Cloud incidents are increasing and require specific investigation methods focused on cloud assets, identities, and configurations rather than traditional endpoints. Unit 42’s recommended response process includes the following steps:
Scope and Mindset for Cloud Investigations
- 29% of incidents in 2024 involved cloud or SaaS environments.
- Cloud investigations prioritize identities, misconfigurations, and service interactions.
Step 1: Triage and Scoping
- Establish event timeline and detect abnormal activity.
- Identify affected assets (VMs, IAM, storage, containers).
- Address logging gaps—enable and retain logs for at least 90 days.
Step 2: Evidence Collection
- Collect audit/resource logs, VM/container snapshots.
- Capture volatile artifacts quickly as cloud environments are ephemeral.
Step 3: Identity and Role Forensics
- Investigate IAM settings, login patterns, escalation attempts.
- Watch for identity hopping and privilege misuse.
Step 4: Lateral Movement and Persistence
- Detect movement across regions/services using existing credentials.
- Use behavioral baselining to spot anomalies, not just failed logins.
Step 5: Containment, Eradication, Recovery
- Contain compromised assets quickly without alerting attackers.
- Remove persistence, rotate credentials, and validate remediation.
- Restore operations, patch vulnerabilities, and monitor for follow-up attacks.
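As an added example (not from the Unit 42 post), the Step 3 and Step 4 checks above expressed as detection logic over constructed CloudTrail-style events: a per-identity baseline of regions and services, off-baseline activity flagged against it, and role chaining (an already-assumed role calling AssumeRole again) as the identity-hopping signal. The account ID, ARNs and events are constructed sample data; only the field names (userIdentity, awsRegion, eventSource, eventName, requestParameters.roleArn) follow CloudTrail's layout.

```python
from collections import defaultdict

def ev(arn, typ, region, source, name, role=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"userIdentity": {"arn": arn, "type": typ}, "awsRegion": region,
            "eventSource": source, "eventName": name,
            "requestParameters": {"roleArn": role} if role else {}}

ALICE = "arn:aws:iam::111122223333:user/alice"
CI = "arn:aws:sts::111122223333:assumed-role/Deploy/ci-session"
ADMIN = "arn:aws:sts::111122223333:assumed-role/Admin/ci-session"

# Constructed: normal history for each identity (what it does, and where).
HISTORY = [
    ev(ALICE, "IAMUser", "us-east-1", "s3.amazonaws.com", "GetObject"),
    ev(ALICE, "IAMUser", "us-east-1", "ec2.amazonaws.com", "DescribeInstances"),
    ev(CI, "AssumedRole", "us-east-1", "ecs.amazonaws.com", "UpdateService"),
]
# Constructed: events from the incident window under investigation.
INCIDENT = [
    ev(ALICE, "IAMUser", "us-east-1", "s3.amazonaws.com", "GetObject"),
    ev(ALICE, "IAMUser", "ap-southeast-1", "ec2.amazonaws.com", "RunInstances"),
    ev(CI, "AssumedRole", "us-east-1", "sts.amazonaws.com", "AssumeRole",
       role="arn:aws:iam::111122223333:role/Admin"),
    ev(ADMIN, "AssumedRole", "eu-west-1", "iam.amazonaws.com", "CreateAccessKey"),
]

def build_baseline(events):
    """Per identity, the set of (region, service) pairs seen in normal history."""
    seen = defaultdict(set)
    for e in events:
        seen[e["userIdentity"]["arn"]].add((e["awsRegion"], e["eventSource"]))
    return seen

def baseline_anomalies(events, baseline):
    """Known identity in a never-before-used region/service, or identity with no history at all."""
    out = []
    for e in events:
        arn, pair = e["userIdentity"]["arn"], (e["awsRegion"], e["eventSource"])
        if pair not in baseline.get(arn, set()):
            out.append((arn, e["awsRegion"], e["eventName"]))
    return out

def role_chaining(events):
    """Identity hopping: a session that is already an assumed role calls AssumeRole again."""
    return [(e["userIdentity"]["arn"], e["requestParameters"]["roleArn"]) for e in events
            if e["eventName"] == "AssumeRole" and e["userIdentity"]["type"] == "AssumedRole"]
```

A successful login from a new region is only a lead; the role-chaining hit plus the fresh Admin session creating an access key in a third region is the chain an analyst would pivot on first.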
Recommendations
- Centralize logs, develop IR playbooks, and prepare forensic sandboxes.
- Institutionalize lessons learned to improve future incident response.
- Adopt zero trust principles and use specialized security assessments and retainers for support.
https://unit42.paloaltonetworks.com/responding-to-cloud-incidents/
