Conducting Cloud Incident Response

Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment,

What Is This

The "Conducting Cloud Incident Response" skill for Happycapy enables technical teams to efficiently and effectively respond to security incidents in public cloud environments such as AWS, Azure, and GCP. This skill focuses on the unique requirements of cloud-native incident response (IR), including identity-based containment, analysis of cloud-native logs, resource isolation, and forensic evidence acquisition that is tailored to the dynamic and ephemeral nature of cloud infrastructure. It is particularly designed for scenarios involving compromised cloud identities, unauthorized cloud resource modifications, and attacks that leverage cloud service APIs or cloud-native services.

Why Use It

Traditional incident response practices often fall short in cloud environments due to the abstraction of infrastructure, rapid resource provisioning, and pervasive use of identity and access management (IAM). The "Conducting Cloud Incident Response" skill addresses these challenges by:

  • Enabling rapid identification and containment of compromised cloud identities, such as leaked AWS access keys or Azure service principals.
  • Leveraging cloud-native audit logs (e.g., AWS CloudTrail, Azure Activity Logs, GCP Audit Logs) for precise detection and investigation of malicious activity.
  • Supporting resource isolation techniques that minimize business disruption while preventing further attacker actions.
  • Facilitating forensic acquisition of volatile and distributed evidence, which is often lost if not captured quickly in the cloud.
  • Following established practice and mapping observed activity to frameworks such as NIST CSF and MITRE ATT&CK (e.g., T1078: Valid Accounts, T1537: Transfer Data to Cloud Account), so that findings are reported in a vocabulary other teams and auditors already use.

Using this skill ensures that incident responders follow a cloud-adapted workflow, reducing the risk of incomplete containment, evidence loss, or compliance violations.

How to Use It

1. Preparation

  • Ensure that cloud-native logging is enabled and centrally collected: an organization CloudTrail trail covering all regions (plus S3 and Lambda data events where those assets matter), Azure Activity Logs together with Microsoft Entra ID sign-in and audit logs, and GCP Cloud Audit Logs, remembering that GCP Data Access audit logs are disabled by default for most services.
  • Establish IR-specific IAM roles with least-privilege permissions for investigation and containment activities.
  • Document and test resource isolation playbooks for critical cloud assets.

2. Detection and Triage

  • Monitor for alerts from Cloud Security Posture Management (CSPM) tools, Amazon GuardDuty, Microsoft Defender for Cloud (formerly Azure Security Center), or GCP Security Command Center.
  • Review cloud audit logs for suspicious API calls such as CreateUser, CreateAccessKey, AttachRolePolicy, UpdateAssumeRolePolicy, or UpdateLoginProfile, for bursts of AccessDenied errors (permission enumeration), and for logins or API calls from unfamiliar locations.

Example: Querying AWS CloudTrail for suspicious activity using AWS CLI

# lookup-events searches only the last 90 days of management events in one region.
# IAM and STS are global services whose events are recorded in us-east-1; for
# longer history, query the trail's S3 bucket with Athena.
aws cloudtrail lookup-events \
  --region us-east-1 \
  --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser \
  --start-time 2024-06-01T00:00:00Z \
  --end-time 2024-06-08T23:59:59Z

3. Identity-Based Containment

  • Immediately deactivate or revoke compromised credentials (access keys, passwords, OAuth tokens, and in Azure the service principal's secrets and certificates).
  • Deactivating a long-term key does not invalidate temporary credentials already issued for a role: attach an inline deny policy conditioned on aws:TokenIssueTime (what the IAM console's "Revoke active sessions" action does) so that sessions issued before the cut-off stop working.
  • Remove suspicious permissions from impacted IAM users, roles, or service principals, and hunt for persistence the attacker may have added (new users or keys, modified role trust policies, new OAuth application consents).
  • Rotate credentials and enforce MFA for all privileged accounts.

Example: Disabling an AWS IAM user's access keys

# Enumerate every key first (a user can have two), then deactivate rather than
# delete so the key ID stays available for log correlation:
#   aws iam list-access-keys --user-name compromised-user
aws iam update-access-key \
  --user-name compromised-user \
  --access-key-id AKIAEXAMPLE \
  --status Inactive
# Console access: aws iam delete-login-profile --user-name compromised-user
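The two halves of identity containment, deactivating long-term keys and revoking already-issued role sessions, are easy to get wrong in the heat of an incident, so here is an added example (not the Happycapy skill's own code) that assembles both as a reviewable plan before anything is applied. It takes constructed `aws iam list-access-keys` output, decides which keys are still Active, and builds the inline deny policy the IAM console attaches under the name AWSRevokeOlderSessions. The apply step uses boto3 and an IR session with IAM permissions and is not exercised here; `compromised-user`, `ops-admin` and the key IDs are placeholders.

```python
"""Containment plan for a compromised AWS IAM user and the roles it could assume.

Added example, not code from the Happycapy skill. Input is constructed
`aws iam list-access-keys` output; user, role and key names are placeholders.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone


def revoke_sessions_policy(cutoff: datetime) -> dict:
    """Deny all actions to sessions whose STS token was issued before `cutoff`.

    aws:TokenIssueTime exists only for temporary credentials, so this policy
    never matches long-term access keys; those are handled by keys_to_deactivate.
    """
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware")
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def keys_to_deactivate(list_access_keys_output: dict) -> list[str]:
    """Return the Active key IDs from `aws iam list-access-keys` JSON output."""
    return [k["AccessKeyId"]
            for k in list_access_keys_output.get("AccessKeyMetadata", [])
            if k["Status"] == "Active"]


def build_plan(user_name: str, list_access_keys_output: dict,
               roles: list[str], cutoff: datetime) -> dict:
    """Assemble the containment actions as data so they can be reviewed and logged first."""
    return {
        "deactivate_keys": [(user_name, kid) for kid in keys_to_deactivate(list_access_keys_output)],
        "delete_login_profile": user_name,
        "revoke_role_sessions": {role: revoke_sessions_policy(cutoff) for role in roles},
    }


def apply_plan(plan: dict, session=None) -> list[str]:
    """Execute the plan with boto3 (imported here so the module loads without it)."""
    import boto3  # needs an IR session allowed iam:UpdateAccessKey, iam:DeleteLoginProfile, iam:PutRolePolicy

    iam = (session or boto3.Session()).client("iam")
    done = []
    for user, kid in plan["deactivate_keys"]:
        iam.update_access_key(UserName=user, AccessKeyId=kid, Status="Inactive")
        done.append(f"deactivated {kid}")
    try:
        iam.delete_login_profile(UserName=plan["delete_login_profile"])
        done.append("deleted login profile")
    except iam.exceptions.NoSuchEntityException:
        pass  # the user had no console password
    for role, doc in plan["revoke_role_sessions"].items():
        iam.put_role_policy(RoleName=role, PolicyName="AWSRevokeOlderSessions",
                            PolicyDocument=json.dumps(doc))
        done.append(f"revoked sessions on {role}")
    return done


# Constructed `list-access-keys` output and cut-off time for the placeholder user.
SAMPLE_KEYS = {"AccessKeyMetadata": [
    {"UserName": "compromised-user", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active"},
    {"UserName": "compromised-user", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Inactive"},
]}
CUTOFF = datetime(2024, 6, 8, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    plan = build_plan("compromised-user", SAMPLE_KEYS, ["ops-admin"], CUTOFF)
    print(json.dumps(plan, indent=2))  # review, then apply_plan(plan) under an IR session
```

Keep the cut-off a minute or two after the last legitimate activity you can vouch for: everything issued before it, including the responder's own earlier sessions on that role, is denied until the inline policy is removed.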

4. Resource Isolation

  • Isolate affected compute resources (EC2, Azure VMs, GCP Compute Instances) by removing them from load balancers and swapping their security groups or firewall rules for a quarantine group that permits no inbound or outbound traffic (a newly created AWS security group still carries a default allow-all egress rule that must be revoked).
  • Before isolating, enable termination protection and, if the instance belongs to an Auto Scaling group, move it to Standby; otherwise the group will replace an instance that fails health checks and destroy the evidence.
  • Do not stop or terminate the instance until memory and disk have been captured (step 6); a stopped instance loses its memory contents and any instance-store volumes.
  • Apply deny-all policies or network ACLs to restrict outbound and inbound traffic during analysis.

Example: Detaching an EC2 instance from its load balancer

# Classic Load Balancer shown; for ALB/NLB target groups use:
#   aws elbv2 deregister-targets --target-group-arn <target-group-arn> --targets Id=i-0123456789abcdef0
aws elb deregister-instances-from-load-balancer \
  --load-balancer-name my-load-balancer \
  --instances i-0123456789abcdef0

5. Cloud-Native Log Analysis

  • Aggregate and correlate logs to reconstruct attacker activity as a per-identity timeline, following role assumptions (AssumeRole events) across accounts.
  • Focus on identity-related events, resource creation/deletion, and privilege escalation attempts, and compare what the logs say was changed with the current state of the environment.

Example: Listing current Owner role assignments with Azure Resource Graph (Search-AzGraph queries resource state, not the Activity Log; the historical "who granted this" events live in the AzureActivity table of Log Analytics under the operation MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE)

# roleDefinitionId is a resource path ending in the role's GUID, not the role name; 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 is the built-in Owner role
Search-AzGraph -Query "authorizationresources | where type =~ 'microsoft.authorization/roleassignments' | where tostring(properties.roleDefinitionId) endswith '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' | project id, properties.principalId, properties.principalType, properties.scope, properties.createdOn"
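The triage rules from step 2 and the timeline reconstruction from step 5 are the same pass over the same records, so the following added example (not code from the Happycapy skill) does both over a handful of constructed CloudTrail records. Field names follow the CloudTrail record schema (eventTime, eventSource, eventName, sourceIPAddress, errorCode, userIdentity, requestParameters); the corporate egress range, the list of persistence-related IAM calls and the AccessDenied threshold are assumptions to be tuned per environment. It also handles the case CloudTrail's own records create: sourceIPAddress holds a service name rather than an IP for service-originated calls.

```python
"""Triage CloudTrail records for identity-abuse indicators and build per-identity timelines.

Added example, not code from the Happycapy skill. SAMPLE_RECORDS are constructed;
KNOWN_NETWORKS, PERSISTENCE_EVENTS and ACCESS_DENIED_THRESHOLD are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# IAM write calls that typically indicate persistence or privilege escalation.
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "CreateRole",
}
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress
ACCESS_DENIED_THRESHOLD = 3  # denials per identity before it is flagged as probing


def is_external(source: str) -> bool:
    """True for an IP outside KNOWN_NETWORKS. Service-originated records carry a
    service name ('cloudtrail.amazonaws.com', 'AWS Internal') instead of an IP."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(addr in net for net in KNOWN_NETWORKS)


def actor(record: dict) -> str:
    """Stable key for the caller: the principal ARN (users and role sessions) or service."""
    ui = record.get("userIdentity", {})
    return ui.get("arn") or ui.get("invokedBy") or ui.get("principalId", "unknown")


def triage(records: list[dict]) -> dict:
    """Return {'findings': [...], 'timeline': {actor: [(time, source, event, error)]}}."""
    findings: list[dict] = []
    timeline = defaultdict(list)
    denied = defaultdict(int)

    for r in sorted(records, key=lambda rec: rec["eventTime"]):
        who = actor(r)
        err = r.get("errorCode")
        timeline[who].append((r["eventTime"], r["eventSource"], r["eventName"], err))
        if err == "AccessDenied":
            denied[who] += 1
            continue  # a denied call changed nothing, but the attempt is still evidence
        if r["eventName"] == "ConsoleLogin" and is_external(r["sourceIPAddress"]):
            findings.append({"kind": "external_console_login", "actor": who,
                             "ip": r["sourceIPAddress"], "time": r["eventTime"]})
        if r["eventSource"] == "iam.amazonaws.com" and r["eventName"] in PERSISTENCE_EVENTS:
            params = r.get("requestParameters", {})
            findings.append({"kind": "iam_persistence", "actor": who, "event": r["eventName"],
                             "target": params.get("userName") or params.get("roleName"),
                             "policy": params.get("policyArn"), "time": r["eventTime"]})

    for who, n in denied.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            findings.append({"kind": "access_denied_burst", "actor": who, "count": n})
    return {"findings": findings, "timeline": dict(timeline)}


ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_RECORDS = [  # constructed: a leaked console login creates a backdoor user key
    {"eventTime": "2024-06-07T09:12:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23", "userIdentity": ALICE},
    {"eventTime": "2024-06-07T09:15:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23",
     "userIdentity": ALICE, "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-06-07T09:16:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.23", "userIdentity": ALICE,
     "requestParameters": {"userName": "backup-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    *[{"eventTime": f"2024-06-07T09:2{i}:00Z", "eventSource": "secretsmanager.amazonaws.com",
       "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.23", "errorCode": "AccessDenied",
       "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/backup-svc"}}
      for i in range(3)],
    {"eventTime": "2024-06-07T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops-ro/jsmith"}},
    {"eventTime": "2024-06-07T08:30:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "PutEvaluations", "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}},
]

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for f in result["findings"]:
        print(f)
    for who, events in result["timeline"].items():
        print(who, [e[2] for e in events])
```

On the sample the pass yields four findings (the external console login, the two IAM persistence calls against backup-svc, and the AccessDenied burst from the new key) and a timeline for each of the four identities, with the Config service record attributed to the service rather than dropped. In production, feed it the records from the trail's S3 bucket or an Athena export rather than lookup-events, and extend `actor` to follow `sessionIssuer` so role sessions are tied back to the user who assumed them.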

6. Forensic Evidence Acquisition

  • Snapshot affected virtual machine disks (EBS snapshots, Azure Managed Disks, GCP Persistent Disks) before shutting down instances; capture memory first where the environment allows it, since stopping or terminating an instance discards it. For multi-volume EC2 instances, aws ec2 create-snapshots with --instance-specification snapshots all attached volumes at the same point in time.
  • Record the instance's metadata (describe-instances output, attached IAM role, tags, security groups) and hash exported artifacts at acquisition time.
  • Export and preserve logs, memory dumps, and configuration states in a dedicated forensic account or storage location that the compromised identities cannot reach.

Example: Creating an EBS snapshot of a compromised EC2 instance

# Snapshot while the instance is still running (crash-consistent) so memory can be
# captured first; tag with the case ID so the evidence is findable and not auto-cleaned.
aws ec2 create-snapshot \
  --volume-id vol-0123456789abcdef0 \
  --description "Incident response snapshot" \
  --tag-specifications 'ResourceType=snapshot,Tags=[{Key=Case,Value=IR-2024-0001}]'

When to Use It

Activate this skill in the following scenarios:

  • Detection of unauthorized changes to cloud resources or suspicious API activity.
  • Suspected compromise or misuse of cloud identity credentials.
  • Discovery of unauthorized compute instances, storage buckets, or IAM modifications.
  • Cloud-hosted applications exhibit signs of breach impacting multiple services.
  • Requests involving cloud incident response, AWS security incidents, Azure compromise, GCP breach, cloud forensics, or cloud identity compromise.

Do not use this skill for incidents limited to traditional on-premises systems without a cloud component - in such cases, follow standard enterprise IR procedures instead.

Important Notes

  • Cloud environments are highly dynamic and resources may be ephemeral. Evidence acquisition must be prioritized, as logs or instances may disappear quickly.
  • Always use least-privilege permissions for incident response activities to avoid accidental data exposure or privilege escalation.
  • Ensure all actions are logged and documented for compliance and potential legal review.
  • Regularly review and test cloud IR playbooks to ensure readiness for real-world incidents.
  • Be aware of provider-specific nuances in IAM, logging, and resource isolation techniques.
  • Familiarize your team with NIST CSF and MITRE ATT&CK mappings relevant to cloud incident response.

By integrating this skill into your incident response workflows, you enhance your organization’s ability to contain, investigate, and remediate cloud-native threats in AWS, Azure, and GCP environments.