One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8327371
Publication date 2023-04-13 10:00:00 (seen: 2023-04-13 10:07:50)
Title Cloud forensics - An introduction to investigating security incidents in AWS, Azure and GCP
Text The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

The cloud has revolutionized the way we do business. It has made it possible for us to store and access data from anywhere in the world, and it has also made it possible for us to scale our businesses up or down as needed. However, the cloud also brings with it new challenges. One of the biggest challenges is simply keeping track of all of the data that is stored in the cloud. This can make it difficult to identify and respond to security incidents. Another challenge is that the cloud is a complex environment. There are many different services and components that can be used in the cloud, and each of them stores different types of data in different ways, which again makes it difficult to identify and respond to security incidents. Finally, since cloud systems scale up and down much more dynamically than anything we’ve seen in the past, the data we need to understand the root cause and scope of an incident can disappear in the blink of an eye. In this blog post, we will discuss the challenges of cloud forensics and incident response, and we will also provide some tips on how to address these challenges.

How to investigate a compromise of a cloud environment

When you are investigating a compromise of a cloud environment, there are a few key steps that you should follow:

Identify the scope of the incident: The first step is to identify the scope of the incident. This means determining which resources were affected and how the data was accessed.

Collect evidence: The next step is to collect evidence. This includes collecting log files, network traffic, metadata, and configuration files.

Analyze the evidence: The next step is to analyze the evidence. This means looking for signs of malicious activity and determining how the data was compromised.

Respond to the incident and contain it: The next step is to respond to the incident. This means taking steps to mitigate the damage and prevent future incidents. For example, with a compromise of an EC2 instance in AWS, that may include turning off the system or updating the firewall to block all network traffic, as well as isolating any associated IAM roles by adding a DenyAll policy. Once the incident is contained, you have more time to investigate safely and in detail.

Document the incident: The final step is to document the incident. This includes creating a report that describes the incident, the steps that were taken to respond to it, and the lessons that were learned.

What data can you get access to in the cloud?

Getting access to the data required to perform an investigation and find the root cause is often harder in the cloud than it is on-prem. That’s because you often find yourself at the mercy of whatever data the cloud providers have decided to let you access. That said, there are a number of different resources that can be used for cloud forensics, including:

AWS EC2: Data you can get includes snapshots of the volumes and memory dumps of the live systems. You can also get the CloudTrail logs associated with the instance.

AWS EKS: Data you can get includes audit logs and control plane logs in S3. You can also get the Docker file system, which is normally a versioned filesystem called overlay2, and the Docker logs from containers that have been started and stopped.

AWS ECS: You can use ECS Exec or kubectl exec to grab files from the filesystem and memory.

AWS Lambda: You can get CloudTrail logs and previous versions of the Lambda function.

Azure Virtual Machines: You can download snapshots of the disks in VHD format.

Azure Kubernetes Service: You can use
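As an added example that is not part of the original post: the scoping step (which resources were touched, by which identity, including roles the attacker pivoted into) and the containment step (a DenyAll policy on every associated IAM role) applied to a few constructed CloudTrail records. The record shape follows CloudTrail's userIdentity/sessionContext layout; the account ID, role names, instance ID and bucket are made up, and the containment plan only names the AWS API calls rather than invoking them.

```python
import json
# Constructed CloudTrail records (not real data); WebRole's session on instance i-0abc123 is the seed.
ACCOUNT = "123456789012"
def session_arn(role, name):
    return f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/{name}"

def record(role, name, source, action, **extra):
    ident = {"arn": session_arn(role, name), "sessionContext": {"sessionIssuer": {"userName": role}}}
    return {"eventSource": source, "eventName": action, "userIdentity": ident, **extra}

EVENTS = [
    record("WebRole", "i-0abc123", "s3.amazonaws.com", "GetObject",
           resources=[{"ARN": "arn:aws:s3:::customer-data/export.csv"}]),
    record("WebRole", "i-0abc123", "sts.amazonaws.com", "AssumeRole",
           requestParameters={"roleArn": f"arn:aws:iam::{ACCOUNT}:role/AdminRole",
                              "roleSessionName": "pivot"}),
    record("AdminRole", "pivot", "iam.amazonaws.com", "CreateUser",
           requestParameters={"userName": "svc-temp"}),
    record("OpsRole", "alice", "ec2.amazonaws.com", "DescribeInstances"),  # unrelated activity
]

def scope_incident(events, seed_session):
    """Follow the seed session through sts:AssumeRole into spawned sessions; collect what they touched."""
    sessions, roles, actions, resources = {seed_session}, set(), set(), set()
    grew = True
    while grew:  # fixed point: a spawned session's events may precede its AssumeRole in the log
        grew = False
        for ev in events:
            ident = ev["userIdentity"]
            if ident["arn"] not in sessions:
                continue
            roles.add(ident["sessionContext"]["sessionIssuer"]["userName"])
            actions.add(ev["eventSource"].split(".")[0] + ":" + ev["eventName"])
            resources.update(r["ARN"] for r in ev.get("resources", []))
            if ev["eventName"] == "AssumeRole":
                p = ev["requestParameters"]
                spawned = session_arn(p["roleArn"].rsplit("/", 1)[1], p["roleSessionName"])
                grew = grew or spawned not in sessions
                sessions.add(spawned)
    return {"roles": sorted(roles), "actions": sorted(actions), "resources": sorted(resources)}

# The DenyAll policy the post describes for isolating compromised IAM roles.
DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}

def containment_plan(instance_id, scope):
    """(service, API, target, ...) steps: preserve volumes, cut network, then deny all roles in scope."""
    plan = [("ec2", "CreateSnapshots", instance_id),          # evidence before any change
            ("ec2", "ModifyInstanceAttribute", instance_id)]   # swap in a security group with no rules
    return plan + [("iam", "PutRolePolicy", r, json.dumps(DENY_ALL)) for r in scope["roles"]]
```

Running scope_incident(EVENTS, session_arn("WebRole", "i-0abc123")) pulls AdminRole into scope via the AssumeRole pivot while leaving OpsRole's activity out, so the plan denies both roles the compromised session reached.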
Notes ★★
Sent Yes
Tags Cloud
Stories Uber


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.