# BCP (A business continuity plan)

## Service infrastructure description

#### EC2 Instances:

- **bastion** - Old architecture, not in use
- **app-1b** - Old frontend
- **app-1c** - Old frontend
- **utildriver** - Old collectors, currently in use
- **bgtask-1b** - Old architecture
- **virtual-collectors** - Application for generating demo data
- **powerapp-api-dev** - Powerapp backend v4, DEVELOPMENT env
- **powerapp-task-dev** - Powerapp worker, works with collectors + background tasks, DEVELOPMENT
- **portal-api-prod** - Portal backend v3, PRODUCTION env
- **portal-api-dev** - Portal backend v3, DEVELOPMENT env
- **dev-portal-api** - Portal backend v4, DEVELOPMENT env
- **powerapp-api-prod** - Powerapp backend v4, PRODUCTION env
- **powerapp-task-prod** - Powerapp worker, works with collectors + background tasks, PRODUCTION

---

![](https://hackmd.io/_uploads/r17_BHBG6.png)

Description of backend servers:

#### Portal Development (Staging)

- Name: `portal-api-dev`
- Instance type: `t2.small`
- Key pair assigned at launch: `tva`
- List of inbound open ports:
  - 22, tcp, ssh, 93.170.46.118/32, Alex
  - 22, tcp, ssh, 217.71.1.16/32, Thomas
  - 22, tcp, ssh, 91.193.130.23/32, <???>
  - 80, tcp, http, ipv4 0.0.0.0/0
  - 80, tcp, http, ipv6 ::/0
  - 443, tcp, https, ipv4 0.0.0.0/0
  - 443, tcp, https, ipv6 ::/0

#### Portal Production (Production)

- Name: `portal-api-prod`
- Instance type: `t3.medium`
- Key pair assigned at launch: `tva`
- List of inbound open ports:
  - 22, tcp, ssh, 93.170.46.118/32, Alex
  - 22, tcp, ssh, 217.71.1.16/32, tva
  - 80, tcp, http, ipv4 0.0.0.0/0
  - 80, tcp, http, ipv6 ::/0
  - 443, tcp, https, ipv4 0.0.0.0/0
  - 443, tcp, https, ipv6 ::/0

---

## Description of database instances:

**portal-prod**

- Automated backups: Enabled (retention 14 days)
- Copy tags to snapshots: **Enabled**
- Backup target: AWS Cloud (EU West (Ireland))
- Backup window: 01:28-01:58 UTC (GMT)

**portal-dev**

- Automated backups: Enabled (retention 7 days)
- Copy tags to snapshots: **Disabled**
- Backup target: AWS Cloud (EU West (Ireland))
- Backup window: 03:15-03:45 UTC (GMT)

## Production db

- Name: **portal-prod**
- db name: **prod**
- username: **portal_prod**
- Access:
  - 159.224.231.53/32 **Alex2**
  - 93.170.44.118/32 **Alex**
  - 217.71.1.16/32 **tva**
  - sg-075d857a
  - sg-07253ee029857533c

## Development (staging) db

- Name: **portal-dev**
- db name: **dev**
- username: **portal_dev**
- Access:
  - sg-079450de0cf2ce2e4
  - sg-4d7aa230
  - 217.71.1.16/32

---

Description of frontend service: s3 buckets, static files:

**Production**:
- name: `powerapp-portal-prod`
- access: Publicly accessible

**Development** (Staging):
- name: `powerapp-portal-dev`
- access: Publicly accessible

----

Bash oneliners to get info from aws:

```bash
# get the list of all ec2 instances in the region (uses the sysadm@powerapp CLI profile)
aws --profile sysadm@powerapp ec2 describe-instances \
    --output json --region eu-west-1 > ec2.services.json

# get security group name and id from each instance's primary network interface,
# keeping only groups whose name or id contains "prod" (-r gives raw strings for rg)
jq -r '.Reservations[].Instances[0].NetworkInterfaces[0].Groups[]
       | .GroupName + ", " + .GroupId' ec2.services.json | rg prod

# get data on a security group: its rules with ports and addresses
aws --profile sysadm@powerapp --output json \
    --region eu-west-1 ec2 describe-security-group-rules \
    --filters Name=group-id,Values=sg-079450de0cf2ce2e4 | jq
```

----

BCP Notes:

---

## Events that could negatively impact operations:

### Internal

- Developer cannot work anymore
  - Personal reasons
    - Sickness
    - Access lost
  - Environmental reasons
    - Hardware destroyed
    - Hardware/Software malfunctioning

### External

- Ransomware attack
- …
- Infrastructure outages
  - AWS outages
  - GitHub outages
- Supply chain attack:
  - Docker image
  - Python packages
  - Node packages
  - System packages

## Ransomware Response Plan

### Preventative measures

- Security assessment/audit
- Software hardening
- System monitoring
- Allow web server to serve requests only from frontend origin
- Update software as much as possible
- Configure backup system for
  - EC2 service
  - S3 buckets
  - …

### Detection and Response

- Determine impacted systems
  - Which systems are affected?
  - Can you isolate them?
- Power down
  - Can you take all systems offline?
  - If not: can you power down the systems?
- Triage affected systems
  - Which systems were affected? Identify the most critical systems and order them by priority
- Examine logs:
  - Review system logs. Can you identify the initial attack vector?
- Determine what happened:
  - Rebuild the sequence of events leading to the successful attack.
- Find the threat
  - Identify the malware (configure the threat detection system)

### Communication and reporting

- Report the incident and transparently communicate what has happened to the affected parties. (Prepare templates for communication)
- Communicate internally:
  - Set up regular updates
  - Inform all members
- Notify relevant authorities (and FIRST groups)
  - The incident should be reported to the local or national law enforcement officials
- Communicate externally:
  - All customers and business parties should be informed about the incident and the extent of the damage.
  - Keep the transparency level
    - Transparency minimizes harm to reputation, helps investigators and provides affected parties with an opportunity to take steps to protect sensitive data.

### Containment Strategies

System images (disk and RAM memory) should be taken for future analysis before the systems are shut down.
(Research on tools capable of doing that)

Research whether the Danish FIRST teams have any kind of templates/run-books: https://www.first.org/members/teams/

### Eradication Strategies

### Restoration of services

- If the RDS database instance was damaged/corrupted, try to redeploy the instance
  - If redeployment is not possible, create a new instance from a database snapshot
- Deploy a new EC2 instance

There is a chance that the AWS account was compromised as well, hence a new account should be used in order to keep the forensic images.

---

Tools to use:

- https://github.com/google/cloud-forensics-utils
- https://www.cadosecurity.com/cado-community-edition/
- https://www.youtube.com/watch?v=3oto8Bl2vaE
- https://www.mnemonic.io/resources/blog/container-security-infecting-images-to-establish-backdoors/
- https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
- https://book.hacktricks.xyz/linux-hardening/privilege-escalation#process-memory
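As an added example for the "security assessment/audit" preventative measure (not part of the original document): a Python check run over the JSON that the `describe-security-group-rules` one-liner above writes, flagging inbound rules that contradict the documented port lists, i.e. anything other than 80/443 open to the whole internet, and SSH from any source outside the documented /32 allowlist. The allowlist constant mirrors the SSH entries listed for the backend servers; the sample rules, and their `sgr-`/`sg-` ids, are constructed for the demonstration.

```python
import json

# Constructed allowlist mirroring the documented SSH sources (the /32 entries in this BCP).
SSH_ALLOWLIST = {"93.170.46.118/32", "217.71.1.16/32", "91.193.130.23/32"}
# Ports the backend is documented to expose to everyone (http/https).
PUBLIC_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}


def audit_rules(doc):
    """Check the SecurityGroupRules list produced by `aws ec2 describe-security-group-rules`
    against the documented policy: only 80/443 open to the world, SSH only from the allowlist.
    Returns a list of (rule id, finding) tuples; an empty list means the group is compliant."""
    findings = []
    for rule in doc.get("SecurityGroupRules", []):
        if rule.get("IsEgress"):
            continue  # outbound rules are out of scope for this inbound check
        cidr = rule.get("CidrIpv4") or rule.get("CidrIpv6")
        if cidr is None:
            continue  # source is another security group or a prefix list
        frm, to = rule.get("FromPort", -1), rule.get("ToPort", -1)
        rule_id = rule["SecurityGroupRuleId"]
        if cidr in WORLD and not (frm == to and frm in PUBLIC_PORTS):
            findings.append((rule_id, f"ports {frm}-{to} open to the world via {cidr}"))
        elif frm == -1 or frm <= 22 <= to:  # -1 means "all ports" in the AWS output
            if cidr not in SSH_ALLOWLIST:
                findings.append((rule_id, f"ssh reachable from {cidr}, not in allowlist"))
    return findings


# Constructed sample in the CLI's output shape; rule and group ids are placeholders.
SAMPLE = json.loads("""{"SecurityGroupRules": [
 {"SecurityGroupRuleId": "sgr-ok-ssh", "GroupId": "sg-EXAMPLE", "IsEgress": false,
  "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "93.170.46.118/32"},
 {"SecurityGroupRuleId": "sgr-ok-https", "GroupId": "sg-EXAMPLE", "IsEgress": false,
  "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv4": "0.0.0.0/0"},
 {"SecurityGroupRuleId": "sgr-bad-ssh-world", "GroupId": "sg-EXAMPLE", "IsEgress": false,
  "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "0.0.0.0/0"},
 {"SecurityGroupRuleId": "sgr-bad-all-v6", "GroupId": "sg-EXAMPLE", "IsEgress": false,
  "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv6": "::/0"},
 {"SecurityGroupRuleId": "sgr-bad-ssh-lan", "GroupId": "sg-EXAMPLE", "IsEgress": false,
  "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "10.0.0.0/8"},
 {"SecurityGroupRuleId": "sgr-egress", "GroupId": "sg-EXAMPLE", "IsEgress": true,
  "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"}]}""")

if __name__ == "__main__":
    for rule_id, finding in audit_rules(SAMPLE):
        print(f"{rule_id}: {finding}")
```

To audit a real group, replace `SAMPLE` with `json.load(open("rules.json"))` where `rules.json` is the saved output of the one-liner; rules referencing other security groups (the `sg-` entries in the database access lists) are skipped because they carry no CIDR.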