Automating evidence collection will improve your cloud incident response process
Posted: Wednesday, Sep 13

i 3 Table of Contents

Automating evidence collection will improve your cloud incident response process

A primary concern of any security team is having the ability to respond to security events efficiently and in a timely manner, well before they are at risk of escalating.

The lack of automation coupled with alert fatigue often leads to overlooked risk, where seemingly low-severity detections may actually be connected to something far more malicious. To address this challenge and better protect your environment, it’s crucial to utilise automation at the core of your cloud incident response program to remove complexities and manual steps associated with incident investigations.

Automating the collection and forensic evidence across impacted systems is vital when an alert is triggered by a detection solution. With automation, critical insights can be immediately collected and processed across systems of interest and then run against a deeper set of threat intelligence to further validate the incident’s severity level.

Automating both triage and full disk collections across cloud resources ensures data availability and accessibility for deeper investigations. This is especially important in ephemeral environments where data can disappear in the blink of an eye. For example, if the ephemeral system is nuked, security teams can feel confident the data they need is there if / when they will need to perform a deeper investigation. This approach enables effective response and allows for continuous improvement of Incident Response (IR) processes. Automating evidence collection saves time during investigations, streamlining resolution timelines down from weeks to days. Let’s explore some examples and best practices.

Automating triage collection

Triage artefact collection plays a vital role in incident response (IR), enabling the rapid collection of a subset of artefacts such as system files, running processes, network connections, registry hives, volatile memory and event logs. Triage analysis helps analysts save time and narrow in their investigation in order to then decide across which systems they will need to perform more time-consuming processes like full disk analysis. Automating triage collection before doing a deeper investigation reduces Mean Time To Respond (MTTR).

Automating full disk collection

Like triage acquisitions, performing full disk collections has historically been a manual process involving bootable USB sticks or physical shipping of devices for forensic analysis. Although effective, these methods consumed so much time. With the rise of cloud technologies, capturing full disk images of cloud-based volumes has become easier through snapshotting and cloud provider APIs. However, challenges remain, like understanding different cloud providers’ APIs and writing scripts to interact with them.

And even after you capture the disk images, you still have the challenge of getting that image into an environment where you can process and analyse the data before the ephemeral server is nuked.

To overcome these challenges, utilising cloud-native APIs or cloud investigation and response platforms eliminates the need to bring data back on-premises. Cloud-native approaches simplify cloud complexities, remove the need for agents, and automate acquisition, processing and analysis of cloud volumes.

The five best practices for evidence collection

While the principles of evidence collection have remained relatively consistent over the years, the technology and tools have evolved significantly. Here are the five best practices to consider when automating evidence collection:

Best Practice #1: Identify and Collect the Right Artefacts

Reduce acquisition resources and processing time by prioritising valuable artefacts in triage collections. Key artefacts include network connection state, logged-on users, running processes, event logs, $MFT, registry hives and volatile memory. Automate the acquisition, processing and analysis of full disk images when necessary.

Best Practice #2: Efficiently Collect and Process Data

Standardise the collection and processing of evidence data to expedite investigations. Whenever possible, collect and process evidence from systems of interest in parallel to resolve incidents quickly. Cloud resources can be used to your advantage here.

Best Practice #3: Standardise Data Preservation

Define and document the lifecycle management of data, including storage location, access permissions and retention periods. Consider hot and cold storage requirements, full chain of custody and the proper tagging and labelling of evidence.

Best Practice #4: Analyse Data Holistically

Enable a comprehensive view of all evidence during an investigation to speed up the move to containment, eradication and recovery. Collect and aggregate data at scale, potentially using a timeline or user-friendly interface.

Best Practice #5: Stay Updated with Technological Advancements

Keep up-to-date with industry trends and advancements. Utilise cloud resources for secure, flexible and efficient evidence collection, processing and storage in cloud investigations. Don’t shoehorn existing on-premises IR processes for use in cloud investigations – visibility and response times will suffer.

Automating evidence collection in incident response processes is crucial for standardising artefact collection, reducing investigation time, enabling holistic data analysis and staying up-to-date with technological advancements. By following these best practices and utilising automation, security teams can enhance their incident response approaches.

James Campbell
Share This