Most cloud environments are over-permissioned and under-prepared for incident response.
Security teams need access to logs, snapshots, and configuration data to understand how an attack unfolded, but giving blanket access opens the door to insider threats, misconfigurations, and lateral movement.
So, how do you enable forensics without compromising your security posture?
The dilemma: balancing access and security
There is a tension between two crucial aspects of cloud security that create a challenge for cloud forensics.
One aspect is the need for Security Operations Center (SOC) and Incident Response (IR) teams to access comprehensive data for investigating and resolving security incidents.
The other conflicting aspect is the principle of least privilege and minimal manual access advocated by cloud security best practices.
This conflict is particularly pronounced in modern cloud environments, where traditional physical access controls no longer apply, and infrastructure-as-code and containerization have transformed the landscape.
There are several common but less-than-ideal approaches to this challenge:
- Accepting limited data access, potentially leaving incidents unresolved
- Granting root-level access during major incidents, risking further compromise
Relying on cloud or DevOps teams to retrieve data, causing delays and potential miscommunication
[related-resource]
Challenges in container forensics
Containers present unique challenges for forensic investigations due to their ephemeral and dynamic nature. The orchestration and management of containers, whether on private clusters or using services like AWS Elastic Kubernetes Service (EKS), introduce complexities in capturing and analyzing forensic data.
To effectively investigate containers, it's often necessary to acquire the underlying volume of a node or perform memory captures. However, these actions require specific Identity and Access Management (IAM) and network access to the node, as well as familiarity with the container environment, which may not always be straightforward.
An alternative method of collection in containerized environments is to utilize automated tools to collect this evidence. Since they can detect malicious activity and collect relevant data without needing human input, they can act immediately, securing evidence that might be lost by the time a human analyst is available to collect it manually.
Additionally, automation can help significantly with access and permissions. Instead of analysts needing the correct permissions for the account, service, and node, as well as deep knowledge of the container service itself, for any container from which they wish to collect logs. They can instead collect them, and have them all presented in one place, at the click of a button.
A better approach: practical strategies for cloud forensics
It's crucial to implement strategies that strike a balance between necessary access and stringent security controls.
Here are several key approaches:
1. Dedicated cloud forensics accounts
Establishing a separate cloud account or subscription specifically for forensic activities is foundational. This approach isolates forensic activities from regular operations, preventing potential contamination from compromised environments. Dedicated accounts also enable tighter control over access policies, ensuring that forensic operations do not inadvertently expose sensitive data to unauthorized users.
A separate account allows for:
- Isolation: The forensic investigation environment is isolated from potentially compromised environments, reducing the risk of cross-contamination.
- Tighter access controls: Policies and controls can be more strictly enforced in a dedicated account, reducing the likelihood of unauthorized access.
- Simplified governance: A clear and simplified chain of custody for digital evidence is easier to maintain, ensuring that forensic activities meet legal and regulatory requirements.
For more specifics:
2. Cross-account roles with least privilege
Using cross-account IAM roles, the forensics account can access other accounts, but only with permissions that are strictly necessary for the investigation. This ensures that the principle of least privilege is upheld, reducing the risk of unauthorized access or data exposure during the forensic process.
3. Temporary credentials for just-in-time access
Leveraging temporary credentials, such as AWS STS tokens, allows for just-in-time access during an investigation. These credentials are short-lived and scoped to specific resources, ensuring that access is granted only when absolutely necessary and is automatically revoked after the investigation is completed. This reduces the window of opportunity for potential attackers to exploit elevated permissions.
For AWS, you can use commands such as:
aws sts get-session-token --duration-seconds 43200
aws sts assume-role --role-arn role-to-assume --role-session-name "sts-session-1" --duration-seconds 43200
For Azure, you can use commands such as:
az ad app credential reset --id <appId> --password <sp_password> --end-date 2024-01-01
For more details for Google Cloud environments, see “Create short-lived credentials for a service account” and the request.time parameter.
4. Tag-based access control
Pre-deploying access control based on resource tags is another effective strategy. By tagging resources with identifiers like "Forensics," access can be dynamically granted only to those resources that are relevant to the investigation. This targeted approach minimizes the risk of overexposure and ensures that forensic teams can quickly and efficiently access the data they need.
For example, in AWS:
Condition: StringLike: aws:ResourceTag/Name: ForensicsEnabled
Condition: StringLike: ssm:resourceTag/SSMEnabled: True
For example, in Azure:
"Condition": "StringLike(Resource[Microsoft.Resources/tags.example_key], '*')"
For example, in Google Cloud:
expression: > resource.matchTag('tagKeys/ForensicsEnabled', '*')
Tighten access, enhance security
The shift to cloud environments demands a rethinking of how we approach forensic investigations. By implementing strategies like dedicated cloud forensic accounts, cross-account roles, temporary credentials, and tag-based access control, organizations can strike the right balance between access and security. These practices not only enhance the effectiveness of forensic investigations but also ensure that access is tightly controlled, reducing the risk of exacerbating an incident or compromising the investigation.
Find the right tools for your cloud security
Darktrace delivers a proactive approach to cyber resilience in a single cybersecurity platform, including cloud coverage.
Darktrace’s cloud offerings have been bolstered with the acquisition of Cado Security Ltd., which enables security teams to gain immediate access to forensic-level data in multi-cloud, container, serverless, SaaS, and on-premises environments.
In addition to having these forensics capabilities, Darktrace / CLOUD is a real-time Cloud Detection and Response (CDR) solution built with advanced AI to make cloud security accessible to all security teams and SOCs. By using multiple machine learning techniques, Darktrace brings unprecedented visibility, threat detection, investigation, and incident response to hybrid and multi-cloud environments.
Learn how to evaluate cloud investigation and incident response tools
Discover how real forensics solutions can help your team efficiently understand and respond to cloud threats.
.png)
