Cloud forensic investigations involve large volumes of diverse devices and data. Investigations involving advanced persistent threat attacks involve filtering noisy data and using expert knowledge to identify the missing steps in the attacks that typically have long time spans. Under such circumstances, obtaining timely and credible forensic results is a challenge.

This chapter engages a case study to demonstrate how MITRE’s ATT&CK knowledge base and Lockheed Martin’s Cyber Kill Chain methodology can be used in conjunction to perform forensic analyses of advanced persistent threat attacks in cloud environments. ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques developed from real-world observations of attacks. The Cyber Kill Chain methodology describes a series of steps that trace a cyber attack from its early reconnaissance stage to the later data exfiltration stage. Because advanced persistent threat attacks on cloud systems involve the key Cyber Kill Chain phases of reconnaissance, command and control communications, privilege escalation, lateral movement through a network and exfiltration of confidential information, it is beneficial to combine the ATT&CK knowledge base and Cyber Kill Chain methodology to identify and aggregate evidence, and automate the construction of the attack steps.