BluSapphire
  • 01_Introduction
  • 02_Unified Cyber Defense Platform
  • 03_The Stack
  • 04_Features and capabilities
  • 05_Operations
  • 06_Architecture
    • Architecture - Version 3
    • Architecture - Version 4
  • 07_Integration
    • Cisco pxGrid Integration
    • Threat Intel Sources
  • 08_Use cases
    • SIGMA Rules
      • SIGMA Detection Attributes
      • Understanding SIGMA Rule
      • Creating SIGMA Rule
  • 09_CaseHub
    • Events
    • Cases
      • Case-Templates
    • Event-Rules
    • Reflex Query Language (RQL)
    • Input Configuration
      • Credentials
      • Agents
      • Field Templates
  • 10_Active-Defense-Services
    • Services (ADS - LIADS)
      • Network Services
      • Database Services
      • Web-Apps
    • Tokens (ADS - Tokens)
  • 11_Data-Pipeline-Manager (DPM)
    • Basic Concepts
    • Getting Started
  • 12_Deployment / Log Forwarding
    • Log Forwarding (on-prem) - How To
      • Fortimanager
      • Fortinet
      • Cisco ASA with FirePOWER services
      • Cisco ASA
      • Cisco VPN 3000 Concentrator
      • Cisco IOS Switch
      • Cisco ASA using ASDM
      • Cisco Router
      • Cisco Sourcefire
      • Cisco Ironport
      • Cisco Nexus Switch
      • Cisco VPN Concentrator
      • NetScreen Firewall
        • Configure/Enable Syslog Messages for Netscreen Firewall device using CLI Console:
      • Palo Alto Firewalls
        • Configure Syslog Monitoring
        • Configure a Syslog server profile
        • Create a log forwarding profile
        • Configure security policy rule action as log forwarding
        • Configure syslog forwarding for System, Config, HIP Match, and Correlation logs
      • Juniper
        • Using J-Web
        • Using CLI
        • Using J-Web
        • Using CLI
        • Configuring to send Syslog Messages directly from Sensor
      • Sonicwall
        • Configuring SonicWALL To Direct Log Streams
        • Configuring SonicWALL Logging Level
      • Checkpoint
        • R80.20
        • R80.10
        • R77.30
      • Blue Coat Proxy Logs
        • To Forward Blue Coat Logs Using Web Interface
        • To Forward Blue Coat Proxy Logs Using CLI
      • Tipping Point
      • FireEye
        • To Forward Fireeye NX Alert Logs
      • UBUNTU
      • CENTOS-RHEL
      • Citrix Access Gateway
      • SYMANTEC AV
      • DarkTrace
      • Nutanix
      • SAP
      • Cisco Meraki Firewall
      • Zoho Vault Integration
      • Zoho Analytics Integration
      • Sophos EDR Integration
      • PowerDMARC Integration
      • Perception Point Integration
      • MS Intune Integration
      • AWS-Cloudtrail & AWS-Cloudwatch integration
      • Dell PowerEdge Log Integration
      • HPE ProLiant DX380 Gen10 Log Integration
      • Lenovo ThinkSystem SR650 Log Integration
      • Aruba-3810M-L3 Switch
      • Cisco HX220C-M5SX Log Integration
      • Aruba-6200F-48-Access Switch
      • Brocade & Ruckus Switch Log Integration
      • Cavera L2 Switch Log Integration
      • CentOS & RHEL Log Integration
      • Cisco L2 Switch Log Integration
      • Cisco L3 Switch Log Integration
      • Dell EMC Switch Log Integration
      • Dell Powervault ME4 & ME5 Series Log Integration
      • HCI_CISCO_HX 240C_M5SX_CIMS(Intersight)
      • IBM AIX Log Integration
      • IBM Storwize Log Integration
      • Lenovo L2 Switch Log Integration
      • Lenovo Think System Storage Log Integration
      • lenovo_think_system_manager_851
      • Netgear M4300 Switch Log Integration
      • Net Gear Ready NAS 314 & Net Gear Ready NAS 428
      • qnap storage log integration
      • Ruckus SmartZone 100 Wi-Fi Controller Log Integration
      • Seqrite Endpoint Security 7.6 Log Integration
      • Suse log integration
      • Ubuntu log integration
      • Vcenter log integration
      • Microsoft SQL DB integration
      • Vios log integration
      • Cisco SF/SG 200 & 300 Series Switches
      • oracle db integration
      • lenovo thinksystem storage
