Ansible for Incident Response Brad Sollar Sr. Solutions Architect Jun 2018
Intro
With the high rate of turnover inherent in military organizations, institutional knowledge such as network configurations and organizational processes can easily be lost. Additionally, security teams within these organizations normally run multiple tool sets with complex configurations, which makes it difficult to duplicate the exact setup or share it with other team members. Open source automation tools make it easy to codify and automate processes and configurations. This is especially helpful to security teams, who gain repeatable and shareable configurations for their architecture and tooling. Open source infrastructure can help to scale automation, manage complex deployments and speed productivity. Standardizing workflows and processes through automation helps teams to enhance mission capabilities.
Automation
- A general tool capable of supporting the entire stack, with minimal expertise and coding experience required.
- A general-purpose automation capability is core to lowering the barrier to entry for cyber warriors: operators need to focus on the mission instead of having to know which tools fit where.
- Operators do not need to know how to configure each tool; the automation takes care of setting everything up for conducting a mission.
- Automate complex actions such as:
  - Forensics collection
  - Offensive actions
  - Incident response
Automation: Intro to Ansible
- Agentless (SSH/WinRM)
- Desired state (no unnecessary changes)
- Extensible and modular (1600+ modules)
- Push-based architecture
- Easy targeting based on facts
Automation: Intro to Ansible
Ansible for Security uses:
- Security Technical Implementation Guides (STIG)
- Payment Card Industry Data Security Standard (PCI DSS)
- Network device hardening
- Remediation
- Internal standards
- System tracking (with Ansible Tower)
- Incident response
Automation: Incident Response
NIST SP 800-61, Computer Security Incident Handling Guide. Its incident response life cycle has four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.
Automation: Incident Response
Automate Response Actions
Once an analyst finds signs of compromise and an incident has been declared, the organization moves into the Containment, Eradication, and Recovery phase. The response actions in that phase are what the following slides automate.
Automation: Incident Response
Containment strategies vary based on the type of incident. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision-making. Major incident types include:
- Email malware infection
- APT
- Network-based DDoS
- Web & DB compromise
Incident Response: Web & DB Compromise
Things to Automate
- Choose a Containment Strategy
- Evidence Collection/Preservation
  - image drives
  - network connections
  - memory dump
  - command history
  - system hashes
  - label evidence
- Eradication and Recovery
  - disable compromised accounts
  - patch vulnerabilities
  - restore from backups
  - rebuild systems
Incident Response: Automate your Response (architecture diagram)
A Control Node (Inventory, Playbook, Modules) pushes actions over SSH or API to three kinds of targets:
- Network Switches: dump configs, create IP blocks, create port blocks
- Compromised Hosts: disconnect volumes, image drive, memory dump, command history, etc.
- Newly Provisioned Hosts: patch new systems, add application data, add new signatures, return to service
Sample IR Playbook:
Automation: Incident Response
Sample Playbook
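The sample playbook itself is not reproduced on this page. As an added example written for this page, not the presenter's playbook, the following shows what one IR playbook covering the "things to automate" lists above can look like: evidence collection and preservation on the compromised hosts, an IP block at the switch, and the first eradication steps. The inventory group names (`compromised`, `switches`), the case identifier, the evidence paths, the attacker address and the account list are all assumptions; the switch play assumes Cisco IOS devices reachable through the `cisco.ios` and `ansible.netcommon` collections.

```yaml
---
# Added example for this page, not the presenter's own playbook.
# Assumptions: inventory groups "compromised" and "switches", the case id,
# the evidence paths, the attacker address and the account list below.
# The switch play needs the cisco.ios and ansible.netcommon collections.

- name: Evidence collection and preservation on compromised Linux hosts
  hosts: compromised
  become: true
  gather_facts: true
  vars:
    case_id: "IR-2018-0001"                          # assumed case identifier
    evidence_root: "/var/tmp/{{ case_id }}"          # staging area on the host
    local_evidence_dir: "./evidence/{{ case_id }}"   # on the control node
  tasks:
    - name: Create the staging directory (root only)
      ansible.builtin.file:
        path: "{{ evidence_root }}"
        state: directory
        mode: "0700"

    - name: Capture volatile state, most volatile first
      ansible.builtin.shell: "{{ item.cmd }} > {{ evidence_root }}/{{ item.name }}.txt 2>&1"
      loop:
        - { name: timestamp,   cmd: "date -u" }
        - { name: connections, cmd: "ss -tunap" }      # network connections with owning PIDs
        - { name: processes,   cmd: "ps auxwwf" }
        - { name: logins,      cmd: "w; last -n 50" }
      changed_when: false

    - name: Preserve command history for root and every home directory
      ansible.builtin.shell: |
        for h in /root /home/*; do
          [ -f "$h/.bash_history" ] && cp -p "$h/.bash_history" "{{ evidence_root }}/history_$(basename "$h")"
        done
        exit 0
      changed_when: false

    # Memory dumps and disk images need a site-specific tool (LiME/avml, dd to a
    # collection volume) and are deliberately not shown here.

    - name: Hash everything collected so the evidence can be verified later
      ansible.builtin.shell: "cd {{ evidence_root }} && find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS"
      changed_when: false

    - name: Bundle the evidence and label it with the case id and host
      ansible.builtin.shell: "tar -C /var/tmp -czf /var/tmp/{{ case_id }}-{{ inventory_hostname }}.tgz {{ case_id }}"
      changed_when: false

    - name: Pull the bundle back to the control node (one sub-directory per host)
      ansible.builtin.fetch:
        src: "/var/tmp/{{ case_id }}-{{ inventory_hostname }}.tgz"
        dest: "{{ local_evidence_dir }}/"

- name: Containment at the network switch
  hosts: switches
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.ios.ios
    attacker_ip: "203.0.113.10"     # assumed; RFC 5737 documentation address
  tasks:
    - name: Dump the running config before changing anything
      cisco.ios.ios_config:
        backup: true

    - name: Create the IP block
      cisco.ios.ios_config:
        parents: "ip access-list extended IR-CONTAINMENT"
        lines:
          - "deny ip host {{ attacker_ip }} any"
          - "permit ip any any"
      # The ACL only takes effect once applied with "ip access-group
      # IR-CONTAINMENT in" on the right interface, which is site-specific.

- name: Eradication, first steps
  hosts: compromised
  become: true
  vars:
    compromised_accounts: ["webapp"]   # assumed; accounts the analyst flagged
  tasks:
    - name: Disable compromised accounts (lock password, remove login shell)
      ansible.builtin.user:
        name: "{{ item }}"
        password_lock: true
        shell: /usr/sbin/nologin
      loop: "{{ compromised_accounts }}"

    - name: Patch vulnerabilities, targeted by gathered facts
      ansible.builtin.yum:
        name: "*"
        state: latest
      when: ansible_os_family == "RedHat"
```

Run it with `ansible-playbook -i inventory ir.yml`. The evidence play runs before the switch block on purpose: the live connection table captured by `ss -tunap` still shows the attacker's sessions. `--check` skips `shell` tasks, so rehearse the evidence play against a lab host rather than relying on a dry run.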
Security Automation
Automation is used to audit and configure operating systems and applications to secure baselines using Ansible Playbooks. These Playbooks can help to bring systems into line with common baselines such as:
- DISA STIG
- NIST 800 Series
- CIS Benchmarks
Security Automation Links
openshift-compliance-guide.readthedocs.io/en/latest/
https://galaxy.ansible.com/mindpointgroup/rhel7-stig/
https://galaxy.ansible.com/redhatgov/800-53/
Thank You! plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhatnews youtube.com/user/redhatvideos