
teissTalk host Jenny Radcliffe was joined by Greg van der Gaast, CISO, Scoutbee; Mike Johnson, Cyber Threat Intelligence and Incident Response Manager, WithYouWithMe; and Gary Cox, Technology Director UK & Ireland, Infoblox.
Although cyberattacks on western businesses have so far been blissfully limited, a report from Forrester says every organisation must prepare for a “new era of cyber threats” as a result of Russia’s invasion of Ukraine. Most of the cyberattacks seen so far, however, have been unsophisticated DDoS, and nothing has risen to the level of cyber war. In response to the conflict, the NCSC says all UK organisations should bolster their online defences and follow its guidance on steps to take when the cyber threat is heightened. Our main guest believes that cybersecurity shouldn’t be intelligence-led but rather adjusted to individual businesses and their infrastructures: you have less to worry about from the latest exploits, for example, if you have patched everything on your network. Perhaps more focus should go to non-state bad actors than to Russia itself, as they try to take advantage of the current geopolitical situation; the former Conti group may resurface. Businesses should nevertheless continue to stick to the “get your basics right!” principle. The article also mentions Cyclops Blink, attributed to a threat actor linked to the Russian intelligence service, which doesn’t seem to have gone fully active yet but could be used to build a botnet and launch a DDoS attack at any time.
Digital transformation accelerated during the pandemic, which created new risks. With remote work and the resulting heightened complexity of corporate networks, context and policy have become key to cyber protection. Context gives incident response experts highly valuable information that makes their efforts much more effective, whether narrowing down the number of devices where a breach may have happened or spotting small indicators of anomalies. You always need to be aware of what’s going on in your network and why, as well as the risk profiles of users and of detected events. A distributed workforce will have a much wider attack surface. Make sure you understand what your employees do in their job roles and which systems they need to access to accomplish their tasks. If you have a strong endpoint management system, you’ll be in a position to dictate and draw up whitelists of users to whom you give more flexibility. Remain in control of the software inventory too. For smaller organisations that can’t afford a dedicated security team, it may be handy to use security services offered by cloud providers. However, these providers won’t have the context for what’s happening on the corporate network or what your critical assets are, so they aren’t the ideal solution in the long run.
The most important components that digital forensics can leverage are DNS and DHCP (the Dynamic Host Configuration Protocol, which links network activity to the devices responsible for it), closely followed by any form of user identity tracking. IP addresses are transient and can change from day to day, so it’s important to tie activity back to the originating device and user. Having access to all your system logs, and logs in general, is also critical. As an incident responder you may get about 50,000 alerts per day and can respond to a maximum of 20; the holy grail is getting to the 20 highest-risk ones out of the fifty thousand.
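The point about DHCP, DNS and identity logs is easiest to see with the logs side by side. The script below is an added example, not code from the teissTalk discussion or from any of the speakers’ companies. It uses constructed DHCP lease, logon and DNS query log lines (the formats, hostnames, users and addresses are invented), plus a hypothetical threat-intel watchlist, user risk profile and asset criticality table, to show why a bare IP address is not enough: the same IP belongs to two different laptops within two hours, so an alert can only be attributed correctly by checking which lease covered that address at the alert’s timestamp and who was logged on to that host. The same context then scores the flagged queries so the highest-risk handful surface first.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample logs for this example (not captured from any real network).
DHCP_LOG = """\
2024-03-01T08:00:05 DHCPACK ip=10.0.5.23 mac=aa:bb:cc:dd:ee:01 host=LAPTOP-ANNA lease=3600
2024-03-01T08:01:00 DHCPACK ip=10.0.5.40 mac=aa:bb:cc:dd:ee:03 host=FINANCE-PC01 lease=86400
2024-03-01T09:30:12 DHCPACK ip=10.0.5.23 mac=aa:bb:cc:dd:ee:02 host=LAPTOP-BOB lease=3600
"""
AUTH_LOG = """\
2024-03-01T08:02:10 LOGON user=anna host=LAPTOP-ANNA
2024-03-01T08:03:00 LOGON user=carol host=FINANCE-PC01
2024-03-01T09:31:00 LOGON user=bob host=LAPTOP-BOB
"""
DNS_LOG = """\
2024-03-01T08:15:00 client=10.0.5.23 query=updates.example.com type=A
2024-03-01T08:20:00 client=10.0.5.40 query=erp.example.com type=A
2024-03-01T09:45:00 client=10.0.5.23 query=newly-registered.example type=A
2024-03-01T09:50:00 client=10.0.5.40 query=a8f3e2c1.dga.example type=TXT
"""
# Hypothetical context feeds: a watchlist of domains flagged by threat intel,
# per-user risk profiles and asset criticality. All values are made up.
WATCHLIST = {"newly-registered.example", "a8f3e2c1.dga.example"}
USER_RISK = {"bob": 3}                 # e.g. recently phished or privileged
ASSET_CRITICALITY = {"FINANCE-PC01": 5}

TS_FMT = "%Y-%m-%dT%H:%M:%S"


@dataclass
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str
    host: str


@dataclass
class Logon:
    ts: datetime
    user: str
    host: str


def _fields(line: str) -> dict:
    """Split the 'key=value' tokens out of a log line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def parse_ts(text: str) -> datetime:
    """Parse the leading ISO-style timestamp of a log line (or a bare timestamp)."""
    return datetime.strptime(text.split()[0], TS_FMT)


def parse_dhcp(text: str) -> list:
    """Each DHCPACK becomes a lease with an explicit validity window."""
    leases = []
    for line in text.splitlines():
        f, start = _fields(line), parse_ts(line)
        leases.append(Lease(start, start + timedelta(seconds=int(f["lease"])),
                            f["ip"], f["mac"], f["host"]))
    return leases


def parse_auth(text: str) -> list:
    return [Logon(parse_ts(l), _fields(l)["user"], _fields(l)["host"])
            for l in text.splitlines()]


def device_for(ip: str, ts: datetime, leases: list) -> Optional[Lease]:
    """Device holding `ip` at time `ts`, or None if no lease covers that moment.
    The same IP maps to different devices at different times, so `ts` matters."""
    live = [l for l in leases if l.ip == ip and l.start <= ts < l.end]
    return max(live, key=lambda l: l.start) if live else None


def user_for(host: str, ts: datetime, logons: list) -> Optional[str]:
    """Most recent logon on `host` at or before `ts`."""
    prior = [l for l in logons if l.host == host and l.ts <= ts]
    return max(prior, key=lambda l: l.ts).user if prior else None


def triage(dns_log: str, dhcp_log: str, auth_log: str, top_n: int = 20) -> list:
    """Flag watchlisted DNS queries, attribute each to a device and user,
    score by context and return the top_n highest-risk alerts."""
    leases, logons = parse_dhcp(dhcp_log), parse_auth(auth_log)
    alerts = []
    for line in dns_log.splitlines():
        f, ts = _fields(line), parse_ts(line)
        if f["query"] not in WATCHLIST:
            continue
        lease = device_for(f["client"], ts, leases)
        host = lease.host if lease else None
        user = user_for(host, ts, logons) if host else None
        score = 10 + USER_RISK.get(user, 0) + ASSET_CRITICALITY.get(host, 0)
        alerts.append({"ts": ts, "ip": f["client"], "host": host,
                       "mac": lease.mac if lease else None,
                       "user": user, "query": f["query"], "score": score})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)[:top_n]


if __name__ == "__main__":
    for alert in triage(DNS_LOG, DHCP_LOG, AUTH_LOG):
        print(alert)
```

Run as-is, the two watchlisted queries come out attributed to FINANCE-PC01/carol and LAPTOP-BOB/bob rather than to anonymous addresses, and the finance desktop ranks first because asset criticality outweighs the user-risk bump. A query from 10.0.5.23 at 09:10, when neither lease was live, would attribute to no device at all, which is the honest answer and a prompt to check DHCP log coverage rather than to guess.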
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543