Cloud incident response and forensics: What enterprises need to know

Performing cloud incident response and forensics requires a different approach. Expert Matt Pascucci outlines the steps enterprises should take with cloud service providers.

As the industry continues moving toward the cloud, security practitioners need to not only secure the cloud implementation, but also be able to perform incident response and forensics in it afterward. Many organizations are already using the cloud in one form or another and, depending on the service model -- infrastructure as a service (IaaS), software as a service or platform as a service -- will have to adapt their incident response and forensic investigation programs accordingly to encompass the cloud. This article reviews the concerns and benefits of performing cloud incident response and forensics.

Cloud incident response: Getting started

The first thing an organization needs to do when moving to a cloud service provider (CSP) is an assessment of what it has currently and how moving to the cloud will change its incident response and computer forensic programs. Performing these programs in the cloud is a new field and needs to be fully understood before making the transition. A key factor in this effort is determining the service model of every system that uses the cloud and where its data is stored; an organization that knows where its data lives can decide far more quickly how processes will be handled during an incident.

Also, many times an organization will make the transition to the cloud slowly and keep a presence in its local data center. It's with this hybrid architecture that an organization needs to be the most careful, since its current incident response and computer forensic tools weren't designed or implemented for the cloud. This can leave dark spots in your network and allow attacks to go unnoticed if you lack the capability to perform cloud forensics. For example, can the logs from a cloud system be shipped back to your on-premises log management storage? How will an organization handle intrusion prevention system inspection now that traffic between cloud instances never leaves the cloud? An architecture that's both in the cloud and tethered to the physical world can be dangerous if not thoroughly designed from this viewpoint.

Performing a gap analysis of how the existing incident response/forensic tools and processes are currently used in an organization and how they'll be used in the cloud is important. This will determine whether moving to the cloud causes any limitations in the processes, or potentially any improvements. Every change to the process needs to be explored to understand how it will work going forward. During this time a review of the CSP's roles and responsibilities within your cloud incident response and forensic process should be performed so the organization understands how to run within a cooperative model in the cloud.

CSP support and data management

Depending on your service model, CSP support will play a different role in your processes and should be known upfront before moving into the cloud. The CSP support team will become an active member of your incident response team and will need to know how to work within your runbook. These processes should be worked out before a migration is made and tested after the integration to verify the procedures on both sides. The further an organization gets from the IaaS service model, the less the provider will normally be responsible for; this is true with cloud incident response and forensic assessments as well. It's imperative to understand what each party is responsible for and how to go about the process before a true incident occurs.

Another factor to consider when performing cloud incident response and forensics is how to collect and preserve data during an incident. The chain of custody is important when doing this and will now include a third party assisting with the process. There's also a strong possibility the systems being utilized are part of shared infrastructure, and many of the log sources a business is used to having won't be available. For example, if there was a distributed denial-of-service attack against a website hosted in the public cloud, but the traffic is being sent through a shared load balancer, it might not be possible to receive NetFlow data in full because of the privacy concerns of the provider's other clients. There are times when the logs being requested aren't available, even in an IaaS model. As long as you have a piece of shared infrastructure inline, there's the possibility of losing logs and visibility.

Many CSPs offer extended security products or features that allow security services in the cloud to be as tight as possible. If the entire infrastructure is cloud-based, you essentially have all your systems with one provider to manage as needed. There's the option to freeze instances, disable their connections, or even quarantine virtual machines in a safe location for cloud incident response and forensic purposes.
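The quarantine-and-preserve step above, together with the chain-of-custody point from the previous paragraph, as an added example that is not from the article. It assumes an AWS EC2-style API (boto3 call names); the `FakeEC2` class is a constructed stand-in so the example runs offline, and the instance, volume and security group IDs are placeholders.

```python
import hashlib, json
from datetime import datetime, timezone

# Placeholder ID (not from the article) for a security group that has no
# ingress or egress rules; swapping an instance onto it isolates the VM.
QUARANTINE_SG = "sg-quarantine-placeholder"

class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client; only the calls used below."""
    def __init__(self):
        self.instances = {"i-0abc": {"groups": ["sg-web"], "volumes": ["vol-1", "vol-2"]}}
        self.snapshots, self.tags = [], {}
    def describe_instances(self, InstanceIds):
        inst = [{"InstanceId": i,
                 "SecurityGroups": [{"GroupId": g} for g in self.instances[i]["groups"]],
                 "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.instances[i]["volumes"]]}
                for i in InstanceIds]
        return {"Reservations": [{"Instances": inst}]}
    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["groups"] = list(Groups)
    def create_snapshot(self, VolumeId, Description):
        snap = {"SnapshotId": f"snap-{VolumeId}", "VolumeId": VolumeId, "Description": Description}
        self.snapshots.append(snap)
        return snap
    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags[r] = {t["Key"]: t["Value"] for t in Tags}

def quarantine_instance(ec2, instance_id, case_id, quarantine_sg=QUARANTINE_SG):
    """Isolate the VM, preserve its disks and return a chain-of-custody record."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]
    # 1. Cut the instance off first so nothing else leaves it (keep it running, not terminated).
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    # 2. Snapshot every attached volume so evidence survives autoscaling or decommissioning.
    snaps = [ec2.create_snapshot(VolumeId=m["Ebs"]["VolumeId"], Description=f"case {case_id}")
             for m in inst["BlockDeviceMappings"]]
    # 3. Tag instance and snapshots so they are recognisably under hold.
    ec2.create_tags(Resources=[instance_id] + [s["SnapshotId"] for s in snaps],
                    Tags=[{"Key": "IR-Case", "Value": case_id}, {"Key": "LegalHold", "Value": "true"}])
    record = {"case": case_id, "instance": instance_id, "time": datetime.now(timezone.utc).isoformat(),
              "original_security_groups": original_sgs, "snapshots": [s["SnapshotId"] for s in snaps]}
    # A hash over the record gives a tamper-evident entry for the custody log shared with the CSP.
    record["sha256"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record

if __name__ == "__main__":
    print(json.dumps(quarantine_instance(FakeEC2(), "i-0abc", "IR-0001"), indent=2))
```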

Cloud incident response and forensics: Questions to ask

When selecting a cloud provider/application that will offer good incident response and computer forensic frameworks, look for the following:

  • Open APIs that allow a company to reach into the CSP's offerings and tie directly into the business' existing products and services. This is especially important if the migration to the cloud is going to be in a hybrid state.
  • Determine how systems are logged and what types of logs are being stored. This changes with offerings, but will the CSP be able to give you this, or will you need a log management product in the cloud or a separate system to send logs to?
  • Review how the CSP and your security software deal with the elasticity of the cloud. When new systems are spun up, or even destroyed, how are logs, endpoint security and network security being handled? From an incident response and forensics standpoint these teams need to be aware of how these systems are moving and if their software can be deployed. Also, you need to know where the data went if the systems were decommissioned.
  • Determine if any of your current security services can be implemented in the cloud. How will you be performing IPS? Most times this is done on the network, but now in the cloud it's being done on the host level in many cases. Do you have virtual counterparts of what you're currently using on-premises in the cloud? This is important when running an investigation.
  • Will at any time your data, systems, applications and logs be moved to a different country? This has the potential to hold up an investigation if the privacy laws of that country restrict incident response and forensic teams from performing their work.
  • Review the CSP's SOC 2 reports and other compliance-related documentation beforehand. This will give you a good idea of what the CSP has in place and what gaps you'll have to fill in your cloud incident response and forensic processes.

There are benefits to performing cloud incident response and forensics; it's not all muddy. Organizations will see these benefits the most when they start moving fully into the cloud, but the service model does play a huge part. If a company were to move fully into the cloud in an IaaS model, it should first look at what CSPs have to offer from a security standpoint.
