Skip to content

disruptops/IncidentResponseGenerator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
backdoor_role.py
backdoor_role.py
 
 
backdoor_role.zip
backdoor_role.zip
 
 
config.yml
config.yml
 
 
incident_response_generator.py
incident_response_generator.py
 
 
launch_instance.py
launch_instance.py
 
 
launch_instance.zip
launch_instance.zip
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

IncidentResponseGenerator

This application simulates an attack on AWS infrastructure. It was built for the Securosis/Cloud Security Alliance Advanced Cloud Security Practitioner training class.

This code is designed to be run inside an instance with an IAM role with admin privileges. Some caveats:

  • DO NOT RUN THIS IN ANY ACCOUNT OTHER THAN A TRAINING ACCOUNT!!
  • This will make changes to your account that, while within the terms of service of AWS, could create security exposures. It should be safe but we make no warranties or promises and it absolutely should never be run on a real account.
  • The code is deliberately not commented just to make life a little harder on students.
  • The associated config file has some values that would allow Securosis cross account access. CHANGE THIS TO AN ACCOUNT YOU CONTROL!!
    • We can't actually use this access since we don't know the target account and we don't scan millions of AWS accounts to see if we can get in, but you have been warned.
  • The default app uses two lambda functions in amn S3 bucket we control, THIS IS ARBITRARY CODE EXECUTION!
    • We've included the code so you can host it in your own bucket.
    • In future updates we will change the config file to point to an S3 bucket so you don't have to change the code, but right now you need to update the code yourself.
  • Cleanup is currently manual. In the future we will provide a cleaner script. SOmeday.

How we use this in training

We publish a public AMI with this app pre-loaded. Students run a CloudFormation template that creates a new IAM rule and instance profile, then launches an instance with the AMI, where the code runs on initial boot. This takes a few minutes and then we have the students attempt to contain and respond to the simulated attack. No network exposures are created and no secrets are leaked.

This version was created for an exercise that should take about an hour, including launch, response, cleanup, and discussion.

Future plans

  1. Add additional attack types for an upcoming advanced incident response class we are working on.
  2. Create a cleaner script.
  3. Add command line arguments for which attacks to include or exclude.

About

Updated incident response generator for training classes

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

41 stars

Watchers

8 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages