EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?

Guests: Matt Linton, Chaos Specialist @ Google John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud Topics: Let’s talk about security incident response in the cloud.  Back in 2014 when I [Anton] first touched on this, the #1 challenge was getting the data to investigate as cloud providers had few logs available. What are the top 2022 cloud incident response challenges? Does cloud change the definition of a security incident? Is “exposed storage bucket” an incident? Is vulnerability an incident in the cloud? What should I have in my incident response plans for the cloud? Should I have a separate cloud IR plan? What is our advice on running incident response jointly with a CSP like us? How would 3rd party firms (like, well, Mandiant) work with a client and a CSP during an investigation? We all read the Threat Horizons reports, but can you remind us of the common causes for cloud incidents we observed recently? What goals do the attackers typically pursue there? Resources: “Building Secure and Reliable Systems” book (especially ch 14-16, and ch17) Google Cybersecurity Action Team Threat Horizons Report #4 Is Out! (#3, #2, #1) “Incident Plan vs Incident Planning?” blog (2013)