top of page

How Cloud Changes SecOps & Incident Response: Lessons from a Real-World Living-Off-The-Cloud Attack

What: Educational webinar with cloud detection & response (CDR) experts

When: Wednesday, November 15 at 3:30pm ET

Register: Register on SANS website (you must create a free SANS account to register)

Adversaries are increasingly targeting multi-cloud infrastructures to disrupt operations and demand ransomware, exfiltrate sensitive data, and steal funds. To accomplish this while evading detection, they often adapt traditional Living-off-the-Land (LOTL) tactics to the specific API-driven characteristics of the cloud.

How? Instead of leveraging native Windows tools like PowerShell and WMI to escalate privileges and move laterally across corporate networks, they’re now compromising native cloud platform and identity management tools to gain administrative privileges and move laterally from one cloud environment to another.

In addition to enabling automated cloud attacks, the benefits of this approach are that (1) it is stealthy, because most cloud platforms do not natively detect these types of activities, and (2) it enables attackers to reuse the same playbooks over and over, across different organizations, because most organizations using the same cloud providers (AWS, Azure, GCP) have similarly managed architectures.

In this educational webinar, we’ll:

  • Dissect a real-world Living-Off-The-Cloud (LOTC) attack that traversed multiple cloud provider platforms and enabled the attackers to disrupt and demand a ransom payment from the victim organization.

  • Discuss how the attack could have been detected, investigated, and contained at each phase of the kill chain.

  • Provide practical and actionable lessons to strengthen cloud detection and response capabilities and help answer the question “Am I collecting and effectively analyzing all necessary cloud telemetry to detect and stop cloud-native threats before they have a material impact on our business?”


Yotam Meitar, Director of Cloud Response, Gem Security

Yotam is an expert in cloud detection and response (CDR). With 10 years of experience in cyber security, he previously worked at Sygnia, a global cyber consulting and incident response services company with world-class expertise in forensic investigations, Red and Purple Teaming, vulnerability research, and offensive tool development. As Sygnia’s Director of Incident Response, he worked on some of the most sophisticated cloud attacks in the world. Prior to Sygnia, Yotam was a Cyber Analyst with Unit 8200 of the IDF.

Phil Neray, VP of Cyber Defense Strategy, Gem Security

Phil is VP of Cyber Defense Strategy at Gem Security, the Cloud Detection & Response (CDR) company. Prior to Gem, he held executive roles at innovative startups like CardinalOps, CyberX, Veracode, and Guardium as well as at larger organizations like Microsoft Security, IBM Security, and Symantec. Phil has a BSEE from McGill University, is certified in cloud security (CCSK), and has a black belt in American Jiu-Jitsu.


bottom of page