With more organizations moving to the cloud for storage, applications, and processing, digital forensics investigators increasingly require new tools and techniques capable of conducting investigations on systems where they have no physical access.
Gone, for the most part, are the days when the forensics investigator could pop out the hard drive of an on-premises server for a forensic image and simply analyze it for clues on what happened. Hands-on evaluations of physical evidence, formerly the norm in forensic investigations, are now the exception. Today’s cloud-based network could be located almost anywhere — for European Union cloud infrastructures, servers generally have to be in the same country as where the data was created, but that’s as specific as the law gets. For the most part, investigators have no direct access to the servers.
Instead, companies need to work with their cloud providers in advance to articulate clearly what access they can have before an event occurs, says Thomas Brittain, former managing director of cyber risk at Kroll who recently joined Amazon Web Services as a security leader for cloud response.
For example, ask the cloud provider up front about any limitations during an investigation, Brittain recommends. Questions include: What logging or log sources are available from each of your cloud vendors? How do you ensure that your personnel have the training and the understanding to do an investigation in that cloud environment?
Considering that investigators will not have physical access to compromised disk drives, enterprises need to ensure ahead of time that the investigators will have the ability to obtain a forensic image of the hard disk even without having actual physical access. That may mean the provider’s staff would need to create and provide the image to the investigators, or the provider would allow the investigators virtual access to the compromised devices.
Cloud-Ready Forensics Tools
New digital forensics tools and techniques are necessary to uncover electronic evidence that can be processed into actionable intelligence for cloud-based data breaches, ransomware attacks, and other cases of malfeasance.
Because there are no standardized tools designed to meet every cloud vendor’s network needs, many forensics teams develop custom applications. But there is still a problem. “It's insane, trying to figure out standardized training, there is no, there are no standardized tools,” Brittain says.
“We've had to adapt from more of a forensic standpoint to more of a live-by-instant-response in triage,” concurs Aaron Crawford, senior security consultant with NCC Group’s North America Incident Response. “The lines between triage and forensics have absolutely blurred with the introduction of the cloud. It's even more complicated because you have several flavors of clouds out there and providers such as Tencent, Google, Amazon, and Microsoft — the primary Big Four out there.”
Crawford also acknowledges the lack of industry-standard tools. “We've had to become our own tool smiths now. We've had to write our own tools [and] create our own custom solutions to address a lot of these issues to help relieve the burden for our clients,” he says. “One of the biggest things that's changed is that immediacy for information and updates is absolutely critical. And that's because the threat landscape changed. The threat landscape got significantly more malicious, and the repercussions are even greater than they were before.”
While forensics teams are creating tools for the various environments, they also need to ensure that their tools will interoperate with existing security tools. Custom tools need to be “sustainable, explainable, [and] repeatable. If I go to court as an expert witness, I have to make sure that those tools are repeatable, and you can understand them, and someone else other than me can use them.”
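As an added illustration of the points above (it is not code from the article or from any of the firms quoted), the script below shows the minimum a "repeatable, explainable" acquisition step looks like when the disk image arrives from a provider instead of from a drive in your hand: hash the delivered image in a streaming fashion, compare it against the hash the provider attested, and append a timestamped, examiner-signed manifest line that anyone else can re-run and check. The file name, examiner name, provider label and image bytes are constructed sample values.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a (possibly multi-GB) image without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_and_record(image_path, expected_sha256, examiner, source, manifest_path):
    """Verify a provider-delivered image against its attested hash and log the result.

    Every field needed to reproduce the check (file, size, hashes, who, when,
    from which provider/method) is written as one JSON line to an append-only
    manifest, so the step is repeatable by a second examiner.
    """
    actual = sha256_file(image_path)
    entry = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "source": source,                      # e.g. "provider-exported snapshot"
        "examiner": examiner,
        "checked_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_expected": expected_sha256.lower(),
        "sha256_actual": actual,
        "verified": actual == expected_sha256.lower(),
    }
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return entry


def make_sample_image(directory):
    """Write a small constructed stand-in for a provider-supplied raw disk image."""
    path = os.path.join(directory, "vm-disk-constructed.raw")
    data = b"\x00" * 512 + b"CONSTRUCTED SAMPLE IMAGE" + b"\xff" * 512
    with open(path, "wb") as f:
        f.write(data)
    return path, hashlib.sha256(data).hexdigest()


def demo():
    """Run one matching and one mismatching check; returns both manifest entries."""
    workdir = tempfile.mkdtemp()
    image, attested = make_sample_image(workdir)
    manifest = os.path.join(workdir, "acquisition-manifest.jsonl")
    good = verify_and_record(image, attested, "examiner-a", "provider-exported snapshot", manifest)
    bad = verify_and_record(image, "0" * 64, "examiner-a", "provider-exported snapshot", manifest)
    return good, bad
```

A mismatch (the second entry) is itself evidence worth keeping: it shows the image was altered or mis-exported between the provider and the examiner, which is exactly the question opposing counsel will ask.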
Wayne Johnson, director of Global Cyber Incident Response and leader of the forensics practice at Protiviti, also sees challenges and possibilities with custom forensic tools. “From an interoperability perspective, I think that's incumbent on those that are making those one-off tools, [that] as the different coding languages change, as the different coding capabilities increase, the digital forensics domain has to be able to move with them right and be able to understand those,” he says.
“Even with traditional architectures that are on-prem, there are many organizations that still have their own custom code and custom applications. So be those in the cloud or on-prem, the same concept applies.”
Soliciting Board Support
As the attack surface grows, in part due to the explosion of internet of things (IoT) devices, cybersecurity experts need a place at the table with the board of directors and general counsels, Johnson notes. Ultimately, combining the digital forensics capabilities with incident response is “an area where we've really seen the board's taking notice and realizing that there's definitely a conversation there.”
The added benefit of having a cyber-savvy board member is helping the other board members “understand and interpret what’s coming from the CISO and the CIO.” The addition of cybersecurity experts on the board, combined with a cyber-knowledgeable general counsel, will further bolster the board’s understanding of what cybersecurity and forensics can do to protect corporate assets.
“I think we're seeing, we're seeing much more sophisticated and cyber-savvy boards starting to emerge as you start looking across various industries,” Johnson says.