Materials used and mentioned during my talk at RootedCON 2017

Tools and code used during my talk at RootedCON 2017

Automate or Die! How to survive to an attack in the cloud

March 3rd, 2017


## CloudFormation Template

The template used for the demos is based on my existing CFN template that automates the deployment of Security Monkey. For additional steps after deployment, please see that repo's documentation.

### What does this CFN template do?

  1. Creates a VPC with a public subnet for two instances and a private subnet for RDS (PostgreSQL, used by Security Monkey)
  2. One instance is dedicated to Security Monkey; the other has tools and sample code on it, such as Prowler and the ThreatResponse tools (see the template for details)

## Presentation in PPTX format

See the file Automate or die - Rootedcon 2017.pptx in this repo. You can easily use all links in the References slide; all of those links are also listed below in this README. The presentation also contains hidden slides that I didn't show during my talk.

## Some commands used during my demo

1- Instance Role - metadata server:

  • curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
  • curl http://169.254.169.254/latest/meta-data/iam/security-credentials/SampleRole-17TS7M8I11W2K
  • aws sts get-session-token --duration-seconds 129600
  • aws ec2 describe-instances
  • aws ec2 create-key-pair --key-name admin666 --output text
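As an added example (not part of this repo or the talk), a small CloudTrail check for the risk Demo 1 shows: instance-role credentials pulled from the metadata server keep working off the box, so API calls made with an instance's role session from an IP that is not that instance's are worth alerting on. The instance id, IPs, account number and events below are constructed; the instance-to-IP map would come from `aws ec2 describe-instances` in practice.

```python
"""Flag CloudTrail events where an EC2 instance-role session is used from
somewhere other than the instance itself. Added example, not the repo's code."""

# Constructed: public and private IPs of our instances, keyed by instance id
# (both show up as sourceIPAddress, depending on whether a VPC endpoint is used).
KNOWN_INSTANCE_IPS = {"i-0abc123def456": {"54.0.0.10", "10.0.1.23"}}

# Constructed CloudTrail records. Instance-profile sessions appear as AssumedRole
# identities whose session name (last ARN segment) is the instance id.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "54.0.0.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/i-0abc123def456"}},
    {"eventName": "CreateKeyPair", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/i-0abc123def456"}},
    {"eventName": "GetSessionToken", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]


def session_instance_id(event):
    """Return the instance id if the caller is an instance-role session, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name if session_name.startswith("i-") else None


def find_leaked_role_use(events, instance_ips):
    """Return (eventName, instance_id, sourceIP) for every call made with an
    instance's role credentials from an IP that is not one of that instance's."""
    findings = []
    for ev in events:
        iid = session_instance_id(ev)
        if iid is None:
            continue
        src = ev.get("sourceIPAddress", "")
        # Unknown instance id: we cannot vouch for the source, so report it too.
        if src not in instance_ips.get(iid, set()):
            findings.append((ev["eventName"], iid, src))
    return findings


if __name__ == "__main__":
    for finding in find_leaked_role_use(SAMPLE_EVENTS, KNOWN_INSTANCE_IPS):
        print("instance-role credentials used off-box:", finding)
```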

2- Mad-King attack (Tools Instance): Demo Video mad-king

  • cd /opt/mad-king
  • aws configure (use valid keys)
  • virtualenv .
  • source bin/activate
  • zappa deploy production (then open the URL printed in the output)

3- Incident Response aws_ir (Tools Instance):

Demo Video host compromise

Demo Video key compromise

  • aws_ir key-compromise --access-key-id AKIAJTEST
  • aws_ir instance-compromise --instance-ip IP --user centos --ssh-key ~/key-toplay.pem --repository-url https://threatresponse-lime-modules.s3.amazonaws.com
  • volatility -f IP-2017-02-23T02\:15\:48-mem.lime imageinfo
  • volatility -f IP-2017-02-23T02\:15\:48-mem.lime --profile=Ubuntu14043 linux_pslist

4- Hardening template, Prowler, SecurityMonkey

Demo Video

  • hardening template from here
  • run prowler (ssh to Tools Instance, aws-cli must be configured)
  • cd /opt/aws-cis-security-benchmark
  • ./prowler
  • show securitymonkey

5- Cleanup demo!!

  • Delete CFN Stacks, SSH keys and Access keys!

## All links and tools mentioned during the talk, in order of appearance