The Create-AWS-Snapshot playbook for Microsoft Azure Sentinel automates the gathering and preservation of the evidence required for the digital forensic process, which aims to reconstruct events, determine how, when, and where an incident occurred (NIST SP 800-61 R2), and generate threat information. The main goal of the automation is to minimize the time gap between detection of a security incident and collection of evidence. The playbook also helps to establish a proper Threat Intelligence Program (M1019) and to mitigate the following MITRE ATT&CK "Defense Evasion" techniques:
- T1146 “Clear Command History”
- T1107 “File Deletion”
- T1070 “Indicator Removal on Host”
This playbook creates an AWS EC2 snapshot in line with the requirements described in section 4, "Acquiring Forensic Evidence in EC2", of the SANS Institute Information Security Reading Room paper "Digital Forensic Analysis of Amazon Linux EC2 Instances" (author: Kenneth G. Hartman, firstname.lastname@example.org).
The paper mentioned above presents specific tactics for the forensic analysis of Amazon Linux that align with the SANS "Finding Malware – Step by Step" process for Microsoft Windows and leverage the tools from the ThreatResponse project. ThreatResponse is an open-source project whose team develops tools and promotes techniques focused on improving incident response in Amazon Web Services.
Given the global trend of shifting business-critical workloads to cloud services such as Amazon Web Services Elastic Compute Cloud (EC2), this playbook, in combination with the SANS paper and the ThreatResponse tools mentioned above, should help organizations improve their forensic capabilities in the cloud and significantly reduce their MTTR metric.
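The core evidence-acquisition step the playbook automates, written out as a stand-alone script (an added example, not the playbook's own Logic App definition or code from the SANS paper): every EBS volume attached to the suspect instance is snapshotted, root volume first, and each snapshot is described and tagged with incident and acquisition metadata so it can be tied back to the case. The boto3 EC2 client calls are real; the incident id, tag key names, region and instance id in the `__main__` block are assumed placeholder values.

```python
"""Preserve EBS evidence for an EC2 instance by snapshotting each attached volume.

Added example (not the playbook's own code). Assumes the boto3 EC2 client API
(describe_instances / create_snapshot); the tag key names, incident id format
and the region/instance id below are assumed placeholders.
"""
from datetime import datetime, timezone

try:
    import boto3  # only needed when talking to a real AWS account
except ImportError:  # lets the snapshot logic be exercised with a fake client
    boto3 = None


def attached_volume_ids(ec2, instance_id):
    """Return the EBS volume ids attached to the instance, root volume first."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    root = instance.get("RootDeviceName")
    mappings = instance.get("BlockDeviceMappings", [])
    # Stable sort: root device sorts first (False < True), others keep order.
    mappings = sorted(mappings, key=lambda m: m["DeviceName"] != root)
    # Instance-store (ephemeral) devices have no "Ebs" key and cannot be snapshotted.
    return [m["Ebs"]["VolumeId"] for m in mappings if "Ebs" in m]


def snapshot_instance_volumes(ec2, instance_id, incident_id, now=None):
    """Create one snapshot per attached EBS volume, tagged for chain of custody.

    Returns a list of (volume_id, snapshot_id) pairs in creation order.
    """
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")  # acquisition time, recorded on the snapshot
    created = []
    for volume_id in attached_volume_ids(ec2, instance_id):
        desc = f"Forensic evidence {incident_id} {instance_id} {volume_id} {stamp}"
        snap = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=desc,
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "IncidentId", "Value": incident_id},      # assumed tag names
                {"Key": "SourceInstance", "Value": instance_id},
                {"Key": "SourceVolume", "Value": volume_id},
                {"Key": "AcquiredAt", "Value": stamp},
            ]}],
        )
        created.append((volume_id, snap["SnapshotId"]))
    return created


if __name__ == "__main__" and boto3 is not None:
    client = boto3.client("ec2", region_name="us-east-1")  # placeholder region
    print(snapshot_instance_volumes(client, "i-0123456789abcdef0", "INC-0001"))  # placeholder ids
```

The snapshots are still in the account of the compromised workload; the SANS paper's section 4 goes on to cover handing them to a separate forensic environment, which this script deliberately stops short of.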
Note: playbooks are built on Azure Logic Apps, so Logic Apps charges apply.
MITRE ATT&CK Mitigation ID: M1019, Threat Intelligence Program, https://attack.mitre.org/mitigations/M1019/