Incident response in the cloud

[Tomasz Miklas]

Hi

As we moved to this forum I thought I'll bring the topic over from LinkedIn where it was initially started
http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&gid=2818396&discussionID=15136432

Any further comments welcome ;-)

[Craig Balding]

To save people from clicking, I'm pasting here the original thread from the (now dead) linkedin group:

Andrew said:

Incident response in the cloud

I know this is something that has been touched on in other discussions but is something that I wanted to pull out as an individual concern. How does moving services to the 'cloud' impact incident response procedures and capability?

My primary concern is that if I have a sufficiently large incident to warrant it I can't go to my machine room and physically pull the plug, attach files to a write-blocker and work off a copy of the system to see what went wrong. I know a few providers allow some imaging capabilities, but does this guarantee the preservation of deleted files and other forensic artifacts? Would it stand up as evidence in court? What happens if the machine seamlessly migrated between the cloud providers hardware/datacentres after or during the incident you're trying to respond to?

I'm sure I'm not the first to have considered this, but I'm yet to find a satisfactory answer, standard response I've been given is "doesn't' matter, kill one instance and start a new, clean image" keeps you running, doesn't fix the problem. I'm hoping one of you guys can help point me to a better option.


John said:

The write blocker can be virtual, along with the rest of the system. Simply configure the VM host to make the virtual drive read-only. Additionally, you can accomplish this by taking a snapshot of the virtual drive - this gives you all the benefits of a write blocker - you can see what the drive looked like at that specific point in time - plus you or the malaligns can continue to write to the drive, and you can see what changed between the snapshot and time deltas since then. Either way, you've got an exact image of the system's drive (s) at time of investigation, which I believe will qualify as a "bit-wise copy" of the system.

There's other benefits to performing forensics in a VM situation, as you can examine the state of the compromised machine from "outside" the machine - look at memory contents and what the cpu is doing.

Actually, I'd think from an operational point of view a virtualized system provides another forensic benefit - you can bring up a new system based off the "clean" image and take the compromised system off-net but leave it running and do a live investigation without worrying about the provided service being down.

Note - all of this goes out the window if the attacker manages to penetrate the guest vm and get to the host. At that point, there's all sorts of ugly going on and the VM system goes from being better for forensics to way worse, compared to a non-virtualized system.

The legal/court aspect is a good question, I haven't researched that for cloud yet, not sure if the technology is certified for use as evidence. Would love to hear feedback from others...


Craig said:

Great question.

From experience, my take is that as long as you can substantiate chain of custody, you can do live forensics, offline forensics, whatever (within reason).

Again, we need to think differently depending on the cloud layer we are using and who has management responsibility.

For SaaS, forensics boils down to log analysis...

For PaaS, forensics boils down to datastore/database queries and log analysis

For IaaS, forensics is normal from layer 2 up ;-). Clearly with IaaS there is a lot more scope for traditional forensics (acquisition is obviously different though). If its your own private cloud, its down to whatever policy you have senior managements' agreement on (i.e. blanket approval that if mission critical VMs get hacked, you can take down the host itself...).

For public IaaS, as John indicates, its gonna be 100% virtual. I haven't seen any IaaS provider state that they offer IR services beyond the usual high level "buy premium support and we'll help you" fluff. If I had time, I would offer a cloud based forensics service - definite gap in the market (if there is a market for it yet). If anyone wants to talk about doing that, ping me .

You're right to be concerned about machine migrations as it is completely possible. That could happen before you get to take the image or even during. You won't know about it.. I suspect its gonna boil down to wheeling in the cloud providers security guru as an expert witness if the other side is smart enough to even pick up on this.

Personally, I think cloud is great for forensics. It removes the physical friction involved in acquisition, you have "unlimited" storage on a pay-as-you-basis and can spin up multiple VMs to do parallel image data mining. Very cool.

I don't think our processes are going to be affected as long as we stay committed to documenting what we are doing, noting anomalies, and ensuring we are provably competent with the tech before we have an incident.

Probably doesn't answer your whole question but does it get you part way?


Tomasz said:

I'm not a lawyer nor expert in cloud computing or forensics, but here are my impressions or rather questions/doubts I have. One thing is certain - I'd like to have a bit more time for experiments with IR/forensics in the 'clouds'.

