Cloud DFIR: Why so Cirrus? presented at Cloud Security Summit & Training 2019

by Rick Correa

Summary: As companies move to cloud-based methods of collaboration, the days of looking through MFT files for digital artifacts are quickly becoming thin and wispy. This talk will examine a real case study of tracking an advanced adversary through a modern cloud environment by following various breadcrumbs involving logs, emails, infrastructure and files. Additionally, we will provide recommendations to help practitioners answer the "5Ws and H" surrounding attacks involving cloud infrastructure. At the end of this talk, practitioners will be able to take our techniques and apply them to various cloud environments, and understand what they should be capturing for proper visibility.