Dredge: An Open Source Framework for Cloud Incident Response
10-22, 15:00–15:30 (Europe/Luxembourg), Europe - Main Room

Cloud incident response can be daunting, requiring a plethora of tools and skills. Most cloud-based startups cannot allocate budget for preventive controls, so there is even less room for them to understand what to do if they are hacked. That’s why we created Dredge, an open source framework designed to streamline cloud incident investigations, allowing engineers to execute non-trivial cloud incident response tasks easily.


Working in the SolidarityLabs CSIRT, we help small organizations in Latin America overcome cybersecurity incidents. Doing so, we found that cloud incident response can be daunting, requiring a plethora of (expensive) tools and skills. Most cloud-based companies cannot allocate budget for preventive controls, so there is even less room for them to understand what to do if they are hacked, especially given how hard it is to find (and retain) a security engineer with cloud skills and an incident response mindset.

That’s why we created Dredge, an open source framework designed to streamline cloud incident investigations by allowing cloud engineers and incident responders to execute non-trivial response tasks effortlessly, regardless of their familiarity with specific cloud platforms or incident response tactics.

The main idea is to empower engineers to respond to attacks no matter what preparation they had before, taking advantage of the out-of-the-box security features that cloud providers offer but not everybody is aware of, such as retrieving a forensic image from a running server or obtaining logs they did not know they had.

Some key features that differentiate Dredge from existing tooling:
- Python-based CLI.
- Retrieve logs seamlessly from GitHub, Kubernetes, AWS, GCP or Azure.
- Take action: whether it's blocking an IP in an AWS tenant, disabling an access key, isolating an EC2 instance, or strategically extracting crucial post-compromise user data.
- Identify tactical misconfigurations that can be exploited by an attacker.
- Execute threat hunting techniques.
- Create an attack timeline based on IOCs.
- Analyze retrieved data effortlessly within your terminal, using built-in integrations with VirusTotal and Shodan.
- Cloud incident response guidelines for companies to adopt and build their playbooks from.
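As an added illustration of the "attack timeline based on IOCs" feature (this is example code written for this page, not Dredge's own implementation): the script below matches CloudTrail-style audit records against a starting set of indicators, then pivots on what the matched records reveal (a key the actor created, new source addresses) and runs a second pass, so activity under the newly created key also lands on the timeline. All records, account ids, key ids and addresses are constructed; the field names follow the CloudTrail record format.

```python
"""Added example, not Dredge's own code: build an attack timeline from
CloudTrail-style audit records by matching them against a set of IOCs, then
pivot on what the matched records reveal (new access keys, new source IPs)
and run a second pass. All records, key ids and addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TimelineEntry:
    time: datetime
    event_name: str
    actor: str        # userIdentity.arn
    source_ip: str
    reasons: tuple    # which indicators matched this record


# Constructed starting indicators, e.g. from an alert: one IP, one /24, one key id.
INITIAL_IOCS = {
    "ips": {"203.0.113.7"},
    "cidrs": [ip_network("198.51.100.0/24")],
    "access_key_ids": {"AKIAIOSFODNN7EXAMPLE"},   # AWS documentation placeholder id
}

# Constructed CloudTrail-like records (subset of fields), deliberately out of order.
EVENTS = [
    {"eventTime": "2024-05-02T10:05:11Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-05-02T09:58:40Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-05-02T10:30:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.4.12",    # benign admin activity, must not match
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops",
                      "accessKeyId": "ASIAEXAMPLETEMPKEY01"}},
    {"eventTime": "2024-05-02T10:13:30Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.45",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE2NDKEY000"}}},
    {"eventTime": "2024-05-02T10:41:15Z", "eventName": "PutBucketPolicy",
     "sourceIPAddress": "192.0.2.50",   # new IP and new key: only found by pivoting
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE2NDKEY000"}},
]


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ioc_hits(event, iocs):
    """Return the indicators a single record matches (empty list if none)."""
    hits = []
    ip = event.get("sourceIPAddress", "")
    if ip in iocs["ips"]:
        hits.append(f"ip:{ip}")
    else:
        try:  # sourceIPAddress can also hold a service name such as "ec2.amazonaws.com"
            addr = ip_address(ip)
            hits.extend(f"cidr:{net}" for net in iocs["cidrs"] if addr in net)
        except ValueError:
            pass
    key = event.get("userIdentity", {}).get("accessKeyId")
    if key in iocs["access_key_ids"]:
        hits.append(f"key:{key}")
    return hits


def build_timeline(events, iocs):
    """One pass: keep only matching records, ordered by time."""
    entries = [
        TimelineEntry(parse_time(ev["eventTime"]), ev["eventName"],
                      ev["userIdentity"]["arn"], ev["sourceIPAddress"], tuple(hits))
        for ev in events if (hits := ioc_hits(ev, iocs))
    ]
    return sorted(entries, key=lambda e: e.time)


def pivot(events, iocs):
    """Grow the IOC set from matched records: their source IPs, plus any key
    created under a matched identity (CloudTrail puts the new id in responseElements)."""
    grown = {"ips": set(iocs["ips"]), "cidrs": list(iocs["cidrs"]),
             "access_key_ids": set(iocs["access_key_ids"])}
    for ev in events:
        if not ioc_hits(ev, iocs):
            continue
        grown["ips"].add(ev["sourceIPAddress"])
        if ev["eventName"] == "CreateAccessKey":
            new_key = ev.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            if new_key:
                grown["access_key_ids"].add(new_key)
    return grown


def investigate(events, iocs, max_rounds=3):
    """Repeat match-then-pivot until no new indicators appear, then build the timeline."""
    for _ in range(max_rounds):
        grown = pivot(events, iocs)
        if grown["ips"] == iocs["ips"] and grown["access_key_ids"] == iocs["access_key_ids"]:
            break
        iocs = grown
    return build_timeline(events, iocs), iocs


if __name__ == "__main__":
    timeline, final_iocs = investigate(EVENTS, INITIAL_IOCS)
    for e in timeline:
        print(e.time.isoformat(), e.event_name, e.source_ip, e.actor, ", ".join(e.reasons))
```

On the constructed records, the first pass yields three entries; after pivoting picks up the key id from the CreateAccessKey response and the new source address, the PutBucketPolicy call under that key joins the timeline while the unrelated DescribeInstances call stays out. Bounding the number of pivot rounds keeps an over-broad indicator (a shared NAT address, for instance) from pulling the whole trail into the timeline unreviewed.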

Repo: https://github.com/solidarity-labs/dredge-mvp

Ex-Police Officer and Cloud Incident Responder with 10+ years of IT experience. During the course of my career, I’ve worn many different hats, being able to intervene in incidents of multiple magnitudes in both the private and public sectors, from bank robberies to cybersecurity breaches to confidential information leaks.