Incident Response in the Cloud - AWS Security Incident Response Guide

Incident Response in the Cloud

Design Goals of Cloud Response

Although the general processes and mechanisms of incident response, such as those defined in the NIST SP 800-61 Computer Security Incident Handling Guide, still apply, we encourage you to consider these specific design goals that are relevant to responding to security incidents in a cloud environment:

  • Establish response objectives – Work with your stakeholders, legal counsel, and organizational leadership to determine the goal of responding to an incident. Some common goals include containing and mitigating the issue, recovering the affected resources, preserving data for forensics, and attribution.

  • Respond using the cloud – Implement your response patterns where the event and data occur.

  • Know what you have and what you need – Preserve logs, snapshots, and other evidence by copying them to a centralized security cloud account. Use tags, metadata, and mechanisms that enforce retention policies. For example, you may choose to use the Linux dd command or a Windows equivalent to make a complete copy of data for investigative purposes.

  • Use redeployment mechanisms – If a security anomaly can be attributed to a misconfiguration, the remediation might be as simple as removing the variance by redeploying the resources with the proper configuration. When possible, make your response mechanisms safe to execute more than once and on unknown states.

  • Automate where possible – As you see issues or incidents repeat, build mechanisms that programmatically triage and respond to common situations. Use human responses for unique, new, and sensitive incidents.

  • Choose scalable solutions – Strive to match the scalability of your organization's approach to cloud computing, and reduce the time between detection and response.

  • Learn and improve your process – When you identify gaps in your process, tools, or people, plan to fix them. Simulations are safe methods to find gaps and improve processes.
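One way to put the "respond using the cloud", "know what you have", "use redeployment mechanisms" and "automate where possible" goals above into code, as an added example that is not code from the AWS guide: every EBS volume of a suspect instance is snapshotted, tagged with the case ID and a retention date, shared with the central security account, and the routine is safe to run more than once. It assumes `ec2` is a boto3 EC2 client (for example `boto3.client("ec2")`); the tag keys, incident ID and account ID are assumed placeholders.

```python
from datetime import datetime, timedelta, timezone

INCIDENT_TAG = "ir:incident-id"   # assumed tag key identifying the case
RETAIN_TAG = "ir:retain-until"    # assumed tag key a retention policy enforces


def instance_volume_ids(ec2, instance_id):
    """EBS volume IDs attached to the instance under investigation."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    return [bdm["Ebs"]["VolumeId"]
            for res in resp["Reservations"] for inst in res["Instances"]
            for bdm in inst.get("BlockDeviceMappings", [])]


def existing_snapshot(ec2, volume_id, incident_id):
    """Snapshot already taken for this volume and case, if any (idempotency)."""
    resp = ec2.describe_snapshots(OwnerIds=["self"], Filters=[
        {"Name": "volume-id", "Values": [volume_id]},
        {"Name": f"tag:{INCIDENT_TAG}", "Values": [incident_id]}])
    snaps = resp.get("Snapshots", [])
    return snaps[0]["SnapshotId"] if snaps else None


def preserve_instance_volumes(ec2, instance_id, incident_id,
                              security_account_id, retention_days=90):
    """Snapshot each volume, tag it for the case and its retention date, and
    share it with the central security account, which then copies it there.
    Running this twice returns the same snapshot IDs; no duplicates are made."""
    retain_until = (datetime.now(timezone.utc)
                    + timedelta(days=retention_days)).strftime("%Y-%m-%d")
    results = {}
    for vol in instance_volume_ids(ec2, instance_id):
        snap_id = existing_snapshot(ec2, vol, incident_id)
        if snap_id is None:
            snap = ec2.create_snapshot(
                VolumeId=vol, Description=f"IR evidence {incident_id}",
                TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                    {"Key": INCIDENT_TAG, "Value": incident_id},
                    {"Key": RETAIN_TAG, "Value": retain_until},
                    {"Key": "ir:source-instance", "Value": instance_id}]}])
            snap_id = snap["SnapshotId"]
        # Sharing is itself idempotent; snapshots encrypted with a customer
        # managed KMS key also need that key's policy to grant the account.
        ec2.modify_snapshot_attribute(
            SnapshotId=snap_id, Attribute="createVolumePermission",
            OperationType="add", UserIds=[security_account_id])
        results[vol] = snap_id
    return results
```

The security account copies the shared snapshot into its own storage so the evidence no longer depends on the compromised account's lifecycle.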

NIST design goals remind you to review your architecture for its ability to support both incident response and threat detection. As you plan your cloud implementation, think about how you would respond to an incident or a forensics event. In some cases, this means you may have multiple organizations, accounts, and tools set up specifically for these response tasks. These tools and functions should be made available to the incident responder through a deployment pipeline rather than being static, as static tooling would carry a larger risk.