Craig, I really like the concept of using multiple instances for data mining - kind of essence of cloud computing. That opens a lot of new cool possibilities and potentially not so cool liabilities. It may be very interesting experiment in fact!

I would say migrations can be a big issue not even related to forensics. If they happen across country borders (which is possible) there may cause legal issues as there are some limitations on moving certain types of data for example from EU to the US (data protection and privacy laws, etc).
Personally I would be more concerned about possibility of instance being destroyed or replaced with a clean one before you can gather any evidence - this agility is the core spirit of cloud computing, but at the same time I see it as a kind of a race condition with scenarios like auto-scaling features killing unused instance (of course it has to be the one we will want to investigate - see Murphy's Law).

John has some very good points about benefits of virtual environment in IR/forensics. I think if we take forensic limitations that come out of the cloud environment specifics, slightly modify the acquisition procedure (if needed for the case), document the process to acquire evidence, then it can be explained in the court in a logical way and I don't see a reason why the evidence couldn't stand. Will it stand - that's to be tested, but assuming that a logical approach was used to gather it in the first place, I can only hope it wouldn't be much of problem.

Any thoughts?


Craig said:

Tomasz - I agree with everything you've written - all solid points. The generic data privacy/cross border data transfer issues of hypervisor mobility (the fancy term is definitely recognised...but beyond that awareness, I haven't heard more. The key in my mind is not to store this kind of data on the compute instances. Instead, use cloud storage with meta data containing 'data mobility' restrictions and mount the volume across (when I say mount, I don't mean NFS/CIFS...more like EBS from Amazon). Again though, the capability to do this "intelligent", policy based access isn't common yet


Andrew said:

Thanks for the input guys, believe you've confirmed my thinking that cloud computing will have it's advantages over traditional models from a practical standpoint, but as usual the law and procedures will spend a while playing catch-up and likely drop the ball for a while in the meantime.

On the issue of data migration, think this just comes down to points raised in other threads, you really need to read the contract and SLA to understand exactly what you are getting from your provider. If your data can't (or you don't want it to) leave a particular geographical location, pick a provider that stays in that are, or provides the ability to define acceptable locations.

Likewise if data migrations could cause a problem with data acquisition and related evidence gathering choose a provider that provides you greater control of what is migrated and when (not sure if this is current;y possible?).


Craig said:

 Agreed.

The bigger issues are incident response/forensics of the cloud platform itself. Obviously as a customer you have no control over this. Hence in your due diligence of cloud providers it becomes vital to establish what demonstrable capability they have.


Tomasz said:

Yes Craig, the key is to keep data on the proper data store and not the compute instance, but if I was the bad guy I would use an instance to siphon out the data from the data store, doing my best to not leave a trace at the data store itself.

If I could only contaminate an instance that is quite likely to be destroyed as soon as it's not needed, then you loose any chance of doing forensics on how I got in, what were my interactions with the system, what software I used to siphon the data. Cloud environments are much more dynamic than VPSes or any other kind of VMs. This dynamics can actually help attackers :-(

Normally you do IR and then move into forensics if needed. I'm thinking that for cloud environments part of the IR should be linked with the initial part of forensics - data acquisition - just by pure assumption that the lifetime of a compute instance may be too short to do anything else. I'm talking about loosing the only opportunity to get a snapshot of what happened at the instance that had access to the data.

I'm short on caffeine so the above text is a bit chaotic, but I hope you see my point.

[Craig Balding]

I agree that the dynamics of cloud introduce challenges to the classical methods of forensics.  And you know what?  I'm happy about that.  I *love* to see innovation in this area (I'll save you from my rants here).

In terms of handling the dynamism of cloud, and in particular transient VMs that only live for short periods of time before destruction...I would say that if you are running tasks where you consider the potential threat to be worth it, you can devise an approach that reduces the downside.  Its hard to be prescriptive here as I do think it depends heavily on what you're doing and what you care most about (integrity vs. confidentiality vs. availability) but some examples:
- with cloud its easy to snapshot each VM prior to its death (I should note this is disk snapshot only today, not memory)
- or, if that is overwhelming, define and script what you consider to be a set of reasonable host integrity checks (not talking perfection here, just "reasonable" enough) and run that on hosts at some pre-determined frequency or on some event (e.g. prior to host destruction)
- take a memory image prior to vm destruction (or again, a partial memory image...e.g. kernel structures and memory associated with non-expected processes).

