See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/312183828

Cloud incident response model

Conference Paper · October 2016

DOI: 10.1109/EWDTS.2016.7807665

CITATIONS READS

2 75

2 authors:

Alexander Adamov Anders Carlsson

Kharkiv National University of Radio Electronics Blekinge Institute of Technology
13 PUBLICATIONS   33 CITATIONS    26 PUBLICATIONS   148 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Nioguard Security Lab View project

EU Tempus ENGENSEC View project

All content following this page was uploaded by Alexander Adamov on 14 June 2021.

The user has requested enhancement of the downloaded file.

 Cloud Incident Response Model
Alexander Adamov
NioGuard Security Lab,
Kharkiv National University of Radio
Electronics
[email protected]
Abstract
This paper addresses the problem of incident
response in clouds. A conventional incident response
model is formulated to be used as a basement for the
cloud incident response model. Minimization of
incident handling time is considered as a key criterion
of the proposed cloud incident response model that can
be done at the expense of embedding infrastructure
redundancy into the cloud infrastructure represented
by Network and Security Controllers and introducing
Security Domain for threat analysis and cloud
forensics. These architectural changes are discussed
and applied within the cloud incident response model.
1. Introduction
The growing popularity of cloud technologies with
an increased degree of virtualization rises new
challenges for the investigation of cyberattacks and
early incident response. The modern cloud architecture
dictates the requirements for the forensic investigation
and incident response model such as being scalable,
elastic, easy to integrate - integration with data plane,
and easy to manage - integration with control plane. It
is just a matter of time when an organization will be
compromised. Therefore, it is essential to develop an
incident response model taking in consideration IT
infrastructure of an organization at the design stage
when a cloud is to be deployed.
2. State of the Problem
Current incident response guidelines NIST 800-61
[1], ISO 27035 [2], and SANS’s Incident Handler's
Handbook [3] are comprehensive but they do not take
into account complexity of cloud environments in their
recommendations. The incident response model for
978-1-5090-0693-9/16/$31.00 ©2016 IEEE
Anders Carlsson
Blekinge Institute of Technology,
[email protected]
clouds must consider cloud-related features such as
distributed computing, high availability, and network
function virtualization to be efficient. Efficiency of the
model can be estimated based on time criteria.
Early threat discovery and fast incident response are
security challenges for an organization. The goal
function in such case is to minimize both time since
infection till threat discovery (TD) and incident
handling time (IH) since threat discovery till
remediation and prevention making the whole incident
response process more efficient.
Z = min[T(TD)] + min[T(IH)] (1)
This expression states two type of security problems:
● early threat discovery,
● fast incident response
To address fast incident response problem, the
incident response model is used to organize all
mitigation, investigation, and remediation activities in
an efficient way.
3. Conventional Incident Response Model
Let us formulate the main steps of the conventional
incident response model based on NIST 800-61 [1],
ISO 27035 [2], SANS’s Incident Handler's Handbook
[3], Common Incident Response model [4], and Agile
Incident Response model [5].
1. Preparation
a. creation of an incident response team
(IRT)
b. development of the incident response
strategy
2. Discovery. A security scanner (IDS, firewalls,
or sandbox) or an operator triggers a security
alert.
3. Containment. Limiting damage caused by the
incident.
 4. Investigation
a. data collection including forensic
image duplication
b. threat analysis using collected data to
create a report with information
about penetration, payload,
remediation, and prevention
specifying indicators-of-compromise
(IoCs).
c. information losses such as stolen
password, keys, certificates, and
other confidential information if any
5. Remediation
a. Remediation recommendations
created by IRT include:
i. removal of malicious code
and signs of its presence on
the infected hosts
ii. changing compromised
password, keys, certificates
b. Recovering hosts or/and network
devices from backups
c. Scan the recovered hosts, and
networks
d. Get back recovered hosts, and
networks to operation.
6. Prevention. IRT also describes incident
prevention steps, for example:
a. revision of enabled protocols
b. install security updates to address
vulnerabilities
c. update IDS, firewalls, and sandbox
with new rules based on mined IoCs
7. Lessons learned
4. Minimizing Incident Handling Time
The incident response model must be optimized to
minimize the incident handling time - an interval
between the moment when an attack is discovered (D)
and the moment when the attack is responded (R):
Z = min[T(IH)] = min[t(R) - t(D)] (2)
Minimizing incident handling time implies reducing
time at every step of the incident response procedure
since the security issue has been discovered. Let us
denote every stage of the incident response procedure
as:
● D - discovery;
● I - investigation;
