Detecting & Investigating threats in Cloud environments.

Posted on May 15, 2024


CyberUK this year kicked off with a narrative of tales of woe from across industry and the public sector in the face of the ever-increasing pace of innovation from threats to digital environments. With a forward view dominated by the impact of AI (Artificial Intelligence), the message is clear: expect more of the same, with a main course of new and innovative opportunism.

This provided a perfect backdrop to the Masterclass NCC Group participated in, ‘Detecting & Investigating threats in Cloud environments’. Here is an extrapolated version of some of the key points raised during the panel discussion.

In the cloud there is no such thing as Mr. Average or Default, Standard or any other middling term that could be used to suggest some common state of ‘norm’.

In the Cloud everyone is exceptional, extraordinary and unique and, most challenging of all, changing in real time, all the time. It is the nature of cloud; it is what allows businesses to innovate so explosively and pivot with an agility that would have stolen market share only a few years ago. Today it is becoming a key survival trait in a fast-paced digital economy.

Your threats and risks are not those that you get out of a manual, be that NIST, ISO, NCSC or CIS amongst many others; treating them as such is a false dawn. These standards, frameworks and control sets are better than nothing, and they help get some of the visibility required to quickly identify some of the control actions that need to be taken. BUT they cannot provide you with YOUR complete unique Cyber Fingerprint: the one YOU will need to defend, to express in meaningful terms (Risk) to YOUR business leaders, and to maintain a state of resilience that keeps your organisation standing in the face of the broad spectrum of incidents you will experience.

If you are going to prioritise one thing as you adopt Cloud technologies, focus on effective strategies for detecting and investigating cybersecurity threats within cloud environments. Recognise and address, across ALL disciplines, the unique complexities and dynamics introduced by cloud infrastructures, which impact traditional security protocols and forensic procedures and materially influence your digital resilience.

Challenges in Incident Response in the Cloud

  • Distributed Architecture – Cloud environments typically distribute data and services across multiple locations and servers. This fragmentation complicates the tracking and monitoring of potential security incidents.
  • Multi-Tenancy – Shared resources among various users and organizations in a cloud environment lead to increased risks and complexities in isolating the incident scope and impact.
  • Limited Visibility and Control – Users often have limited visibility into the underlying infrastructure, which hampers the ability to detect anomalies and respond to incidents in a timely manner.
  • Scalability of Resources – While the scalability of cloud services offers flexibility and efficiency, it also allows threats to propagate more quickly across systems if not adequately managed.
  • Integration of Security Tools – The integration and compatibility of traditional security tools with cloud services can be challenging, leading to potential gaps in threat detection and response capabilities.

Forensic Limitations in the Cloud

  • Access to Physical Hardware – Forensic investigations often require access to physical hardware; however, in cloud environments, this hardware is managed by service providers, limiting forensic activities.
  • Data Collection – Collecting relevant data for forensic analysis is more complex in a cloud setting due to the dynamic provisioning and de-provisioning of resources.
  • Chain of Custody – Establishing and maintaining a clear chain of custody for digital evidence in the cloud is problematic because of the virtual and distributed nature of the infrastructure.
  • Legal and Compliance Issues – There are jurisdictional challenges and compliance issues related to data location and access, as data stored in the cloud can reside in multiple countries, each with its own set of laws and regulations.
  • Tool Effectiveness – Forensic tools that were originally designed for on-premises environments may not be effective or applicable in cloud environments, necessitating the development of new methodologies and tools.

Organisations need to adapt their incident response strategies and forensic approaches to effectively address the unique challenges posed by cloud environments. This means enhanced collaboration with cloud service providers, the development of cloud-specific security and forensic tools, and continuous training and updating of cybersecurity practices to handle the evolving threat landscape in cloud infrastructures.