Before I get hammered on the above suggestions, please realise they are just that...and to help lubricate this conversation along as its an interesting one .

Just to be balanced, the dynamism of cloud today *does* present numerous security challenges...however on the forensics side its less (to me) than say "network security"...i.e. your host migrated and your static security controls break :/ (but that's a different conversation than this thread IMHO).

What say you?

[Tomasz Miklas]

Prevention is ideal, detection is a must!

This sentence says it all. I'm not trying to say that network side is less important but if we are talking about IR, we have to assume that the Bad Thing® had already happened so our job at this point is to learn as much as we can - that's where my previous posts come from

Of course you can have compensating measures to reduce the risk, possibly even to the level that some would argue that you don't really care for forensics - you just reboot instance and start off again... and eventually get owned again, exactly the same way as before ;-)

Scripting - yes, more than ever but I have a few questions (as a cloud noob):
- before instance shutdown we do disk snapshot - can we download that snapshot and parse off-line - not in the cloud?
- we take snapshot to something like EBS... hey - if box got compromised, can the attacker access EBS we just dumped our data to (and why the answer seems to be YES)?
- more to come (I guess) so watch this space

There is no silver bullet here, as you said Craig it will all depend on the particular use of the cloud and data it processes. I use EC2 to offload my heavy lifting - it seems way cheaper to get CPU time on EC2 than provide power and cooling at my own place (seems because I don't see the bills but I know I can't scale above certain threshold because of cooling issues)

Sadly I don't know other providers than Amazon, I didn't have time nor need to test them. Amazon was first one I heard about - that sealed the deal. With Amazon you can easily create own AMIs, so you can build any logic into it - have any prevention/detection/reaction mechanisms you wish... Linux is trivia, but do you know how that works with Windows instances? How does it look with other providers? Do they give you that much freedom or is their solution kind of VMWare'ish with persistent OS on virtual disk?

If you use vanilla AMIs then you validate them, customize, run... every time you boot them up, right? Do you know what's in there? How many people (maybe you know, I don't) create their own AMIs before they properly start using 'cloud' based solution to offload their work? Cloud or not - it's yet another server that requires the same love as any other box you have in your own rack Finally, cloud is not really a managed solution, it's self-managed solution and that's something to keep in mind.

I'm trying to figure out (and test) an IR process on EC2 compute instance which by definition doesn't have system persistency (rebooted system starts from clean image, we'll think about adding EBS later on). Of course it's better to prevent than to fix it after the fact... but by definition IR is 'after' and for sure I don't have answers for most of the questions I asked above - maybe just some 'cloudy ideas' lol

It's a challenge - otherwise it wouldn't be worth our time 

[Craig Balding]

Wow, you've covering a lot of ground there .  I'll pick up on a few of your points:

- prevention/detection: I'm a firm believer that prevention always fails.  I'm a fan of the survivability concept: figure out how to continue operations in the face of a determined adversary to a level you need to continue operating your business.  But that's easier said than done as it requires senior level management to buy into the concept and potentially restructure operations to allow that.  The need for detection is critical in this arrangement as that is the basis for making operational decisions about what you turn off/live without.  Ultimately, if I had severe resource constraints I would go for slightly better than "proven practice" and invest the rest in detection AND response capabilities
- I keep loosely follow other IaaS providers offerings and I have to say they *really* vary.  There is probably some handy comparison matrix somewhere that differentiates the service offerings/cost.  If there is, I haven't found it yet (and no, I'm not volunteering to .  There is no 'standard' as such (Amazon is the defacto standard in terms of API) and I haven't found the "perfect" IaaS provider for my needs (Vmware images with suspend support where I don't get charged for offline time)
- the issue of AMI (generically VM) images is pretty darn important and only occasionally raised.  Amazon recommends you use their AMIs (where the bundler is marked as Amazon) for testing AWS.  Then when you know what OS features you really need, build your own.  There's a market emerging for trusted images (of course you ultimately have to trust someone, even if its your own people).  Sensepost built an image with a phone home capability and managed to get it on the top page of the default list of AMIs.  Their webserver logs revealed quite a few people booted that image .  I think the risks are pretty obvious here but we know that people generally choose convenience over security so expect to hear the odd horror story of zombified AMIs going forward

Cheers, good thread.

