In the wake of cloud-based attacks such as SolarWinds and Kaseya, today’s columnist, James Campbell of Cado Security, offers a five-point strategy for conducting cloud investigations.

As more data moves to the cloud, hackers follow, putting new pressure on security teams. Look at the first half of the year alone: we’ve already seen a number of cloud-based attacks such as SolarWinds and Kaseya, and these threats aren’t going away anytime soon.

Given how essential the cloud has become to businesses, security tools have promised to adapt to it, but major limitations remain.

When a cyber incident occurs in the cloud today, security analysts use a patchwork of tools to manually collect, process, and analyze the data surrounding a security incident. This process often takes weeks, all while the hacker has free rein to inflict damage. Even worse, because of the heavy uplift and time required to conduct proper investigations, incidents often get closed without digging deep enough.

Security teams are also challenged with securing auto-scaling infrastructures and containers. The dynamic and ephemeral nature of these resources makes it almost impossible for security experts to investigate a potential breach – and hackers are taking advantage.

Fortunately, cloud breaches don’t have to be so complicated and tedious.

Here are five tips to help security teams conduct successful investigations across modern cloud and container environments:

  • Know what types of data the company can capture and analyze.

Knowing which data sources the company can analyze in aggregate makes for a better investigation. By adding cloud context to traditional host-based analysis, security pros can grasp the full extent of what happened. For example, host-based analysis can let the team identify whether malicious files are on the disk and help spot potential staging for data exfiltration. If the team combines host analysis with cloud provider logs, however, it can also see whether there are suspicious connections between hosts, or whether an attacker has managed to gain some level of privilege over the rest of the cloud environment. With this complete context, security teams can fully remediate the incident and satisfy legal and regulatory requirements.

  • Consider the entire landscape.

Security teams often investigate cloud environments with the same approach they take to traditional investigations – capturing logs from external boundary platforms such as firewalls, VPN concentrators, and proxies, as well as from internal boundary platforms such as network and authentication systems. However, cloud investigations have an entire additional layer: cloud management. If an attacker gains access to the cloud management layer, traditional detection technology offers no visibility. In the traditional world, this would be comparable to an attacker having physical access to the datacenter, so they can grab a server and walk out the door. The “physical doors” in the cloud are the cloud management layer, and it’s imperative that the team include this component in every investigation.
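The two points above (host findings gain meaning only with cloud context, and the management layer is where traditional tooling goes blind) come together in a small correlation routine. This is an added example, not code from the column or from Cado Security: the host alert is constructed in an EDR-like shape, the log records are constructed to resemble AWS CloudTrail events (eventTime, eventName, userIdentity.arn, sourceIPAddress), and every identifier, IP address and timestamp is made up. It pulls the cloud events that fall within a window around the host alert and flags those issued with the alerted instance’s own role credentials or that touch the management plane.

```python
"""Correlate a host-based finding with cloud management-plane log records.

Added example, not the column's or Cado Security's code. The host alert is
constructed in an EDR-like shape and the log records are constructed to resemble
AWS CloudTrail events (eventTime, eventName, userIdentity.arn, sourceIPAddress);
the identifiers, IPs and timestamps are all made up for the demonstration.
"""
from datetime import datetime, timedelta, timezone

# Constructed host finding: an archive staged for exfiltration on an EC2 instance.
HOST_ALERT = {
    "instance_id": "i-0123456789abcdef0",
    "time": "2021-06-14T09:42:10Z",
    "detail": "archive staged in /tmp/.cache/out.tgz",
}

# Constructed CloudTrail-style records from the same account. An EC2 instance
# profile shows up as an assumed-role session whose session name is the instance id.
INSTANCE_SESSION = "arn:aws:sts::111122223333:assumed-role/web-role/i-0123456789abcdef0"
CLOUD_EVENTS = [
    {"eventTime": "2021-06-14T09:31:02Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": INSTANCE_SESSION}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2021-06-14T09:35:40Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": INSTANCE_SESSION}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2021-06-14T09:47:15Z", "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-key"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2021-06-14T09:50:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
     "sourceIPAddress": "192.0.2.5"},
    {"eventTime": "2021-06-13T08:00:00Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "sourceIPAddress": "192.0.2.5"},
]

# Management-plane actions that grant, extend or expose access: the "physical
# doors" of the cloud. Illustrative subset, not an exhaustive list.
MANAGEMENT_PLANE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "AttachUserPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
    "ModifySnapshotAttribute", "ModifyImageAttribute", "PutBucketPolicy",
    "AuthorizeSecurityGroupIngress", "StopLogging", "DeleteTrail",
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(host_alert, cloud_events, window_minutes=30):
    """Select cloud events inside +/- window_minutes of the host alert that either
    came from the alerted instance's own credentials or are management-plane
    actions. Each hit records why it was selected, so the analyst can see at a
    glance whether the attacker moved beyond the host."""
    t0 = _ts(host_alert["time"])
    lo = t0 - timedelta(minutes=window_minutes)
    hi = t0 + timedelta(minutes=window_minutes)
    instance = host_alert["instance_id"]
    hits = []
    for ev in sorted(cloud_events, key=lambda e: e["eventTime"]):
        if not (lo <= _ts(ev["eventTime"]) <= hi):
            continue
        arn = ev["userIdentity"]["arn"]
        reasons = []
        if arn.endswith("/" + instance):
            reasons.append("issued with the alerted instance's role credentials")
        if ev["eventName"] in MANAGEMENT_PLANE_ACTIONS:
            reasons.append("management-plane action")
        if reasons:
            hits.append({"time": ev["eventTime"], "action": ev["eventName"],
                         "principal": arn, "source_ip": ev["sourceIPAddress"],
                         "reasons": reasons})
    return hits


def scope_beyond_host(hits, host_alert):
    """Principals other than the alerted instance that performed management-plane
    actions in the window: a non-empty result means the incident cannot be closed
    as a single-host compromise."""
    instance = host_alert["instance_id"]
    return sorted({h["principal"] for h in hits
                   if "management-plane action" in h["reasons"]
                   and not h["principal"].endswith("/" + instance)})


if __name__ == "__main__":
    hits = correlate(HOST_ALERT, CLOUD_EVENTS)
    for h in hits:
        print(h["time"], h["action"], h["principal"], "|", "; ".join(h["reasons"]))
    print("other principals touching the management plane:",
          scope_beyond_host(hits, HOST_ALERT))
```

On the constructed data the instance’s role creates an access key a few minutes before the host alert, and a different user then changes snapshot permissions from a second address: the host finding alone would show only the staged archive, while the cloud records show the attacker has already stepped through a “physical door”. The window size and the action list are tuning knobs; the point is that the host timeline and the management-plane timeline are read together.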

  • Capture data fast, or the team might lose its chance.

Virtualization technology has been great for enterprises across the board. However, because of the ephemeral nature of these resources, it’s often impossible for security teams to understand which assets and data have been compromised. To ensure that the team can analyze the asset, it must capture incident data before it’s gone. It can do this by integrating a digital forensics solution with a SIEM/SOAR or EDR/XDR and using automation to trigger forensic data capture as soon as the system detects malicious activity.

  • Automate the tedious tasks.

Security teams are often bogged down by manual tasks that take time away from their investigation. A forensics analysis often requires massive amounts of data, and complicating things even further, this data lives across countless cloud platforms, regions, systems, and users. To capture, process, and triage the data required to conduct a full investigation using traditional methods can take weeks. However, by automating the most tedious parts of a forensics investigation, including data capture and processing, security teams can drastically reduce the amount of time and effort that’s required to understand the root cause and impact of an incident.
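The previous two points (capture before the host scales away, and automate the capture rather than doing it by hand) are what a detection-to-forensics hook looks like in practice. The following is an added example, not the column’s or Cado Security’s code. A detection arrives as a webhook payload in a constructed shape, and every EBS volume attached to the named instance is snapshotted and tagged with the case identifier. `FakeEc2` is an offline stand-in that mimics the two boto3 EC2 calls used (`describe_instances` and `create_snapshot`, with boto3-shaped results); against a real account you would pass `boto3.client("ec2")` instead, which is an assumption to verify with your own permissions and region. The instance id, volume ids and alert fields are all made up.

```python
"""Alert-triggered forensic capture of a cloud host's disks.

Added example, not the column's or Cado Security's code. FakeEc2 is an offline
stand-in for boto3's EC2 client; passing boto3.client("ec2") in its place is the
intended use and is an assumption to verify in your own account. All identifiers
and alert fields below are constructed.
"""
from datetime import datetime, timezone


class FakeEc2:
    """Offline stand-in for boto3's EC2 client (constructed for this example).
    Returns results in the same shape boto3 does for the two calls used here."""

    def __init__(self, volumes_by_instance):
        self._vols = volumes_by_instance      # {instance_id: [volume_id, ...]}
        self.snapshots = []                   # every snapshot "created"

    def describe_instances(self, InstanceIds):
        unknown = [i for i in InstanceIds if i not in self._vols]
        if unknown:  # the real client raises ClientError (InvalidInstanceID.NotFound)
            raise RuntimeError(f"InvalidInstanceID.NotFound: {unknown}")
        return {"Reservations": [{"Instances": [
            {"InstanceId": i,
             "BlockDeviceMappings": [
                 {"DeviceName": f"/dev/xvd{chr(ord('a') + k)}", "Ebs": {"VolumeId": v}}
                 for k, v in enumerate(self._vols[i])]}
            for i in InstanceIds]}]}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        snap = {"SnapshotId": f"snap-{len(self.snapshots) + 1:017x}", "VolumeId": VolumeId,
                "Description": Description, "Tags": TagSpecifications[0]["Tags"]}
        self.snapshots.append(snap)
        return snap


def capture_on_alert(alert, ec2, already_captured):
    """Snapshot every EBS volume on the alerted instance, tagging each snapshot with
    the alert so the evidence stays tied to the case. already_captured is a set the
    caller keeps across alerts so a noisy rule does not snapshot the same host
    repeatedly. Returns a status dict; 'gone' means the ephemeral host had already
    disappeared, which is exactly the outcome a fast trigger is meant to avoid."""
    instance_id = alert["host"]["cloud_instance_id"]
    case_id = alert["alert_id"]
    key = (case_id, instance_id)
    if key in already_captured:
        return {"status": "duplicate", "instance_id": instance_id, "snapshots": []}
    try:
        resp = ec2.describe_instances(InstanceIds=[instance_id])
        instances = [i for r in resp["Reservations"] for i in r["Instances"]]
    except Exception:  # boto3 raises ClientError for an unknown or expired instance id
        instances = []
    if not instances:
        return {"status": "gone", "instance_id": instance_id, "snapshots": []}
    tags = [
        {"Key": "ForensicCase", "Value": case_id},
        {"Key": "SourceInstance", "Value": instance_id},
        {"Key": "AlertRule", "Value": alert["rule"]},
        {"Key": "CapturedAt", "Value": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")},
    ]
    snapshots = []
    for bdm in instances[0]["BlockDeviceMappings"]:
        ebs = bdm.get("Ebs")
        if not ebs:           # instance-store disks cannot be snapshotted this way
            continue
        resp = ec2.create_snapshot(
            VolumeId=ebs["VolumeId"],
            Description=f"forensic capture {case_id} {instance_id} {bdm['DeviceName']}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}],
        )
        snapshots.append(resp["SnapshotId"])
    already_captured.add(key)
    return {"status": "captured", "instance_id": instance_id, "snapshots": snapshots}


# Constructed detection payload, in the shape an EDR/SIEM webhook might post.
SAMPLE_ALERT = {
    "alert_id": "CASE-2021-0614-01",
    "rule": "staging_archive_in_tmp",
    "host": {"hostname": "web-3", "cloud_instance_id": "i-0123456789abcdef0"},
}

if __name__ == "__main__":
    ec2 = FakeEc2({"i-0123456789abcdef0": ["vol-0aaa111", "vol-0bbb222"]})
    seen = set()
    print(capture_on_alert(SAMPLE_ALERT, ec2, seen))
    print(capture_on_alert(SAMPLE_ALERT, ec2, seen))   # duplicate alert is skipped
    print(capture_on_alert({**SAMPLE_ALERT, "host": {"hostname": "web-9",
          "cloud_instance_id": "i-0deadbeef0000000"}}, ec2, seen))
```

Two design points matter here. The tags are what let the snapshots be found again weeks later and tied back to the alert that produced them, and the `gone` status should itself be recorded, because a host that vanished between detection and capture is a measurable gap in the team’s response time.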

  • Understand root cause, identify patient zero, and close all gaps.

Security teams need to conduct a thorough forensics investigation post-breach to prevent future breaches. As we’ve seen with ransomware, attackers are known to return and execute successful repeat attacks. It’s critical to retrace the attacker’s every move and identify how they gained entry and how they were able to set up the ransomware distribution and execution. In addition, it’s important to identify all accounts, systems, and credentials that were compromised, and the method of exploitation, to ensure the team has resolved every vulnerability and completely removed the attacker’s access.
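Retracing the attacker’s moves through cloud identities is a graph problem: each role assumed and each user or key created from a compromised identity is itself compromised. The routine below is an added example, not the column’s or Cado Security’s code. Its records are constructed in a CloudTrail-like shape (time, calling principal, source IP, action, request parameters, response elements), and the account id, user and role names, IP addresses and access key id are all made up. Starting from the single attacker IP that host forensics typically yields first, it expands to a fixed point, reports patient zero as the earliest event by any compromised identity, and lists the users, roles and keys that must be revoked before the incident can be closed.

```python
"""Retrace the attacker's path through cloud identities: find patient zero and
enumerate every identity and credential that must be revoked.

Added example, not the column's or Cado Security's code. Records are constructed
in a CloudTrail-like shape; account id, names, IPs and the access key id are made up.
"""

ACCOUNT = "111122223333"   # constructed account id
OPS_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/ops-admin/s1"


def arn_user(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


# Constructed events, deliberately not in chronological order.
EVENTS = [
    {"t": "2021-06-12T22:41:30Z", "principal": OPS_SESSION, "ip": "203.0.113.10",
     "action": "CreateUser", "params": {"userName": "svc-backup"}, "response": {}},
    {"t": "2021-06-12T22:10:00Z", "principal": arn_user("ci-deploy"), "ip": "203.0.113.10",
     "action": "ListBuckets", "params": {}, "response": {}},
    {"t": "2021-06-12T22:15:12Z", "principal": arn_user("ci-deploy"), "ip": "203.0.113.10",
     "action": "AssumeRole", "params": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ops-admin"},
     "response": {"assumedRoleUser": {"arn": OPS_SESSION}}},
    {"t": "2021-06-12T22:42:05Z", "principal": OPS_SESSION, "ip": "203.0.113.10",
     "action": "CreateAccessKey", "params": {"userName": "svc-backup"},
     "response": {"accessKey": {"accessKeyId": "AKIAEXAMPLEKEY000001"}}},
    {"t": "2021-06-13T03:05:44Z", "principal": arn_user("svc-backup"), "ip": "198.51.100.7",
     "action": "RunInstances", "params": {}, "response": {}},
    {"t": "2021-06-12T09:00:00Z", "principal": arn_user("admin"), "ip": "192.0.2.5",
     "action": "PutBucketPolicy", "params": {}, "response": {}},
]


def trace(events, seed_ips):
    """Expand from the known attacker IPs to a fixed point: every principal seen from
    an attacker IP is compromised; every role a compromised principal assumed and
    every user or access key it created is compromised too; and every IP a
    compromised principal used becomes an attacker IP. The earliest event by a
    compromised principal is patient zero."""
    attacker_ips, compromised, revoke = set(seed_ips), set(), set()
    while True:
        before = (len(attacker_ips), len(compromised))
        for ev in events:
            if ev["ip"] in attacker_ips:
                compromised.add(ev["principal"])
            if ev["principal"] not in compromised:
                continue
            attacker_ips.add(ev["ip"])
            if ev["action"] == "AssumeRole":
                compromised.add(ev["response"]["assumedRoleUser"]["arn"])
                revoke.add(("role", ev["params"]["roleArn"]))
            elif ev["action"] == "CreateUser":
                compromised.add(arn_user(ev["params"]["userName"]))
                revoke.add(("user", arn_user(ev["params"]["userName"])))
            elif ev["action"] == "CreateAccessKey":
                compromised.add(arn_user(ev["params"]["userName"]))
                revoke.add(("access-key", ev["response"]["accessKey"]["accessKeyId"]))
        if (len(attacker_ips), len(compromised)) == before:
            break   # nothing new learned on this pass; sets only grow, so this terminates
    timeline = sorted((e for e in events if e["principal"] in compromised), key=lambda e: e["t"])
    for p in compromised:   # rotate the credentials of every identity the attacker used
        revoke.add(("credentials", p))
    return {"patient_zero": timeline[0] if timeline else None,
            "compromised": compromised, "attacker_ips": attacker_ips,
            "revoke": revoke, "timeline": timeline}


if __name__ == "__main__":
    result = trace(EVENTS, {"203.0.113.10"})
    print("patient zero:", result["patient_zero"])
    for e in result["timeline"]:
        print(e["t"], e["ip"], e["action"], e["principal"])
    for item in sorted(result["revoke"]):
        print("revoke:", item)
```

On the constructed data a single IP leads back to the `ci-deploy` user as patient zero, forward through an assumed admin role to a newly created user and key, and then to a second IP the attacker used only with that new user. Remediation that stopped at the original IP or the original host would have left the `svc-backup` user and its key in place, which is the gap that enables the repeat attack.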

The lack of automation coupled with the complexity of the cloud means organizations often don’t have the speed, visibility, or confidence to properly investigate and respond to cloud breaches. Further, the sheer volume of events and incidents security experts have to deal with makes it nearly impossible to strike the right balance between investigating enough and tackling the next problem. Fortunately, there’s a better way. With the right technology in place, security teams don’t have to be cloud experts to secure data in their environment.

James Campbell, co-founder and CEO, Cado Security