Cyber Incident Response in Public Cloud: implications of modern cloud computing characteristics for cyber incident response
Loukasmäki, Henri (2023)
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2023060621788
Abstract
Modern cloud computing has fundamentally changed how organizations and end-users consume IT resources. The cloud is defined by a set of key characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. The industry-standard frameworks for cyber incident response, however, were largely developed before cloud computing emerged, and the same models and frameworks are still applied when responding to cyber security incidents in the cloud domain.
The main objective was to research and illuminate some of the complexities of responding to cyber security incidents in the public cloud domain, and to provide practical guidance and insights on how to prepare for, detect, analyze, contain, eradicate, recover from, and learn from cloud-based incidents, by comparing, contrasting, and evaluating different cloud capabilities, their viability, and their potential use cases for the various phases of incident response. The secondary objective was to research the typical public cloud operating environment from an incident responder's point of view, and to assess different types of incident response capabilities, tooling, approaches, and strategies by analyzing the services and products of two large cloud providers.
It was observed that the same processes and models can generally be applied when responding to incidents in the cloud, and that the overall goals of each incident response phase remain the same; the tools and techniques for efficient incident response, however, must themselves be able to exploit the characteristics of the cloud, such as on-demand provisioning and elasticity. The importance of mitigating threats against identities was also highlighted, because in the cloud, identity is the de facto security perimeter. Overall, when responding to cyber security incidents in the cloud, incident responders should have a deep understanding of the cloud platform, the services it offers, and the interdependencies between those services. It is equally important to understand what telemetry the platform and its services produce, and what limitations some cloud service models impose on the responder.