
Emphasis on Cloud



Vanity Slide
• Hello I’m David Cowen
• Certified SANS Instructor
• Managing Director, Cyber, KPMG LLP
• Co-Author of the upcoming FOR509 Enterprise Cloud Forensics
• Host Forensic Lunch
• 5 Time Forensic 4 Cast Award Winner
• BBQ and Taco Connoisseur
• Author / Co-author
  • Hacking Exposed Computer Forensics
  • Infosec Pro Guide to Computer Forensics
  • Hacking Exposed Computer Forensics Blog
  • Anti Hacker Toolkit 3rd Edition
  • CIBOK
• Obsessed with DFIR
• Triforce Developer (www.gettriforce.com)
• Host Forensic Lunch Test Kitchen
• Open Source DFIR Developer (github.com/dlcowen)
• National CCDC Redteam Leader for 13 years
• DFIR CTF Master
  • Defcon DFIR CTF
  • Magnet User Summit CTF
  • Winner best forensic beard

Time to learn a new operating system



Why the emphasis on the cloud?
• Stop focusing on traditional endpoints
• Embrace the cloud infrastructure
• Maturity of the cloud as a forensic data source
• Log storage
• No need for agents
• Living with Containers



Stop focusing on traditional endpoints

• The cloud brings new opportunities


• The forgiveness of tech debt past
• The revelation of tech debt present
• The acceptance of tech debt future



New Data Sources - AWS
Cloudtrail • Account Audit Logs

Cloudwatch Logs • Forwarded Logs from applications and endpoints

Cloudwatch Logs Insights • Metrics and patterns

Guard Duty • Anomaly detection within cloudtrail

VPC Flow Logs • Netflow logs from your virtual private clouds

S3 Logs • Logs from data storage access
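The slide lists Cloudtrail as the account audit log and Guard Duty as the anomaly detection layered on top of it. As an added example (not code from the talk), the block below shows what a first pass over a raw Cloudtrail export looks like before any managed detection is involved: it loads the "Records" envelope Cloudtrail writes to S3, builds a timeline, and raises three findings an examiner typically checks first. The events are constructed for the example; the field names follow the Cloudtrail record format, and the three rules and the AccessDenied threshold are the example's own choices.

```python
import json
from collections import Counter

# Constructed sample CloudTrail export (the "Records" envelope CloudTrail writes
# to S3). The events are invented for this example; field names follow the
# CloudTrail record format. Account id and IPs are documentation/example values.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:05:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.5",
     "userAgent": "aws-cli/2.1.0",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:06:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userAgent": "python-requests/2.25.1", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:07:00Z",
     "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userAgent": "python-requests/2.25.1", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventVersion": "1.08", "eventTime": "2021-03-01T10:08:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userAgent": "python-requests/2.25.1", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
]})


def load_records(text):
    """Parse a CloudTrail export and return its list of event records."""
    return json.loads(text)["Records"]


def principal(record):
    """Best available identifier for the caller: ARN, then user name, then type."""
    ui = record.get("userIdentity", {})
    return ui.get("arn") or ui.get("userName") or ui.get("type", "unknown")


def timeline(records):
    """Sorted (eventTime, principal, eventName, sourceIP) tuples for a case timeline.
    CloudTrail eventTime is ISO 8601 in UTC, so string order is time order."""
    rows = [(r["eventTime"], principal(r), r["eventName"], r.get("sourceIPAddress", ""))
            for r in records]
    return sorted(rows)


def find_findings(records, denied_threshold=3):
    """Three triage rules over raw CloudTrail (example rules, not GuardDuty's):
    - successful console login without MFA
    - any activity by the account root user
    - a principal collecting >= denied_threshold AccessDenied errors (enumeration)."""
    findings = []
    denied = Counter()
    for r in records:
        ui = r.get("userIdentity", {})
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(("console_login_no_mfa", principal(r), r.get("sourceIPAddress")))
        if ui.get("type") == "Root":
            findings.append(("root_activity", r.get("eventName"), r.get("sourceIPAddress")))
        if r.get("errorCode") == "AccessDenied":
            denied[principal(r)] += 1
    for who, count in denied.items():
        if count >= denied_threshold:
            findings.append(("access_denied_burst", who, count))
    return findings


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    for row in timeline(recs):
        print(*row)
    for finding in find_findings(recs):
        print("FINDING:", finding)
```

Guard Duty covers far more than these three rules, but running something this simple over the raw log is how you confirm what the managed detection saw, and it works on an export pulled from S3 long after the account itself is out of reach.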


New Data Sources - Azure

AzureAD Logs • Hybrid and Cloud AD User Authentication

Azure Audit Logs • Account Audit Logs

Azure Activity Logs • Logs reflecting changes to the account and instances

Azure Diagnostic Logs • Logs reflecting VM metrics

Azure Network Watcher • NSG flow logs, Azure's equivalent of Netflow

Azure Sentinel • Anomaly and Security Detection


New Data Sources - GCP
Cloud Audit Logs - Admin Activity • Who is changing your GCP
Cloud Audit Logs - System Event • What is Changing within GCP
Cloud Audit Logs - Data Access • Where are things being changed in GCP
VPC Flow Logs • What is moving across your cloud net
VPC Firewall Rules Logs • What is going through the firewall
Stackdriver • Where your logs go
Embrace the Cloud Infrastructure
For each on premises resource you are comfortable with there is a cloud version for you to move to
Perimeter Security
On premises              Cloud
Network Firewall         Virtual Firewall Appliance

Network Monitoring
On premises              Cloud
Netflow                  VPC Flow
Network Taps             Virtual Taps
IDS / IPS                Cloud provider solutions
Authentication Sources
On Premises              Cloud
SSO                      Azure AD
Active Directory         Amazon SSO

Log Storage and Alerting
On Premises
• Splunk
• ELK
• SIEM
Cloud
• AWS Cloudwatch Logs Insights
• Azure Sentinel
• GCP Stackdriver
Cloud DFIR Maturity

AZURE GCP AWS


Azure DFIR Capabilities
Old Ways                 New Ways
Snapshots                Public SAML Tokens
Downloading VHDs         Resource block streaming
KAPE                     Sentinel
GCP DFIR Capabilities
Old ways                    New ways
Imaging across the tenant   Live triage
Syslog forwarding           dfTimewolf
                            Turbinia for pipelining
                            Stackdriver
AWS DFIR Capabilities
Old Ways                 New Ways
Snapshotting AMIs        Cloudwatch Logs
Downloading disks
Log storage in the Cloud

Azure Log Storage
• Flow Logs $.50 per GB
• Other Azure Logs such as Azure AD $0.001/GB per month

GCP Log Storage
Stackdriver Audit Logs
• 50GB free per project
• After 50GB $.50 per GB
Stackdriver Monitoring Logs
• $0.2580/MiB: 150–100,000 MiB
• $0.1510/MiB: 100,000–250,000 MiB
• $0.0610/MiB: above 250,000 MiB

AWS Log Storage
Cloudwatch Logs
• Collect (Data Ingestion) $0.50 per GB
• Store (Archival) $0.03 per GB
• Analyze (Logs Insights queries) $0.005 per GB of data scanned
Vended Logs and Delivering Logs to S3
• VPC and Route53 logs qualify for Vended Logs pricing
• First 10TB $0.50 per GB
• Next 20TB $0.25 per GB
• Next 20TB $0.10 per GB
• Over 50TB $0.05 per GB
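The tiered AWS vended-log price and the per-activity Cloudwatch price are easy to misread when planning how much flow-log and audit-log history to keep for investigations. As an added example (not from the talk), the block below turns the numbers on this slide into small cost functions so a monthly volume can be priced across the three providers at the rates quoted here. The prices are the ones stated on the slide at the time of the talk; the functions carry them as constants and current provider pricing may differ.

```python
from typing import List, Tuple

# Prices as quoted on the slide (USD). They are example constants captured from
# the talk, not a live price list.
VENDED_LOG_TIERS: List[Tuple[float, float]] = [
    (10_000.0, 0.50),      # first 10TB at $0.50 per GB
    (20_000.0, 0.25),      # next 20TB at $0.25 per GB
    (20_000.0, 0.10),      # next 20TB at $0.10 per GB
    (float("inf"), 0.05),  # everything over 50TB at $0.05 per GB
]
CLOUDWATCH_INGEST_PER_GB = 0.50    # Collect (Data Ingestion)
CLOUDWATCH_STORE_PER_GB = 0.03     # Store (Archival)
CLOUDWATCH_SCAN_PER_GB = 0.005     # Analyze (Logs Insights queries)
GCP_AUDIT_FREE_GB = 50.0           # free per project
GCP_AUDIT_PER_GB = 0.50            # after the free allowance
AZURE_FLOW_PER_GB = 0.50           # Azure Flow Logs


def tiered_cost(gb: float, tiers: List[Tuple[float, float]]) -> float:
    """Walk the volume through progressive tiers: each tier prices only the
    slice of data that falls inside it, then the remainder moves to the next."""
    remaining = max(0.0, gb)
    total = 0.0
    for size, price_per_gb in tiers:
        if remaining <= 0:
            break
        chunk = min(remaining, size)
        total += chunk * price_per_gb
        remaining -= chunk
    return round(total, 2)


def vended_logs_cost_usd(gb: float) -> float:
    """Monthly cost of delivering VPC / Route53 logs under vended-log pricing."""
    return tiered_cost(gb, VENDED_LOG_TIERS)


def cloudwatch_logs_cost_usd(ingested_gb: float, stored_gb: float, scanned_gb: float) -> float:
    """Cloudwatch Logs bills three activities separately; investigations mostly
    drive the 'scanned' term, since every Logs Insights query rescans data."""
    return round(ingested_gb * CLOUDWATCH_INGEST_PER_GB
                 + stored_gb * CLOUDWATCH_STORE_PER_GB
                 + scanned_gb * CLOUDWATCH_SCAN_PER_GB, 2)


def gcp_audit_logs_cost_usd(gb: float) -> float:
    """Stackdriver audit logs: first 50GB per project free, then a flat rate."""
    return round(max(0.0, gb - GCP_AUDIT_FREE_GB) * GCP_AUDIT_PER_GB, 2)


def azure_flow_logs_cost_usd(gb: float) -> float:
    """Azure flow logs at the flat per-GB rate quoted on the slide."""
    return round(gb * AZURE_FLOW_PER_GB, 2)


def monthly_comparison(gb_per_month: float) -> dict:
    """Price one month of network-flow-style logs on each provider at the slide's
    rates. For Cloudwatch the example assumes the month's volume is ingested,
    stored once, and scanned once (an assumption, not a billing rule)."""
    return {
        "aws_vended_to_s3": vended_logs_cost_usd(gb_per_month),
        "aws_cloudwatch": cloudwatch_logs_cost_usd(gb_per_month, gb_per_month, gb_per_month),
        "gcp_audit": gcp_audit_logs_cost_usd(gb_per_month),
        "azure_flow": azure_flow_logs_cost_usd(gb_per_month),
    }


if __name__ == "__main__":
    for volume in (100.0, 5_000.0, 60_000.0):
        print(volume, "GB/month ->", monthly_comparison(volume))
```

The tier walk is the part worth keeping: the "Next 20TB" lines are progressive, so 60TB of vended logs is 10TB at the first rate, 20TB at the second, 20TB at the third and only the last 10TB at the cheapest rate, not 60TB at the "over 50TB" price.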
No Need For Agents?
• Azure Agents
• GCP Agents
• AWS Agents

Azure Agent
Microsoft Monitoring Agent
• Can be auto provisioned
• Ties into Azure Security Center

GCP Agents
Stackdriver monitoring agent
• Grabs metrics
Stackdriver API
• Allows you to send arbitrary logs to Stackdriver

AWS Agents
AWS Application Discovery Agent
• Grabs metrics and processes
Cloudwatch Logs
• Allows you to point logs to cloudwatch for storage
Living with Containers
Osquery
• Privileged containers required
• API support
Docker
• Visibility built in, otherwise requires host
Kubernetes
• Supports Docker
Other frameworks based on docker
Office 365
• Universal Audit Logs
  • Does not record individual mail item access
  • Does capture User Agent strings
  • Best reviewed outside of the cloud
• Azure AD
  • Integrated SSO means your auth does not occur in Office 365
  • You need to tie in Azure AD logs and look at user agents

Office 365
• Onedrive is really sharepoint
• Compliance Search (it partially works)
• PST Export
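The point the slide makes is that with integrated SSO the authentication lives in Azure AD while the activity lives in the Office 365 Universal Audit Log, so the two have to be joined and the user agents compared. As an added example (not code from the talk), the block below does that join offline on exported records: for every UAL activity it finds the most recent Azure AD sign-in for the same user inside a lookback window and flags activity whose client IP or user agent never appeared in a sign-in, or that has no sign-in at all. The records are constructed, the column names are simplified versions of the UAL export and sign-in log fields (assumptions for this example, not the full schema), and the 8-hour window is an example value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Column names are simplified from the Unified Audit
# Log export and the Azure AD sign-in log; treat them as assumptions, not a
# schema. IPs are documentation/example addresses.
UAL_RECORDS = [
    {"CreationTime": "2021-03-01T09:30:00", "UserId": "alice@example.com",
     "Operation": "FileAccessed", "Workload": "SharePoint",
     "ClientIP": "203.0.113.10", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/88"},
    {"CreationTime": "2021-03-01T14:00:00", "UserId": "alice@example.com",
     "Operation": "FileDownloaded", "Workload": "SharePoint",
     "ClientIP": "198.51.100.77", "UserAgent": "python-requests/2.25.1"},
    {"CreationTime": "2021-03-01T11:00:00", "UserId": "bob@example.com",
     "Operation": "Set-Mailbox", "Workload": "Exchange",
     "ClientIP": "192.0.2.44", "UserAgent": "Mozilla/5.0 (Macintosh) Safari/14"},
]
AAD_SIGNINS = [
    {"createdDateTime": "2021-03-01T09:00:00", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/88",
     "status": "success"},
    # bob's last sign-in is the previous evening, outside the example window
    {"createdDateTime": "2021-02-28T17:00:00", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.44", "userAgent": "Mozilla/5.0 (Macintosh) Safari/14",
     "status": "success"},
]


def _ts(value: str) -> datetime:
    """Both sample sources use the same naive ISO timestamp; real exports are UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def correlate(ual_records, signins, window=timedelta(hours=8)):
    """For each UAL activity, pick the latest Azure AD sign-in for that user within
    `window` before the activity and compare IP and user agent. The window is an
    example value standing in for the tenant's token lifetime."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["userPrincipalName"].lower()].append(s)
    for entries in by_user.values():
        entries.sort(key=lambda s: _ts(s["createdDateTime"]))

    results = []
    for r in ual_records:
        when = _ts(r["CreationTime"])
        user = r["UserId"].lower()
        candidates = [s for s in by_user.get(user, [])
                      if when - window <= _ts(s["createdDateTime"]) <= when]
        match = candidates[-1] if candidates else None
        reasons = []
        if match is None:
            reasons.append("no_signin_in_window")
        else:
            if match["ipAddress"] != r["ClientIP"]:
                reasons.append("ip_mismatch")
            if match["userAgent"] != r["UserAgent"]:
                reasons.append("user_agent_mismatch")
        results.append({"user": user, "time": r["CreationTime"],
                        "operation": r["Operation"], "client_ip": r["ClientIP"],
                        "user_agent": r["UserAgent"],
                        "signin_time": match["createdDateTime"] if match else None,
                        "reasons": reasons})
    return results


def flagged(results):
    """Only the activities that did not line up cleanly with a sign-in."""
    return [r for r in results if r["reasons"]]


def user_agents_by_user(ual_records, signins):
    """User agents seen per user on each side, so agents that only ever appear in
    Office 365 activity (never in an interactive sign-in) stand out."""
    seen = defaultdict(lambda: {"o365": set(), "azure_ad": set()})
    for r in ual_records:
        seen[r["UserId"].lower()]["o365"].add(r["UserAgent"])
    for s in signins:
        seen[s["userPrincipalName"].lower()]["azure_ad"].add(s["userAgent"])
    return seen


if __name__ == "__main__":
    for hit in flagged(correlate(UAL_RECORDS, AAD_SIGNINS)):
        print(hit["time"], hit["user"], hit["operation"], hit["reasons"])
    for user, agents in user_agents_by_user(UAL_RECORDS, AAD_SIGNINS).items():
        print(user, "O365-only agents:", agents["o365"] - agents["azure_ad"])
```

The two flagged rows show the two failure modes the join catches: a download by a scripted client from an address that never authenticated interactively, and a mailbox change with no sign-in at all in the window (a token issued earlier than the lookback, or a path that bypassed the sign-in log entirely); both are where to start pulling the Azure AD side in more detail.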
Gsuite for Business
• Gsuite audit logs
  • Drive
  • Sharing Links
  • Account access

Gsuite for Business
• No logging of takeout function

Gsuite for Business
• Mailbox export
  • Multistep process involving
    • oauth tokens
    • Api calls
    • url polling
    • Mbox downloading
Questions?

Thanks for watching you can reach me at


Email: Dcowen@kpmg.com
Twitter: @hecfblog
Youtube: https://www.youtube.com/learnforensics
Web: https://www.hecfblog.com
Podcast: Forensic Lunch on iTunes and others
