
Showing 6 episodes for Cloud Ir And Forensics

#177
June 17, 2024

EP177 Cloud Incident Confessions: Top 5 Mistakes Leading to Breaches from Mandiant

Guest:

29:29

Topics covered:

  • Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments?
  • You do IR, so in your experience, what are the top 5 mistakes organizations make that lead to cloud incidents?
  • How and why do organizations get the attack surface wrong? Are there pillars of attack surface?
  • We talk a lot about how IAM matters in the cloud. Is it true that AD is what gets you in many cases, even for other clouds?
  • What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well?

#174
May 27, 2024

EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework

Guest:

Angelika Rohrer, Sr. Technical Program Manager, Cyber Security Response at Alphabet

29:29

Topics covered:

  • Incident response (IR) is by definition “reactive”, but ultimately incident prep determines your IR success. What are the broad areas where one needs to prepare?
  • You have created a new framework for measuring how ready you are for an incident, what is the approach you took to create it?
  • Can you elaborate on the core principles behind the Continuous Improvement (CI) Framework for incident response?
  • Why is continuous improvement crucial for effective incident response, especially in cloud environments? Can’t you just make a playbook and use it?
  • How to overcome the desire to focus on the easy metrics and go to more valuable ones?
  • What do you think Google does best in this area?
  • Can you share examples of how the CI Framework could have helped prevent or mitigate a real-world cloud security incident?
  • How can other organizations practically implement the CI Framework to enhance their incident response capabilities after they read the paper?

#158
February 5, 2024

EP158 Ghostbusters for the Cloud: Who You Gonna Call for Cloud Forensics

Guest:

29:29

Topics covered:

  • Could you share a bit about when you get pulled into incidents and what are your goals when you are?
  • How does that change in the cloud? How do you establish a chain of custody and prove it for law enforcement, if needed?
  • What tooling do you rely on for cloud forensics, and is that tooling available to "normal people"?
  • How do we at Google know when it’s time to call for help, and how should our customers know that it’s time?
  • Can I quote Ray Parker Jr. and ask, who you gonna call?
  • What’s your advice to a security leader on how to “prepare for the inevitable” in this context?
  • Cloud forensics - is it easier or harder than the 1990s classic forensics?

#157
January 29, 2024

EP157 Decoding CDR & CIRA: What Happens When SecOps Meets Cloud

Guest:

27:27

Topics covered:

  • How does Cloud Detection and Response (CDR) differ from traditional, on-premises detection and response?
  • What are the key challenges of cloud detection and response?
  • Often we lift and shift our teams to cloud, and not always for bad reasons, so what’s your advice on how to teach the old dogs new tricks: “on-premise-trained” D&R teams and cloud D&R?
  • What is this new CIRA thing that Gartner just cooked up? Should CIRA exist as a separate market or technology, or is this just a slice of CDR or even SIEM perhaps?
  • What do you tell people who say that “SIEM is their CDR”?
  • What are the key roles and responsibilities of the CDR team? How is the cloud D&R process related to DevOps and cloud-style IT processes?

#156
January 22, 2024

EP156 Living Off the Land and Attacking Critical Infrastructure: Mandiant Incident Deep Dive

Guest:

29:29

Topics covered:

  • Could you give us a brief overview of what this power disruption incident was about?
  • This incident involved both Living Off the Land and attacks on operational technology (OT). Could you explain to our audience what these mean and what the attacker did here?
  • We also saw a wiper used to hide forensics, is that common these days?
  • Did the attacker risk tipping their hand about upcoming physical attacks? If we’d seen this intrusion earlier, might we have understood the attacker’s next moves?
  • How did your team establish robust attribution in this case, and how do they do it in general? How sure are we, really?
  • Could you share how this came about and maybe some of the highlights in our relationship helping defend that country?

#153
December 18, 2023

EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All

Guest:

29:29

Topics covered:

  • When you look back, what were the most surprising cloud breaches in 2023, and what can we learn from them? How were they different from the “old world” of on-prem breaches?
  • For a long time it’s felt like incident response has been an on-prem specialization, and that adversaries are primarily focused on compromising on-prem infrastructure. Who are we seeing go after cloud environments? The same threat actors or not?
  • Could you share a bit about the mistakes and risks that you saw organizations make that made their cloud breaches possible or made them worse? Conversely, what ended up being helpful to organizations in limiting the blast radius or making response easier?
  • Tim’s mother worked in a network disaster recovery team for a long time; their motto was “preparing for the inevitable.” What advice do you have for helping security teams and IT teams get ready for cloud breaches? Especially for recent cloud entrants?