Cloud Incident Response

Cloud security is rapidly evolving, and many organizations are struggling to respond and keep pace. Understanding the new approach to incident response management – including digital forensics – is critical, and understanding how to properly monitor and manage the growing cyberthreats throughout cloud computing environments is paramount.

What Is Cloud Incident Response (IR)?

Many modern business systems now operate either fully or partially within cloud environments, consisting of a combination of networks, storage, virtualization, management software and more. Adding to the complexity, these components are supplied by more than one cloud provider, such as Amazon Web Services, Microsoft Azure or Google Cloud Platform. Cloud IR refers to addressing incidents in these rapidly changing environments.

Incident response has changed drastically over the past decade, with the transition from on-premises to cloud computing playing a large role in this shift. A business network will now typically comprise a combinatory cloud infrastructure using technology from a range of cloud providers, including SaaS, PaaS and IaaS. This represents challenges, particularly in terms of data volume, accessibility and rapid evolution of threats. This fast pace of change requires a specialized team of incident responders who understand the true nature of cloud security, and investigations and are armed with specialized cloud IR tools and processes to continuously meet the demands of dynamic cloud workloads.

How Is Cloud IR Different from Traditional IR?

There are infrastructure, investigative and complexity differences between traditional IR in an on-prem environment and incident response in a cloud environment. The differences in cloud IR require specialized knowledge and methodologies to effectively prevent, detect and respond to cyber incidents in the cloud. The four major differences follow.

1. The Cloud Management Plane

The primary difference in on-premises versus cloud environments is the management plane. The cloud management plane (also referred to as the administrative console) is the control center for adding new identities, deploying new services and managing the overall configuration for an organization’s hosted assets in the cloud.

The management plane of a cloud platform provides a streamlined dashboard to manage identities and infrastructure, which is why it is typically the key target for a threat actor. Compromising the management plane of an AWS environment, for instance, is similar to compromising an on-premises domain controller or a hypervisor – in both instances the threat actor will obtain the keys to the kingdom. It is crucial to know, at all times, which accounts and identities (service accounts included) have administrative access to the management plane.

2. A Difference in Data

Another of the key differences between the two environments is where data, apps and other components are stored. While they used to be held within the corporate data center, they are now on external servers; and if security recommendations are not followed and kept up to date, data may be more accessible to threat actors and increase the size of the attack surface. It’s also worth noting that due to the sheer size and complexity of cloud networks, there’s an increased likelihood that security incidents occur as a result of errors or misconfigurations made by administrators.

3. Scope and Manageability

Another challenge with the cloud setup is accessibility. Traditional on-prem systems housed static and easily accessible datasets. But cloud environments produce mass amounts of data that businesses often choose not to log due to excessive costs.

4. Operating Procedures Require Agility

The dynamic nature of modern systems means that standard operating procedures are less defined in cloud IR. Traditional incident response follows a fairly rigid set of protocols using established detective controls and tools, and it was common to find experts with comprehensive knowledge in the field. On the other hand, cloud environments are highly dynamic, and successful response teams must be as agile and familiar with the minutiae of the cloud services and platforms.

What Are the Cloud IR Challenges?

Some of the key cloud incident response challenges the industry faces include:

• Lack of cloud expertise: Traditional incident response evolved at a snail’s pace compared to today’s security environment and threat landscape in the cloud. Now, it’s nearly impossible for cloud computing experts to have comprehensive knowledge of every threat or attack vector.

• Outdated methods: Traditional DFIR methods were not designed for cloud IR, which means each responder must possess the agility and critical thinking skills to adapt and react to an ever-changing threat landscape.

• Data collection/ingestion: The sheer volume of data involved in modern cloud IR represents a significant challenge. An expanded attack surface and hordes of data pertaining to a single incident means that organizations must find innovative methods to ensure robust data collection that doesn’t blow the budget, while still maintaining security and integrity.

• Access to data: It can also be difficult to access data in a timely manner, particularly when it’s held by a third-party cloud service provider.

With cloud computing, even simple mistakes can lead to expensive, complicated incidents with outsized impact.

While challenges exist, there are cloud incident response management opportunities, particularly when data can be retained, accessed and effectively analyzed to help protect against future attacks.

