Traditional incident response (IR) learned from on-premises investigations doesn’t work in the cloud. Today's threat actors are finding misconfigurations and vulnerabilities to allow them to penetrate cloud environments. They’re also adapting old techniques to new environments, resulting in new, complex, and constantly evolving threats. Traditional information security must evolve to meet the new requirements of cloud and hybrid environments — but incident response also requires a significant update to be effective for cloud and hybrid environments. It requires not only cloud expertise, but security expertise as well – two areas where the talent gap is consistently significant.
There are four phases of incident response according to the National Institute of Standards and Technology:
- Prepare to handle incidents: establish an incident response capability, including gathering the tools and resources needed for incident responders
- Prevent incidents through strong security controls, including securing networks, systems, and applications
Detection and analysis
- Attack vectors, such as via external media, brute force, cross site scripting, email attachments and links, impersonation, improper usage, theft or loss of equipment, and more
- Signs of an incident: detecting and assessing possible incidents
- Sources of precursors and indicators, such as logs, publicly available information, and computer security software alerts
- Incident analysis is time consuming as there may be thousands or millions of indicators per day, so prioritization is critical
This phase also includes:
- Incident documentation – documenting all facts regarding a suspected incident, which results in more efficient problem-handling
- Incident prioritization, based on the functional impact, information impact, and recoverability of the incident
- Incident notification, notifying everyone who needs to be involved and providing status updates as required
Containment, eradication, and recovery
- Selecting a containment strategy based on the type of incident, including documenting criteria to facilitate decision making
- Gathering and handing evidence, which is required to resolve the incident but may also be necessary for legal proceedings
- Identifying the attacking hosts, though this is less critical than containment and can be quite time-consuming
- Eradication and recovery, including deleting malware, disabling breached user accounts, and identifying and mitigating exploited vulnerabilities
- Lessons learned, taking time to improve incident response, reflect new threats, and improve technology
- Using collected incident data to uncover systemic security weaknesses and threats, changes in incident trends, and measure the success of the IR team
- Retaining evidence based on a policy your organization creates, which must meet prosecution and data retention requirements – there are also potential costs related storing original hardware and retaining computers that can use the stored media and hardware
These are all essential both in traditional incident response and in incident response in the cloud. The difference is really in how IR teams conduct an investigation and what forensic evidence is available for them to collect and use to help the organization return to business as usual — and how quickly it can be accomplished. For any company with a hybrid or cloud infrastructure, it’s essential to consider how cloud environments and cloud IR is different and plan ahead to handle incidents quickly and effectively.
Preparation Is Key
The preparation phase of incident response is critical. Regardless of whether your organization is experiencing an incident in an on-prem, hybrid, or cloud environment, it’s essential to establish an incident response plan. Establishing tools and resources ahead of time can ensure resilient emergency communication, with back up mechanisms in place in case one fails or is compromised by an attacker.
Traditional incident response can take days to get the right data feeds and access to all the logs necessary to start investigating a response. Do you know the answers to these key questions, which are essential to responding to an incident in the cloud:
- How long do your cloud providers store your logs for?
- Can you pull the right data from your various cloud and third-party providers?
- How long will it take to download and analyze historical data?
- If an attacker deletes your logs to remove any trace of their activities, do you have your log data stored?
- Is your forensic data prepped and ready for rapid investigation?
- Does your IR team have the cloud expertise necessary to investigate a critical cloud incident?
Without forensic data, incident response is slow and chaotic as IR teams struggle to find the information necessary to determine the actions attackers have taken. In agile, dynamic environments, you need a cloud-based platform and cloud security expertise to prepare for and manage cybersecurity incidents effectively. New capabilities in the cloud, including automation, better storage, and improved compression options all made it not only possible, but imperative to change IR in cloud and hybrid environments and make readiness, response, and recovery a priority.
During the investigation phase, incident responders assess forensic evidence and pull together the details of the cyberattack, which may include identifying:
- who carried out the attack
- where the compromise initially happened
- what data was compromised or exfiltrated
In traditional incident response, this phase can be very time consuming. It can take several days for traditional IR teams to gain access to the right systems, logs, and configuration files. During this period, responders also may have to pull data off physical disks, seek additional permissions, or ask detailed questions to determine what data is most critical to the organization. As they investigate, they must also provide updates into the incident investigation over the phone, via extended Zoom calls, or via periodic meetings to review PowerPoint decks and spreadsheets. This can extend the investigation time as investigators must both conduct research and continuously update stakeholders.
In cloud and hybrid environments, it’s best to begin before an incident occurs by collecting forensic data in advance. Frequently, cloud service providers (CSPs) store data for only a brief period. Attackers also delete logs or otherwise impede investigations. It typically takes months to discover a breach, long after forensic data has been deleted, which is why it is critical to collect, store, and analyze data proactively. When forensic data is an afterthought, it makes incident investigation much more chaotic and challenging, resulting in prolonged response and recovery times.
Incident Containment, Eradication, Recovery
Containment, eradication, and recovery is mostly self-explanatory: it’s the part of incident management process where the incident undergoes triage, remediation, and resolution. For traditional incident responses, days or weeks may have passed before incident response teams can effectively contain a breach and recover from a severe incident. That may result in days or weeks of anxiety and uncertainty within the company, and increasingly healthcare, financial regulators, and data protection regulations require rapid notification for those individuals impacted by a breach.
Organizations must seek to shrink the overall response window from weeks to just days to begin remediation as quickly as possible. Accelerated remediation and recovery can help those impacted by a severe incident to return to business as usual quickly, rather than waiting weeks for full resolution of their security breach.
The final phase of incident response is the time to analyze the information gathered from the incident to improve investigation in future incident investigations. This part of the process is critical for both on-prem and hybrid and cloud incidents, helping organizations analyze their security posture and increase resilience to future attacks.
Traditional incident response and remediation is time-consuming. It’s primarily a manual process that moves slowly as incident response teams gather data from a variety of endpoints. SIEM data, servers, memory, and so on. It’s also fairly chaotic; traditional IR teams rely on internal processes to document and store this data. Pulling the information together and presenting it to the security team, leadership, and board of directors is a time-consuming, manual process.
In the cloud, forensic data can be collected proactively, based on a crown jewels analysis that identifies the assets most critical to accomplishing an organization’s mission. Proactive data collection and analysis radically reduces the time to begin an investigation and allows cloud incident response teams to use automation to provide open communication channels between team members and deliver detailed information to stakeholders, so they can make informed decisions quickly during a severe incident.
Traditional Incident Response Is Too Slow For The Cloud
The cloud is fast and constantly changing — new services are deployed frequently, and the cloud provider marketplace grows and changes every day. This cycle of constant change and innovation requires fundamental changes to traditional incident response plans. Instead of reactive positions, waiting for incidents to occur before taking action, it’s essential to adopt a readiness-mindset that evaluates risks for potential incidents and ensures that internal teams have spent the time needed to prepare for an attack, so if or when one happens, they aren’t unprepared.
There are unique cloud security issues and opportunities, which require both security and cloud expertise to help organizations return to business as usual quickly after an attack. Slow, manual processes that haven’t changed since incident response first began simply won’t work in the cloud, particularly as cyberattackers adapt old hacks to new environments and embrace automation as a way to attack at scale. Organizations need to change their approach to incident response as they transition to the cloud, bringing in trusted partners who offer the technology, automation, and skills needed today. It’s time that incident response changed to meet the new challenges and opportunities created by the shift to cloud environments.