5 best practices for incident response in cloud environments

As businesses embrace the cloud and containers, cyberattacks are on the rise. Businesses need to quickly collect, sort, and analyze data to reduce attacks. James Campbell, CEO and Co-Founder of Cado Security, discusses five best practices for incident response in cloud and container environments.

When it comes to incident response, speed and efficiency are key. However, the changing IT landscape has made responding quickly increasingly difficult. With the continued adoption of the cloud, cyber attackers are changing the way they operate. The attack surface grows rapidly, extending to edge containers. The sudden increase in remote work during the pandemic has made the problem much worse.

The average time to respond to a cyber incident can range from days, when a business is aware of the attack (as in the case of stolen assets or a reported error), to weeks or months in the case of stealthy attacks, whether from within or without. Many of the most damaging attacks are of the latter variety, as Verizon highlights in its 2021 Data Breach Investigations Report. IBM's 2021 Cost of a Data Breach Report found that it took an average of 287 days to identify and contain a data breach (seven days more than the previous year), with the costs of the breach increasing over time. Breaches that took more than 200 days to identify cost an average of $4.87 million, compared to $3.61 million for breaches identified and contained in less than 200 days.

Organizations must be able to quickly collect, sort, and analyze data to mitigate attacks and limit damage. In a cloud environment, this requires automation and, for best results, the use of a cloud-native forensic platform. Automating evidence collection alone can save analysts days or even weeks during an investigation. Here are five best practices to drastically reduce investigation and response time.

1) Identify data sources and collect carefully

Efficiently performing the initial triage by collecting the right set of artifacts will significantly reduce processing time and acquisition resource usage. This will help you identify additional data sources while excluding others. Guidance from the SANS Institute and the National Institute of Standards and Technology (NIST) stresses that live data triage collection should be based on:

  • Artifacts likely to have value for the investigation
  • Data volatility
  • The amount of effort required to acquire this data

Standardize on a basic set of artifacts for triage, including network connection status, logged-in users, running processes, event logs, $MFT, registry hives, and volatile memory. If triage evidence analysis warrants a full disk image, you can acquire, process, and analyze it automatically using cloud-native tools.

Full disk captures have traditionally involved a tedious manual process using bootable USB drives or shipping a device to a secure location. Creating snapshots and using a cloud provider’s APIs made this task easier in the cloud, but it still required the knowledge and skills to work with each provider’s APIs. Today, the process can be automated using cloud-native APIs. Another option is to use a cloud-native forensic platform that abstracts cloud complexity and fully automates the acquisition, processing, and analysis of entire cloud volumes. And it can do this without impacting workloads since no agent is required.


2) Collect and process data efficiently

The faster you can analyze key events, the faster you can react, reducing the risk to your organization. It is best to document and standardize the collection and processing of evidence and, where possible, to work in parallel across the systems of interest.

Automation will significantly streamline the process, and in the context of cloud and container environments, it’s essential to ensure data is captured before it’s gone. You can also use remote commands to invoke a SOAR (Security Orchestration, Automation and Response) platform to collect data from multiple sources and perform automated actions based on a predefined playbook. Additionally, by integrating your cloud-native investigation platform with these other solutions, you can ensure that further investigation can begin immediately after high-severity detections.

3) Standardize data retention

The value and volatility of data typically drives its lifecycle management. Be sure to define and document where the data will be stored and for how long, and who will have access to it. Where possible, define hot and cold storage requirements and full chain of custody, including appropriate marking and labeling of evidence.
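One way to record custody and retention for a triage package, shown as an added example that is not part of the original article: each file is hashed at collection time and the manifest is re-checked before analysis. The field names, case ID, collector name and sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, case_id, collector, tier, retain_days, now=None):
    """Record what was collected, by whom, where it lives and until when."""
    now = now or datetime.now(timezone.utc)
    root = Path(evidence_dir)
    items = [
        {"path": p.relative_to(root).as_posix(), "bytes": p.stat().st_size,
         "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    ]
    return {
        "case_id": case_id, "collected_by": collector,
        "collected_at": now.isoformat(), "storage_tier": tier,
        "retain_until": (now + timedelta(days=retain_days)).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir, manifest):
    """Return paths that are missing or whose hash no longer matches."""
    root = Path(evidence_dir)
    bad = []
    for item in manifest["items"]:
        target = root / item["path"]
        if not target.is_file() or sha256_file(target) != item["sha256"]:
            bad.append(item["path"])
    return bad


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample evidence
        (Path(tmp) / "netstat.txt").write_text("tcp 10.0.0.5:22 ESTABLISHED\n")
        (Path(tmp) / "processes.txt").write_text("1 init\n742 sshd\n")
        manifest = build_manifest(tmp, "CASE-EXAMPLE", "analyst1", "hot", 90)
        print(json.dumps(manifest, indent=2))
        print("altered or missing:", verify_manifest(tmp, manifest))
```

Store the manifest outside the evidence directory, in a location with stricter write access than the evidence itself, so that a change to the evidence cannot be hidden by rewriting the manifest.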

4) Analyze data holistically

Be prepared to collect and aggregate data at scale, enabling a comprehensive view of all systems and the ability to explore data in a user-friendly way, like a timeline. Additionally, the data collected should be enriched with threat intelligence so that analysts can quickly and easily dive into the most important evidence first and pivot their investigation from there. A holistic view improves investigation efficiency and speeds containment, eradication and recovery.
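The single enriched timeline described above, as an added example that is not from the original article: host and cloud records with different timestamp formats are normalized to UTC, merged, and tagged against a threat-intelligence set. All records, field names and the indicator are constructed sample data using documentation IP ranges.

```python
import re
from datetime import datetime, timezone

# Constructed sample records: two sources, two timestamp formats.
HOST_EVENTS = [
    {"host": "web-1", "time": "2022-03-01T10:02:11Z", "event": "process_start",
     "detail": "curl http://203.0.113.50/a.sh"},
    {"host": "web-1", "time": "2022-03-01T09:58:40Z", "event": "logon",
     "detail": "user=deploy src=198.51.100.7"},
]
CLOUD_EVENTS = [
    {"resource": "web-1", "epoch": 1646128800, "action": "CreateAccessKey",
     "caller_ip": "203.0.113.50"},
    {"resource": "db-1", "epoch": 1646128500, "action": "DescribeInstances",
     "caller_ip": "192.0.2.10"},
]
THREAT_INTEL = {"203.0.113.50": "constructed indicator"}  # IP -> analyst note
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def normalize(host_events, cloud_events):
    """Map both source schemas onto one row shape with UTC timestamps."""
    rows = []
    for e in host_events:
        ts = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({"ts": ts.replace(tzinfo=timezone.utc), "system": e["host"],
                     "source": "host", "what": e["event"], "detail": e["detail"]})
    for e in cloud_events:
        rows.append({"ts": datetime.fromtimestamp(e["epoch"], tz=timezone.utc),
                     "system": e["resource"], "source": "cloud",
                     "what": e["action"], "detail": "caller_ip=" + e["caller_ip"]})
    return rows


def build_timeline(host_events, cloud_events, intel):
    """Merge and sort all rows, tagging each with the indicators it contains."""
    rows = sorted(normalize(host_events, cloud_events), key=lambda r: r["ts"])
    for row in rows:
        # Whole-token match so 203.0.113.5 never matches inside 203.0.113.50.
        row["hits"] = sorted(set(IPV4.findall(row["detail"])) & set(intel))
    return rows


def first_hit(timeline):
    """Earliest row with an intel hit: where an analyst starts pivoting."""
    return next((r for r in timeline if r["hits"]), None)


if __name__ == "__main__":
    for r in build_timeline(HOST_EVENTS, CLOUD_EVENTS, THREAT_INTEL):
        flag = "!" if r["hits"] else " "
        print(flag, r["ts"].isoformat(), r["system"], r["source"], r["what"])
```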

5) Refine and sharpen your tool set

IT environments are not static and your incident response process should not be static either. It must adapt to changes in the IT or security landscape. For example, the COVID-19 pandemic has accelerated cloud adoption, forcing organizations to apply current IR processes inappropriately to cloud investigations or simply accept the risk of limited visibility and response capabilities in the cloud. However, you could instead use the cloud as a security asset, including leveraging a cloud-native forensics platform. The cloud can also provide secure, flexible, and efficient processes for collecting, processing, and storing evidence.

Concrete example

In one example, the use of EDR/XDR, SOAR, and a cloud-native forensic platform enables proactive capture, processing, and analysis of data in the environment.

EDR/XDR triggers alerts (possibly involving multiple events or systems), and the SOAR platform correlates the alerts, putting a playbook into action and issuing an API call to the cloud-native investigation platform.

Subsequently, the SOAR calls the EDR/XDR API (or a cloud agent) to execute a command on the host in question.

During this time, a triage package is generated, uploaded to cloud storage and automatically processed in the investigation platform. Threat information is applied to artifacts, allowing analysts to view, search, and collaborate on the investigation, working with a shared view in a single window and a single timeline.

If further investigation is needed, a full disk acquisition can acquire deeper artifacts. Once the investigation is done, the organization can begin remediation.

Cloud speed and scale response

With incident response, speed is key, but so is accurate threat assessment. It is essential to have a well-defined and proven plan for cloud and container investigations. Triage helps identify incidents early and focus the investigation on the affected systems. Agentless full disk acquisition enables deeper analysis without disrupting production workloads. And process automation throughout not only dramatically increases speed, but also improves process accuracy and consistency, further reducing time to resolution.

Basic best practices for data collection and incident response haven’t changed much over the past decade—NIST’s Computer Security Incident Management Guide, for example, dates from 2012—but the computing environment and the tools available have changed considerably. Following these best practices using automation and a cloud-native forensics platform enables a standardized data collection process, holistic analysis, and reduced time to resolution of incidents. And it also allows security to keep pace with the rapidly changing cloud landscape.
