Cloud storming: You need more than an umbrella to stay secure
Published: Feb 13, 2018
Author: Jason Scott
Cloud computing technology has revolutionized the way organizations provision their information technology (IT) infrastructure. Migration to cloud computing replaces much of the traditional IT hardware found in an organization's cloud-hosting facility with virtualized, remote and on-demand software services—configured for its specific needs. These services are often hosted by a third-party facility. As a result, the software and data from the organization's applications may be physically stored across multiple locations—and these could be anywhere in the world.
Although cloud-related digital forensics isn't new, one of the challenges investigative response firms face is getting timely access to the evidence at these third-party cloud-hosting facilities. Businesses utilizing these services are often not aware of the challenges that can arise and delay digital investigation efforts. When conducting digital forensics activities involving evidence in third-party cloud storage, there are three significant factors to consider: knowing what type of cloud-hosting service you have, being able to quickly access your stored data and having a mature cloud storage service provider on your side.
Know what type of cloud-hosting service you have
Regardless of the type of cloud-hosting service provider you choose, be familiar with the service contract—and who is responsible for what in terms of cybersecurity. Generally speaking, there are three categories of cloud-hosting service offerings:
- Infrastructure-as-a-Service (IaaS) providers manage networking, hardware and virtualization—the customer manages the software and data.
- Platform-as-a-Service (PaaS) providers manage networking, hardware, virtualization and operating systems—the customer still manages the data and applications.
- Software-as-a-Service (SaaS) providers manage it all on the customer’s behalf.
Make sure you can locate and access your data
Where are your systems, memory, logs and data stored in the cloud? More specifically, where is the cloud-hosting facility that houses your data located? Knowing where your data is stored can significantly reduce the time required to get investigative responders in a position to collect and preserve evidentiary data. Also, regular and accurate data and asset management, through tracking and accountability, enhances the speed and efficiency of locating and accessing the correct information during a cybersecurity incident.
Is physical access to the third-party cloud-hosting facility available for evidence collection? If a live image must be made of a physical system, can the investigative responder physically access the system in the cloud-hosting facility? Many third-party facilities don't allow direct access to physical servers under their custody and control.
If access is possible, can an image of the collected data be exported to a network share or storage device at the third-party cloud-hosting facility? If the digital investigation requires imaging a large system, possibly with a Network Attached Storage (NAS) device, finding a place for the forensically acquired information on the network can be a challenge. It's important to work with your cloud-hosting facility to understand how the forensic acquisition of a large amount of data within their cloud storage environment will occur.
If remote imaging is the only option for evidence acquisition, then understanding and testing the access and forensic imaging process with your third-party cloud-hosting facility becomes even more critical, as data outputs may still be needed from local storage. Working through this proactively may prevent delays in acquisition. We have witnessed first-hand that having to work through multiple authorizations to gain physical, or even logical, access to your stored data during an ongoing cybersecurity incident can introduce unnecessary delays.
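Whether the image is exported to a share at the hosting facility or pulled remotely, responders will want to prove the copy they analyse is the copy that was acquired. The block below is an added example, not code from the article or from Verizon, showing the usual practice of streaming hashes over an acquired image, writing them into a small manifest alongside provenance fields, and re-verifying the image after it has crossed a network share. The image file, case id, examiner and source description are all constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-GB image never has to fit in memory


def hash_image(path):
    """Return (sha256, md5) hex digests of a file, streamed in fixed-size chunks."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest()


def write_manifest(image_path, manifest_path, case_id, examiner, source):
    """Record acquisition hashes and provenance in a JSON manifest beside the image."""
    sha256, md5 = hash_image(image_path)
    manifest = {
        "case_id": case_id,          # hypothetical case identifier
        "examiner": examiner,        # who performed the acquisition
        "source": source,            # free-text description of what was imaged
        "image": Path(image_path).name,
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256,
        "md5": md5,
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """Re-hash a transferred image and compare it with the manifest; returns (ok, detail)."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual_size = os.path.getsize(image_path)
    if actual_size != expected["size_bytes"]:
        # a short read or truncated copy shows up here before any hashing is done
        return False, f"size mismatch: {actual_size} != {expected['size_bytes']}"
    sha256, md5 = hash_image(image_path)
    if sha256 != expected["sha256"]:
        return False, "sha256 mismatch"
    if md5 != expected["md5"]:
        return False, "md5 mismatch"
    return True, "hashes match manifest"


def demo():
    """Constructed end-to-end run: manifest at acquisition, copy across a 'share',
    verify the copy, then flip one byte to show that a damaged copy is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "acquired.dd"
        src.write_bytes(os.urandom(3 * CHUNK + 123))  # constructed stand-in for a raw image
        manifest = Path(tmp) / "acquired.dd.json"
        write_manifest(src, manifest,
                       case_id="CASE-EXAMPLE-001",
                       examiner="examiner@example.com",
                       source="hypothetical exported cloud VM volume")
        copy = Path(tmp) / "copy_on_share.dd"
        copy.write_bytes(src.read_bytes())
        ok, _ = verify_image(copy, manifest)
        data = bytearray(copy.read_bytes())
        data[CHUNK + 7] ^= 0x01          # simulate one corrupted byte in transit
        copy.write_bytes(data)
        tampered_ok, _ = verify_image(copy, manifest)
        return ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Keeping both digests mirrors what most acquisition tools emit, and checking the byte count first gives responders an immediate, cheap signal that an export was cut short before they spend time re-hashing a large volume. Dry-running this against the facility's actual export path, as the article advises, is what turns the procedure into something that works under incident pressure.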
Have a mature cloud-hosting provider on your side
With this in mind, review your cloud-hosting services agreement in terms of being able to gather evidence and information—systems, memory, logs and data—that you'll need for a forensic investigation. We've read solid agreements that prescribe compliance with customer requests, but fall apart under the intense demands and rapid responses required during a cybersecurity incident.
After reviewing your cloud-hosting services agreement, dry-run the cloud-hosting facility's ticketing system. These systems generally aren't designed to expedite forensic imaging of systems under the provider's care and control. Ask the cloud-hosting services provider to share their incident response plan and any FAQs describing how they'll respond to incidents and how they'll cooperate with customers during a cybersecurity incident.
It’s critical to ensure your cloud-hosting facility is aware that, in the event of a cybersecurity incident affecting your data at their location, you'll be requesting their cooperation. This is integral to accessing your data so that investigative responders can work as quickly and efficiently as possible. Remember, seasoned cloud-hosting service providers are mature in data privacy and security, and should be experienced in dealing with the aspects involving digital forensics and incident response.
An example of Cloud Storming—“The Acumulus Datum”
A scenario in the Verizon 2017 Data Breach Digest (DBD) illustrates why these precautions are so important. In this cloud-based digital forensics investigation, the victim organization had received customer complaints regarding their e-commerce website. Customers’ first attempts at payment initially failed; however, upon second attempt, the transactions would go through. An inspection of the web page found it to be fake. The victim organization quickly took it offline.
It turns out a low-cost cloud service provider hosted the data halfway across the globe—fortunately, we had investigative responders nearby. After finally getting to the data, we were able to determine the fake payment page was coded to upload credit card data in real time to an external IP address, and the second payment attempt processed the data legitimately. The story ended up having a happy ending, as the investigation revealed a flaw in the threat actor's code and no data was actually taken.
General recommendations for security in the cloud
Several additional prevention, mitigation, response and investigation recommendations for cloud-related data breaches and cybersecurity incidents are summarized as follows:
- Authenticate using multiple factors—at a minimum, implement two-factor authentication for access to all critical systems.
- Limit access to critical assets—restrict direct access to trusted users and IP addresses only.
- Make log data impactful—enable and centralize logging in a way that’s easy for investigative responders to access during a cybersecurity incident.
- Leverage incident response playbooks—create incident response playbooks for the most relevant data breach and other cybersecurity incidents for your industry and organization.
- Change admin passwords immediately—change local and network administrator passwords first in the event of a data breach.
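The first three recommendations (multi-factor authentication, access restricted to trusted users and addresses, and centralized logs responders can actually use) reinforce each other: centralized authentication logs only help if someone reviews them against the access policy. The block below is an added example, not code from the article or from Verizon, that runs that review over a constructed, simplified log format. The line format, the trusted network ranges and the set of privileged actions are all assumptions to be replaced with an organization's own.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumed trusted management ranges (constructed; substitute the organization's own).
TRUSTED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Assumed privileged actions that should only ever come from trusted sources with MFA.
PRIVILEGED_ACTIONS = {"admin_login", "ssh_root", "console_login"}

# Constructed centralized auth-log format: timestamp, host, user, action, source IP, MFA flag, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

# Constructed sample lines; the second is the kind of event the policy should surface.
SAMPLE_LOG = [
    "2018-02-01T03:12:44 host=web-01 user=deploy action=admin_login src=10.20.4.15 mfa=yes result=success",
    "2018-02-01T03:13:02 host=web-01 user=deploy action=admin_login src=198.51.100.77 mfa=no result=success",
    "2018-02-01T03:13:40 host=db-01 user=root action=ssh_root src=203.0.113.9 mfa=no result=success",
    "2018-02-01T03:14:10 host=web-01 user=alice action=app_login src=198.51.100.5 mfa=no result=success",
    "2018-02-01T03:15:00 host=web-01 user=deploy action=admin_login src=198.51.100.77 mfa=no result=failure",
    "garbage line that the collector mangled",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_trusted(src):
    """True if the source address falls inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def review(lines):
    """Return (kind, detail) findings for successful privileged access that violates policy.
    Unparseable lines are reported too: a responder needs to know what the collector dropped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line.strip()))
            continue
        if rec["action"] not in PRIVILEGED_ACTIONS or rec["result"] != "success":
            continue
        where = f"{rec['user']}@{rec['host']} from {rec['src']} at {rec['ts'].isoformat()}"
        if not is_trusted(rec["src"]):
            findings.append(("untrusted_source", where))
        if rec["mfa"] == "no":
            findings.append(("no_mfa", where))
    return findings


def summarize(findings):
    """Count findings by kind so the review can be triaged at a glance."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
    print(summarize(review(SAMPLE_LOG)))
```

Only successful privileged events are scored here; failures still belong in the centralized store, but separating them keeps the review focused on access that actually happened. Reporting lines the parser cannot read is deliberate, since a silent gap in the log is exactly what slows an investigation down.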
Verizon publishes an annual Data Breach Investigations Report with valuable statistics on the current threats in each industry. Verizon also publishes an annual Data Breach Digest (DBD) containing real-world scenarios of incidents investigated by the Verizon Threat Research Advisory Center investigative response team. The scenarios in the annual DBD can be used to explore current threats and recommendations and to build on your online safety training.
2017 Data Breach Digest Update: Cloud Storming: Forecasting whether systems are in the area
Read the 2017 Data Breach Digest Update for more information on cloud-related data breach mitigation and prevention as well as response and investigation considerations and recommendations.
About the author
Jason Scott holds a Juris Doctor degree, a Bachelor's Degree in Computer Science and has worked in the cybersecurity, information security, cyber law, and criminal prosecution of crimes involving electronic/digital evidence areas for over twenty years. Jason is a Senior Security Consultant working as part of the Verizon Threat Research Advisory Center investigative response team. As part of this team, Jason responds to cybersecurity incidents, including data breach and PCI incidents, provides incident response training along with tabletop simulation exercises and performs incident response capability assessments and plan reviews.