      • F5 BIG-IP Load Balancer (11.x - 17.x)
      • Seqrite 76
      • Seqrite 82
      • Aruba switch log integration
      • Windows FIM
        • FIM Integration with GPO
        • FIM Integration without GPO
      • Sophos Firewall
        • Sophos XG Firewalls Syslog
          • Netflow Configuration To Verify
      • SAP
      • Integrating Forcepoint Web Proxy (or) Email Security
      • MicroAgent - Winlogbeat & Sysmon
        • Deploy Micro-Agent/Sysmon via GPO
        • MicroAgent manual installation
      • Microsoft’s IIS Integration
      • vios log integration
      • aruba switch log integration
      • oracle db integration
      • Cisco SF/SG 200 & 300 Series Switches
      • microsoft sql db integration
      • seqrite 82
      • seqrite 76
      • List of Supported Log Sources
        • 17.x)
    • Cloud Log Forwarding
      • Azure Sentinel
      • AWS Cloud Logs
        • Collecting CloudWatch Logs
        • Collecting Cloudtrail Logs
      • Configuring Mimecast for Log Collection via API
      • Cisco Umbrella
      • Cisco Duo
      • Cisco AMP
      • Cisco CES
      • SOPHOS AV
      • CROWDSTRIKE
      • Microsoft Defender ATP
        • Enable SIEM integration in Microsoft Defender ATP
        • Assign permissions to the WindowsDefenderATPSiemConnector application
    • BluArmour Pre-Deployment Checklist & Roll out Process
    • Deploy BluArmour via SCCM
    • BluGenie GPO for Service Account, WinRM and WMI
    • Mirror / SPAN port configuration
    • Average LogSize by LogSource
    • Windows Package Installation
    • Linux Package Installation
  • 13_MITRE ATT&CK
    • MITRE ATT&CK Coverage by Tactic
    • MITRE ATT&CK Coverage by Technique
    • Rules mapping - MITRE ATT&CK
  • 14_BluArmour Endpoint Protection
    • BluArmour For ICS / AirGapped Networks
  • 15_BluGenie
    • Manual
    • How To Guides
      • BluGenie Intro
      • How To Run
      • How to Use Help
      • Running Localhost & Remote commands
      • Get-BluGenieChildItemList
      • Invoke-BluGenieYara
    • Enable-BluGenieWinRMoverWMI
  • 16_Best Practices
    • Windows Logging Recommendations
      • Windows Security Log recommendations
      • Windows General Log Recommendations
      • Windows Advanced Auditing Recommendations
    • Lateral Movement Logging Recommendations
    • Best Data Sources for Detection
    • Cloud Incident Readiness
  • 17_Threat Hunt
  • 18_Taxonomy
    • Categories
    • Web Security Gateway
    • Cloud AWS
    • Windows
    • Linux
    • Endpoint Detection
    • NGFW (Firewalls)
    • Email Gateway Security
    • Network Access Control
    • Auth (IDAM)
    • Alert Data
    • Web Security Gateway
    • Endpoint Protection
    • DHCP
    • Cloud AWS
    • Wireless Access Controllers
    • Windows
    • Load Balancers (LB)
    • Linux
    • Active Defence (Deception)
  • 19_Product Videos
  • 20_M-SOC_Self Service Portal
    • Registering as a Customer (Regulated Entity)
    • Digital Contract Signing Process
      • RACI Matrix
    • Updating Billing Information
    • Updating Escalation Matrix
    • Manage Users and Roles
    • Windows Package Installation
    • Linux Package Installation
    • RPM Package Installation
    • Frequently Asked Questions (FAQ)
    • Default Log Collection
    • Incident Management Workflow(M-SOC only)
    • Troubleshooting Installs
    • MACOS Package Installation
  • Customer Self Service Portal
    • Registering as a Customer
    • Registering as a Partner
    • Digital Contract Signing Process
    • Updating Billing Information
    • Updating Escalation Matrix
    • Manage Users and Roles
    • Windows Package Installation
    • Linux deb Package Installation
    • Linux rpm Package Installation
    • Frequently Asked Questions (FAQ)
    • Default Log Collection
    • Troubleshooting Installs
  • Appendix A
  • 21_Incident Response
    • Cloud Incident Readiness
Powered by GitBook
On this page
  • Introduction
  • Ensuring access when it matters most
  1. 21_Incident Response

