Dr Michael Cohen
Velocidex Consulting
Michael Cohen has over 15 years of experience in applying and developing novel incident response and digital forensics tools and techniques. He has previously worked in the Australian Department of Defence as an information security specialist providing advice on policy compliance, code review and system hardening. He then continued on to work in the field of digital forensics at the Australian Federal Police specializing in network and memory forensics. In 2010 he joined Google, where he led the GRR development team to create a world class endpoint monitoring tool for incident response and remote forensic analysis. While at Google, he founded and spearheaded the Rekall project - an advanced memory forensic framework. More recently, Michael has worked in Google's Cloud Platform division specializing in cloud Identity and Access Management (IAM). Michael has recently founded Velocidex Consulting - a practice specializing in helping organizations deploy, manage and develop open source security and incident response tools.

MichaelCohen_AusCERT2018-Digital-Forensics-and-Incident-Response-in-the-Cloud-Pt-1
MichaelCohen_AusCERT2018-Digital-Forensics-and-Incident-Response-in-the-Cloud-Pt-2
MichaelCohen_AusCERT2018-Digital-Forensics-and-Incident-Response-in-the-Cloud-Pt-3

TUTORIAL: Digital Forensics and Incident Response in the Cloud

Cloud technologies have made it easier for organizations to adapt rapidly to changing IT needs. Teams may acquire (and destroy) new computing resources at the press of a button, providing a very flexible deployment environment. While this capability is generally useful, it comes at the cost of increased management overhead and, in particular, a degraded security posture. Traditionally, IT managers have had visibility into organizational inventories and could use this information to enforce organization-wide standard operating environments (SOEs), institute patching regimes, and so on. However, with the advent of cloud computing, every team can create new VMs and containers on a whim for both production and development use, typically built from the cloud service provider's SOE offering. In this tutorial we explore open source tools available for managing cloud deployments. In particular we look at the endpoint monitoring solutions provided by Google's Rekall Agent and Facebook's OSQuery and how these can be integrated into typical cloud deployments. Delegates should walk away from this tutorial able to install and manage a cloud deployment of Rekall Agent and OSQuery on their VM endpoints. These solutions allow administrators to gain insight into their enterprise-wide deployment. For example, one could ask questions such as:
  • What is the current patch level of all my cloud VMs and containers for each software package? Which VMs are in need of patching? Which VMs have been created recently, and do they comply with minimum security hardening standards?
  • Who has remote access to my VMs? E.g. via ssh authorized_keys? Via cloud IAM's security policy?
  • Do any VMs contain a particular indicator of compromise? E.g. run a YARA signature over all executables on my virtual machines and tell me which ones match.
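As an added illustration (not from the tutorial or its slides), the three questions above expressed as osquery SQL against osquery's own schema tables; the YARA rule file path and the `/usr/local/bin` scan scope are assumed placeholders, and the Rekall Agent side is not shown.

```sql
-- Added example: the three fleet questions as osquery queries. Table and
-- column names (deb_packages, os_version, users, authorized_keys, yara) are
-- osquery's; run with osqueryi on a Debian/Ubuntu VM or schedule them in a
-- fleet query pack. /etc/osquery/yara/ioc.yar is an assumed placeholder.

-- 1. Patch level: every installed package alongside the OS release, so the
--    result can be compared with the versions the patching baseline expects.
SELECT o.name AS os, o.version AS os_release,
       p.name AS package, p.version, p.arch
FROM deb_packages p, os_version o
ORDER BY p.name;

-- 2. Remote access via ssh authorized_keys: each key found in a local user's
--    ~/.ssh/authorized_keys, joined to the account it grants login to.
--    Accounts with a disabled shell are excluded; only a key prefix is shown.
SELECT u.username, u.uid, a.algorithm, a.key_file,
       substr(a.key, 1, 24) AS key_prefix
FROM users u
JOIN authorized_keys a ON a.uid = u.uid
WHERE u.shell NOT LIKE '%nologin'
  AND u.shell NOT LIKE '%false'
ORDER BY u.username;

-- 3. Indicator of compromise: scan executables under /usr/local/bin with a
--    YARA rule file and report only files that matched at least one rule.
SELECT path, matches, count
FROM yara
WHERE path LIKE '/usr/local/bin/%'
  AND sigfile = '/etc/osquery/yara/ioc.yar'
  AND count > 0;
```

Scheduling these in a query pack and shipping the results to a central log lets the answers be tracked per VM over time rather than only at the moment the query is typed.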