Cloud Threat Hunting

RSA Conference via YouTube

Overview

Explore effective cloud threat hunting tactics in this 45-minute RSA Conference talk by Sherri Davidoff and Matt Durrin from LMG Security. Dive into proactive detection and mitigation of attacks on cloud and hybrid environments, covering orchestration attacks, file synchronization poisoning, cross-tenant attacks, credential stuffing, and architectural flaws. Learn about honeyclouds, integrated monitoring, and behavioral analysis/AI. Discover cloud hacking tools for AWS and Microsoft environments, and gain insights into creating hypotheses, using AWS GuardDuty, and leveraging Splunk for threat hunting. Examine real-world scenarios, including anonymous threats, bucket listing, and geolocation of adversaries. Understand the importance of PowerShell over GUI for better results and explore hosted network monitoring solutions. Gain valuable takeaways to enhance your cloud security posture and protect against sophisticated cyber threats.

Syllabus

Missed Opportunities
Roadmap
Finger Pointing
Lack of Visibility
Our Cloud Threat Simulation
AWS Cloud Hacking Toolkit
Microsoft Cloud Environment
Meet The Cloud Hacker
Instrumentation
An Anonymous Threat
Threat Hunting - Create Hypothesis
AWS Tools
GuardDuty - "Hacker" Operating System Alert
Alert Fatigue
Interview with Anna Demin
Hunting With Splunk
Getting Data Into Splunk
Alert! The Adversary Lists Buckets
Alert! The Adversary Checks Available Functions
The User Agent String: A Wealth of Information
Chained with...
The Meatballs Are Gone!
New Host Configuration
Microsoft Audit Log Search
Can You Trust Your Tools?
Use PowerShell Instead of the GUI for Better Results
Splunk Joins The Hunt!
Adversary - Successful Login
Adversary Geolocation
Create Hypothesis - Credential Stuffing
Mirroring Network Traffic - VTAP
Hosted Network Monitoring - ExtraHop
Current Hypothesis
Takeaways
Questions?

Taught by

RSA Conference
