An open-source cloud DFIR kit – Dredge!

Thursday 3 October 09:30 - 10:00, Green room

Santiago Abastante (SolidarityLabs)

Cloud incident response can be daunting, requiring a deep grasp of various (expensive) tools, and while most cloud-based startups can’t allocate budget for preventive controls, there is less space for them to understand what to do if they are hacked. So if security is not a top priority, incident response naturally goes to the bottom of the list – until they are hacked.

Dredge is an open-source tool designed to streamline cloud incident investigations by allowing cloud engineers and incident responders to execute non-trivial response tasks effortlessly, irrespective of their familiarity with specific cloud platforms.

With this tool, engineers will be able to respond to some attacks no matter what preparation they had before, taking advantage of the out-of-the-box security features most cloud providers offer but not everybody is aware of, like being able to retrieve a forensic image from a running server or getting logs that they didn’t know they had.

Some key features:

• Retrieve logs seamlessly from GitHub, Kubernetes, AWS, GCP or Azure.
• Take action: whether it's blocking an IP in an AWS tenant, isolating an EC2 instance, or strategically extracting crucial post-compromise user data.
• Identify tactical misconfigurations that can be exploited by an attacker.
• Analyse retrieved data easily within your terminal, utilizing built-in capabilities from VirusTotal and Shodan.
• Cloud incident response guidelines for companies to embrace and build their playbooks.

We will present two common cloud-based attacks and show how we can execute incident response tasks to address them:

• Admin Service account compromise and privilege elevation for account takeover
• EC2 Server compromised with malware

This tool was originally created to overcome the challenges encountered in our CSIRT and is now available for the community to use (https://github.com/solidarity-labs/dredge-mvp).

The presentation will be mostly technical, going through the main complexities that incident response in cloud environments presents, like the non-trivial execution of a server network isolation and how Dredge takes care of the small steps required to achieve this.

Santiago Abastante Santiago Abastante is a former police officer and cloud incident responder with 10+ years of IT experience. During the course of his career he has worn many different hats, being able to intervene in incidents of multiple magnitudes in both the private and public sector, from bank robberies to cybersecurity breaches to confidential information leaks.

Back to VB2024 Programme page

Back to VB2024 conference page

Register for VB2024

Other VB2024 papers