Incident Response In The AWS Cloud

The Amazon Web Services (AWS) cloud works under a shared responsibility model, like all major cloud vendors. AWS secures the underlying infrastructure (security of the cloud), and customers are responsible for security in the cloud: their accounts and permissions, their network and data, and the application code they deploy.

There are several indicators that can signal a potential threat, including abnormal cloud resource utilization or billing activity. To ensure timely incident response, cloud customers need to continuously monitor their cloud environment. 

This could mean storing event log data, leveraging AWS security features, and adding third-party monitoring solutions if necessary. You should also create an incident response plan designed especially to respond to security events occurring within the AWS cloud.

AWS Security Incident Domains

Three domains exist within the organization's responsibility where security incidents can take place. The distinction between them lies mainly in the tools used to respond.

The three domains are:

Service Domain - incidents in the service domain affect a customer's AWS account, IAM permissions, billing, resource metadata and similar account-level concerns. A service domain event is one you respond to using AWS API mechanisms alone, or whose root cause lies in your resource permissions or configuration; it will usually have associated service-level logging.

Infrastructure Domain - incidents in the infrastructure domain involve network- or data-level activity: the data and processes on Amazon EC2 instances, the traffic to those instances within the VPC, and components such as containers. Responses to these events tend to involve restoring, acquiring or retrieving incident-related data for forensic purposes. That typically means interacting with the operating system of an instance and, in some cases, also using AWS API mechanisms.

Application Domain - incidents in this domain take place in the application code or software deployed onto the infrastructure or services. This domain must be part of your cloud threat detection and response runbooks, and may call for responses like those in the infrastructure domain. With a suitably designed application architecture, you can manage this domain with cloud tools, using automated deployment, recovery and forensics.

For each of these domains, consider the threat actors, external or internal, who could act against your resources, data or account. Use a risk framework to work out the specific risks to the organisation and prepare with those risks in mind.

Within the service domain, you aim to achieve your objectives solely with AWS APIs. Within the infrastructure domain, you may combine AWS APIs with digital forensics and incident response (DFIR) tooling that works at the level of an instance's operating system, run from a workstation such as an Amazon EC2 instance you have built specifically for IR.

Infrastructure domain investigations may involve acquiring disk blocks from an Amazon Elastic Block Store (Amazon EBS) volume, studying network packet captures, and/or analysing volatile memory captured from an instance. Ransomware is a rising threat, which makes a deliberate AWS backup strategy important.
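The service domain described above is the one where the evidence is the AWS API activity itself. The script below, an added example that is not part of the original article, triages a constructed CloudTrail log file body for the indicators a responder looks at first: root credential use, calls that reduce logging or key availability, calls that create new credentials for a different principal, and calls from outside an allow-list of known networks. The account ID, user names, key IDs, addresses and the KNOWN_NETWORKS allow-list are all assumptions made up for the example; the record field names are the ones CloudTrail uses.

```python
import ipaddress
import json

# Constructed allow-list of networks the organisation expects API calls from
# (an assumption for this example; substitute your own VPN/NAT ranges).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# API calls that reduce visibility or destroy evidence: always high priority.
DEFENSE_EVASION = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                   "DeleteFlowLogs", "DisableKey", "ScheduleKeyDeletion"}
# API calls that create a new way in; priority depends on who did it, for whom.
PERSISTENCE = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
               "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed CloudTrail log file body (real files are gzipped JSON with the same
# "Records" layout). Account ID, principals and addresses are made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2023-05-01T08:00:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    {"eventTime": "2023-05-01T08:00:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2023-05-01T08:01:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2023-05-01T08:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2023-05-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2023-05-01T09:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}},
]})


def _principal(record):
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _from_unknown_network(record):
    """True when the call came from an IP outside KNOWN_NETWORKS. Calls made by
    an AWS service on your behalf carry a DNS name (e.g. config.amazonaws.com) in
    sourceIPAddress; that does not parse as an address and is not flagged here."""
    try:
        addr = ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        return False
    return not any(addr in net for net in KNOWN_NETWORKS)


def triage_record(record):
    """Return a finding for one record, or None when nothing stands out."""
    name = record.get("eventName", "")
    reasons, severity = [], "LOW"

    def escalate(level, why):
        nonlocal severity
        reasons.append(why)
        if SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
            severity = level

    if record.get("userIdentity", {}).get("type") == "Root":
        escalate("HIGH", "root credentials used")
    if name in DEFENSE_EVASION:
        escalate("HIGH", f"{name} reduces logging or key availability")
    if name in PERSISTENCE:
        target = record.get("requestParameters", {}).get("userName")
        if target and target != _principal(record):
            escalate("HIGH", f"{name} for another principal ({target})")
        else:
            escalate("MEDIUM", f"{name} creates a new credential or permission")
    if _from_unknown_network(record):
        # Alone this only merits a low-priority look; combined with one of the
        # indicators above it makes the event high priority.
        escalate("HIGH" if reasons else "LOW", "source IP outside known networks")
    if not reasons:
        return None
    return {"eventTime": record.get("eventTime"), "eventName": name,
            "principal": _principal(record), "sourceIPAddress": record.get("sourceIPAddress"),
            "severity": severity, "reasons": reasons}


def triage(log_body):
    """Triage one CloudTrail log file body; highest severity first, then by time."""
    records = json.loads(log_body)["Records"]
    findings = [f for f in map(triage_record, records) if f]
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["eventTime"]))
    return findings
```

Calling triage(SAMPLE_CLOUDTRAIL) returns four findings: the CreateAccessKey for another user, the StopLogging call and the root console login rank HIGH, the GetCallerIdentity from an unknown network ranks LOW, and the two benign records (an internal DescribeInstances and a service-originated AssumeRole) produce nothing. In production the same function is pointed at the files CloudTrail delivers to S3, or at events forwarded to CloudWatch Logs.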

Indicators of AWS Security Events

Some security events may not rise to the level of incidents, but they can still be worth investigating. The following mechanisms help identify security-related events in your AWS environment.

Though not a complete list, consider these examples of potential indicators: 

Logs and Monitors - review AWS logs (including Amazon S3 access logs, AWS CloudTrail and VPC Flow Logs) and security monitoring services (including Amazon Detective, Amazon GuardDuty, Amazon Macie and AWS Security Hub). Use monitors such as Amazon CloudWatch alarms and Amazon Route 53 health checks. Also use Linux syslog, Windows event logs and any application-specific logs you generate in your own applications, forwarding them to Amazon CloudWatch Logs with the CloudWatch agent.

Billing Activity - an unexpected variation in billing activity could point to a security event. 

Threat Intelligence - if you subscribe to a third-party threat intelligence feed, you can correlate it with your other monitoring and logging tools to find possible indicators of events.

Point of Contact - developers, customers or other staff may be the ones who notice something unusual, so you need a well-publicised, well-known way for them to reach the security team, such as a contact email address, web form or ticketing system. If your organization deals with the public, you may also need a public-facing security contact mechanism.
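VPC Flow Logs are the infrastructure-domain counterpart of the indicators listed above: they record accepted and rejected traffic per network interface. The following is an added example, not code from the original article, that parses constructed default-format (version 2) flow log records and raises two alerts a responder would want to see: an internal instance sending an unusually large volume to a single external host, and an external host probing many ports on an instance. The account ID, interface ID, addresses, the 10.0.0.0/8 internal range and both thresholds are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Default (version 2) flow log record layout, in field order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample: one ENI's records for a 30-minute window. The account ID,
# interface ID and addresses are made up for this example.
SAMPLE_FLOW_LOG = "\n".join(
    ["version account-id interface-id srcaddr dstaddr srcport dstport protocol "
     "packets bytes start end action log-status",
     # a workload instance pushing ~620 MB to one external host over three windows
     "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.50 49152 443 6 150000 210000000 1683000000 1683000600 ACCEPT OK",
     "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.50 49153 443 6 148000 205000000 1683000600 1683001200 ACCEPT OK",
     "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.50 49154 443 6 149000 207000000 1683001200 1683001800 ACCEPT OK",
     # ordinary east-west traffic to an internal database
     "2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 50000 5432 6 900 120000 1683000000 1683000600 ACCEPT OK",
     # a window with no traffic: the address fields are '-', so there is nothing to parse
     "2 123456789012 eni-0a1b2c3d - - - - - - - 1683001800 1683002400 - NODATA"]
    # an external host probing twelve ports on the instance, all rejected by the security group
    + [f"2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 40000 {p} 6 1 44 1683000000 1683000600 REJECT OK"
       for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080)]
)


def parse_flow_logs(text):
    """Yield one dict per usable record; the header row, malformed rows and
    NODATA/SKIPDATA rows (which carry no addresses) are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def _internal(addr, nets):
    return any(ipaddress.ip_address(addr) in net for net in nets)


def detect(text, internal_nets=("10.0.0.0/8",), egress_threshold=500_000_000, scan_ports=10):
    """Two infrastructure-domain indicators derived from flow logs:
    - possible_exfiltration: an internal source sent >= egress_threshold bytes to one external host
    - port_scan: an external source was rejected on >= scan_ports distinct ports of one internal host
    The thresholds are assumptions; tune them to the baseline of your own workloads."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    egress = defaultdict(int)      # (src, dst) -> bytes accepted outbound
    rejected = defaultdict(set)    # (src, dst) -> distinct rejected destination ports
    for rec in parse_flow_logs(text):
        src_in, dst_in = _internal(rec["srcaddr"], nets), _internal(rec["dstaddr"], nets)
        if src_in and not dst_in and rec["action"] == "ACCEPT":
            egress[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
        elif not src_in and dst_in and rec["action"] == "REJECT":
            rejected[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    alerts = []
    for (src, dst), total in egress.items():
        if total >= egress_threshold:
            alerts.append({"type": "possible_exfiltration", "src": src, "dst": dst, "bytes": total})
    for (src, dst), ports in rejected.items():
        if len(ports) >= scan_ports:
            alerts.append({"type": "port_scan", "src": src, "dst": dst, "ports": sorted(ports)})
    return alerts
```

detect(SAMPLE_FLOW_LOG) returns one possible_exfiltration alert (10.0.1.15 to 203.0.113.50, 622,000,000 bytes) and one port_scan alert (198.51.100.23 against 10.0.1.15, twelve ports). The byte count is summed across capture windows because a single flow log record covers only one aggregation interval, so a slow exfiltration never exceeds a threshold applied per record. The same approach runs as a CloudWatch Logs Insights query or Athena query at scale; this script is the logic in a form you can test offline.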

AWS Security Hub is a service AWS provides for detection and automation. It gives you a comprehensive view of your high-priority security alerts and compliance status across AWS accounts in one place, adding visibility to such indicators.

AWS Security Hub is not a Security Information and Event Management (SIEM) product, and it does not retain log data. Instead, it aggregates, organizes and prioritizes security alerts, or findings, from multiple AWS services.

This gives security operations teams deeper insight when an event occurs. Security Hub also monitors the environment continuously with automated checks against the security standards your organization enables, such as the AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark.

AWS Security Incident Response Plan

Everyone who uses AWS in the organization should understand the security incident response procedures, and security staff should know how to react to security issues. Preparation and education are essential, but customers should also practise these skills through simulations to improve and iterate on their processes.

A successful incident response plan in the cloud should achieve the following:

  • Educate the security incident and operations response staff about cloud technologies and how the organization plans to use them.
  • Prepare the incident response team to detect and react to incidents in the cloud by enabling detective capabilities and granting the right level of access to the required tools and cloud services. Prepare the required runbooks, both automated and manual, to ensure consistent and reliable responses. Work with other teams to establish a baseline of normal operations, and use that baseline to notice deviations from it.
  • Simulate both expected and unexpected security events in the cloud to demonstrate how well you have prepared.
  • Iterate on the outcome of the simulations to reduce delays, scale your response, and further minimise risk.
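Two of the points above, preparing automated runbooks and exercising them in simulations, fit together naturally: a runbook written against the AWS API can be run against a stand-in client during a tabletop exercise. The code below is an added example, not from the original article, of a containment runbook for a compromised IAM user access key together with a simulated IAM and STS client. The method names and arguments follow boto3's IAM and STS clients (list_access_keys, update_access_key, put_user_policy, get_caller_identity), so the same function accepts real clients, but the FakeIAM and FakeSTS classes, the user names, key IDs, account ID and the "IR-Quarantine" policy name are assumptions constructed for the simulation.

```python
import json

# Explicit deny attached to the user while the investigation runs. A Deny wins
# over every Allow the user already holds, so nothing else about the user has to
# change (and nothing is deleted) until the responder removes the policy.
QUARANTINE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
})


class RunbookError(Exception):
    """Raised when the runbook refuses to act; a responder must decide manually."""


def contain_compromised_key(iam, sts, user_name, key_id):
    """Containment for a compromised IAM user access key; returns the steps taken.

    Keys are deactivated rather than deleted so the key ID stays searchable in
    CloudTrail and can be re-enabled if the report turns out to be wrong.
    `iam`/`sts` may be boto3.client("iam") / boto3.client("sts") or the fakes below."""
    caller_arn = sts.get_caller_identity()["Arn"]
    if caller_arn.endswith(f":user/{user_name}"):
        # Deactivating our own credentials mid-run would strand the response.
        raise RunbookError(f"refusing: {user_name} is the identity running this runbook ({caller_arn})")

    keys = {k["AccessKeyId"]: k["Status"]
            for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}
    if key_id not in keys:
        raise RunbookError(f"{key_id} is not a key of {user_name}; check the report before acting")

    steps = []
    for kid, status in keys.items():
        # Deactivate the reported key and any other active key: an attacker holding
        # one key commonly creates a second one for persistence.
        if status == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=kid, Status="Inactive")
            steps.append(f"deactivated {kid}" + ("" if kid == key_id else " (additional active key)"))
        elif kid == key_id:
            steps.append(f"{kid} already inactive")
    iam.put_user_policy(UserName=user_name, PolicyName="IR-Quarantine",
                        PolicyDocument=QUARANTINE_POLICY)
    steps.append("attached IR-Quarantine deny policy")
    return steps


class FakeIAM:
    """In-memory stand-in for the IAM client used in the simulation; records every call."""
    def __init__(self, keys_by_user):
        self.keys = {u: dict(k) for u, k in keys_by_user.items()}
        self.policies, self.calls = {}, []

    def list_access_keys(self, UserName):
        self.calls.append(("list_access_keys", UserName))
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys[UserName].items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", UserName, AccessKeyId, Status))
        self.keys[UserName][AccessKeyId] = Status

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.calls.append(("put_user_policy", UserName, PolicyName))
        self.policies[(UserName, PolicyName)] = json.loads(PolicyDocument)


class FakeSTS:
    """Stand-in for the STS client: reports a fixed caller identity."""
    def __init__(self, arn):
        self.arn = arn

    def get_caller_identity(self):
        return {"UserId": "AIDAEXAMPLE", "Account": "123456789012", "Arn": self.arn}


RESPONDER = "arn:aws:iam::123456789012:user/ir-responder"   # constructed identity


def simulate():
    """Tabletop scenario (constructed): ci-deploy's key ...001 is reported stolen and the
    user already has a second key; the runbook is executed as ir-responder."""
    iam = FakeIAM({"ci-deploy": {"AKIAEXAMPLE000000001": "Active",
                                 "AKIAEXAMPLE000000002": "Active"}})
    steps = contain_compromised_key(iam, FakeSTS(RESPONDER), "ci-deploy", "AKIAEXAMPLE000000001")
    return iam, steps
```

simulate() deactivates both keys and attaches the deny policy, and a second run reports the key as already inactive instead of acting again, so the runbook is safe to re-run. The two refusals (the runbook is being executed as the compromised user, or the key ID does not belong to the user) are the cases a tabletop exercise should cover deliberately, because they are where an automated response does damage or acts on bad information. Containment is only the first step; collecting CloudTrail evidence and deciding whether to rotate or delete the keys still follow from the manual part of the runbook.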

Conclusion

In this article, I covered the basics of incident response within the AWS cloud: 

  • Understanding the shared responsibility model and the three domains cloud customers are responsible for securing.
  • Monitoring for indicators of AWS security events, and establishing logging, monitoring, and threat intelligence processes as needed.
  • Developing and implementing an AWS security incident response plan designed to cover the unique security challenges posed by cloud environments.

I hope this will be of help as you gain a better understanding of developing, implementing, and maintaining incident response practices and processes within the AWS cloud.


__________________

Gilad David Mayaan is a strategic Consultant, technology writer and CEO of Agile SEO, a digital marketing agency focused on technology.

__________________

