4/17 (Thu.) 11:00 - 11:30 4F 4A

Hello your MFA is bypassed: A Deep Dive into Cloud IR and MFA Security - Lessons Learned from a Real AWS

A cloud security incident revealed that merely changing credentials and rebuilding instances after a breach was insufficient without proper Incident Response (IR). The attackers swiftly regained access through the original vulnerabilities. Only after discovering their database had been completely exfiltrated did the customer initiate a comprehensive IR, revealing backdoors planted across critical instances. How did this occur? What design principles could mitigate such risks? Furthermore, evidence of anomalous logins to privileged accounts with MFA was discovered - what strategies could enhance this security layer?

This session explores a cloud IR case study, demonstrating how to leverage logs and cloud-native security services to uncover attack patterns, reconstruct the attack timeline, and identify hidden backdoors. By examining the attacker's methodology, we'll understand the rationale behind cloud security best practices and how poor least-privilege design enabled persistent unauthorized access. We'll conclude by analyzing traces of compromised MFA on privileged accounts, reviewing common MFA bypass techniques, and proposing novel automation strategies that meet a zero trust approach for strengthening your security posture.

Tim Yeh
SPEAKER
AWS Taiwan
Security Solution Architect

TOPIC / TRACK
Incident Response Forum

LOCATION
Taipei Nangang Exhibition Center, Hall 2
4F 4A

LEVEL
Intermediate
Intermediate sessions focus on cybersecurity architecture, tools, and practical applications, ideal for professionals with a basic understanding of cybersecurity.

SESSION TYPE
Breakout Session

LANGUAGE
Chinese

SUBTOPIC
Cloud Security
Incident Response
Zero Trust Architecture