[ade]

WOW what a great thread and then it just died about a year ago (or is the timestamp wrong on the server?!)
This has been great reading, but as a real noob (you guys are an additional year in to this now!) I have a question
or two please.

Are all cloud providers using VMs?
Has there been much progress on all this in the last year?
What sort of incident were you thinking of with your IR? 
What if the image was tampered with at the source?
Are the cloud providers open to discussion and providing assistance with IR?

Thanks for the edification guys,
Adrian

[Tomasz Miklas]

Just quick answers to above questions - at least from my point of view

Are all cloud providers using VMs?
Haven't seen any that wouldn't do so... otherwise they would have to deliver so many physical machines that it couldn't cost what it costs right now. They have to provide some separation between clients so you go VM or separate hardware ($$$$$$$$)
Has there been much progress on all this in the last year?
I didn't have time to continue this project - life took over
What sort of incident were you thinking of with your IR?
Take even the very simple and common case - somebody gets access to the OS via bug in the web app... drops to shell, installs rootkits, owns you beyond repair.
What if the image was tampered with at the source?
That's exactly what can happen... compute instances are destroyed when not used - tampered or destroyed isn't much difference in this case - that is if I understand your question properly
Are the cloud providers open to discussion and providing assistance with IR?
Don't know personally, I never tried that.

[ade]

thanks for that.  You confirmed a few things that I couldn't find explicitly stated.
Will see what I can find re IR, but given our discussion in the legal thread, I think this is going to be a huge can of worms

[Tomasz Miklas]

I wish we finish with one and not more cans... but in fact unless 'clouds' get implemented according to some common standards (there is a few initiatives but focus mostly on cooperation, resolving vendor lock-in, etc) then as incident responder you never know what you get to work with - I can easily imagine, that in some situations you will not be able to take snapshot of the running instance because the platform may not (yet) support it or will support but not in a way that would let you have any meaningful evidence to take to forensics guys.

To do proper IR and forensics (which IMHO should be step 2) the process have to be repeatable, it can't be hit or miss. It has to work in all environments and not be a matter of luck (luckily those sectors were not overwritten although the offending process was killed, etc). If you take evidence off the running system and don't image RAM then you are ultimately destroying evidence - it's a fact.
Now how about taking RAM snapshot on a system that for some reason gets migrated when it happens - all of RAM is dumped via network to another node and instance continues there... your acquisition process was migrated as well but can you be sure, that the RAM image on the new host is matching the initial one? What happened with 'unallocated' memory - was it shaved off to save on data transfer and speed up migration time?

Sometimes I think that whoever nails this properly will have a great business case

[ade]

all great stuff.  Re unallocated space, I would imagine that the image itself being a file on a server would include the unallocated space when moved.  I would suggest that the RAM would be the last thing on the mind of the admin who moves, destroys, etc an image.  Afterall, why would the end user want the clipboard moved as well!?

Let's hope that the can or worms is restricted nice and early by a bit of international co-operation and definitions of IR policies!

When yuo finish your current project, maybe you could start up such an organisation

[Tomasz Miklas]

Yes, starting 'cloud IR' business would be surely fun - you could have clients like Sony and similar (although they got owned not because of cloud but because they clearly don't know what they do - as proven by consecutive breaches).

International co-op? Not really... vendors have to talk together and take input from IR/Forensics community and there are no such thing as policies there, at best you get 'best practices' but in the heat of action many of us make silly mistakes (myself included) and it's not as good as it could be.

HINT:
Not entirely cloud related but... Using VMware's vMotion to migrate guest to another host all of RAM is sent over... including text that is on the screen (like terminal window) and if you sniff the cable, you can read the text from memory dump :-P
I actually consider it a feature - migrate machine to sniff and do RAM capture (not easy but doable), then take HDD snapshot and process separately.

[ade]

now that last bit was very very interesting.  That's the MOTD now!
(mission of the day now that match of the day is over!)
Found your website and twitter name. What is it that you do Tomasz?

[TylerFarell]

Cloud hosted network server for a very small amount of money, Even if it offers an affordable amount, cloud hosting can accord your business website to reach all locations of the world.

_______________________________
Best Place for Cloud Computing Information