Article re-write

Module7Assignment.docx

What is an incident?

An incident is an unplanned interruption to an IT service or reduction in the quality of an IT service. Through some cloud tools we can track, monitor, analyze, and audit events. If these tools identify an event, which is analyzed and qualified as an incident, that “qualifying event” will raise an incident and trigger the incident management process and any appropriate response actions necessary to mitigate the incident.

Set up your AWS environment to prevent a security event

1. Preparation: The preparation step is critical. Train IR handlers to be able to respond to cloud-specific events. Ensure logging is enabled using Amazon Elastic Compute Cloud (Amazon EC2), AWS CloudTrail, and VPC Flow Logs; collect and aggregate the logs centrally for correlation and analysis; and use AWS Key Management Service (KMS) to encrypt sensitive data at rest. You should consider multiple AWS sub-accounts for isolation with AWS Organizations. With Organizations, you can create separate accounts along business lines or mission areas, which also limits the “blast radius” should a breach occur. For governance, you can apply policies to each of those sub-accounts from the AWS master account.

2. Identification: Also known as detection. Use behavior-based rules to identify and detect breaches or spills, or be notified about which user accounts and systems need “cleaning up.” Open a case with AWS Support so the findings can be cross-validated.

3. Containment: Use the AWS Command Line Interface (CLI) or software development kits for quick containment using pre-defined restrictive security groups. Save the current security group of the host or instance, then isolate the host using restrictive ingress and egress security group rules.

4. Investigation: Once isolated, determine and analyze the correlation, threat, and timeline.

5. Eradication: Securely wipe the affected files. Response times may be faster with automation. After the secure wipe, delete any KMS data keys, if used.

6. Recovery: Restore network access to original state.

7. Follow-up: Verify deletion of data keys (if KMS was used), cross-validate with Amazon Support, and report findings and response actions.
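The containment and recovery steps above (save the instance's current security groups, swap in a pre-defined restrictive group, later restore the original groups) as one worked example. This is added example code, not part of the original assignment or any AWS tooling. The boto3 EC2 client methods it calls (describe_instances, describe_security_groups, create_security_group, revoke_security_group_egress, modify_instance_attribute) are real, but the client object is injected so that the FakeEC2 stand-in below lets the logic run offline; the instance id, VPC id, group ids and case number are constructed placeholders.

```python
"""Containment (step 3) and recovery (step 6) of a suspected-compromised EC2
instance, with the state needed to undo containment kept in a record.

Added example; not from the original assignment. Pass a real boto3 EC2 client
(boto3.client("ec2")) in production; FakeEC2 is only for running this offline.
"""
import json
from dataclasses import dataclass


@dataclass
class ContainmentRecord:
    """Saved state needed to undo containment (keep this with the case file)."""
    instance_id: str
    original_groups: list
    quarantine_group: str
    case_number: str  # placeholder for the AWS Support case opened in step 2


def ensure_quarantine_group(ec2, vpc_id, name="ir-quarantine"):
    """Return a security group that allows no ingress and no egress.

    A new group has no ingress rules, but AWS adds an allow-all IPv4 egress rule
    by default, so that rule is revoked explicitly.
    """
    existing = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": [name]},
                 {"Name": "vpc-id", "Values": [vpc_id]}])["SecurityGroups"]
    if existing:
        return existing[0]["GroupId"]
    sg_id = ec2.create_security_group(
        GroupName=name, Description="IR isolation: no traffic", VpcId=vpc_id)["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    return sg_id


def contain_instance(ec2, instance_id, case_number):
    """Step 3: record the current groups first, then isolate the instance."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original = [g["GroupId"] for g in inst["SecurityGroups"]]
    quarantine = ensure_quarantine_group(ec2, inst["VpcId"])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine])
    return ContainmentRecord(instance_id, original, quarantine, case_number)


def restore_network_access(ec2, record):
    """Step 6: put the original security groups back and return them."""
    ec2.modify_instance_attribute(InstanceId=record.instance_id, Groups=record.original_groups)
    return record.original_groups


class FakeEC2:
    """Minimal offline stand-in that records calls; not a boto3 object."""

    def __init__(self, instance_id, vpc_id, groups):
        self.instances = {instance_id: {"VpcId": vpc_id, "Groups": list(groups)}}
        self.security_groups = {}  # group name -> group id
        self.calls = []

    def describe_instances(self, InstanceIds):
        iid = InstanceIds[0]
        inst = self.instances[iid]
        return {"Reservations": [{"Instances": [{
            "InstanceId": iid, "VpcId": inst["VpcId"],
            "SecurityGroups": [{"GroupId": g} for g in inst["Groups"]]}]}]}

    def describe_security_groups(self, Filters):
        name = Filters[0]["Values"][0]
        if name in self.security_groups:
            return {"SecurityGroups": [{"GroupId": self.security_groups[name]}]}
        return {"SecurityGroups": []}

    def create_security_group(self, GroupName, Description, VpcId):
        sg_id = f"sg-quarantine{len(self.security_groups):04d}"  # constructed id
        self.security_groups[GroupName] = sg_id
        self.calls.append(("create_security_group", sg_id))
        return {"GroupId": sg_id}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append(("revoke_security_group_egress", GroupId))

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["Groups"] = list(Groups)
        self.calls.append(("modify_instance_attribute", tuple(Groups)))


def demo():
    """Run containment, then recovery, against constructed instance data."""
    ec2 = FakeEC2("i-0123456789abcdef0", "vpc-0abc", ["sg-web", "sg-ssh-admin"])
    record = contain_instance(ec2, "i-0123456789abcdef0", case_number="CASE-PLACEHOLDER")
    isolated = list(ec2.instances["i-0123456789abcdef0"]["Groups"])
    restored = restore_network_access(ec2, record)
    return record, isolated, restored, ec2.calls


if __name__ == "__main__":
    rec, isolated, restored, calls = demo()
    print(json.dumps({"saved": rec.original_groups, "isolated": isolated, "restored": restored}))
```

The record returned by contain_instance is the piece to keep: recovery is only as reliable as the saved list of original groups, so store it alongside the support case rather than in the responder's shell history.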

Cloud computing gives people an avenue to share distributed resources and services that belong to different organizations or sites. This creates some safety concerns for organizations that utilize cloud computing applications. According to NIST, cloud computing is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” So apart from the obvious challenges for the cloud provider of building and maintaining the infrastructure required to support the service enhancements, some of the challenges faced by incident handlers include the following:

Identification of relevant data sources: It is not easy to determine which data sources are relevant for incident detection, especially for SaaS and PaaS.

Customer-specific logging: To give customers access to event sources, the CSP must implement concepts and mechanisms that ensure two goals: all relevant event information should be accessible, but one customer should not be able to view event information regarding other customers. These two goals may conflict for events that concern several customers at the same time.

Detection despite missing information about customer infrastructure/resources: This problem is most pronounced with IaaS, e.g., when providing intrusion detection for virtual machine images without knowledge of the installed OS, but it also occurs with PaaS, e.g., the problem of intrusion detection for web applications without knowledge about the application.
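The customer-specific logging challenge above (every relevant event visible to the customer, nothing visible about other customers, including for events that touch several customers at once) as an added worked example. This is example code written for this page, not from the original assignment or from any provider's logging service; the event records, the "cust-" identifier convention and the field names are constructed assumptions.

```python
"""Customer-scoped view over a shared provider event log.

Added example; not from the original assignment. One provider-side log holds
events for all customers. scoped_view() gives one customer every event that
concerns it while replacing other customers' identifiers with a salted one-way
token, so the customer can still see how many parties a shared event affected
without learning who they were. leaks() is the check that the view is clean.
"""
import copy
import hashlib
import json

# Constructed sample events from a hypothetical shared service (not real logs).
EVENTS = [
    {"id": "e1", "time": "2024-05-01T10:00:00Z", "type": "ConsoleLogin",
     "customers": ["cust-a"], "detail": {"user": "alice", "result": "Failure"}},
    {"id": "e2", "time": "2024-05-01T10:01:00Z", "type": "ConsoleLogin",
     "customers": ["cust-b"], "detail": {"user": "bob", "result": "Success"}},
    {"id": "e3", "time": "2024-05-01T10:05:00Z", "type": "NoisyNeighborThrottle",
     "customers": ["cust-a", "cust-b", "cust-c"],
     "detail": {"host": "shared-node-17", "throttled": ["cust-a", "cust-b", "cust-c"]}},
]

ALL_CUSTOMERS = ["cust-a", "cust-b", "cust-c"]


def _is_customer_id(value):
    """Assumed convention for this example: customer ids start with 'cust-'."""
    return isinstance(value, str) and value.startswith("cust-")


def scrub(value, customer, token):
    """Recursively replace every customer id other than `customer` with a token."""
    if isinstance(value, dict):
        return {k: scrub(v, customer, token) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v, customer, token) for v in value]
    if _is_customer_id(value) and value != customer:
        return token(value)
    return value


def scoped_view(events, customer, salt=b"per-deployment-secret"):
    """Return the events relevant to `customer` with other customers removed."""
    def token(other):
        # Salted so a customer cannot brute-force peer ids from the token.
        return "peer-" + hashlib.sha256(salt + other.encode()).hexdigest()[:8]

    view = []
    for ev in events:
        if customer not in ev["customers"]:
            continue  # not this customer's event: it must stay invisible
        out = copy.deepcopy(ev)
        out["customers"] = [customer]
        out["other_parties"] = len(ev["customers"]) - 1  # count only, no identities
        out["detail"] = scrub(out["detail"], customer, token)
        view.append(out)
    return view


def leaks(view, customer, all_customers):
    """Return ids of other customers that appear anywhere in `view` (should be empty)."""
    blob = json.dumps(view)
    return sorted(c for c in all_customers if c != customer and c in blob)


if __name__ == "__main__":
    for cust in ALL_CUSTOMERS:
        v = scoped_view(EVENTS, cust)
        print(cust, [e["id"] for e in v], "leaks:", leaks(v, cust, ALL_CUSTOMERS))
```

The design choice worth noting is that the multi-customer event is neither dropped (which would hide relevant information from the affected customer) nor passed through unchanged (which would expose the other customers); the identities are stripped while the fact that others were affected is kept.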

Possible approaches to managing the challenges

Provision of technical information about infrastructure: When entering into a cloud-sourcing relationship, cloud customers should have at least some basic understanding of the CSP's infrastructure such that in case of a security incident.

Access to relevant data sources: Where the data relevant for incident analysis is considered at the customer side, the CSP can analyze the data according to the questions of the customer's CSIRT and provide the customer with the analysis results.

Interface to forensic use of virtualization technology: For IaaS, virtualization allows novel methods of carrying out forensic analysis which should be made available to IaaS customers.

Access to CSP incident handling capability: The CSP's incident handling capability must have clear responsibilities regarding co-operation in the analysis of security incidents, which should also be described in the SLA.