My notes:
- Methodologies for Cyber Threat Intelligence: [06:00]
- Blacklist: hashes, IPs, ports (indicators only; brittle once the attacker rotates infrastructure)
- Statistical Analysis
- Behavior analysis: MITRE ATT&CK (intention/tactics, not indicators) [06:55]
- Case Study : Capital One Attack [08:58]
- T1595: Active Scanning (finding the exposed web app)
- T1190: Exploit Public-Facing Application (SSRF in the web app) [13:25]
- T1552 (T1552.005, Cloud Instance Metadata API): use the SSRF to reach the EC2 metadata service and read the instance role's temporary credentials [14:14]
- T1526: Cloud Service Discovery: use the stolen credentials to list every S3 bucket the role can see [15:20]
- T1530: Data from Cloud Storage: exfiltrate the bucket contents from S3
- The Cloud API Service [18:50]
- CloudTrail: threat hunting on the API calls themselves (eventName, userIdentity, sourceIPAddress), since the whole chain above after the SSRF is just API calls [20:00]
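The Capital One chain and the CloudTrail point above, as an added example (my own, not code from the talk). It runs two hunts over constructed CloudTrail records: instance-profile credentials (role session name = instance ID) used from an IP outside the trusted ranges, and ListBuckets followed by GetObject across several buckets. The account ID, role name, IPs and bucket names are made up.

```python
"""Hunt CloudTrail for the chain above: EC2 instance-role credentials used
off-host, then S3 enumeration followed by collection from several buckets."""
import ipaddress
from collections import defaultdict

# Constructed sample CloudTrail records (not real logs), trimmed to the fields used.
# The role session name of EC2 instance-profile credentials is the instance ID.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/WAF-Role/i-0abc123def456789"
SAMPLE_EVENTS = [
    {"eventTime": "2019-07-19T10:00:00Z", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.25",                      # the instance itself
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"bucketName": "app-config", "key": "waf.json"}},
    {"eventTime": "2019-07-19T10:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",                  # attacker host (TEST-NET-2)
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": None},
    {"eventTime": "2019-07-19T10:06:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"bucketName": "customer-data-1", "key": "dump.csv"}},
    {"eventTime": "2019-07-19T10:07:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"bucketName": "customer-data-2", "key": "dump.csv"}},
    {"eventTime": "2019-07-19T10:08:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",                   # an admin's IAM user, benign
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None},
]


def is_instance_profile_session(event):
    """True when the call was made with credentials issued to an EC2 instance profile."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")


def outside_trusted(source_ip, trusted_nets):
    """True for an IP outside the given CIDRs. CloudTrail puts service names
    (e.g. 's3.amazonaws.com') in sourceIPAddress for AWS-originated calls;
    those are not off-host use and are ignored."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return not any(ip in net for net in trusted_nets)


def hunt(events, trusted_cidrs):
    """Return findings per principal ARN: instance-role creds used off-host, and
    ListBuckets followed by GetObject across two or more distinct buckets."""
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    by_principal = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_principal[ev["userIdentity"]["arn"]].append(ev)

    findings = []
    for arn, evs in by_principal.items():
        # Rule 1: credentials taken from the metadata service, replayed elsewhere.
        off_host = defaultdict(list)
        for ev in evs:
            if is_instance_profile_session(ev) and outside_trusted(ev["sourceIPAddress"], trusted_nets):
                off_host[ev["sourceIPAddress"]].append(ev["eventName"])
        for ip, names in off_host.items():
            findings.append({"rule": "instance-role-creds-offhost", "arn": arn,
                             "sourceIPAddress": ip, "eventNames": names})

        # Rule 2: enumeration (ListBuckets) then collection from several buckets.
        list_times = [ev["eventTime"] for ev in evs if ev["eventName"] == "ListBuckets"]
        if list_times:
            buckets = {(ev.get("requestParameters") or {}).get("bucketName")
                       for ev in evs
                       if ev["eventName"] == "GetObject" and ev["eventTime"] > list_times[0]}
            if len(buckets) >= 2:
                findings.append({"rule": "s3-enum-then-collect", "arn": arn,
                                 "buckets": sorted(buckets)})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, ["10.0.0.0/8"]):
        print(finding)
```

On real data, feed it the `Records` array of the CloudTrail JSON files and the VPC/NAT CIDRs the instances actually egress from; the first rule is the one that would have fired early in the Capital One case, since the stolen role credentials were used from outside AWS.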
- Azure Resource Provider Operations [30:00]
- Portal
- CLI: az provider operation list (the operation strings that appear in role definitions and in the Activity Log); per provider: az provider operation show --namespace Microsoft.Compute
- Azure Activity Log [33:13]
- only records control-plane writes (Create, Update, Delete), no Reads; read access to data (secrets, blobs) needs resource/diagnostic logs instead
- Grouped by correlation ID
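The two Activity Log points above (writes only, grouped by correlation ID), as an added example of my own rather than anything from the talk. It takes entries in the shape of `az monitor activity-log list -o json` output (constructed here, trimmed to a few fields), collapses each correlation ID into one operation with its ordered sub-operations and final status, and runs one cheap hunt: correlation IDs that contain a role assignment write. The subscription, callers and resource IDs are made up.

```python
"""Group Azure Activity Log records by correlationId so one control-plane operation
(its Started/Succeeded records and any sub-operations) reads as one story."""
from collections import defaultdict

VM1 = "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
RA1 = "/subscriptions/sub1/providers/Microsoft.Authorization/roleAssignments/ra1"

# Constructed entries (not real log data) in the shape of `az monitor activity-log list`.
SAMPLE_LOG = [
    {"correlationId": "c1", "eventTimestamp": "2024-05-01T09:00:00Z",
     "caller": "alice@contoso.example", "resourceId": VM1,
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Started"}},
    {"correlationId": "c1", "eventTimestamp": "2024-05-01T09:00:40Z",
     "caller": "alice@contoso.example", "resourceId": VM1,
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"}},
    {"correlationId": "c2", "eventTimestamp": "2024-05-01T09:10:00Z",
     "caller": "svc-deploy@contoso.example", "resourceId": RA1,
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"}},
    {"correlationId": "c2", "eventTimestamp": "2024-05-01T09:11:00Z",
     "caller": "svc-deploy@contoso.example", "resourceId": VM1 + "/extensions/CustomScript",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"},
     "status": {"value": "Started"}},
    {"correlationId": "c2", "eventTimestamp": "2024-05-01T09:12:00Z",
     "caller": "svc-deploy@contoso.example", "resourceId": VM1 + "/extensions/CustomScript",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"},
     "status": {"value": "Failed"}},
]


def is_control_plane_write(operation_name):
    """Activity Log carries only write-class operations (…/write, …/delete, …/action).
    Reads never appear, so 'who looked at this secret' cannot be answered from it."""
    return operation_name.rsplit("/", 1)[-1] in {"write", "delete", "action"}


def group_by_correlation(entries):
    """Return {correlationId: summary} with the caller, time span, distinct operations
    in first-seen order, final status and the resources touched."""
    groups = defaultdict(list)
    for entry in sorted(entries, key=lambda e: e["eventTimestamp"]):
        groups[entry["correlationId"]].append(entry)

    summary = {}
    for cid, records in groups.items():
        operations = []
        for record in records:
            op = record["operationName"]["value"]
            if op not in operations:          # Started/Succeeded pairs collapse to one
                operations.append(op)
        summary[cid] = {
            "caller": records[0]["caller"],
            "start": records[0]["eventTimestamp"],
            "end": records[-1]["eventTimestamp"],
            "operations": operations,
            "outcome": records[-1]["status"]["value"],
            "resources": sorted({r["resourceId"] for r in records}),
        }
    return summary


def role_assignment_writes(summary):
    """Correlation IDs in which a role assignment was created or changed: a cheap
    first hunt, since that is how a foothold is turned into durable access."""
    return sorted(cid for cid, s in summary.items()
                  if "Microsoft.Authorization/roleAssignments/write" in s["operations"])


if __name__ == "__main__":
    grouped = group_by_correlation(SAMPLE_LOG)
    for cid, s in grouped.items():
        print(cid, s["caller"], s["outcome"], s["operations"])
    print("role assignment writes:", role_assignment_writes(grouped))
```

Grouping by correlation ID is what turns the c2 records into one readable action (a role assignment followed by an attempted script extension by the same caller) instead of three unrelated lines.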
- AWS IMDSv1 vs IMDSv2 (the EC2 metadata service the SSRF above hit; v2 requires a session token obtained with a PUT, which a plain-GET SSRF cannot issue)
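The IMDSv1/IMDSv2 difference as an added, self-contained model (my own code, not from the talk). The endpoint path, the `X-aws-ec2-metadata-token-ttl-seconds` / `X-aws-ec2-metadata-token` headers and the PUT-then-GET flow are AWS's real protocol; the service itself is simulated in-process, and the role name and credential values are constructed. `ssrf_fetch` models the usual SSRF primitive: the attacker picks the URL, the server issues a bare GET.

```python
"""Why IMDSv2 blocks the SSRF-to-metadata step: v1 answers any GET, v2 only answers
a GET that carries a session token minted by an earlier PUT."""
import secrets

TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/WAF-Role"   # constructed role name
FAKE_CREDS = {"AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "constructed",
              "Token": "constructed-session-token"}                  # constructed values


class Imds:
    """In-process model of the 169.254.169.254 service. require_token=False behaves
    like IMDSv1 (any GET is answered); require_token=True like IMDSv2 enforced
    (HttpTokens=required): every GET must carry a token obtained via PUT."""

    def __init__(self, require_token):
        self.require_token = require_token
        self.tokens = set()

    def handle(self, method, path, headers=None):
        headers = headers or {}
        if method == "PUT" and path == TOKEN_PATH:
            # A session token is minted only for a PUT that carries a TTL header.
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                return 400, None
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            return 200, token
        if method != "GET" or path != CREDS_PATH:
            return 404, None
        if self.require_token and headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            return 401, None          # IMDSv2 refuses a bare or forged-token GET
        return 200, FAKE_CREDS


def ssrf_fetch(imds, url):
    """SSRF primitive: the attacker controls the URL the server fetches, but not
    the HTTP method or headers, so only a plain GET reaches the service."""
    path = url.split("169.254.169.254", 1)[1]
    return imds.handle("GET", path)


def legitimate_v2_client(imds):
    """What an SDK running on the instance does: PUT for a token, then GET with it."""
    status, token = imds.handle("PUT", TOKEN_PATH,
                                {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if status != 200:
        return status, None
    return imds.handle("GET", CREDS_PATH, {"X-aws-ec2-metadata-token": token})


if __name__ == "__main__":
    url = "http://169.254.169.254" + CREDS_PATH
    print("v1 via SSRF:", ssrf_fetch(Imds(require_token=False), url)[0])   # 200, creds leak
    print("v2 via SSRF:", ssrf_fetch(Imds(require_token=True), url)[0])    # 401
    print("v2 on-host :", legitimate_v2_client(Imds(require_token=True))[0])  # 200
```

The model is only as strong as the enforcement: with the default `HttpTokens=optional`, v1 GETs still work, so the fix is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, and the token PUT's default hop limit of 1 keeps the token from being fetched through a container or NAT hop.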