Hub, or like a SIEM?

Toni de la Fuente: Well, when it comes to all the service logs, you have Security Hub, you have best practice checks that you can run.

In GuardDuty, you have threat detection, right? I’m talking more about: whatever it is that you have, at least in production, make sure it is logging properly, then you can correlate it across the entire stack.

It can be CloudWatch, or it can be a third

Ashish Rajan: party. Right? Cause I mean, there could be so many, like, oh, it depends on what you have. So I didn’t want to give people a consultant answer, but I think what you said is very apt as well.

I’ll definitely encourage people who may have any follow-up questions to tap the hand icon in Clubhouse, or probably leave a question there, but that’s great advice, my friend. Switching gears, because we’ve been talking about Prowler and calling it out. And I know you work for AWS as well.

Because this is a non-AWS tool, this is an open source community tool, [00:32:00] for people who are, I guess, more for, or is there a cloud version to this? I guess, where do you stand in the whole, I mean, I personally think the right tool for the right job, but what are your thoughts on people who are thinking, well, I should just wait for the cloud native version to come in, I guess?

What are your thoughts on that, cloud native versus going for an open source tool? What challenges can they see if they were to go down the other path of open source?

Toni de la Fuente: Yeah. Well, first of all, I feel really supported inside AWS, and Amazon in general, with open source. So I can do pretty much what I want in Prowler, because it’s good for us, for AWS customers.

Of course we see every day, every week, new checks in Security Hub, right? So the point of Security Hub: you have to enable Security Hub to have better visibility, you have to enable whatever you want to check in Security Hub, and it’s totally fine, because you can plan your checkpoints with Security Hub.

And this is fine. The point of using Prowler is [00:33:00] that you can run it very easily on your side using your own credentials, right, to analyze out of the box all the regions in just one shot, let’s say, right? So you don’t have to configure anything. It’s going to go and see everything, the same thing that you can see as a user,

and tell you whether you have to fix it or not. With that said, Prowler is growing more in specific check features, like also customization, and allows customers to do whatever they need, you know, in a probably more flexible manner than a service, because this is a tool. It’s a tool that you download, you do whatever you want with it.

I mean, it’s not really comparable between Security Hub and Prowler, because you have more flexibility with the tool; you can do

Ashish Rajan: whatever. Yeah. So, so what tool do you recommend? I mean, I know probably was your favorite, but what other tools do you recommend in the open [00:34:00] source space?

I know it’s a bit of a biased answer there, but what do you recommend outside of

Toni de la Fuente: Prowler? Yeah, first of all, to answer your question: I work with customers every day, and I always recommend using the most native tools or services as possible, because it’s going to give you more; everything is going to be easier at the end of the day, you know, the APIs, et cetera.

Right, if you want to go the extra mile, you probably need to use another tool or service from partners, or open-source tools. In terms of open source tools, I can recommend pretty much all of them. I mean, if you’re using any open source tool, is it because you are worried about security?

If you are worried about security, you are doing a good job, that’s simple. That’s simple. So run all of them. With care, of course; don’t break anything, but at least for assessment, like CloudMapper, like ScoutSuite, like Prowler, like [00:35:00] many of those that I have in my arsenal of AWS security tools that we are going to share,

also the link. Run all of them for IAM to understand what is your IAM posture: if you have open rules, or you have rules that allow escalation of privileges, things like that. Right. All of them, and understand your infrastructure. So I cannot pick one. I would pick all of them, right? Yeah.

Ashish Rajan: Yeah. I think maybe another way to put this also would be to pick one that you understand, because some of them have been written in different languages as well.

And you may or may not be comfortable in Python, but you may love, I don’t know, some other language. So you may choose a different tool. I’m sure, to your point, if you go on GitHub, you’ll definitely find something which is probably written in a language that you understand, but most of them are pretty straightforward, and Python is usually easy enough as well.

That’s my bias, obviously. I know Python.

Toni de la Fuente: Yeah, well, I’m learning Python, but I did Prowler with bash, because for me it’s very easy to write [00:36:00] a bash script, and using the CLI, the AWS CLI, is very powerful. So if you have a tool on top of the CLI, you forget a lot of headaches, you know, in terms of connections or a lot of things like that.

