Cloud & Identity Compromise

Unauthorized access to cloud infrastructure or identity provider through stolen tokens, OAuth abuse, or misconfigured access policies.

Triage

4 procedures

Bound the Investigation Timeframe

Identify Patient Zero (First Compromised System)

Container Escape Detected

Validate the Initial Access Vector

Containment

4 procedures

Credential and Account Lockdown

Revoke Cloud Sessions and Tokens

Isolate Compromised Kubernetes Workload

Contain Compromised Serverless Function

Sponsored

Preservation

5 procedures

Volatile Memory Capture

Log Preservation and Snapshot

Document Chain of Custody for All Collected Evidence

Cloud Tenant Configuration Snapshot

Capture Cluster etcd Snapshot for Control-Plane Forensics

Collection

7 procedures

Collect Kubernetes Control-Plane Audit Trail

Collect Serverless Execution and Management Evidence

EDR Telemetry Collection

M365 Unified Audit Log Collection

Azure AD Sign-In and Audit Log Collection

Identify Alternative Evidence When Primary Logs Are Missing

Coordinate Log Collection from Third-Party Vendors

Analysis

5 procedures

Lateral Movement Analysis and Mapping

Detect OAuth and Consent Phishing Abuse

Investigate Mailbox Rule Modifications

Analyze Container Escape Primitives and Cluster-Wide Exposure

Analyze Cloud IAM Privilege Escalation

Eradication

4 procedures

Mass Credential Reset and Session Invalidation

Comprehensive Persistence Mechanism Sweep

Eradication Verification Checklist

Post-Incident Configuration Hardening

Recovery

1 procedure

Phased Service Restoration with Enhanced Monitoring

Post-Incident Review

4 procedures

Create New Detection Rules Based on Incident Findings

Generate Comprehensive Incident Report

Review Cloud Hardening Gaps After Identity Compromise

Conduct Lessons Learned Review Session