Skip to main content
 
 
Splunk Lantern

Supporting a cloud forensics workflow

 

As the cloud becomes a viable replacement for on-premises infrastructure, the need to collect evidence to support a forensics or incident response investigation is crucial for some organizations.

Challenges for digital forensics and incident response (DFIR)

There might be issues investigating incidents using the Splunk platform due to the following:

  • Not having the required logs in the Splunk platform. For an incident to be effectively investigated, certain logs from your infrastructure must be ingested into the Splunk platform. Ideally, the following logs should be available:
    • Authentication logs (AWS, Azure, GCP, etc.)
    • Cloud security logs (GuardDuty, AWS Security Hub, Amazon Inspector, GCP audit, Azure, etc.)
    • Network logs (PCAP, Splunk Stream, NetFlow, etc.)
    • Endpoint logs (EDR, antivirus, anti-malware, etc.)
  • Not having access to necessary frameworks. Frameworks and standards such as MITRE, CIS, and NIST can be integrated into the Splunk platform to provide investigators additional insights into your environment.
  • Not having the necessary data to support frameworks. Lack of assets, identities, and threat intelligence data can affect workflows that might help in the investigation.

Cloud models

There are several cloud deployment models to consider when preparing to collect data that interacts with your organization. Other security tools such as a cloud access security broker (CASB) might also provide logs to aid in your investigation.

  • Public. Resources that are not typically owned by one organization, but might be used to enrich other data. Examples of this are shared threat intelligence files (IOCs, STIX/TAXII feeds) and other industry-related feeds.
  • Private. Resources owned by third party vendors such as EDR or DNS logs are typically for the exclusive use of the subscribed organization.
  • Hybrid. Leverages both public cloud and on-premises resources to provide a solution for an organization.

Data to support a forensic workflow

A traditional forensic workflow consists of the following:

  • Network information. Network capture or stream data such packet capture (PCAP) files are helpful to investigate threats.
  • Memory and disk forensics. Having metadata to support capture activities for assets involved in an investigation can give investigators and incident commanders the information they need to save time. For example, a dashboard can be built to keep track of all the interesting assets during an investigation.
  • Expected artifacts. Domain analysis information might come in handy to correlate suspicious activity to machines involved in an investigation. A newly created domain that was generated with an algorithm might be a helpful lead in determining the attack vector.
  • Storage. The Splunk platform can track metadata from a variety of cloud storage locations from all cloud providers.
  • Mobile devices. Most mobile devices synchronize with cloud storage providers; artifacts of interest might be present on these devices. A detection for this might include drive-by attacks. Potentially any malicious link that's initiated on a mobile device might also affect stored data. Also, proxy data might also be of interest on these devices. Even if mobile devices are sandboxed, there might be useful network activity.

Since every aspect of a forensic or incident response investigation has the potential of being defensible in a court of law, it's extremely important to maintain a proper chain of custody for any evidence collected.

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.