Sometimes you don’t know what you don’t know until you get your hands dirty.

When I took responsibility for producing an automated cloud solution, my first step was mapping my skills to available toolsets. Unfortunately, few of those tools were mature, which meant I had to create an initial build roadmap with incomplete knowledge on how to best perform forensics in the cloud … and then rewrite portions of code to fill in previous unknowns.

Today, I’m hoping to save you some time and effort by sharing lessons learned.

Depending on the engagement, my team — the people from Accenture’s Security, Cyber Investigation and Forensics Response (CIFR) — traditionally works in three digital forensics ‘zones.’ We either 1) use a client’s infrastructure and tools, 2) copy data to an off-domain incident response (IR) workstation or 3) copy data to an IR team’s physical lab.

Lately, though, we’ve increasingly been performing forensics in the cloud, which provides many advantages. As I found out, it also takes considerable forethought.

For teams new to forensics in the cloud, keep the following in mind.

Common questions and considerations

How does the data’s location affect formally commencing an investigation?

Data sources can exist anywhere — the client’s physical location, its cloud provider, or even on portable media — with each posing varying levels of retrieval difficulty. For an IR consultant who is onsite with the client, it may be as easy as, “I’m local to my data.” But many consultant teams can be offsite and scattered globally. What’s important is that no matter their location, all consultants need access to the same data. Therefore, consider the following questions:

  • Is source-to-target throughput, and the saturation of the link, in line with delivery expectations? Can your collection process tolerate a high-latency, low-throughput source connection? Throughput is a concern in countries where infrastructure is still maturing. Your clients may be in big cities, but would a one-off, out-of-region job throw off your entire plan?
  • Do privacy or data-residency controls prohibit transferring data across national borders? Does a cross-region transfer incur an unexpected cloud egress fee?

What are the new deployment requirements?

There are several things to keep in mind here that involve both technical and non-technical staff.

  • Who: Can junior or non-technical staff deploy resources? Can analysts maximize their billable time by minimizing infrastructure efforts?
  • What: Is a deployment repeatable and consistent, and does it remove opportunities for human error? Can it serve multiple clients while keeping each fully segmented from the others? Has your IR procedure been tested to confirm that it logs its own actions? Can you follow an artifact from acquisition to destruction, that is, maintain chain of custody? Are client and consultant credentials kept off-host and protected?
  • When: Can you provision resources within a few hours?
  • Where: Is the solution geo-agnostic, meaning can you deploy to any region without special considerations? When answering this, never rely on theoretical throughput; measure it from the regions you expect to serve.
  • How: Can every type of investigation still be run when a third-party forensic tool requires a hardware license dongle, which cannot be plugged into a cloud host?

Don’t forget resource management

Cloud or not, resource management is important. Consider what your current IT solutions can address. For example, are you:

  • Ensuring there is enough prepared hardware to support current and burst demands?
  • Aware of how accessible your sensitive data stores are, which hosts are used to access them, and what mitigations are in place to restrict that access?
  • Minimizing attack surface and restricting access to those with a need to know?
  • Watching your resource inventory to ensure new hosts adopt the required policies?
  • Ensuring accurate billing for each engagement?
  • Monitoring host logs for malicious activity?
  • Gathering proper metrics for audit purposes?
  • Destroying unneeded resources for cost control and data compliance?
  • Able to prove to your clients that retrieved artifacts are deleted?

Cloud deployments can answer all these questions, but those answers are not turnkey.
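As an added example (not code from the original post, nor CIFR’s own tooling), the following Python script shows one way to answer two of the checklist items above, “Can you follow the artifact?” and “Can you prove retrieved artifacts are deleted?”. It is a hash-chained custody ledger that records the SHA-256 of each artifact when it is acquired, verified and destroyed, and it detects both modification of the artifact and modification of the ledger itself. The engagement identifier, actor, sample file and ledger field names are constructed for the example and are not a standard format.

```python
"""Added example (not from the original post): a minimal, hash-chained
evidence-custody ledger. Field names, engagement ID and sample data are
constructed for illustration, not a standard or Accenture's tooling."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024
GENESIS = "0" * 64  # 'prev' value carried by the first ledger entry


def sha256_file(path):
    """Stream a file through SHA-256 so large disk/memory images fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(body):
    """Canonical hash of one ledger entry (all fields except entry_hash)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Append-only log; each entry carries the hash of the previous entry."""

    def __init__(self, engagement, actor):
        self.engagement = engagement
        self.actor = actor
        self.events = []

    def _append(self, event, path, digest, **extra):
        entry = {
            "engagement": self.engagement,
            "actor": self.actor,
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "artifact": str(path),
            "sha256": digest,
            "prev": self.events[-1]["entry_hash"] if self.events else GENESIS,
            **extra,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.events.append(entry)
        return entry

    def acquire(self, path, source):
        """Record the artifact's hash at the moment it enters custody."""
        return self._append("acquired", path, sha256_file(path), source=source)

    def verify(self, path):
        """Re-hash the artifact and compare with its acquisition record."""
        recorded = next((e["sha256"] for e in reversed(self.events)
                         if e["event"] == "acquired" and e["artifact"] == str(path)), None)
        current = sha256_file(path)
        ok = recorded is not None and current == recorded
        self._append("verified", path, current, matches_acquisition=ok)
        return ok

    def destroy(self, path):
        """Hash, delete, then record that the file is gone (deletion evidence)."""
        digest = sha256_file(path)
        os.remove(path)
        return self._append("destroyed", path, digest,
                            exists_after=os.path.exists(path))

    def chain_ok(self):
        """Detect any edited, reordered or removed entry."""
        prev = GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo(workdir=None):
    """Walk one constructed artifact through acquire -> verify -> tamper -> destroy."""
    workdir = Path(workdir or tempfile.mkdtemp())
    art = workdir / "host01-memory.raw"  # constructed sample, not a real image
    art.write_bytes(b"CONSTRUCTED SAMPLE, not a real memory image\n" * 1000)

    led = CustodyLedger(engagement="ENG-0001 (hypothetical)", actor="analyst@example.test")
    led.acquire(art, source="constructed local file")
    intact = led.verify(art)
    with open(art, "ab") as f:          # simulate an accidental modification
        f.write(b"x")
    tampered_detected = not led.verify(art)
    led.destroy(art)

    results = {"intact": intact, "tampered_detected": tampered_detected,
               "deleted": not art.exists(), "chain_ok": led.chain_ok()}
    led.events[1]["actor"] = "someone-else"  # now tamper with the ledger itself
    results["ledger_tamper_detected"] = not led.chain_ok()
    return led, results


if __name__ == "__main__":
    ledger, summary = demo()
    print(json.dumps(ledger.events, indent=2))
    print(summary)
```

Run it directly to print the ledger as JSON. In a real deployment the ledger would be written to an append-only store that lives off the analysis host, with each entry signed by the collecting consultant’s key, so the record that an artifact was acquired, verified and destroyed cannot be silently rewritten by whoever has access to the host.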

For more information, please contact a member of our CIFR team 24/7/365 by phone 888-RISK-411 or email CIFR.hotline@accenture.com.

 

About Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions – underpinned by the world’s largest delivery network – Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 425,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.

This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.

Copyright © 2020 Accenture. All rights reserved. Accenture and its logo are trademarks of Accenture.

Next in this three-part series on how to implement and get the most from cloud-based cybersecurity forensics:

  • Part two: Suggested steps for a turnkey deployment of cloud-based forensics
  • Part three: Want cloud-based forensics? Consider these technical tips from the trenches.

Mark McCurdy

Security Analyst
