Asia-24-Bohannon-CloudConsoleCartographer

3.0 2025-05-10 23 0 31407 KB 108 pages PDF
Abstract:

ASIA 2024
Cloud Console Cartographer
Tapping Into Mapping > Slogging Thru Logging

• Introduction
• Cloud Logs for Defenders
• PROBLEM: Noisy Console Logs
• SOLUTION: Mapping for Clarity
• Tool Demo + Release

ANDI AHMETI
ASSOCIATE THREAT RESEARCHER
@SecEagleAnd1
andi-ahmeti
Kosovo
Permiso-io-tools/CloudGrappler

DANIEL BOHANNON
PRINCIPAL THREAT RESEARCHER
@danielhbohannon
danielhbohannon
danielbohannon/Invoke-Obfuscation /Invoke-CradleCrafter /Invoke-DOSfuscation /Revoke-Obfuscation
USA

(5 yrs) (2 yrs)

Role of Logs in Threat Hunting & IR
• Logs == Visibility
• Enable (if not by default)
• Forward to secondary location
• Process further:
• Aggregate
• Correlate
• Search for malicious activity

On-Prem vs Cloud Logs (Data source, not storage location)
• Host & network logs
• Native logging vs aftermarket products
• Extremely granular:
• E.g. process arguments, image loads, process memory, registry modifications, DNS lookups, network connections, logon types, file writes, file content
• Numerous “fingerprints” in user/attacker activity
• Intro

Author: Category: Properties: 108 pages Size: 31407 KB Format: PDF Date: 2025-05-10