We conclude our 3-part blog series on cloud security with today’s feature on cloud incident response. Visit MyRepublic Ignite to learn more about our enterprise ICT solutions for SMEs in Singapore.

Cloud Incident Response for the Modern SME

Today’s security landscape is complicated. Accepting that your systems will be breached at some point is a prerequisite for protecting your organisation; your cloud security strategy should therefore cover both pre-breach elements (prevention and detection) and post-breach elements (response and recovery).

Gartner forecasts that by 2025 over 85% of organisations will have adopted a cloud-first principle, and that they will be unable to fully execute their digital strategies without it. The same forecast puts over 95% of new digital workloads on cloud-native platforms by 2025, up from 30% in 2021.

Since workloads began moving from on-premises infrastructure to cloud computing over a decade ago, incident response (IR) has changed drastically.

Nowadays, a business network typically spans infrastructure from several cloud providers, consumed under a mix of service models (IaaS, PaaS and SaaS). This brings its own challenges: the sheer volume of log and telemetry data, the question of who can access which evidence (the provider holds much of it), and the rapid evolution of threats.

This year alone, 27% of businesses experienced a cyber-attack on their cloud environment, according to Check Point. With attackers increasingly targeting the cloud, organisations that adopt a cloud-first approach need to be prepared for critical, service-disrupting incidents.

What is Cloud Ransomware?

Cloud ransomware, previously extremely rare, is now growing in frequency.

Traditional file-encrypting ransomware does not work directly against API-based cloud storage, because there is no mounted file system for it to encrypt: the data is only reachable through the provider’s API. As a result, threat actors are developing new tactics, techniques and procedures (TTPs) that work natively in cloud environments. These are hard to predict, and it takes experienced incident responders to anticipate what such TTPs might look like and to prepare for and respond to them.

Cloud ransomware actors are likely to use cloud APIs to enumerate and access cloud resources that contain persistent data they can encrypt or destroy.

A threat actor may target specific cloud services based on the APIs used to access them, or develop a separate payload for each targeted service, much as some traditional ransomware actors have developed different payloads for different operating systems. Last year, the average ransomware demand was USD 2.2 million, according to Palo Alto Networks, and as attackers turn to the cloud this figure is only predicted to rise.

Understanding the Cloud IR Process

As cloud workloads rapidly evolve, organisations require specialised incident responders, who have a deep understanding of cloud security, investigations, and specialised tools and processes.

Engaging an experienced team of cloud incident responders lets organisations cut down the dwell time of an attack (the time between the attacker’s initial access and their detection and eradication), comply with legal requirements, ensure business continuity, and limit the damage such breaches cause. A cloud incident response strategy also helps organisations keep delivering their cloud-based services and products reliably and efficiently.

Cloud incident response involves aligning the critical resources, operations and services needed to manage incidents within a cloud infrastructure. Knowing whom to contact in the event of a cloud cyber-attack, and following a comprehensive cloud incident response plan, allows cloud technicians to quickly restore a disrupted service.

Conducting frequent compromise assessments is also vital to cloud cybersecurity. Through proactive threat hunting, organisations can detect and contain malware, limit the impact on data and networks, and eradicate cyber incidents before they escalate into full-blown crises.

Cloud Incident Response Strategy

A solid cloud incident response strategy should cover preparation, identification, containment, eradication, recovery, and lessons learnt.

1. Preparation

This stage is critical, and considerable effort should go into ensuring the organisation is as prepared as possible.

Some (non-exhaustive) questions to consider:

• What elements comprise your security infrastructure?

• Who is in your response team?

• Who are the decision makers?

• Do you need experts in Media, Legal, HR or IT Systems?

• Do you have reporting obligations to external authorities? If so, who will liaise with them and when?

• Do you have adequate internal skills, or do you need trusted partners to assist?

• Are you capable of capturing evidence for use in potential criminal or civil proceedings?

When developing incident response plans for cloud environments, a key first step for the incident response team is asset prioritisation. This means inventorying not just the critical assets but all systems, networks, servers and applications. The responders then baseline normal activity for these assets, using telemetry such as endpoint detection and response (EDR) data and cloud audit logs, so that deviations from the norm can be recognised later.

As with traditional incident response, the next step is to set up appropriate policies and standards for different situations: network access, login guidelines, use of strong passwords, file sharing, and access to email and other platforms. Planning how to manage the different types of cases and incidents involves ranking each possible event by priority, severity and organisational impact, and documenting for each one how it can be resolved, what remediation steps to take, and which tools to use.

Setting up a communication plan among all stakeholders involved is also important. This involves assigning responsibilities among individual contact persons, what form of communication to use, when they should be contacted and during which kinds of incidents.

2. Identification

A cloud environment will host millions of “events”, such as system log-ons, software updates, network connections established, and more. Most of these events will be normal behaviour for your environment.

It is important to be able to identify the events that are unauthorised or have an adverse impact on your systems and business. These are what we commonly call incidents. To detect them early, continuous and disciplined monitoring is required; it is monitoring that surfaces anomalies and potential security risks so they can be reported. Monitoring security events means constantly reviewing log files, error messages, intrusion detection systems and firewalls.

At the onset of an attack, identifying the root cause of the breach should be the main objective: who, what, when, where and how it happened. Work from the different entry points and sources of indicators, including user accounts, system and network administrators, the SIEM, and the underlying logs.

Alert and report the incident to the proper authority by raising an incident ticket. Classify the incident according to the defined incident types. Analyse and record the extent of the event, in particular the damage to the systems.
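The following is an added example, not code from the original article or from MyRepublic, showing what the identification step looks like when automated against the API-driven cloud ransomware TTPs described earlier (bulk deletion via the storage API, re-keying bucket encryption to an attacker-controlled KMS key, suspending versioning to remove the rollback path). The sample events are constructed for this example; their field names follow the CloudTrail record format (eventName, userIdentity.arn, requestParameters.bucketName), but the nested requestParameters for PutBucketEncryption are reproduced from memory and should be checked against your own records before reuse. The threshold and window values are illustrative tuning knobs, not recommendations.

```python
"""Detection pass over CloudTrail-style S3 events for cloud-ransomware indicators.
All events below are constructed for this example (not real log data)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(name, arn, bucket, minute, account="111111111111", **params):
    """Build one constructed CloudTrail-style record, trimmed to the fields used."""
    return {
        "eventTime": f"2024-03-01T10:{minute:02d}:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": arn},
        "recipientAccountId": account,
        "requestParameters": {"bucketName": bucket, **params},
    }


def _sse(key_arn):
    """requestParameters payload for PutBucketEncryption (shape assumed, see lead-in)."""
    return {"ServerSideEncryptionConfiguration": {"Rule": {
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": key_arn}}}}


APP_ROLE = "arn:aws:sts::111111111111:assumed-role/app-reader/i-0abc"
USER = "arn:aws:iam::111111111111:user/alice"      # assumed compromised credential
ADMIN = "arn:aws:iam::111111111111:user/bob"

SAMPLE_EVENTS = (
    # Normal: application role reading a few objects.
    [_ev("GetObject", APP_ROLE, "prod-data", m) for m in range(0, 10, 2)]
    # Benign: encryption set to a KMS key in our own account (must not alert).
    + [_ev("PutBucketEncryption", ADMIN, "logs", 1,
           **_sse("arn:aws:kms:ap-southeast-1:111111111111:key/1111-aaaa"))]
    # Suspicious: one principal deleting 30 objects within four minutes.
    + [_ev("DeleteObject", USER, "prod-data", 12 + i // 8) for i in range(30)]
    # Suspicious: default encryption switched to a key in a foreign account.
    + [_ev("PutBucketEncryption", ADMIN, "prod-data", 20,
           **_sse("arn:aws:kms:ap-southeast-1:999999999999:key/abcd-1234"))]
    # Suspicious: versioning suspended, which removes the rollback path.
    + [_ev("PutBucketVersioning", ADMIN, "prod-data", 21,
           VersioningConfiguration={"Status": "Suspended"})]
)


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events, delete_threshold=20, window=timedelta(minutes=5)):
    """Return findings as (rule, principal_arn, bucket) tuples, in time order."""
    findings = []
    deletes = defaultdict(list)  # (principal, bucket) -> timestamps in the window
    for ev in sorted(events, key=_ts):
        name = ev["eventName"]
        who = ev["userIdentity"]["arn"]
        params = ev.get("requestParameters", {})
        bucket = params.get("bucketName")
        if name in ("DeleteObject", "DeleteObjects"):
            # Sliding window: keep only deletes within `window` of the newest one.
            ts = deletes[(who, bucket)]
            ts.append(_ts(ev))
            while ts and ts[-1] - ts[0] > window:
                ts.pop(0)
            if len(ts) >= delete_threshold:
                findings.append(("bulk_delete", who, bucket))
                ts.clear()  # report once per burst, not on every further delete
        elif name == "PutBucketEncryption":
            rule = (params.get("ServerSideEncryptionConfiguration", {})
                    .get("Rule", {}).get("ApplyServerSideEncryptionByDefault", {}))
            key = rule.get("KMSMasterKeyID", "")
            # KMS key ARN layout: arn:aws:kms:<region>:<account>:key/<id>
            key_account = key.split(":")[4] if key.count(":") >= 5 else None
            if key_account and key_account != ev["recipientAccountId"]:
                findings.append(("foreign_kms_key", who, bucket))
        elif name == "PutBucketVersioning":
            if params.get("VersioningConfiguration", {}).get("Status") == "Suspended":
                findings.append(("versioning_suspended", who, bucket))
    return findings


if __name__ == "__main__":
    for rule, who, bucket in detect(SAMPLE_EVENTS):
        print(f"{rule:22s} {bucket:10s} {who}")
```

The three rules map onto the three cloud-native TTPs in the text: destruction through the API, encryption with a key the victim cannot use, and removal of the recovery path. Each finding names the principal and bucket, which is exactly the input the containment step below needs. In production the same logic would run over delivered CloudTrail data events (object-level events must be enabled explicitly) or inside the SIEM, with thresholds tuned against the baseline established during preparation.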

3. Containment

The essential focus of incident response is to contain the damage, eradicate all threats and restore all systems back online.

Part of containing the damage is ensuring the incident does not escalate further. This includes isolating the affected accounts, servers or networks from the rest of the environment, taking backups or snapshots of affected files and systems, and applying temporary fixes to anything damaged. Throughout, it is important to preserve all evidence and protect it from destruction.

Note that managing containment can be tricky as many stakeholders may be affected and certain efforts may even tip off the attackers that you are aware of their actions. As such, decision-makers need to be informed and empowered. Consideration must be given to balancing the risk of continuing normal operations with the actions required to mitigate the threat.

4. Eradication

Following Identification and Containment, there should be enough information to determine the root cause of the incident and how to best disrupt the attacker and remove them from your environment.

The priority is to neutralise and remove all threats, including malicious activity and content. Rather than cleaning a compromised system in place, consider rebuilding it completely (in the cloud, redeploying from a known-good image) to safeguard it from subsequent attacks, and rotate any credentials, keys and tokens the attacker may have obtained.

5. Recovery

Any affected cloud systems or platforms will need to be restored to proper working order following an incident. Examine any connected or related systems to ensure they are operating as normal with no signs of compromise.

Security professionals must coordinate these efforts with the business and operations teams to minimise disruption and maximise efficiency. Lastly, recovery requires establishing more sophisticated monitoring and detection techniques for combating future threats.

6. Lessons learnt/post-incident activity

This final step involves the assessment of the entire incident, i.e., how it was prepared for, managed and addressed. While many firms regrettably skip this process, it is absolutely essential to recognise your victories and failures during the entire process.

What did the organisation and stakeholders learn from this incident? Could the incident have been prevented? Was it handled correctly? Do we have the right people and resources to detect and manage such incidents in the future?

During this step, incident responders prepare briefings for the board, shareholders and reporting agencies where required, and suggest ways to train employees to be more cyber aware.

Systematic reflection highlights areas for sustainment and improvement for the future. This final step will serve as training, from which you are able to update your current incident response plan and the list of incidents you have already encountered.

To conclude, we ask: Is it possible to be secure without a security strategy?

Sure, but your security activities may not be aligned with your organisation’s strategic business outcomes, requiring a significant amount of time and money to rectify. A well-defined cloud security strategy can help your organisation avoid overspending or underspending on cloud security controls.

Download our MyRepublic Ignite white paper ‘Building a successful Cloud Security Strategy’ for a primer of cloud security for businesses adopting modern technologies.