I occasionally come across a view that by shifting workloads into a public cloud, organizations no longer require digital forensics and incident response, especially when consuming software as a service. In my experience, three primary factors contribute to this misconception:
A lack of understanding of the shared responsibility model.
A belief that ephemeral computing and auto-scaling destroy forensic data.
A belief that terminating a compromised resource and provisioning a new one contains an incident.
Let us review the shared responsibility model and look at common attack patterns to clarify this topic.
Shared Responsibility Model
Security is a shared responsibility between a cloud vendor and the customer. The cloud vendor is responsible for the security of the cloud, whereas the customer assumes responsibility for the resources they provision and control. The customer responsibility shifts depending on the provisioned resources and the consumption model; that is:
It is true that by migrating workloads to a public cloud, a customer inherits security controls provided by the cloud vendor; for example, the security of the physical network and the virtualization layer. However, the shared responsibility model also includes shared controls and customer-specific controls.
In the shared controls layer, customer responsibilities may include patching or configuration management. In contrast, customer-specific controls are the sole responsibility of the customer and may include controls such as identity and access control.
Even with the SaaS consumption model, security is easier said than done. No matter of the consumption model, the customer is always responsible for the following:
Identity and access management
Moreover, with the PaaS and SaaS models, customers are responsible for securing the resources that they provision and control.
A Brief Look at Cloud Compromises
Cloud compromises have become so prevalent that MITRE released a cloud-specific version of its ATT&CK framework. An interesting observation about the Initial Access tactic in the framework is that it describes techniques that adversaries leverage to target end-users, exploit trust relationships with external entities, and exploit vulnerabilities in public-facing applications. Furthermore, another common reason for cloud compromises is misconfigured services and unsecured resources exposed to the Internet.
For example, adversaries often target users that possess API keys and other credentials to cloud resources and use those credentials to pivot to the public cloud. Thus, the initial access and foothold often occur in the user environment. According to the shared responsibility model, the customer is responsible for securing their on-premises environments and users with access to the public cloud. In simple terms, regardless of a cloud deployment model, the customer owns the security of their organization.
Do We Still Need Incident Response?
The answer is absolutely yes. Cloud customers still need digital forensics and incident response capabilities to respond to incidents that involve:
Compromises of systems hosted on-premises, including those systems that connect to the public cloud.
Compromises of end-users, including end-user devices and identities.
Compromises of cloud resources provisioned and controlled by the customer, such as cloud identities, virtual servers, and data.
Cloud vendors often provide cloud-based security capabilities to facilitate incident response, such as logging and monitoring services that provide a rich data-set to incident responders. However, they do not investigate compromises of resources controlled by the customer unless the compromise directly affects the security of the cloud itself.
Moreover, in addition to digital forensics and incident response, organizations still require capabilities, such as malware analysis, cyber threat intelligence (CTI), and containment and eradication expertise. However, what has changed is that organizations need to augment traditional incident response skills with knowledge of cloud-specific technologies, audit capabilities, and resources.
Incident Response in Cloud Environments
Incident response in cloud computing environments typically combines traditional forensic methods with methods and tools native to a specific cloud computing environment. As part of their service catalog, cloud computing vendors often offer logging and monitoring services that provide rich data-sets to incident responders. This data can range from events associated with programmatic access to services to alert notifications of suspicious activities.
Forensic acquisition of digital evidence in cloud computing environments varies from vendor to vendor. Furthermore, the type of data that incident responders can acquire depends on the provisioned services. For example, if an enterprise provisions compute resources leveraging the IaaS model, forensic analysts may be able to acquire snapshots of virtual machines of interest if the vendor provides such functionality. With the PaaS and SaaS models, incident responders may be able to acquire only application event logs and forensic data specific to the cloud. With SaaS services, customers typically have access to application access logs only. However, with SaaS compromises, the initial access and foothold occur in the on-premises environment before the attacker accesses a SaaS application with the stolen credentials.
It is accurate to say that by migrating workloads to a public cloud, a customer inherits security controls provided by the cloud vendor. However, the customer is still responsible for the security of their users, on-premises environments that connect to the public cloud, data, and the cloud resources that they control. When an attacker compromises any of those components, incident response is indispensable in addressing the aftermath of the attack and preventing further damage. Consequently, organizations still need resources and capabilities, such as digital forensics, malware analysis, threat intelligence, and incident management, to prevent compromises from progressing into large-scale incidents.