March 1, 2023
While the goal of most infosec professionals is to prevent data breaches and security incidents, the daily headlines about major hacks prove that no one is completely safe. If — or perhaps we should say “when” — you are breached, one of the first steps is to perform digital forensics to help locate the attack vector, identify compromised systems, and determine what data was stolen.
Cloud environments further complicate the digital forensics process, especially in an increasingly multi-cloud world, where multi-tenant hosting environments and hybrid IT infrastructure are more and more common.
Preparing a cloud forensics protocol can help your organization reduce the overall cost of a security investigation and disclosure, quickly figure out how the attacker gained access, restore system operations faster, and even garner discounts on any cyberinsurance you may have.
For a forensics examiner or your IT security officer, there are several key questions when it comes to collecting information about a cloud breach:
The cloud forensics process can be part of your business continuity plan, your disaster recovery plan, or your cybersecurity plan. It can also be a standalone document referenced within these other processes.
If tightly integrated with BC/DR or cybersecurity measures, your digital forensics plan can rely on existing monitoring tools to collect evidence before and during a breach. In addition to log examination, regular snapshot backups or disaster recovery versioning can help identify when and where data was accessed, as well as restore a functional environment if your infrastructure was disabled during the attack. Object-level monitoring and auditing, together with strong access controls, are other areas you should include in your forensics plan.
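The paragraph above describes the evidence sources a forensics plan should lean on: object-level audit logs to establish when and where data was accessed, and snapshot history to pick a restore point. The script below is an added example, not code from the original article, showing how those two sources are combined in a first triage pass. The audit-log schema (one JSON event per line with `time`, `principal`, `action`, `object`, `source_ip`), the snapshot list, and the trusted address range are all constructed assumptions; real cloud providers publish their own log formats, so the field names would need to be mapped accordingly.

```python
"""Triage object-level audit events against snapshot history.

Added example. The audit-log schema, sample events, snapshot times and
trusted network range below are constructed for illustration and do not
correspond to any particular cloud provider's format.
"""
import ipaddress
import json
from datetime import datetime

# Constructed sample: object-level audit events, one JSON document per line.
SAMPLE_AUDIT_LOG = """\
{"time": "2023-02-27T09:15:02Z", "principal": "svc-billing", "action": "GetObject", "object": "invoices/2023-02.csv", "source_ip": "10.0.4.12"}
{"time": "2023-02-27T22:41:10Z", "principal": "svc-billing", "action": "ListBucket", "object": "", "source_ip": "203.0.113.7"}
{"time": "2023-02-27T22:41:31Z", "principal": "svc-billing", "action": "GetObject", "object": "customers/export.csv", "source_ip": "203.0.113.7"}
{"time": "2023-02-27T22:42:05Z", "principal": "svc-billing", "action": "GetObject", "object": "invoices/2023-02.csv", "source_ip": "203.0.113.7"}
{"time": "2023-02-28T08:02:44Z", "principal": "alice", "action": "PutObject", "object": "reports/q1.docx", "source_ip": "10.0.4.30"}
"""

# Constructed snapshot history: snapshot id -> UTC time the snapshot was taken.
SAMPLE_SNAPSHOTS = {
    "snap-0226": "2023-02-26T03:00:00Z",
    "snap-0227": "2023-02-27T03:00:00Z",
    "snap-0228": "2023-02-28T03:00:00Z",
}

# Assumed corporate address space; any other source address is treated as suspect.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Actions that actually touch object contents (a listing exposes names, not data).
DATA_ACTIONS = {"GetObject", "PutObject", "DeleteObject"}


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_events(text):
    """Parse one JSON audit event per line; return events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["time"] = parse_time(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def is_trusted(ip):
    """True if the source address falls inside an assumed trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspect_events(events):
    """Events originating outside the trusted networks."""
    return [e for e in events if not is_trusted(e["source_ip"])]


def first_suspect_time(suspect_events):
    """Earliest suspect event, i.e. the start of the window under investigation."""
    return min((e["time"] for e in suspect_events), default=None)


def exposed_objects(suspect_events):
    """Objects whose contents were read or modified by suspect events."""
    return {e["object"] for e in suspect_events
            if e["object"] and e["action"] in DATA_ACTIONS}


def timeline(events, principal):
    """Chronological (time, action, object, source_ip) tuples for one principal."""
    return [(e["time"].isoformat(), e["action"], e["object"], e["source_ip"])
            for e in events if e["principal"] == principal]


def last_clean_snapshot(snapshots, cutoff):
    """Most recent snapshot taken strictly before the first suspect event."""
    clean = [(parse_time(t), sid) for sid, t in snapshots.items() if parse_time(t) < cutoff]
    return max(clean)[1] if clean else None


if __name__ == "__main__":
    events = parse_events(SAMPLE_AUDIT_LOG)
    suspect = find_suspect_events(events)
    start = first_suspect_time(suspect)
    print("first suspect access:", start)
    print("objects exposed:", sorted(exposed_objects(suspect)))
    print("restore from:", last_clean_snapshot(SAMPLE_SNAPSHOTS, start))
    for row in timeline(events, "svc-billing"):
        print(row)
```

Run stand-alone, the script reports the first out-of-network access, the objects it touched, and the last snapshot taken before it (the candidate restore point). Note that the snapshot chosen is the one before the first *observed* suspect event; if the audit trail has gaps, treat that choice as a lower bound and go one snapshot further back.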
Your plan should address responses from your technical team, your organization outside IT (like executives and any involved departments), and legal representation.
The technical aspects include your information security officers, who will handle the investigation, as well as your remaining IT staff, who can assist in technical support during the process. Depending on the scale of your organization, you may also want to have specific incident officers in charge of specific security breaches, like those related to unauthorized access, data loss, compliance standards like HIPAA, client confidentiality, malware/viruses, insider attacks, DDoS, and so forth.
Legal staffers or outside counsel should be familiar with specific jurisdictions and rulings on cloud computing and data management in general. They can advise on whether your investigations may have additional legal ramifications.
The jurisdiction question is an interesting one in particular, with some organizations recently forgoing United States based cloud providers because of those providers' readiness to cooperate with law enforcement and intelligence requests. In other words, the fear of being spied upon is real. Local, regional, and national jurisdictions come into play when you are trying to determine what constitutes legal access to data and what does not, or whether you can legally compel a provider to release data to you. Many providers have cloud servers scattered across facilities in different states or even different countries.
Finally, in some cases, especially with smaller organizations, a third party security firm may be retained to assist with e-discovery or to investigate an external chain of connections with additional service providers or contractors.