Incident Response

General

| Link | Notes |
|---|---|
| Cloud Incident Response Framework | The Cloud Security Alliance released a framework that aims to be the go-to guide for cloud customers preparing for and managing cloud incidents |
| Incident Response in the Cloud | Blog post walking through each phase of traditional incident response and highlighting what changes when adopting cloud computing |
| Guide to Digital Forensics Incident Response in the Cloud | Post covering the differences between cloud forensics and forensics on on-premises systems |

How Tos

| Link | Notes |
|---|---|
| Cloud Security Table Top Exercises | Really interesting tabletop exercises designed to start a conversation. Although they focus on AWS and not all of them will apply to every environment, I highly recommend trying them with your monitoring team |
| Incident Response Methodologies 2022 | CERT Société Générale's easy-to-use operational incident response best practices, published as cheat sheets for common incident types |
| Intro to forensics in the cloud: A container was compromised. What's next? | Learn which tools and data sources you need in a cloud forensics investigation and how they come into play in a real-life example |

Canary Tokens

| Link | Notes |
|---|---|
| A "Safety Net" for AWS Canarytokens | AWS Canarytokens are a low-effort, high-fidelity way to detect attackers who have compromised your infrastructure: a planted credential has no legitimate use, so any use of it is a signal |
| Zero Maintenance AWS Canary Tokens That Scale | By using temporary credentials (the credentials returned by sts:AssumeRole) as honeytokens, you get a honeytoken approach that scales with your environment, reuses existing detection mechanisms (CloudTrail alerting), and removes the need to run dedicated infrastructure for managing canary IAM users |
| Canary tokens: Learn all about the unsung heroes of security at Grafana Labs | How Grafana Labs uses canary tokens for threat detection: their placement strategy in GitHub secrets, integration with the Thinkst platform for alerting, and lessons from catching a real attacker, including metadata management and avoiding false positives |
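The three posts above describe two flavours of AWS honeytoken (a planted access key of a no-permission IAM user, and planted temporary credentials minted from a dedicated canary role) and both rely on CloudTrail to notice when the token is used. The following is an added example, not code from any of the linked articles or from Thinkst: it runs that detection over a constructed CloudTrail log fragment. The account ID, role name, key IDs and event records are all hypothetical values made up for the example. It keys on `userIdentity` (who signed the request) rather than `requestParameters`, so the legitimate `sts:AssumeRole` call that mints the canary session is not itself flagged.

```python
"""Added example: flag CloudTrail events made *with* planted AWS honeytokens.

All identifiers below are constructed, hypothetical values; the records mimic
the shape of real CloudTrail JSON but are hand-written for this example.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Hypothetical canary identities (assumptions; substitute your own).
CANARY_ACCOUNT = "123456789012"
CANARY_ROLE_ARN = f"arn:aws:iam::{CANARY_ACCOUNT}:role/canary-backup-role"
CANARY_USER_KEY_IDS = {"AKIAEXAMPLECANARY01"}  # long-lived key of a no-permission canary user


@dataclass
class Alert:
    event_id: str
    event_name: str
    source_ip: str
    principal_arn: str
    reason: str


def classify(record: dict) -> Optional[str]:
    """Return an alert reason if the request was signed with a honeytoken, else None.

    Only userIdentity is inspected: the provisioning pipeline's own AssumeRole call
    names the canary role in requestParameters but is signed by the pipeline, so it
    must not alert.
    """
    identity = record.get("userIdentity", {})
    if identity.get("accessKeyId") in CANARY_USER_KEY_IDS:
        return "planted IAM user access key used"
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    if identity.get("type") == "AssumedRole" and issuer.get("arn") == CANARY_ROLE_ARN:
        return "planted AssumeRole session credentials used"
    return None


def detect_honeytoken_use(cloudtrail_json: str) -> list:
    """Scan a CloudTrail log file body ({"Records": [...]}) and return Alerts in order."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        reason = classify(rec)
        if reason:
            alerts.append(Alert(
                event_id=rec["eventID"],
                event_name=rec["eventName"],
                source_ip=rec.get("sourceIPAddress", "?"),
                principal_arn=rec.get("userIdentity", {}).get("arn", "?"),
                reason=reason,
            ))
    return alerts


# Constructed sample log: one minting event, two honeytoken uses, one normal event.
SAMPLE_LOG = json.dumps({"Records": [
    {   # 1. pipeline mints the canary session: legitimate, must NOT alert
        "eventID": "e1", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "sourceIPAddress": "10.0.0.5",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEDEPLOY01",
                         "arn": f"arn:aws:iam::{CANARY_ACCOUNT}:user/deploy-bot"},
        "requestParameters": {"roleArn": CANARY_ROLE_ARN, "roleSessionName": "backup-2024"},
    },
    {   # 2. planted temp creds used from an unknown IP (AccessDenied still logs): alert
        "eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "sourceIPAddress": "198.51.100.23", "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLECANARYTMP",
                         "arn": f"arn:aws:sts::{CANARY_ACCOUNT}:assumed-role/canary-backup-role/backup-2024",
                         "sessionContext": {"sessionIssuer": {"type": "Role", "arn": CANARY_ROLE_ARN}}},
    },
    {   # 3. planted long-lived key of the canary IAM user used: alert
        "eventID": "e3", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY01",
                         "arn": f"arn:aws:iam::{CANARY_ACCOUNT}:user/svc-backup-legacy"},
    },
    {   # 4. ordinary engineer activity: no alert
        "eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "sourceIPAddress": "10.0.0.7",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEENGINEER1",
                         "arn": f"arn:aws:sts::{CANARY_ACCOUNT}:assumed-role/engineer/alice",
                         "sessionContext": {"sessionIssuer": {
                             "type": "Role", "arn": f"arn:aws:iam::{CANARY_ACCOUNT}:role/engineer"}}},
    },
]})

if __name__ == "__main__":
    for a in detect_honeytoken_use(SAMPLE_LOG):
        print(f"ALERT {a.event_id}: {a.reason}; {a.event_name} from {a.source_ip} as {a.principal_arn}")
```

In production the same `classify` logic belongs in an EventBridge rule or CloudWatch metric filter on the CloudTrail stream rather than in a batch scan, but the matching fields are identical. Note that a request denied with `AccessDenied` is still recorded, which is exactly what makes a permissionless canary user or role a high-fidelity source: there is no "normal" usage to filter out.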

Tools

| Link | Notes |
|---|---|
| dispatch | All of the ad-hoc things you're doing to manage incidents today, done for you, and much more. Helps manage security incidents by integrating with existing tools (Slack, GSuite, Jira, etc.). See also the Introducing Dispatch post |
| response | Monzo's real-time incident response and reporting tool |
| socless | SOCless is a serverless framework built to help security teams easily automate their incident response and operations workflows |
| grr | GRR Rapid Response: remote live forensics for incident response |
| cloud-forensics-utils | Python library to carry out DFIR analysis on the cloud |
| cloudgrep | Cloudgrep is grep for cloud storage. It currently supports searching log files, optionally compressed with gzip (.gz) or zip (.zip), in AWS S3, Azure Storage or Google Cloud Storage |