Be Prepared for a Breach with a Cloud Forensics Protocol
While the goal of most infosec professionals is ostensibly to prevent data breaches and security incidents, the daily headlines about major hacks prove that no one is completely safe. If — or perhaps we should say “when” — you are breached, one of the first steps is to perform digital forensics to help locate the attack vector, identify compromised systems, and tag any stolen data.
Cloud environments further complicate the digital forensics process, especially in an increasingly multi-cloud world, where multi-tenant hosting environments and hybrid IT infrastructure are more and more common.
Preparing a cloud forensics protocol can help your organization reduce the overall cost of a security investigation and disclosure, quickly figure out how the attacker gained access, restore system operations faster, and even garner discounts on any cyberinsurance you may have.
The Essential Questions
For a forensics examiner or your IT security officer, there are several key questions when it comes to collecting information about a cloud breach:
- Do you have the ability to collect the data yourself, or do you need permission or third-party tools?
- What jurisdiction does the data fall under?
- Can you legally force a service provider to disclose data?
Preparing Digital Forensics for Your Cloud
The cloud forensics process can be part of your business continuity plan, your disaster recovery plan, or your cybersecurity plan. It can also be a standalone document referenced within these other processes.
If tightly integrated with BC/DR or cybersecurity measures, your digital forensics plan can rely on existing monitoring tools to collect evidence before and during a breach. In addition to log examination, regular snapshot backups or disaster recovery versioning can help identify when and where data was accessed, as well as restore a functional environment if your infrastructure was disabled during the attack. Object-level monitoring and auditing and strong access controls are other areas you should include in your forensics plan.
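As an added illustration of how object-level audit logs and a snapshot schedule combine during an investigation (example code written for this article, not a tool from any cloud provider), the script below takes constructed audit records in an assumed pipe-delimited format, finds the first access by a principal outside the approved set, brackets it between the last snapshot taken before it and the first taken after it, and hashes the raw log for chain of custody. The log format, principals, object keys and snapshot times are all made up for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample object-access audit records (not from any real provider).
# Format assumed here: ISO-8601 UTC timestamp | principal | action | object key
AUDIT_LOG = """\
2024-03-01T08:00:12Z|svc-backup|GetObject|customers/export.csv
2024-03-01T09:15:40Z|alice@corp|PutObject|customers/export.csv
2024-03-01T22:41:03Z|unknown-key-7f|ListBucket|customers/
2024-03-01T22:41:09Z|unknown-key-7f|GetObject|customers/export.csv
2024-03-02T01:10:55Z|svc-backup|GetObject|customers/export.csv
"""
# Constructed daily snapshot schedule (UTC) and the approved principal set.
SNAPSHOTS = ["2024-02-29T23:00:00Z", "2024-03-01T23:00:00Z", "2024-03-02T23:00:00Z"]
AUTHORIZED = {"svc-backup", "alice@corp"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Turn raw audit lines into sorted (timestamp, principal, action, obj) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, who, action, obj = line.split("|")
            events.append((parse_ts(ts), who, action, obj))
    return sorted(events)

def unauthorized_events(events, authorized):
    """Accesses by principals outside the approved set, oldest first."""
    return [e for e in events if e[1] not in authorized]

def bracketing_snapshots(ts, snapshots):
    """Last snapshot at or before ts (candidate known-good image) and first
    snapshot after it (earliest image that may already carry attacker changes)."""
    times = sorted(parse_ts(s) for s in snapshots)
    before = [t for t in times if t <= ts]
    after = [t for t in times if t > ts]
    return (before[-1] if before else None, after[0] if after else None)

def evidence_digest(text):
    """SHA-256 of the raw log text, recorded at collection time for chain of custody."""
    return hashlib.sha256(text.encode()).hexdigest()

def investigate(log_text=AUDIT_LOG, snapshots=SNAPSHOTS, authorized=AUTHORIZED):
    suspicious = unauthorized_events(parse_log(log_text), authorized)
    first = suspicious[0] if suspicious else None
    clean, tainted = bracketing_snapshots(first[0], snapshots) if first else (None, None)
    return {"first_unauthorized": first, "last_clean_snapshot": clean,
            "first_tainted_snapshot": tainted,
            "objects_touched": sorted({e[3] for e in suspicious}),
            "log_sha256": evidence_digest(log_text)}
```

Running `investigate()` on the constructed data points at the 2024-02-29 snapshot as the restore candidate and flags the 2024-03-01 image as already post-intrusion.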
Your plan should address responses from your technical team, your organization outside IT (like executives and any involved departments), and legal representation.
The technical aspects include your information security officers, who will handle the investigation, as well as your remaining IT staff, who can assist in technical support during the process. Depending on the scale of your organization, you may also want to have specific incident officers in charge of specific security breaches, like those related to unauthorized access, data loss, compliance standards like HIPAA, client confidentiality, malware/viruses, insider attacks, DDoS, and so forth.
Legal staffers or outside counsel should be familiar with specific jurisdictions and rulings on cloud computing and data management in general. They can advise on whether your investigations may have additional legal ramifications.
The jurisdiction question is a particularly interesting one, with some organizations recently forgoing United States based cloud providers due to their penchant for working with law enforcement and covert operations. In other words, the fear of being spied upon is real. Local, regional, and national jurisdictions can all come into play when you are trying to determine what is legal access to data and what is not, or whether you can legally compel a provider to release data to you. Many providers have cloud servers scattered across a variety of facilities in different states or even different countries.
Finally, in some cases, especially with smaller organizations, a third-party security firm may be retained to assist with e-discovery or with investigating an external chain of connections involving additional service providers or contractors.
Working with Your Service Provider
Your Service Level Agreement should have specific clauses around data ownership, security, and multi-tenancy, especially around the service provided, the access and techniques allowed during a security breach, the responsibilities of the CSP and the customer during a forensic investigation, confidentiality of customer data (both yours and other tenants'), privacy policies, and any legal regulations that may apply. For example, you may own the data hosted in the cloud, but the associated metadata may not legally belong to your company, and might require a different method to acquire from the CSP.
Many cloud service providers have business and technical relationships with, and rely on, other telecommunications organizations or even other CSPs. This further complicates the collection of digital forensics, so be certain to understand the layers of your cloud infrastructure before a breach occurs so you can quickly respond, contact the involved parties, and begin digging for clues.
The three tenets of cloud forensics are Prepare, Partner, and Practice. Document and plan for a security incident before it occurs, so you are ready to move fast if it does. Partner with your CSP, other involved parties, and third-party experts ahead of time to fill any gaps in your expertise. And finally, practice your plan with simulated breaches or regular meetings to make sure it upholds the latest security standards and functions as expected.