The challenges of cloud-native forensics

Benjy Portnoy, Senior Director of Solution Architecture at Aqua Security, says companies must take a new approach to cybersecurity forensic analysis

Any business could be the victim of the next-large scale cyberattack, and it’s the companies that treat this as an inevitability which will be better prepared and more able to protect themselves. The key to this is forensic analysis. Performing forensic analysis will give businesses valuable insights into vulnerabilities and the best steps to take in order to mitigate attacks. This must all sound pretty obvious, so what’s the problem? Well, as we transition into cloud-native environments things start to get a bit more complicated. So what can companies do? Businesses need to take on a new approach to forensics to account for the intricacies of cloud-native. High-speed operations The benefits of cloud native, namely speed and dynamism, are also what create challenges for forensics. One of the big appeals of cloud native is that developers can deploy code changes at high speed. Added to that is the fact that containers are short-lived and lightweight so tasks can easily be moved about and stopped by the orchestrator as needed. Indeed, containers have an average lifecycle of a couple of hours and for serverless functions, such as AWS Lambda, it’s a mere 15 minutes.

Benjy Portnoy

In comparison, physical servers or virtual machine (VM) servers can be left untouched for months. This longer life cycle means that the teams know which data is written where, which makes it easier to spot when attacks occur. In the fast moving and ephemeral life cycle of container environments this is not the case. Instead, orchestration tools like Kubernetes decide which workload should run on which machine and when containers shut down the data written to the container filesystem is deleted, or moved to another location. The result is that teams do not have the same level of visibility as with physical or VM servers and often do not know which host will run the application until it is deployed. This creates complications when it comes to spotting attacks and conducting post-breach analysis. Attacks against container environments often go unnoticed for a significant period of time. Because they don’t leave any evidence they’re very difficult to spot. By the time the attack has been identified, the container probably won’t exist anymore, so tracing the attack becomes very difficult. As the sophistication of attacks specifically targeting the cloud-native stack grows, incident response becomes ever more complex.

Creating visibility Spotting these attacks is made more complicated by the fact that traditional forensic tools simply do not have visibility into container workloads. And this visibility is vital for understanding what bad actors wanted from the attack, whether that be to compromise the host, exploit your infrastructure, or extract data. The question then is how to achieve visibility without traditional forensics tools? The first thing to do is to take advantage of the tools your cloud provider offers already. For example, native logging capabilities are a good starting point for conducting your own forensic analysis. These native logs tend to provide in-depth control plane and OS log data. But, to get full visibility it is necessary to build on this. This is where security information and event management (SIEM) systems come in handy. These third-party analytics tools can search and analyse attacks even when the exploited container has already been deleted, helping you diagnose the vulnerability. A centralised logging mechanism of this kind ensures that every action, both successful and blocked, is logged continuously. The result is visibility over all activity within the containers and serverless functions. One step ahead of the attackers Attackers are quick to adapt to defences, so as security evolves so too do the attackers’ techniques. Therefore, the next step in protecting your container environment is to implement dynamic threat analysis. Static malware and vulnerability scanning is vital but it cannot be the last line of defence. This is because bad actors can launch sophisticated attacks that bypass these tools. Indeed, fileless malware attacks are increasing and these attacks are difficult to spot and then even more difficult to decipher. Dynamic tools match the dynamic container environment by analysing containers as they are running. Images are run in a secure sandbox which enables any malicious elements to be uncovered either before the images are deployed or when a breach has been suspected. Once the malicious images have been detected, dynamic analysis tools can trace them back to the source. This is an important element of forensics for a cloud-native environment as it enables the all-important kill chain of the attack to be established post-breach. Conducting forensics in a cloud native environment may seem complicated, but once organisations have accepted that they cannot simply map traditional tools over to cloud-native, it is just a process of adapting. Container environments are popular because of their dynamism so it is important to apply this to the process of securing them. Static tools, such a built in OS logs, are a great starting point but alone will not be enough. Instead, organisations must embrace dynamic threat analysis tools and work to build a centralised logging mechanism that can provide complete visibility. With these tools at the ready, businesses can feel confident that even if they are the next target of a large-scale attack, they’ll be able to spot it, mitigate it, and prevent it from recurring.