Best Practices for Incident Response in the Cloud

There’s no doubt that cloud incident response is highly complex, but even so, it’s practical to create an incident response plan (IRP) that can be extremely effective. Best practices for incident response in the cloud include taking a proactive approach so that the organization is well prepared in the event of a cyber incident. This can include ensuring visibility, logging and auditing, across all cloud platforms and services to archive all administrative and potentially anomalous events.

Combating Misconfiguration

A common pitfall in proper incident response handling in the cloud for many organizations is not changing the default configurations. Depending on the cloud platform or service in use, administrative events may not be captured by default, or they may not be logged for a long enough retention period to be relied upon during an investigation. Capturing and archiving logs is only half the battle; the other half is implementing alerting use cases to bring real-time visibility into potentially malicious events, such as excessive login failures to an administrative API or the creation of new unauthorized servers and services.

Staff Training and Developing IR Playbooks

Leveraging an industry-standard framework, such as Center for Internet Security (CIS) Critical Security Controls or MITRE ATT&CK, can help an organization define and prioritize alerting use cases to detect potential threats as they occur. Additionally, staff training and developing incident response playbooks to define the specific roles and responsibilities for responding to individual cloud incidents will help standardize the response capabilities within an organization. Common incident response playbooks can include storage solution compromises (such as Amazon S3) or compromised/unauthorized virtual machines deployments. Incident response plans and playbooks should be tested regularly, either through simulated or active scenarios, to identify any potential gaps and required adjustments due to the ever-changing nature of the cloud service providers.

Cloud Sandbox Deployment

In some cases, it can be beneficial to consider deploying a dedicated sandbox environment within cloud platforms. The sandbox environment, which could also be called an investigation environment, should be specifically used for the investigation of incidents. This could be something simplistic like an isolated virtual segment in the IaaS platform, but it could also be something more tightly controlled, like an independent tenant used strictly for investigations. The latter would provide a significant advantage if there were suspicion of a control plane level compromise of a production environment. This type of environment allows teams to securely investigate potentially malicious content.

Cloud security is a continuous process. It includes conducting regular cloud security assessments to identify the current state risk deployed in the environment. A proper cloud security assessment should include an in-depth review of the deployed infrastructure, third-party service integrations, identity management, CI/CD pipelines and the ongoing governance of security posture.

Cloud IR Framework

Because cloud environments are inherently designed to be dynamic, scalable and ever-increasing in their service offerings, cloud IR cannot simply follow traditional incident response methods.

Unit 42 provides the fastest and most effective recovery for cloud security incidents, with an optimized approach for each stage of the cloud incident lifecycle.

The cloud incident response framework consists of five main stages:

1. Scope: The initial priority is to assess the breadth, severity and nature of a security incident.
2. Investigate: A thorough investigation provides full visibility and involves the use of advanced tools for evidence collection, detection and analysis. Through thorough investigation, a full corpus of IoCs and TTPs from the engagement is derived. Leveraging these helps create a full understanding of the incident and associated risk.
3. Remediate: This process involves ridding the environment of an identified threat through means such as suspending, stopping or removing the associated foothold(s). This also involves closing off or further hardening the initial security gap that was leveraged to start the attack.
4. Secure: Throughout the process, we identify security weaknesses and advise on how to fix those weaknesses to mitigate the risk and severity of future security incidents.
5. Support and Report: To ensure full cloud incident response benefits, we provide comprehensive reporting and offer support through expert guidance on security enhancements that span both the near-term and long-term roadmaps.

What Are the Benefits of Cloud IR?

With the vastly different environment in networked systems today, it’s imperative that we execute a nuanced approach to incident management. Cloud IR addresses the challenges faced with respect to data volume, storage and accessibility, and maintains the fast pace set by the modern threat landscape. Rapid scoping is followed by swift yet thorough investigation, containment and remediation to ensure stability for the organization. Supplemental security guidance helps to create a stronger operating environment for years to come.

The Unit 42 Cloud IR team is staffed with experienced cloud experts who understand the nature of cloud security investigations. They can quickly identify, respond to and contain cloud-specific threats, using industry-leading tools, and help you recover faster using an optimized approach for each stage of the cloud incident lifecycle. Read the Cloud IR at a Glance to learn more.