4.2 Initial Analysis Steps
Upon detection of a security incident, the Cloud Security Analyst will perform the following initial analysis steps:
Isolation: Isolate affected systems or resources to prevent further compromise.
Logs and Artifacts: Collect relevant logs and artifacts for further analysis.
Notification: Notify the Incident Response Coordinator and other relevant team members.
4.3 Documentation of Findings
The Cloud Security Analyst will document findings in a centralized incident tracking system, including details such as:
Date and time of detection.
Initial analysis results.
Identified vulnerabilities or attack vectors.
Recommended actions for containment and eradication.
IAM Access Restriction: Containing an incident in cloud infrastructure includes identifying all security principals compromised and/or added by the adversary, including users, compromised roles (such as via federated sessions or compromised identity stores), and service accounts. In many cases, the cloud provider supports more than one credential source for a security principal, allowing an adversary to impersonate a user or service account without interfering with the original, authorized purpose for that account — thereby hindering detection. All these must be carefully tracked and eliminated while ensuring adequate monitoring to detect any attempts by the adversary to reestablish persistence.
Examples: Multiple API keys in addition to a password for a user, multiple credential sources for a service account, and multiple MFA devices for a single user.
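One way to make this containment step repeatable, as an added example that is not part of this plan: the script below walks a constructed credential inventory for two principals (field names loosely follow AWS IAM list API output, but no cloud API is called and the incident window date is assumed), emits one containment action per credential source, labels credentials created inside the incident window as likely adversary-added, and flags the redundant-credential pattern described above.

```python
from datetime import date

# Assumed start of the incident window (constructed for this example).
INCIDENT_START = date(2024, 6, 1)

# Constructed inventory for a human user and a service account; not live data.
INVENTORY = {
    "alice": {
        "login_profile": True,  # a console password exists
        "access_keys": [
            {"AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active", "CreateDate": date(2023, 1, 10)},
            {"AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active", "CreateDate": date(2024, 6, 2)},
        ],
        "mfa_devices": ["arn:aws:iam::123456789012:mfa/alice", "arn:aws:iam::123456789012:mfa/alice-backup"],
        "ssh_public_keys": [],
    },
    "svc-deploy": {
        "login_profile": False,
        "access_keys": [{"AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Active", "CreateDate": date(2022, 5, 1)}],
        "mfa_devices": [],
        "ssh_public_keys": [{"SSHPublicKeyId": "APKAEXAMPLE00000001", "UploadDate": date(2024, 6, 3)}],
    },
}

def _origin(created, incident_start):
    # Pre-existing credentials are compromised and must be rotated; ones created
    # inside the window are treated as adversary-added and removed outright.
    return "added-in-window" if created >= incident_start else "pre-existing"

def containment_plan(name, principal, incident_start=INCIDENT_START):
    """Return (actions, flags): one action per credential source on the principal,
    plus flags for the redundant-credential pattern the plan warns about."""
    actions, flags = [], []
    if principal["login_profile"]:
        actions.append(f"{name}: reset console password")
    for k in principal["access_keys"]:
        actions.append(f"{name}: deactivate access key {k['AccessKeyId']} ({_origin(k['CreateDate'], incident_start)})")
    for dev in principal["mfa_devices"]:
        actions.append(f"{name}: deactivate MFA device {dev}")
    for key in principal["ssh_public_keys"]:
        actions.append(f"{name}: delete SSH public key {key['SSHPublicKeyId']} ({_origin(key['UploadDate'], incident_start)})")
    active = [k for k in principal["access_keys"] if k["Status"] == "Active"]
    if len(active) > 1:
        flags.append(f"{name}: {len(active)} active access keys")
    if principal["login_profile"] and active:
        flags.append(f"{name}: console password plus API key(s)")
    if len(principal["mfa_devices"]) > 1:
        flags.append(f"{name}: {len(principal['mfa_devices'])} MFA devices")
    return actions, flags
```

Every flagged principal should stay under heightened monitoring after the actions are carried out, since a second credential source is exactly how the adversary would try to reestablish persistence.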