When attackers get their hands on privileged credentials in cloud environments, their first move is rarely the big flashy action we expect. Instead, they're quietly turning off the alarms. Defense impairment has become a go-to tactic for adversaries who want to operate undetected in AWS and Azure environments, and it's working because teams aren't watching for it.
This talk will walk through real-world defense impairment techniques across AWS and Azure. We'll dig into what it looks like when attackers suppress their own IPs in GuardDuty, redirect CloudTrail logs to buckets they control, tamper with Azure diagnostic settings, or disable Defender entirely. More importantly, we'll focus on how to catch them doing it.
Attendees will leave with practical detections they can implement immediately and a better understanding of the logging bottlenecks that matter most when adversaries are trying to go dark in your cloud environment.
This webcast is ideal for Detection Engineers, Incident Responders, and SOC Analysts.
Attendees will learn how to:
This webcast supports content and knowledge from SEC541: Cloud Security Threat Detection. To learn more about this course and explore upcoming sessions, click here.
With a strong foundation in cybersecurity, marked by a long list of GIAC certifications, Ryan’s expertise and educational approach make him exceptionally qualified to teach and mentor the current and next generation of cybersecurity professionals.
Read more about Ryan Thompson