And everybody knows bash. I mean, it’s easy. It’s easy enough to write a check, so you can write a Prowler check in five lines. Yeah, just two AWS CLI commands. And of course you can do that also in Python. You cannot write checks in Prowler in Python today, but you will be able

Ashish Rajan: to do that.

Toni de la Fuente: Yeah, but yeah, usually the tool that you are more comfortable with,

Ashish Rajan: for sure. Awesome, man. Thank you. And this is kind of like a looking-into-the-crystal-ball kind of question. Where do you see the whole incident response space going in cloud? I know when you started making Prowler,

there was no CIS benchmark. Now we have the CIS [00:37:00] benchmark, and the CSA, Cloud Security, sorry, Cloud Security Alliance as well. I’m like, what is that? What are they called? So the space is growing. And I’m curious to know from your side, being part of the space for probably the longest, where do you see the incident response space going in cloud: more automation, more tools, or where do you see this go?

Toni de la Fuente: Yeah. Yeah. It’s more and more understanding of what to do. So we have more and more services and more interaction between services; how do we automate all that stuff? So we talk a lot about how to respond to an incident in EC2 instances, but what about a notebook in other services, or a container in EKS?

So all that automation, the automation across all of the services that have something to do with compute, is also important. So the automation beyond EC2 [00:38:00] instances is probably what is next, and understanding that we can have incidents beyond that. Yeah.

Ashish Rajan: It’s really interesting, too.

Toni de la Fuente: And, you know, education in that.

Ashish Rajan: Yeah. Cause I think what you said is right, because primarily every time you kind of try and look for incident response conversations, they’re usually floating around EC2 instances. They’re not really floating around: what if you have Kubernetes, like a Kubernetes cluster in your AWS, and suddenly it gets compromised?

What do you do for that? Are there tools for this? How do you extract something out of the container? Like, we haven’t really gone into any of that detail as well, so I do appreciate that as well. I’ve got a question from Katelyn again. Welcome, my friend. What is the benefit of using the integration of Prowler with AWS Security Hub,

if any, since we have the possibility of having a central dashboard of the status of checks using Prowler?

Toni de la Fuente: Yeah. Well, so you have all the tools in Security Hub [00:39:00] for compliance, or you can send some findings, whatever type of findings, to Security Hub using the AWS Security Finding Format.

You can use Prowler, or a set of specific checks in Prowler, to send to Security Hub, which is something that I have seen in many customers. So of course it doesn’t make sense to run the CIS checks in Prowler if you have them in Security Hub, for example, unless you want to, because it’s the same. But if you have, for example, specific checks that you want, right,

or that are available in Prowler, for example for Glue or for RDS, or even detect secrets, or internet-exposed, which is another group that is available in Prowler that is going to tell you what is exposed to the internet in any account, I mean, any account or any region of your infrastructure, or even check if you have something exposed, for example, in [00:40:00] Shodan, you know, the website where you can find IP addresses and resources exposed or open to the internet.

So this kind of specific checks, or even secrets: do you have any key or password or certificate, et cetera, in your infrastructure? You can look at that in Prowler. So we have, I have some customers, very large customers, they have their own specific checks. Something that is public is the government of Canada.

For example, they have specific checks they wanted to write in Prowler. So this is something that you can take advantage of with Prowler and with Security Hub, but of course you can write your own Config rules as well.

Ashish Rajan: That’s awesome. Cool. No, that’s pretty much all the questions that I have for this episode, man, but I do appreciate you taking the time out. So for people who may have follow-up questions and want to connect with you and probably find you, where can they connect with you and maybe have a follow-up conversation?

Toni de la Fuente: Well, probably Twitter or LinkedIn, so they can find me on Twitter as toniblyx, T O N I B L Y X. [00:41:00] My DMs are open. So I’m always happy to know about people using Prowler and doing whatever else in cloud security that I’m interested in, or even Linux security. I also love doing stuff with open source and Linux, so I’m always happy to hear from

Ashish Rajan: from others.

Awesome. I’ll leave those in the show notes as well. It should be on www.cloudsecuritypodcast.tv.

Definitely check Toni out, with all the episode information that we shared. Thanks everyone, and I will see you all next week. Thanks so much for this, Toni. I really appreciate that, man.

Thank you. Thanks,

Toni de la Fuente: everybody.