How the Cloud Changes SecOps and Incident Response: Lessons from a Real-World Living-Off-The-Cloud Attack

Adversaries are increasingly targeting multi-cloud infrastructures to disrupt operations and demand ransom, exfiltrate sensitive data, and steal funds. To accomplish this while evading detection, they often adapt traditional Living-off-the-Land (LOTL) tactics to the API-driven nature of the cloud.

How? Instead of leveraging native Windows tools like PowerShell and WMI to escalate privileges and move laterally across corporate networks, they now abuse the cloud platforms' own management and identity tooling to gain administrative privileges and move laterally from one cloud environment to another.

Beyond lending itself to automated cloud attacks, this approach has two benefits for the attacker: (1) it is stealthy, because most cloud platforms do not natively detect these activities, and (2) the same playbooks can be reused across many organizations, because most organizations on the same cloud providers (AWS, Azure, GCP) have similarly managed architectures.

In this educational webinar, we’ll:

  • Dissect a real-world Living-Off-The-Cloud (LOTC) attack that traversed multiple cloud provider platforms and enabled the attackers to disrupt the victim organization and demand a ransom payment.
  • Discuss how the attack could have been detected, investigated, and contained at each phase of the kill chain.
  • Provide practical and actionable lessons to strengthen cloud detection and response capabilities and help answer the question “Am I collecting and effectively analyzing all necessary cloud telemetry to detect and stop cloud-native threats before they have a material impact on our business?”
