EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

Guests:

• Matt Linton, Chaos Specialist @ Google
• John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud

Topics:

• Let's talk about security incident response in the cloud. Back in 2014 when I [Anton] first touched on this, the #1 challenge was getting the data to investigate as cloud providers had few logs available. What are the top 2022 cloud incident response challenges?
• Does cloud change the definition of a security incident? Is "exposed storage bucket" an incident? Is vulnerability an incident in the cloud?
• What should I have in my incident response plans for the cloud? Should I have a separate cloud IR plan?
• What is our advice on running incident response jointly with a CSP like us?
• How would 3rd party firms (like, well, Mandiant) work with a client and a CSP during an investigation?
• We all read the Threat Horizons reports, but can you remind us of the common causes for cloud incidents we observed recently? What goals do the attackers typically pursue there?

Resources:

• "Building Secure and Reliable Systems" book (especially ch 14-16, and ch17)
• Google Cybersecurity Action Team Threat Horizons Report #4 Is Out! (#3, #2, #1)
• "Incident Plan vs Incident Planning?" blog (2013)