Cloud Security Fundamentals for Forensics & Incident Response

Forensic Labs
3 min read · Mar 18

Continuing our series on Cloud Forensics & Incident Response, we’ve now posted the second video.

It’s titled “Cloud Security Fundamentals for Forensics & Incident Response” and you can watch it on YouTube now:

What is IaaS vs…? How is IR different?

Graphic from “IaaS vs. PaaS vs. SaaS” by RedHat

What is Shared Responsibility? What happens in IR?

Graphic from “Shared Responsibility Model” by AWS

What is Shared Fate?

Graphic from “Shared Responsibility Model” by AWS

What is Identity and Access Management (IAM)?

How does it impact IR? Access, Logs, Attacker Access…

What is Virtual Private Cloud (VPC)? How can an attacker move?

What are Common Attacks in the Cloud?

  • Misconfiguration
  • Stolen Credentials — Where do you find them?
  • Phishing — Recent examples
  • Poisoned Gold Image or Library
  • S3…

How else might you know you have a problem?

  • An email from AWS…
  • Weird IAM
  • Sudden increase in billing
  • High CPU Usage…

Graphic from “Cloud Security: Defense in Detail if Not in Depth” by SANS

Is DFIR in the Cloud just logging?

What logging is in AWS? Where do you look?

https://cloudstudio.com.au/2022/05/14/monitoring-service-aws-azure-gcp-part1/

What logging is in Azure? Where do you look?

https://cloudstudio.com.au/2022/05/14/monitoring-service-aws-azure-gcp-part1/

What logging is in GCP? Where do you look?

Graphic from Google

View in:

  • Log Explorer
  • Security Command Center

What alerting do the cloud providers provide?

Why is responding to incidents in the cloud hard?

Graphic from “Cloud Security: Defense in Detail if Not in Depth” by SANS