● A - analysis;
● R - remediation;
● P - prevention.
It should be noted, that the incident handling time
does not include Preparation and Lessons learned
stages of the incident response procedure in this model.
Thus, the formula (2) turns into:
Z = min[T(IH)] = min[T(D) + T(I) + T(A) +
+T(R) + T(P)] = min[T(D)] + min[T(I)] + (3)
+min[T(A)] + min[T(R)] + min[T(P)]
This formula must be taken into consideration when
developing the time effective cloud incident response
model. The time reduction can be done at the expense
of introduction of new architectural elements such as
management and threat analysis infrastructure
embedded into the cloud.
5. Cloud Incident Response Model
In cloud environment the following issues arise
during incident handling:
● Security alerts aggregation and notification
(Discovery)
● Security policy management (Containment,
Prevention)
● Network reconfiguration (Containment,
Investigation)
● Data collection (Investigation)
● Scanning hosts, VMs, networks (Discovery,
Remediation)
● Running remediation and recovery scripts on
all nodes (Remediation)
● Changing passwords, keys, certificates for
compromised services (Remediation)
● Applying security updates on all nodes
(Prevention)
● Updating security tools with new rules
(Prevention)
To address them the following architectural
elements should be added to the cloud environment,
which will help to reduced incident handling time:
● Logging, monitoring, alerts (LMA) module
(Discovery)
● Software Defined Network (SDN) Controller
for easy network reconfiguration
(Containment, Investigation)
● Network Function Virtualization (NFV) for
easy security policy management, scanning
networks (Discovery, Containment,
Prevention, Remediation)
● Security Controller to manage security
policies, updates, passwords, keys, and
certificates. (Remediation, Prevention)
 Security Domain is a collection of forensic
● 6.
and threat analysis tools to be used for
collection and analysis of incident-related data
(Investigation). Security Domain may include
a network sniffer, IDS/IPS, a sandbox
It is essential to design a cloud environment with the
aforementioned elements that will help further to run
incident response smoothly with significant time and
IRT efforts reduction.
So, the cloud incident response model is as follows:
1. Preparation
a. creation of an incident response team
(IRT)
b. development of the incident response
strategy
c. enablement of SDN and NFV in the
cloud environment
d. creation of Security Controller
e. creation of Security Domain
2. Discovery. A security scanner (IDS, firewalls,
or sandbox) or an operator triggers a security
alert through the LMA module.
3. Containment. Limiting damage caused by the
incident by switching the compromised VM,
host, or network to Security Domain using
Security Controller.
4. Investigation
a. data collection including forensic
image duplication using Security
Domain via the cloud control plane
b. threat analysis within of Security
Domain.
c. information losses
5. Remediation
a. Remediation recommendations
created by IRT include:
i. removal of malicious code
and signs of its presence on
the infected hosts through
Security Controller by
running curing scripts
ii. changing compromised
password, keys, certificates
using Security Controller
b. Recovering hosts or/and network
devices from backups using the cloud
control plane
c. Scanning the recovered hosts, and
networks initiated by Security
Controller
d. Get back recovered hosts, and
networks to operation using the cloud
control plane
View publication stats
Prevention. IRT also describes incident
prevention steps, for example:
a. revision of enabled protocols through
Security Controller
b. install security updates to address
vulnerabilities through Security
Controller
c. update IDS, firewalls, and sandbox
with new rules based on mined IoCs
through Security Controller
7. Lessons learned
6. Conclusion
In this paper the problem of cloud incident response
was stated. The conventional and cloud incident
models were presented with an emphasis on
architectural redundancy needed to be embedded into
the cloud environment as a payment for incident
response time reduction. Namely, SDN enablement
with NFV support, extending the cloud control plane
with Security Controller, and introducing Security
Domain with threat analysis and forensic tools. The
main part of the cloud incident response model is
embedding security controls and tools into the cloud
environment and providing flexibility in network and
security management.
7. References
[1] Computer Security Incident Handling Guide, NIST 800-
61, Sep 2016,
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S
P.800-61r2.pdf
[2] Information security incident management (ISO/IEC
27035-1:2016), Sep 2016
https://www.iso.org/obp/ui/#iso:std:iso-iec:27035:-1:ed-
1:v1:en
[3] Incident Handler's Handbook, SANS Institute, Sep 2016,
https://www.sans.org/reading-
room/whitepapers/incident/incident-handlers-handbook-
33901
[4] Felix C. Freiling, Bastian Schwittay, A Common Process
Model for Incident Response and Digital Forensics, IMF
2007, Stuttgart, September 2007, http://www.imf-
conference.org/imf2007/2%20Freiling%20common_model.p
df
[5] G. Grispos, W. B. Glisson, T. Storer, Rethinking Security
Incident Response: The Integration of Agile Principles, Sep
2016, https://arxiv.org/ftp/arxiv/papers/1408/1408.2431.pdf