Cloud adoption has skyrocketed over the past two decades, largely due to the numerous advantages it offers and how it has revolutionized the way organizations operate. However, it’s important to recognize that this technology also presents some complexities that require specialized skills to navigate effectively. Even though the cloud can introduce a new set of risks, it also presents an opportunity for organizations to strengthen their security measures and stay ahead of cybercriminals.
Although most organizations may already have an incident response (IR) plan in place, they may not be tracking the nuances associated with the cloud. Understanding these subtleties is critical to protecting your organization. Notably, the Unit 42 Cloud Threat Report, Volume 7 found that 5% of the security rules trigger 80% of the alerts, meaning a small set of risky behaviors repeatedly observed in cloud workloads is having major security implications.
Here are key considerations for your IR playbook, the most common cloud-based threats and how to best protect against them.
Cloud IR vs. Traditional IR
To start, it’s important to understand the key differences between traditional incident response, which happens on-premises, and cloud incident response. The biggest difference is the need for cloud expertise. There is still a large knowledge gap and we’re seeing a ‘cloud taboo’ of sorts, similar to the mysticism around the internet when it first came out. Many people are experiencing this same sentiment when it comes to the cloud. At the practitioner level, it is important to have a good understanding of what data sets to go after and where they are stored. In situations where the organization lacks comprehensive knowledge of its environment, it becomes essential for the practitioner to know the right questions to ask.
Previously, data was primarily stored on-premises with the infrastructure managed in-house, but it is now commonly stored in virtual "off-site" data centers, where infrastructure and resources are managed over the internet by third parties. As a result, if security recommendations are not followed and kept up to date, data may become more vulnerable to unauthorized access by threat actors. Additionally, given the vast scale and intricate nature of cloud networks, the probability of security incidents stemming from administrative errors or misconfigurations is significantly heightened. When we work with an organization to determine how we would approach the response, we typically go through a list of questions to determine what the environment is like. This includes asking about the type of security they have, the type of logging that is in place and what retention looks like. Understanding your environment and data sets, what they are and where they exist, is a crucial step to ensuring that it remains secure.
Considerations for securing your cloud environment
The cloud is highly configurable, but it can be overwhelming. Not many security features are on by default, especially when it comes to data preservation, logging and alert monitoring, which tend to be built in by design for many on-prem environments. However, the cloud is built to be flexible and to offer multiple options for consumers. All of these capabilities are there, but you have to go in and enable them.
The shared responsibility model can also be a source of guidance. Alongside the common assumption that cloud service platforms have built-in security, cloud providers make it very clear what they are and are not responsible for. Organizations can look to this as a rubric to determine what exact areas they are responsible for and then map back to solutions that help fill the gaps. Each organization has a certain level of responsibility for securing its environment. Using the same lens as you would on-prem, keep in mind that everything is at your disposal in the cloud.
Common cloud-based challenges
Cloud-based threats often come down to unpatched vulnerabilities. In a lot of the cases we receive and analyze at Unit 42, many of the accounts were either over-privileged or over-permissive, which often leaves the environment subject to authentication bypasses, denial of service, remote execution attacks and more. When credentials are shared between accounts, those accounts end up with excessive permissions, which facilitates unauthorized access to cloud environments. Ultimately, the threat actor is highly focused on gaining access in order to steal or destroy data.
While there are many cloud-native solutions available to confront the issue of ephemeral data, if organizations are not aware of this notion, then there is a great risk to the availability of data when the time comes for an investigation or review. Specifically, if logging is not enabled, it can be difficult to preserve data. Data preservation becomes even more important at the forensic level when it’s ideal to work on copies of the data in a containerized environment. Monitoring your alert handling tools is an important way to ensure that nothing falls through the cracks.
In the future, we’ll likely see the consolidation of security tools, more investment in processes and personnel and collaboration between organizations and cloud providers to improve security. In the long run, increased awareness and understanding will shape the future of cloud security. Should your organization experience a cloud-based incident, equip yourself with the best team to help respond. Unit 42’s Cloud Incident Response service can support digital forensics and response methods that are specifically designed for these types of incidents.
Bio:
Ashlie Blanca is a Consulting Director, Unit 42 at Palo Alto Networks and has deep experience as a cybercrime investigator. Ashlie joined Unit 42 in 2018 after four years with the analytics company Novetta, where she was an intrusion analyst assigned to the U.S. Department of State. Three years prior, Ashlie was a senior consultant at Booz Allen Hamilton, where she was a member of the firm’s Computer Incident Response Team (CIRT). In that position, she identified and responded to live alerts and user inquiries related to network-based intrusions, mishandling of personally identifiable/health information, and malware analysis. Ashlie received her bachelor’s degree in criminal justice from Radford University and a Master of Forensic Science in high-technology crime investigation from George Washington University.