Incident Response
General
| Link | Notes |
|---|---|
| Cloud Incident Response Framework | The Cloud Security Alliance released a framework which aims to be the go-to guide for cloud customers to effectively prepare for and manage cloud incidents |
| Incident Response in the Cloud | Blog post walking through each phase you may encounter in traditional incident response and highlighting the differences when adopting cloud computing |
| Guide to Digital Forensics Incident Response in the Cloud | Post covering the differences between cloud forensics and forensics in on-premises systems |
How Tos
| Link | Notes |
|---|---|
| Cloud Security Table Top Exercises | Really interesting table top exercises designed to start a conversation. Although they are focused towards AWS and not all of them will be applicable to every environment, I highly recommend trying them with your monitoring team. |
| Incident Response Methodologies 2022 | CERT Societe Generale provides easy-to-use operational incident best practices |
| Intro to forensics in the cloud: A container was compromised. What’s next? | Learn what tools and data sources you need to use in cloud forensics investigation and how they come into practice in a real-life example |
Canary Tokens
| Link | Notes |
|---|---|
| A “Safety Net” for AWS Canarytokens | AWS Canarytokens are a low-effort, high-fidelity method to detect attackers who have compromised your infrastructure |
| Zero Maintenance AWS Canary Tokens That Scale | By utilizing temporary credentials (credentials returned as the result of the AssumeRole operation) as honeytokens, we can deploy a honeytoken approach that scales with our environment, utilize existing detection mechanisms (CloudTrail alerting), and remove the need to run a set of infrastructure dedicated to managing IAM Users |
| Canary tokens: Learn all about the unsung heroes of security at Grafana Labs | This article explains how Grafana Labs uses canary tokens for threat detection, their placement strategy in GitHub secrets, integration with Thinkst platform for alerting, and best practices learned from catching a real attacker including metadata management and avoiding false positives |
Tools
| Link | Notes |
|---|---|
| dispatch | |
| response | Monzo's real-time incident response and reporting tool |
| socless | SOCless is a serverless framework built to help security teams easily automate their incident response and operations workflows |
| grr | GRR Rapid Response: remote live forensics for incident response |
| cloud-forensics-utils | Python library to carry out DFIR analysis on the Cloud |
| cloudgrep | |