Hardening AWS Environments and Automating Incident Response for AWS Compromises

DerbyCon 6.0 - Recharge

Presented by: Andrew Krug, Alex McCormack
Date: Sunday September 25, 2016
Time: 11:00 - 11:50
Location: Regency North
Track: Break Me

Incident Response procedures differ in the cloud versus when performed in traditional, on-premise, environments. The cloud offers the ability to respond to an incident by programmatically collecting evidence and quarantining instances but with this programmatic ability comes the risk of a compromised API key. The risk of a compromised key can be mitigated but proper configuration and monitoring must be in place. The talk discusses the paradigm of Incident Response in the cloud and introduces tools to automate the collection of forensic evidence of a compromised host. It highlights the need to properly configure an AWS environment and provides a tool to aid the configuration process.

Andrew Krug

Andrew Krug is a Senior Software Engineer at a large cyber security company. Krug has been Consultant, Network Architect, Systems Administrator, Operations Manager, Technical Trainer, and Software Engineer. Currently Krug works to develop gamified security education through security simulation scenarios and rich interactive content.

Alex McCormack

Alex McCormack is a Principal Software Developer at a large cyber security company. Alex assists in the design and implementation of Capture the Flag competitions and training events. Alex has designed CTF challenges since 2013 and given training since 2012. Prior to developing CTFs, Alex worked in Incident Response and Malware Analysis.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats