Forensics is very well understood and practiced by CIRTs in on-prem environments, but what happens when DFIR needs to be done in the cloud? This article breaks down how we do DFIR in the cloud.
What happens when we have an incident in the cloud?
In the cloud your primary forensics source is logs. The more you use the cloud, the more logs you have. IaaS = heaps of logs, PaaS = eh, some logs, SaaS = not that much tbh.
So what do we look for in the logs? Almost everything in the cloud has some sort of authentication tied to it, so that's where to start. Next are platform logs, e.g. user did this. Next are resource logs: creation, deletion, start, stop. Then we have infrastructure logs, e.g. VM, network, storage. Lastly we have application logs.
The logs we get are not pretty; we can use tools to parse them and ingest them into a SIEM to format them into data that we can actually read as humans. We can use Eric Zimmerman's tools, SOF-ELK, Splunk, etc.
M365 Logs
M365 is Microsoft's SaaS platform for email. Before October 2021, logging was off by default. If your tenancy was deployed after this date, congrats! You might have logs. Check the unified audit logs to confirm. For E5 license holders, you have one year's worth of logs. For any other subscriptions you have 90 days. Either way, get your logs forwarded to a SIEM ASAP.
Azure logs
Azure is Microsoft's IaaS platform serving infrastructure. Azure has five main logs:
- Tenant (On by Default) – Detect Password Spray Attacks
- Subscription (On by Default) – Analyze creation, deletion, start/stop of resources, new VMs
- Resource (Off by Default) – Used to log network traffic, file storage (Infrastructure)
- Operating System (Off by Default) – OS events, can show lateral movement
- Application (Off by Default) – IIS, SQL, etc. can show webshell activity
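As an added example (not from the original article), this script shows the kind of check the text points at when it says to start with authentication logs and that tenant logs detect password sprays: one source IP failing against many distinct accounts in a short window. The records are constructed here; the field names mirror Azure AD sign-in logs, but no data comes from a real tenant.

```python
"""Added example: surface a password-spray pattern in sign-in logs.
Records below are constructed; field names follow the Azure AD sign-in schema
(userPrincipalName, ipAddress, status.errorCode, createdDateTime), nothing more."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(t, user, ip, code):  # code 0 = success, non-zero = failed sign-in
    return json.dumps({"createdDateTime": t, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})

# Constructed sample: one IP fails against four accounts then succeeds on a fifth;
# a second IP only ever fails against a single account (a forgotten password, not a spray).
SAMPLE_LOG = "\n".join([
    _rec("2024-01-05T10:00:00Z", "alice@contoso.example", "203.0.113.10", 50126),
    _rec("2024-01-05T10:00:07Z", "bob@contoso.example", "203.0.113.10", 50126),
    _rec("2024-01-05T10:00:15Z", "carol@contoso.example", "203.0.113.10", 50126),
    _rec("2024-01-05T10:00:21Z", "dave@contoso.example", "203.0.113.10", 50126),
    _rec("2024-01-05T10:01:02Z", "erin@contoso.example", "203.0.113.10", 0),
    _rec("2024-01-05T10:02:00Z", "alice@contoso.example", "198.51.100.7", 50126),
    _rec("2024-01-05T10:02:30Z", "alice@contoso.example", "198.51.100.7", 50126),
])

def parse_signins(text):
    """Parse newline-delimited JSON records into (time, user, ip, failed) tuples."""
    events = []
    for line in filter(None, text.splitlines()):
        rec = json.loads(line)
        ts = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        failed = rec.get("status", {}).get("errorCode", 0) != 0
        events.append((ts, rec["userPrincipalName"].lower(), rec["ipAddress"], failed))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_users=3):
    """Flag IPs whose failed sign-ins hit >= min_users distinct accounts inside a sliding
    window. Returns {ip: {"failed": [...], "succeeded": [...]}}; check "succeeded" first."""
    by_ip = defaultdict(list)
    for ts, user, ip, failed in events:
        by_ip[ip].append((ts, user, failed))
    hits = {}
    for ip, items in by_ip.items():
        items.sort()
        fails = [(t, u) for t, u, f in items if f]
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                succeeded = sorted({u for t, u, f in items if not f})
                hits[ip] = {"failed": sorted(users), "succeeded": succeeded}
                break
    return hits
```

Tune `window` and `min_users` to the tenant's normal sign-in volume; a successful sign-in from a flagged IP is the account to pull first.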
AWS CloudTrail Logs
- CloudTrail – On by default
- 90 days free
- Available in 5-15 minutes
- Every API call is a CloudTrail event
- Can be backed up to an S3 bucket
- CloudTrail portal
- AWS provided services