The Evolution of Cloud Forensics and Incident Response>
Optiv Blog – Ramy F. Rahman
For this blog series, we will be focused on AWS and EC2 hosts, but many of the tools will be public and private cloud-agnostic. The initial visibility we would want aligns with tools traditionally used for configuration management. Who modified the firewall. What rules were changed. What were the permissions given to an IAM role. For this visibility, we will leverage Palo Alto Networks Prisma Cloud to replicate monitoring of an environment that an SOC would want in a centralized dashboard.

MITRE released this attack matrix for Enterprise Cloud that I feel is a good reference for walking through some of the aspects of an example enterprise cloud attack that we can identify once we have Prisma Cloud deployed. For this blog series, Iâll be covering techniques in initial access, persistence, privilege escalation and defense evasion tactic phases.

MITRE ATT&CK® â Initial Access â Valid Accounts MITRE ATT&CK® – Persistence â Account Manipulation â Create Accounts â Valid Accounts MITRE ATT&CK® â Privileged Escalation â Valid Accounts
Link: https://www.optiv.com/explore-optiv-insights/source-zero/evolution-cloud-forensics-and-incident-response