Cloud Incident Readiness

A Practical Playbook for CISOs and Teams

Introduction

For a CISO, mastering cloud incident readiness means more than just adopting new technology—it requires a paradigm shift in how you approach risk, visibility, and response. By recognizing and addressing the common shortcomings mentioned below, you can build a robust, proactive defense that minimizes risk and enhances your organization's resilience in the face of evolving threats.Call to Action: Review your current cloud incident readiness strategies in light of these insights. Identify gaps, update your IR plans, and schedule regular training sessions to ensure your team remains vigilant and prepared.

Ensuring access when it matters most

Every incident starts with an intake call, where we will go over common questions such as "What happened?" and "What have you done so far?", at some point in this conversation it will pivot to "What logs do you have available and can we get access to the logs?". Oftentimes this is where it gets interesting especially for larger organizations, because most onboarding processes are not that flexible and not fit for emergency access. This results in unwanted delays in your incident response. So let's figure out what access your incident response team or external provider needs.

Azure & Entra ID

Let's start with the Microsoft cloud covering Azure and Entra ID permissions. Here are some common challenges and pitfalls we see in real life cases:

  • Access limited to specific subscriptions, we have had cases where the security team only had access to specific subscriptions. The issue is that you don't know what you can't see, effectively you're trying to protect a border, but you don't know where the border is or where it ends.

  • Insufficient permissions, in a lot of cases the security teams only have access to logging and security tools in the cloud, but not to resources and Entra ID details. One of the issues here is that your team is able to see potentially malicious logins, but not what actions were taken with that account against Azure resources.

To make sure the right access is available for the right situation we differentiate between Standard and Emergency access, where standard can be used in day-to-day scenarios and emergency should only be used in active breaches to "stop the bleeding". The below table outlines the access we recommend setting up beforehand:

Scenario
Permission
Description

Standard

Reader Role on Root Management Group

Allows read-only access to all resources within the Azure subscriptions.

Standard

Global Reader Role

Provides read-only access to Entra ID logs and settings.

Emergency

Contributor Role (PIM)

Enables modification of Azure resources during critical remediation efforts.

Emergency

User Access Administrator Role (PIM)

Manage user accounts, such as blocking accounts or resetting passwords.

AWS

Permissions in AWS are very different to Microsoft, to start of you have different types of policies, you can set permissions directly on a user or leverage an IAM group with attached policies or an IAM role and attach permissions. Here are some challenges we have faced in the past while doing incident response in AWS environments:

  • No point of contact for an AWS account, this is especially a problem in larger organizations where teams have the control over their own AWS accounts. Having a list or overview of accounts and who is responsible helps, it's even better if there's information on what services are used. This will help in scenario's where you would see an often abused service like Amazon SES used by an account that should only be running workloads in ECS for example.

  • No AWS organization, it can get worse when you are responding ‍to incidents especially if there are stand-alone accounts. Without an organization it's not possible to use Service Control Policies (SCP) and most importantly an organization allows you to setup a central CloudTrail trail, which is invaluable in an incident response scenario.

In AWS we can use built-in policies that can be assigned to roles, those roles should only be assumable by the security team, ideally from a separate Security/IR account. The table below shows the policies you should configure:

Scenario
Permission
Description

Standard

ReadOnlyAccess

Provides read-only access to AWS resources for monitoring and auditing without making any changes.

Emergency

AdministratorAccess

Full access to all AWS resources, enabling modifications during critical incident remediation.

Google Cloud

For Google Cloud there are also several ways in which you can provide access and managed IAM. For the purpose of this blog we have assumed the Google Cloud built-in IAM solution is used. With that we can use the Basic roles to arrange access to Google Cloud resources. Let's look at some example of common challenges we faced when doing incident response in Google Cloud:

  • Access setup at the 'wrong' level, for example at the project level, the concept of a project in Google is quite similar to an AWS account. That's why sometimes you will only get access on the Project or Folder level. This causes the same issue as described before you can only see what you have access to and not the rest of the organization.

  • Insufficient expertise on IAM, from the big cloud providers it seems to be that Google Cloud skills are the more unique one. Especially when it comes to IAM this can be quite the challenge and in an IR scenario you don't really want to start reading the docs.

The table below shows the Basic roles we can use for Google Cloud:

Scenario
Permission
Description

Standard

Viewer

Provides read-only access to all Google Cloud resources for monitoring and auditing without making any changes.

Emergency

Owner

Full access to all Google Cloud resources, enabling modifications and management during critical incident remediation.

Conclusion

In this post we went over what kind of access your teams and consultants should have in case of an incident. We consider this a starting point, for most of our client we would tailor the access to their environment and services and we recommend you do that too. For example one of our clients uses Kubernetes in AWS and sends the logs to CloudWatch we need to be able to access that too in case of an incident. Generally speaking you want to make sure that your teams are able to read all relevant information and for specific scenario's have the ability to elevate to write permissions to contain an incident.

Previous21_Incident Response

Last updated 1 month ago