As you’ve probably noticed, Digital forensics and incident response (DFIR) is a bit different in a cloud-based threat landscape. Attackers have adapted their tactics to use cloud technologies, and Incident Response (IR) teams need to do the same or risk being left flat-footed when responding to incidents that span multiple systems, users, regions, and cloud platforms
All this and more is detailed in a new SANS report, A SANS 2021 DFIR Cloud Report: Partly Cloudy with a Bunch of DFIR. Authors Domenica Crognale and Heather Mahalik call out several things that are different with DFIR in the cloud:
- Access is different – There is no physical access to media, and IR teams need to ensure that they have sufficient levels of access to gather the needed forensic evidence (snapshots, memory images, logs) from the various affected environments.
- Logging and tools are good, with caveats – The nice thing about DFIR in the cloud is that cloud services typically have robust logging available—if it’s configured properly! The authors note that native tools such as Amazon Detective and Azure Sentinel are quite good, but should not be expected to enable a complete and thorough forensic investigation on their own. That’s because attackers often do not limit their activities to just one platform, and so IR teams need to be ready to piece together evidence that spans many hosts, containers, user accounts, and cloud environments.
- Automate! – One of the reasons cloud computing took off was the ease with which application teams could automate provisioning, and the same promise is available to cloud-savvy DFIR teams. The report advises that IR teams set up automation to trigger evidence collection in the case of an incident.
There’s more in the report, including a description of common cloud-focused attacks, such as cryptomining malware with worming capability that takes advantage of container orchestration. The Uptycs Threat Research team analyzed this particular attack targeting Docker and Kubernetes systems in October.