BEGIN:VCALENDAR
PRODID:-//vBulletin 6//EN
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
UID:33ea52a9-22ce-4f70-9734-98d17f6dccc5
DTSTAMP:20260520T060402Z
SUMMARY:Cloud host base strategy by staging defensive tools for Threat Hunt
 ing and Forensics
DESCRIPTION:Title: Cloud host base strategy by staging defensive tools for 
 Threat Hunting and Forensics\n\nDescription:\nCloud instance forensic acqu
 isition presents certain challenges to forensics teams. Traditional forens
 ic methods usually are not effective in the cloud. Access and networks are
  designed differently than in an on-premise Data Center. Forward-thinking 
 strategies need to be implemented so that Incident Response Cyber teams ca
 n effectively use forensically sound methods to examine artifacts on hosts
 .\n\nMy talk is about how to prepare your organization for forensic acquis
 itions in a cloud infrastructure. I will quickly cover how to prepare a fl
 eet of systems for memory and physical disk forensics. The targets are AWS
  EC2 instances but could be applied to any other cloud provider's host
  provisioning infrastructure. I will focus on the process and
  infrastructure required to do this level of inspection. By the end you
  will be able to apply these strategies to activities such as Threat
  Hunting.\n\nMany organizations struggle with implementing Threat Hunting
  programs with orchestration in mind to capture memory and disk level
  forensics. How does a Cyber team respond to an alert they receive from a
  cloud host? How can they quickly collect artifacts for further forensic
  inspection? Last\, how can you best secure the forensics infrastructure
  from where you launch the orchestrated forensic examiner systems?\n\nThe
  first part of my talk will describe the infrastructure required to be in
  place to support forensic orchestration. I will outline a strategy:
  servers\, tools\, storage\, and protective measures to ensure that
  forensic activities are conducted behind a cloud of secrecy. Maintaining
  stealth mode is critically important to enabling the forensic team to do
  their job while the business is not impacted by the investigative
  activities.\n\nIn the second part\, we will examine the pipeline process
  to implement solutions in EC2 instances with pre-configured memory and
  acquisition tools ready to be tapped into by the forensic team. I will
  discuss some of the challenges encountered when conducting forensics with
  the different AWS hypervisor solutions.\n\nAs a result\, testing each
  design of the Linux instances with your forensics tools is an important
  part of the process. Do not expect the forensic tools to work seamlessly
  when the architecture teams switch fundamental infrastructure designs.
  Each phase of the AMI delivery pipeline needs to be tested and verified
  that the Cyber team can continue to perform their investigations without
  running into challenges during a real incident. Do not wait until
  forensics is really needed to only find out that the tools designed did
  not perform their job.\n\n=====\n\nYouTube:
  https://www.youtube.com/watch?v=DSipgVlsAfo\n\n#cloudv-general-text:
  https://discord.com/channels/708208267699945503/732733373172285520\n\n
 Speaker(s): Michael Mimo\n\nLocation: Cloud Vlg\n\nDiscord:
  https://discord.com/channels/708208267699945503/732733373172285520\n\n
 Event starts: 2020-08-09 11:00 (11:00 AM) PDT (UTC -07:00)\n\nEvent ends:
  2020-08-09 11:45 (11:45 AM) PDT (UTC -07:00)\n\nFor the most up-to-date
  information\, please either visit https://info.defcon.org\, or use
  HackerTracker\, which is available for iOS and Android. This is an
  automated message\, and this data was last modified 2020-08-08T05:43
  (UTC).
URL:https://forum.defcon.org/node/234726
DTSTART:20200809T190000Z
DTEND:20200809T194501Z
LOCATION:Cloud Vlg
END:VEVENT
END:VCALENDAR
