Cloud incident response and cloud security are rapidly evolving, and many organizations are struggling to respond and keep pace. Understanding the new approach to incident response management – including digital forensics – is critical, and understanding how to properly monitor and manage the growing cyberthreats throughout cloud computing environments is paramount.
Many modern business systems now operate either fully or partially within cloud environments, consisting of a combination of networks, storage, virtualization, management software and more. Adding to the complexity, these components are often supplied by more than one cloud provider, such as Amazon Web Services, Microsoft Azure or Google Cloud Platform. Cloud IR refers to addressing incidents in these rapidly changing environments.
Incident response has changed drastically over the past decade, with the transition from on-premises to cloud computing playing a large role in this shift. A business network will now typically comprise a combination of cloud infrastructure built on technology from a range of cloud providers, including SaaS, PaaS and IaaS. This presents challenges, particularly in terms of data volume, accessibility and the rapid evolution of threats. This fast pace of change requires a specialized team of incident responders who understand the true nature of cloud security and investigations, and who are armed with specialized cloud IR tools and processes to continuously meet the demands of dynamic cloud workloads.
There are infrastructure, investigative and complexity differences between traditional IR in an on-prem environment and incident response in a cloud environment. The differences in cloud IR require specialized knowledge and methodologies to effectively prevent, detect and respond to cyber incidents in the cloud. The four major differences follow:
Some of the key cloud incident response challenges the industry faces include:
With cloud computing, even simple mistakes can lead to expensive, complicated incidents with outsized impact.
While challenges exist, there are cloud incident response management opportunities, particularly when data can be retained, accessed and effectively analyzed to help protect against future attacks.
There’s no doubt that cloud incident response is highly complex, but even so, it’s practical to create an incident response plan (IRP) that can be extremely effective. Best practices for incident response in the cloud include taking a proactive approach so that the organization is well prepared in the event of a cyber incident. This can include ensuring visibility, logging and auditing across all cloud platforms and services to archive all administrative and potentially anomalous events.
A common pitfall for many organizations in cloud incident response is leaving the default configurations unchanged. Depending on the cloud platform or service in use, administrative events may not be captured by default, or they may not be logged for a long enough retention period to be relied upon during an investigation. Capturing and archiving logs is only half the battle; the other half is implementing alerting use cases to bring real-time visibility into potentially malicious events, such as excessive login failures against an administrative API or the creation of new, unauthorized servers and services.
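As an added illustration of the two alerting use cases just named (this is example code written for this page, not code from the original article or from any cloud provider), the following Python runs two simple detections over constructed CloudTrail-style events: a sliding-window count of failed administrative logins per principal, and an allow-list check on server launches (RunInstances). The event values, ARNs, IP addresses, thresholds and allow-lists are all assumptions made for the example.

```python
"""Two alerting use cases over constructed CloudTrail-style events (example only).

Field names follow AWS CloudTrail conventions (eventTime, eventName, awsRegion,
userIdentity.arn, errorCode, responseElements) so the logic maps onto a real
trail, but every value below is invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed principals (assumed values, not real accounts).
ALICE = "arn:aws:iam::111111111111:user/alice"
BOB = "arn:aws:iam::111111111111:user/bob"
CAROL = "arn:aws:iam::111111111111:user/carol"
MALLORY = "arn:aws:iam::111111111111:user/mallory"
CI_ROLE = "arn:aws:sts::111111111111:assumed-role/ci-deploy/build-42"

# Assumed allow-lists: who may launch servers, and where.
APPROVED_PRINCIPALS = {ALICE, CI_ROLE}
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}


def _login_failure(arn, when, ip):
    """Build a constructed failed ConsoleLogin event."""
    return {"eventTime": when, "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": "Failure"}}


def _denied_admin_call(arn, when, api):
    """Build a constructed AccessDenied call to an administrative API."""
    return {"eventTime": when, "eventName": api, "awsRegion": "us-east-1",
            "userIdentity": {"arn": arn}, "sourceIPAddress": "203.0.113.50",
            "errorCode": "AccessDenied"}


def _run_instances(arn, when, region):
    """Build a constructed RunInstances (server launch) event."""
    return {"eventTime": when, "eventName": "RunInstances", "awsRegion": region,
            "userIdentity": {"arn": arn}, "sourceIPAddress": "192.0.2.44"}


# Constructed sample trail: a burst of failures for alice, scattered ones for bob,
# two denied admin calls for carol, and three launches of varying legitimacy.
SAMPLE_EVENTS = (
    [_login_failure(ALICE, f"2024-01-10T08:0{m}:00Z", "198.51.100.7") for m in range(6)]
    + [_login_failure(BOB, "2024-01-10T08:00:00Z", "203.0.113.9"),
       _login_failure(BOB, "2024-01-10T09:30:00Z", "203.0.113.9")]
    + [_denied_admin_call(CAROL, "2024-01-10T08:10:00Z", "CreateUser"),
       _denied_admin_call(CAROL, "2024-01-10T08:11:00Z", "AttachUserPolicy")]
    + [_run_instances(ALICE, "2024-01-10T09:00:00Z", "us-east-1"),
       _run_instances(CI_ROLE, "2024-01-10T09:05:00Z", "eu-west-3"),
       _run_instances(MALLORY, "2024-01-10T09:07:00Z", "us-east-1")]
)


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(event):
    return event.get("userIdentity", {}).get("arn", "<unknown>")


def is_failed_admin_login(event):
    """True for a failed console login or an access-denied administrative API call."""
    if event.get("eventName") == "ConsoleLogin":
        return event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    return event.get("errorCode") in ("AccessDenied", "UnauthorizedOperation")


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {principal: peak failures within any `window`} for principals at or above `threshold`."""
    per_principal = defaultdict(list)
    for ev in events:
        if is_failed_admin_login(ev):
            per_principal[_principal(ev)].append(_ts(ev))
    alerts = {}
    for principal, times in per_principal.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[principal] = peak
    return alerts


def unauthorized_launches(events, approved_principals, approved_regions):
    """Flag RunInstances calls whose principal or region is outside the allow-lists."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        principal, region = _principal(ev), ev.get("awsRegion")
        reasons = []
        if principal not in approved_principals:
            reasons.append("principal not approved")
        if region not in approved_regions:
            reasons.append("region not approved")
        if reasons:
            findings.append({"principal": principal, "region": region,
                             "time": ev["eventTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("login bursts:", failed_login_bursts(SAMPLE_EVENTS))
    for f in unauthorized_launches(SAMPLE_EVENTS, APPROVED_PRINCIPALS, APPROVED_REGIONS):
        print("unauthorized launch:", f)
```

The sliding window keeps the rule from firing on a handful of failures spread over a day, while still catching a tight burst; the launch rule deliberately reports every reason that applies, so an analyst sees at a glance whether the problem is the identity, the region, or both. In production the same logic would read from the archived trail rather than an inline list, which is why retention configuration matters as much as the rules themselves.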
Leveraging an industry-standard framework, such as the Center for Internet Security (CIS) Critical Security Controls or MITRE ATT&CK, can help an organization define and prioritize alerting use cases to detect potential threats as they occur. Additionally, staff training and developing incident response playbooks that define the specific roles and responsibilities for responding to individual cloud incidents will help standardize the response capabilities within an organization. Common incident response playbooks can cover storage solution compromises (such as Amazon S3) or compromised or unauthorized virtual machine deployments. Incident response plans and playbooks should be tested regularly, either through simulated or active scenarios, to identify any potential gaps and required adjustments due to the ever-changing nature of the cloud service providers.
In some cases, it can be beneficial to deploy a dedicated sandbox environment within the cloud platform. The sandbox environment, which could also be called an investigation environment, should be used specifically for the investigation of incidents. This could be something as simple as an isolated virtual segment in the IaaS platform, or something more tightly controlled, like an independent tenant used strictly for investigations. The latter provides a significant advantage if a control-plane-level compromise of the production environment is suspected, because the investigation does not depend on the integrity of the tenant under investigation. This type of environment allows teams to securely investigate potentially malicious content.
Cloud security is a continuous process. It includes conducting regular cloud security assessments to identify the current state of risk in the deployed environment. A proper cloud security assessment should include an in-depth review of the deployed infrastructure, third-party service integrations, identity management, CI/CD pipelines and the ongoing governance of security posture.
Because cloud environments are inherently designed to be dynamic, scalable and ever-increasing in their service offerings, cloud IR cannot simply follow traditional incident response methods.
The cloud incident response framework consists of five main stages:
With the vastly different environment of networked systems today, it’s imperative to execute a nuanced approach to incident management. Cloud IR addresses the challenges of data volume, storage and accessibility, and keeps pace with the modern threat landscape. Rapid scoping is followed by swift yet thorough investigation, containment and remediation to ensure stability for the organization. Supplemental security guidance helps to create a stronger operating environment for years to come.
A cloud IR team must be staffed with experienced cloud experts who understand the nature of cloud security investigations. They can quickly identify, respond to and contain cloud-specific threats using industry-leading tools, and help you recover faster using an optimized approach for each stage of the cloud incident lifecycle.