First Cloud Security Incident Response Plan V1
  • Code and Automation Restriction: Automation and deployment frameworks in the cloud platforms, and any user-defined code which can act as a security principal, including functions-as-a-service, containers, and hosts, can be used by an adversary to re-establish persistence in the environment. A comprehensive review of all possible pivot points, persistence mechanisms, and outliers in configured access is required to ensure thorough containment and subsequent ejection.



  • Network Isolation: Network backdoors, including rogue VPC peering points and simple modifications to network security group rules, can expose resources to continued adversary control. Cloud-based infrastructure with excessive outbound permissions, such as policies allowing access to all IP ranges belonging to a trusted cloud provider, can be abused by adversaries to blend in with authorized traffic to that cloud provider. A comprehensive review of all possible pivot points, persistence mechanisms, and outliers in configured access is required to ensure thorough containment and subsequent ejection.
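As an added example (not part of the plan itself), the following Python check reviews a constructed snapshot of peering connections and security-group egress rules for the two network pivot classes named above: peering to an unapproved account, and outbound rules that reach more public address space than a defined threshold. The snapshot field names, account ids, address ranges and the organisation's own ranges are assumptions.

```python
import ipaddress

# Constructed sample snapshot (assumption: field names are illustrative and do not
# follow any provider's exact API schema; account ids and CIDRs are made up).
SNAPSHOT = {
    "peering_connections": [
        {"id": "pcx-shared-services", "peer_account": "111111111111", "status": "active"},
        {"id": "pcx-unexpected", "peer_account": "999999999999", "status": "active"},
    ],
    "security_groups": [
        {"id": "sg-web", "egress": [{"proto": "tcp", "ports": "443", "cidr": "10.0.0.0/8"}]},
        {"id": "sg-ci-runner", "egress": [{"proto": "-1", "ports": "all", "cidr": "0.0.0.0/0"}]},
        # A provider-sized public block: outbound traffic to it is hard to tell apart
        # from legitimate traffic to that provider, which is the risk the plan describes.
        {"id": "sg-batch", "egress": [{"proto": "tcp", "ports": "443", "cidr": "52.0.0.0/8"}]},
    ],
}

APPROVED_PEER_ACCOUNTS = {"111111111111"}          # assumption: the approved peering allowlist
ORG_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the organisation's own address space


def review_network_containment(snapshot, approved_peers, org_ranges, max_public_hosts=65536):
    """Return (kind, resource_id, reason) findings: active peering to an account outside the
    allowlist, and egress rules to public space larger than max_public_hosts addresses."""
    findings = []
    for pcx in snapshot["peering_connections"]:
        if pcx["status"] == "active" and pcx["peer_account"] not in approved_peers:
            findings.append(("peering", pcx["id"],
                             f"active peering to unapproved account {pcx['peer_account']}"))
    for sg in snapshot["security_groups"]:
        for rule in sg["egress"]:
            net = ipaddress.ip_network(rule["cidr"], strict=False)
            # Egress confined to the organisation's own ranges is not an outbound exposure.
            internal = any(r.version == net.version and net.subnet_of(r) for r in org_ranges)
            if not internal and net.num_addresses > max_public_hosts:
                findings.append(("egress", sg["id"],
                                 f"{rule['proto']}/{rule['ports']} to {rule['cidr']} "
                                 f"covers {net.num_addresses} public addresses"))
    return findings


if __name__ == "__main__":
    for kind, rid, reason in review_network_containment(SNAPSHOT, APPROVED_PEER_ACCOUNTS, ORG_RANGES):
        print(f"[{kind}] {rid}: {reason}")
```

Each finding is a candidate pivot point to remove or justify during containment; the threshold and allowlist are the parts a team would tune to its own environment.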

5.2 Eradication Procedures
Once the incident is contained, the Cloud Security Analyst will proceed with eradication procedures:

  • System Patching: Apply patches to eliminate vulnerabilities exploited during the incident.

  • Malware Removal: Identify and remove any malware present in the cloud environment.

5.3 Communication During Containment
Regular updates will be provided to the Incident Response Coordinator and Communication Officer regarding the status of incident containment. Communication to other stakeholders will follow the communication plan outlined in Section 7.
6. Evidence Collection
6.1 Collection Tools and Procedures
The Cloud Security Analyst will use forensics tools and follow established procedures for evidence collection: