SANS - Enterprise cloud threat hunting and attack investigation

Tuesday 26 November, 12:30 pm - 4:30 pm
Speakers

Josh Lemon

Managing Director
SoteriaSec

Synopsis

The world is changing, and so is the data we need to conduct our investigations. Cloud platforms change how data is stored and accessed, and they remove an investigator's ability to put their hands directly on the data. Many investigators are trying to force old methods for on-premises examination onto cloud-hosted platforms. Rather than resisting change, threat hunters and investigators must learn to embrace the new opportunities presented to them in the form of new cloud-based evidence sources. This workshop will give attendees insight into the rapidly changing world of enterprise cloud environments by uncovering evidence sources that only exist in the cloud and using contemporary techniques for conducting threat hunting and investigations.

This workshop aims to advance the knowledge of security and incident response professionals when it comes to approaching cloud-based platforms. While several commercial vendors offer capabilities to collect evidence from cloud platforms, this workshop will focus on how teams can acquire evidence and data without requiring proprietary information or software. In-depth exercises are included throughout so that attendees gain hands-on experience practising the knowledge presented in the workshop.

This workshop will provide hands-on exercises for analysing cloud-based evidence and the open-source tools available to perform this analysis. Attendees will leave with a solid overview of where fundamental evidence for Amazon and Google is located and how to obtain it quickly during an investigation. Attendees will leave with an understanding of common attack techniques used today by threat actors and where to find evidence of these attacks. In addition to this knowledge, attendees will also be shown how to investigate cloud-based network evidence at scale, leveraging built-in cloud infrastructure to aid investigators and speed up incident identification, scoping, and analysis.

Outline:

  • Common Attacks against Cloud Infrastructure
  • Quick cloud language primer
  • Open-source tools for cloud evidence analysis
  • Azure Authentication Attack Analysis
  • AWS Log Extraction and Analysis
  • Google Cloud Storage Buckets and Network Log Analysis

Who Should Attend?

This workshop is best suited to experienced Information Security Professionals who directly support and aid in responding to data breach incidents and intrusions on cloud-based infrastructure. This workshop is designed for: experienced digital forensic analysts who want to expand their understanding of cloud-based investigations and incident response team

What are the attendee takeaways?

Incident Response and Hunting Across Clouds

  • Common attacks by threat actors
  • Mapping attacks to the MITRE ATT&CK® Cloud Matrix
  • Types of clouds
  • DFIR in the cloud
  • Core concepts
  • SOF-ELK architecture
  • Logstash
  • Search process

Azure DFIR Knowledge

  • Available Evidence
  • Understanding Sign-In and Audit Logs
  • Analysis of Password Spray Attacks

AWS DFIR Knowledge

Prerequisites

Bring your own device with an up-to-date web browser (ideally MS Edge or Google Chrome; Internet Explorer will not work).

8GB of RAM or more is required.

Keyboard and mouse.

Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.