Name & Direct Link: Cloud Labs

Platform: Invictus Incident Response

Good for Beginners: There are easy labs available

Cost: Free – $58.56/month

Proof of Completion: The “All-In” subscription offers digital badges

Description: Hands-on practice with cloud incident response. Microsoft  365, Azure, Sentinal, AWS and more.

Name & Direct Link: Digital Forensics & Incident Response in the Cloud Bootcamp

Platform: INE

Cost: This course is part of the INE Premium ($749/year) subscription*

Topics:

• Digital Forensics & Imaging
• Chain of Custody & Authority
• Evidence Collection
• Memory Forensics
• Logs & Network Analysis
• Cloud Infrastructure
• Cloud Incident Response
• Cloud Playbook
• Incident Response Lifecycle & Roles
• Threats – Hunting & Intelligence

*DFIR Diva is a partner of INE and receives a small percentage of sales made through partner links that go toward keeping the site running.

Name & Direct Link: Introduction to AWS Threat Detection

Platform: LinkedIn Learning

Instructor: Day Johnson

Cost: $34.99

Topics:

• MITRE Cloud Matrix
• Log Analysis in AWS
• CloudTrail Log Analysis
• Investigating Compute Threats
• Investigating IAM Threats
• Investigating Storage Threats
• Investigating Logging and Monitoring Threats
• Amazon GuardDuty

Name & Direct Link: AWS Incident Response Workshops

Platform: AWS

Cost: The workshops themselves are free but some of the AWS services used in the hands-on portion can result in charges.

Workshops Include:

• Unauthorized IAM Credential Use
• Ransomware on S3
• Cryptominer Based Security Events
• SSRF on IMDSv1
• AWS CIRT Toolkit for Automating Incident Response Preparedness
• Automating Incident Response Workshop
• SIEM on Amazon OpenSearch Service Workshop
• AWS Incident Response Playbooks Workshop
• Building an AWS Incident Response Runbook Using Jupyter Notebooks and CloudTrail Lake

Title: Cloud Forensics Demystified: Decoding Cloud Investigation Complexities for Digital Forensic Professionals

Authors: Ganesh Ramakrishnan & Mansoor Haqanee

Publisher: Packt

Where to Buy (links):

Packt

Amazon*

Topics:

• Cloud Fundamentals
• Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics
• DFIR Investigations – Logs in AWS, Azure, and GCP
• Cloud Productivity Suites (Microsoft 365 and Google Workspace)
• Common Attack Vectors and TTPs
• Cloud Forensic Analysis – Responding to an Incident in the Cloud
• The Digital Forensics and Incident Response Process
• Tools and Techniques for Digital Forensic Investigations
• Live Forensic Analysis and Threat Hunting
• Network Forensics
• Malware Investigations
• Traditional Forensics vs Cloud Forensics
• MITRE ATT&CK Framework
• Cloud Evidence Acquisition (AWS, Azure, GCP)
• Analyzing Compromised Containers
• Analyzing Compromised Cloud Productivity Suites (Microsoft 365 and Google Workspace)

*DFIR Diva is an affiliate of Amazon and receives a small percentage of sales made through affiliate links that go toward keeping the site running.

Name & Direct Link: Hands-On KQL Courses

Platform: Blu Raven

Cost: Free – $546

Hands-On: Yes (uses a hyper-realistic lab environment)

Proof of Completion: Yes – Certificate of Completion

Courses and Topics:

Introduction to KQL for Security Analysis (Free – 50 seats are made available every week)

• Introduction to Databases and Logging
• KQL Fundamentals and Exploring Data
• Searching and Filtering Data
• Joining and Combining Datasets

Hands-On Kusto Query Language (KQL) for Security Analysts ($327)

• Introduction to Databases and Logging
• KQL Fundamentals and Exploring Data
• Searching and Filtering Data
• Creating and Manipulating Fields
• Joining and Combining Datasets
• Time Traveling within the Logs
• Aggregating Data
• Visualizing Data
• Time Series Analysis
• Using KQL for Triage and Investigations

Hands-On KQL for Threat Hunting and Detection Engineering ($546)

• Introduction to Databases and Logging
• KQL Fundamentals and Exploring Data
• Searching and Filtering Data
• Creating and Manipulating Fields
• Joining and Combining Datasets
• Time Traveling within the Logs
• Aggregating Data
• Anomaly Detection using KQL
• Time Series Analysis
• Visualizing Data

Name & Direct Link: AWS Security Incident Response Courses

Platform: AWS

Cost: Free

Proof of Completion: Certificate

Courses:

• AWS Security Incident Response Overview
• AWS Security Incident Response – Cryptomining Use Case
• AWS Security Incident Response – Ransomware Use Case
• AWS Security Incident Response – Compromised IAM Credentials Use Case

Name & Direct Link: Cloud Incident Response Framework (publication)

Platform: Cloud Security Alliance (CSA)

Name & Direct Link: Pwned Labs

Platform: Pwned Labs

Cost: Basic – Free, Pro – $20/month or $200/year

Good For Beginners: Yes – There are labs labeled as “Beginner”

Community: There is a Pwned Labs Discord Server

Description: Hands-On Security Cloud Labs. There are labs for both blue and red teams. Including DFIR-type labs such as “Investigate Threats with Amazon Detective” and “Breach in the Cloud”.

Name & Direct Link: Cloud Forensics & Incident Response Videos

Platform: YouTube – Cado Security

Topics Include:

• EC2 Forensics and Incident Response
• AWS GuardDuty for Forensics & Incident Response
• AWS SSM Forensics and Incident Response
• Google Kubernetes Engine Forensics and Incident Response
• Kubernetes: Docker Forensics & Incident Response
• Google Compute Engine Forensics and Incident Response
• ECS Forensics and Incident Response
• Azure Forensics and Incident Response
• AWS Log Forensics & Incident Response
• Cloud Security Fundamentals for Forensics & Incident Response

Additional Resources:

There is a free Cado Community Edition – leverages the scale and speed of the cloud to simplify deep-dive investigations.

Cado Security also developed an open source tool: CloudGrep (It currently supports searching log files, optionally compressed with gzip (.gz) or zip (.zip), in AWS S3, Azure Storage or Google Cloud Storage.)

In addition to their Blog, they have cloud forensics & incident response Resources on their website such as:

• Ultimate Guide to Incident Response in Azure
• Ultimate Guide to Incident Response in AWS
• The Ultimate Guide to Incident Response in GCP
• The Ultimate Guide to Docker & Kubernetes Forensics & Incident Response
• The Ultimate Guide to Forensics of Mining Malware in Linux Container and Cloud Environments
• Investigating Microsoft 365 Compromises Cheat Sheet
• GCP Incident Response Cheat Sheet
• AWS Incident Response Cheat Sheet
• Azure Incident Response Cheat Sheet