Hackers, bad actors, and nation states are always looking for new ways to exploit network connectivity, and the cloud is now falling prey. Cloud services are taking businesses by storm with their ease of use and convenience; it’s no wonder many organizations are jumping on the bandwagon. The unfortunate reality is that companies are seldom prepared when a cloud-based attack occurs, potentially leaving them with irreparable damage to the business.
With the growing trend in cloud vulnerabilities, having a cloud incident response plan (IRP) will reduce the overall risk associated with cloud services utilization by changing the security mentality and attitudes within the organization; let’s discuss.
What is Cloud Incident Response?
The cloud is any service that is available to users on demand using “borrowed” computing power or storage from the cloud provider. These services act as virtual servers reached over the internet. This shift to cloud computing offers huge conveniences to those using it, such as instantaneous file sharing across the organization, hosting of software at a reduced cost, and more. It has made it possible for organizations to manage their information systems without having to manage physical servers. However, it’s not all great news.
With a report conducted by Trustwave showing that cyberattacks on cloud services doubled in 2019, comprising around 20 percent of all security incidents that year, an incident response strategy is a must.
Incident Response Plan
An IRP is a strategy or document that outlines, gives direction, and provides solutions to the organization in the event a breach or cyberattack occurs. Most strategies will be developed by a security specialist and then executed by your organization.
IRPs vary depending on the industry, but generally speaking they tend to follow a similar pattern, and cloud incident response does so too.
In brief, the IRP consists of six parts (sometimes five, depending on the framework), and those are:
- Preparation
- Identification
- Analysis, or triage
- Investigation
- Containment
- Recovery, or lessons learned
The preparation of the cloud IRP, as the name suggests, is the steps the organization takes prior to any breach occurring. In the case of cloud services, preparation will also include choosing the right services provider.
Employees or users will create most cloud projects outside the organizational information systems or control environment. Unless your organization has the resources to develop and host its own cloud environment, chances are the organization is paying a cloud services provider.
For this reason, it is vital that in the preparation phase the organization shortlists cloud providers under a strict security audit protocol, meaning the organization should put cloud service providers through a rigorous testing program before onboarding them.
Some techniques that your organization can implement are:
- Internal Policy: as part of the security audit, ensure that the internal policy has a list of requirements ready so that acquisition can go smoothly. In cases where the organization creates its own cloud infrastructure, ensure the developers have adequate training in cloud security.
- Training and Awareness: The staff must also have adequate training and awareness when using cloud services. For example, make sure the staff is made aware of how to share links securely and of the difference between public and private sessions.
- Use Reputable Providers: In most cases, you will have limited control over the security environment of the cloud service, so it is best to choose one that is used by the wider business community, for example Google or Amazon. Keep in mind that you are leaving the security up to them, but you can still take steps to minimize risk.
Identification, traditionally, can be a big undertaking. In information systems that rely on physical servers, it is challenging to track the cause of a breach or security event unless the organization took prior steps to implement security information and event management (SIEM) software.
Fortunately, most cloud services and infrastructures come built-in with monitoring systems making this step substantially easier.
The kinds of tracking tools that the organization should be looking for when choosing the right cloud infrastructure are:
- CPU usage
- Number of users engaged
- Login attempts
- Data packet transfers
These should be the minimum, but depending on your security needs there may be more. With the above tools, the identification of a security event is made easier. Spikes in CPU usage could indicate that unauthorized software is attempting to execute or install. If the user count is higher than the number of staff your organization employs, it could indicate that unwelcome parties are trying to access the network.
These are a few examples of identification that can help you detect an attack, and potentially prevent it from happening.
It is also vital that the organization log only necessary data. This restricted logging will help reduce the “noise” when assessing events that are occurring over the system and it will also reduce the cost by limiting expenditure on data storage.
You can also set up an email-based notification system that will alert the security team or the person responsible for an unusual event (based on the parameters you set).
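The three identification signals above (failed login bursts, more active accounts than staff headcount, CPU spikes) as detection logic run over a constructed sample of audit and metric events. This is an added example written for this article, not tooling from any cloud provider; the JSON-lines event format, the field names and the thresholds are assumptions.

```python
import json
from collections import Counter
from statistics import mean
# Constructed sample of cloud audit and monitoring events (JSON lines); not real provider output.
SAMPLE_LOG = """\
{"ts": "2020-03-01T09:00:00Z", "kind": "login", "user": "alice", "ok": true}
{"ts": "2020-03-01T09:01:00Z", "kind": "metric", "host": "vm-web-1", "cpu": 12}
{"ts": "2020-03-01T09:03:00Z", "kind": "login", "user": "svc-backup", "ok": false}
{"ts": "2020-03-01T09:03:05Z", "kind": "login", "user": "svc-backup", "ok": false}
{"ts": "2020-03-01T09:03:10Z", "kind": "login", "user": "svc-backup", "ok": false}
{"ts": "2020-03-01T09:04:00Z", "kind": "metric", "host": "vm-web-1", "cpu": 14}
{"ts": "2020-03-01T09:05:00Z", "kind": "login", "user": "bob", "ok": true}
{"ts": "2020-03-01T09:06:00Z", "kind": "metric", "host": "vm-web-1", "cpu": 97}
{"ts": "2020-03-01T09:07:00Z", "kind": "login", "user": "mallory", "ok": true}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def failed_login_bursts(events, threshold=3):
    """Accounts with at least `threshold` failed logins (password guessing or credential stuffing)."""
    fails = Counter(e["user"] for e in events if e["kind"] == "login" and not e["ok"])
    return {user: n for user, n in fails.items() if n >= threshold}

def excess_users(events, headcount):
    """Distinct accounts that logged in successfully, if there are more of them than staff."""
    users = sorted({e["user"] for e in events if e["kind"] == "login" and e["ok"]})
    return users if len(users) > headcount else []

def cpu_spikes(events, factor=3.0):
    """CPU samples more than `factor` times the mean of that host's other samples."""
    by_host = {}
    for e in events:
        if e["kind"] == "metric":
            by_host.setdefault(e["host"], []).append(e["cpu"])
    spikes = []
    for host, samples in by_host.items():
        for i, cpu in enumerate(samples):
            others = samples[:i] + samples[i + 1:]
            if others and cpu > factor * mean(others):
                spikes.append((host, cpu))
    return spikes

def alerts(events, headcount):
    """Alert lines an email notification hook would send to the security team."""
    out = [f"failed-login burst: {u} ({n} failures)" for u, n in failed_login_bursts(events).items()]
    if excess_users(events, headcount):
        out.append(f"more active accounts than staff headcount ({headcount})")
    out += [f"cpu spike on {host}: {cpu}%" for host, cpu in cpu_spikes(events)]
    return out
```

Calling `alerts(parse_events(SAMPLE_LOG), 2)` on the constructed sample yields three alert lines, one per signal; in practice the thresholds and the headcount come from the parameters your organization sets.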
Analysis, or triage of the situation, asks the organization to go back and assess the severity of the security event. Traditionally, this would involve analyzing logs that may have come from the SIEM system, or using surveys to determine who was doing what and where, followed by finding the root cause of the problem. Only then could the organization assess the severity of the event.
Thankfully, as with identification, cloud infrastructures make this easy. Through their built-in logging, cloud services allow you to assess, for each project run by users, whether it is:
- Connected to corporate environments
- Accessing other users on the network
- Created privately or publicly
- Using what kind of data
- And more.
If an event is identified, you can check to see whether the root cause could lead to further breaches or if it is contained to that singular incident.
The issue with the cloud is that users can create cloud projects at any moment. Those users can also restrict access, which means the admins use up valuable time gaining access to user projects, limiting their ability to assess severity.
One way to work around that is to allow the admin team emergency access to projects when an event has been identified.
Most cloud services will run on virtual machines (VMs). This actually makes the investigation phase a lot easier to execute whilst also making it discreet.
Unlike traditional cyber forensics, you don’t need to ship compromised machines or devices to a security team or do imaging of any sort. With virtual machines, you can take a snapshot of the compromised assets and carry out the required forensics without alerting any would-be attackers.
As mentioned previously, the logs kept by cloud services also serve as a tool in the investigation phase of cloud incident response.
Within the IRP, the organization should mention some options available to it when carrying out an investigation. Some open-source tools make the analysis of VMs more straightforward, with the added benefit of hashing if you need to use the newly created data as evidence in a report.
The hashing essentially makes it tamper-proof, so that an investigative body or authority can be sure that what is being reported is accurate.
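An added example of the hashing step described above, written for this article rather than taken from any forensic tool: an evidence manifest records the SHA-256 of each collected snapshot file at collection time, and re-verifying against it later reveals any file that has since been altered. The file name, case id and analyst id are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large snapshot exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(paths, case_id, collected_by):
    """Record who collected which evidence files and their hashes at collection time."""
    return {"case": case_id, "collected_by": collected_by,
            "files": {os.path.basename(p): sha256_file(p) for p in paths}}

def verify_manifest(manifest, paths):
    """Names of files whose current hash differs from the manifest (modified or corrupted)."""
    return sorted(os.path.basename(p) for p in paths
                  if manifest["files"].get(os.path.basename(p)) != sha256_file(p))

def demo():
    """Hash a constructed stand-in for a snapshot export, then alter it and re-verify."""
    with tempfile.TemporaryDirectory() as workdir:
        snapshot = os.path.join(workdir, "vm-web-1.snapshot")  # constructed, not a real export
        with open(snapshot, "wb") as f:
            f.write(b"disk snapshot bytes (constructed sample)\n")
        manifest = build_manifest([snapshot], "CASE-0001", "analyst@example.invalid")
        clean = verify_manifest(manifest, [snapshot])      # expect [] right after collection
        with open(snapshot, "ab") as f:
            f.write(b"tampered\n")                         # simulate a later modification
        tampered = verify_manifest(manifest, [snapshot])   # expect the altered file listed
        return json.dumps(manifest, indent=2), clean, tampered

if __name__ == "__main__":
    manifest_json, clean, tampered = demo()
    print(manifest_json)
    print("after collection:", clean, "after modification:", tampered)
```

Store the manifest separately from the evidence (and ideally sign or time-stamp it) so that a change to the files cannot be hidden by rewriting the manifest alongside them.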
The second option is to outsource the forensics to a specialist. It is advisable to shortlist candidates prior to an incident so that you can begin building a partnership. Keep in mind that IRPs are most effective when created at the inception of the business or very early on. Starting this process first will also limit the downtime to the business during a security event.
Once you get past the identification phase, containment, like some other steps in the IRP, is much easier to achieve. The problem previously faced in identification was gaining access to VMs or projects when users had restricted access to them.
But by the time you reach this stage of the IRP, the security team should already have access, or contact with the users who have control. Either way, as the title suggests, this stage involves containing threats and eliminating or mitigating them where possible.
In the cloud, this is possible through:
- Blocking compromised credentials. This should slow down any attackers and block them from re-accessing the account.
- Pausing the operation of VMs. Here you can pause VMs that are compromised. This will stop any spread of malware, or attackers jumping from one machine to another.
- Shutting down VMs. A more stringent measure than pausing the VM: you can simply shut it down.
- Network isolation. Here you can add firewall rules that block the compromised assets from connecting to the network, or confine the asset to an internal network.
In extreme cases, you can also delete the VMs. It is only advisable to do so if backups are made regularly.
The final stage in cloud incident response strategy is the recovery phase. This is also sometimes referred to, in other IRP frameworks, as lessons learned.
In the recovery phase, the organization can begin to put VMs back online after the threat has been contained and/or eliminated. It is essential that the organization keep detailed records of what happened during this phase.
This accounting ensures that they are ready if it were to happen again. Furthermore, it makes the whole organization more prepared for security events as a whole. The bright side of security events is that they can involve many team members, even those who are not part of the security team; it is even preferable that some of them have less security experience.
You can start to understand why this phase is sometimes referred to as lessons learned.
Through executing the incident response plan, the whole organization has a taste of what to expect in the future.
We can only hope that the event is not of profound significance, but your organization’s cyber resilience primarily decides that.
As an overall cloud incident strategy, following the steps of a traditional IRP will yield great results. The only thing to be aware of is the subtle difference between cloud infrastructures and more physical information systems.
It is still vital that your organization understands the basics of cloud operations and, more importantly, cloud security. These two things alone will increase the readiness of the organization.
How we can help
Cloud services have made our lives more convenient. The opportunity cost of such convenience sometimes means sacrificing security, but we say: why not both?
Don’t let convenience get in the way of security when you can have the best of both worlds.
RSI Security is the nation’s premier cybersecurity and compliance provider. Let us help you with your cloud incident response or any other security matter that needs tending.
Get in contact with us today, book a free consultation here.