Two things you DO NOT DO when hit by a cybersecurity incident


28 July 2018
Sami Zuhuruddin of Google

Two things you DO NOT DO when hit by a cybersecurity incident, says Sami Zuhuruddin, Staff Solutions Architect, Google Cloud, delivering Cloud Forensics 101 during a breakout session at the Google Next 2018 conference:

1) You DO NOT immediately terminate and delete all instances and disks, because it obliterates the forensic trail that you want to follow. Think of it as a chess match, said Sami. “Someone is trying to figure out how to take advantage of your infrastructure and you have just made a naïve move: You have told the opponent that you don’t have a game plan.”

At some point, you have to terminate the infrastructure but do it at the right time. “Don’t reveal to the attacker that you know they are in your infrastructure.”

2) You DO NOT log into the server to see if you can track it down. You may think it is okay because you are using SSH but when there is a machine that is compromised, it means someone has already figured out how to take advantage of it. If you log in, you are just handing over your credentials to the attacker.
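Both points above come down to the same practice: preserve the evidence from outside the machine before anything is torn down, and never by logging in. The following script is an added example, not from the talk and not Google tooling. It snapshots a suspect VM's disks through the Compute API and copies the snapshot into a separate forensics project, so the instance keeps running and nothing is deleted; the project IDs, zone and disk names are placeholders. By default it only prints the gcloud commands (DRY_RUN=1) so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example (not from the talk or any Google tooling): preserve the disks of
# a suspect VM before anything is terminated, using the Compute API rather than
# an interactive login to the machine. Project IDs, zone and names below are
# placeholders (assumptions), not values from the article.
set -eu

SUSPECT_PROJECT="${SUSPECT_PROJECT:-prod-project-placeholder}"
FORENSICS_PROJECT="${FORENSICS_PROJECT:-forensics-vault-placeholder}"
ZONE="${ZONE:-us-central1-a}"
# DRY_RUN=1 (default) only prints the gcloud commands so they can be reviewed.
DRY_RUN="${DRY_RUN:-1}"

# Echo a command, then execute it unless DRY_RUN is set.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# preserve_disk CASE_ID DISK
# Snapshots DISK in the suspect project, then materialises the snapshot as a
# new disk inside the forensics project. The instance itself is left running
# and untouched: no SSH, no stop, no delete. Prints "snapshot: NAME" last.
preserve_disk() {
  case_id="$1"
  disk="$2"
  snap="ir-${case_id}-${disk}"
  run gcloud compute disks snapshot "$disk" \
    --project="$SUSPECT_PROJECT" --zone="$ZONE" \
    --snapshot-names="$snap"
  # Copy into the forensics project: someone who controls the suspect project
  # cannot delete this copy.
  run gcloud compute disks create "${snap}-evidence" \
    --project="$FORENSICS_PROJECT" --zone="$ZONE" \
    --source-snapshot="projects/${SUSPECT_PROJECT}/global/snapshots/${snap}"
  printf 'snapshot: %s\n' "$snap"
}

# preserve_instance CASE_ID DISK...
# Runs preserve_disk for every disk attached to the suspect instance; the
# disk names are supplied by the responder (constructed names in the demo).
preserve_instance() {
  case_id="$1"; shift
  for d in "$@"; do
    preserve_disk "$case_id" "$d"
  done
}

# Demo with two constructed disk names; enable with PRESERVE_DEMO=1.
if [ "${PRESERVE_DEMO:-0}" = "1" ]; then
  preserve_instance case-0001 vm-boot vm-data
fi
```

Teardown of the instance is deliberately not in the script: once the snapshots exist in the vault project, stopping or deleting the VM becomes a decision about timing, which is the point Sami makes about not tipping off the attacker. The account running this needs snapshot permissions in the suspect project and disk-creation rights in the forensics project; nothing here requires credentials on the compromised host.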

In his presentation, Sami outlined the process of preparing the environment to deal with security incidents, which encompasses Prevention, Collection, Detection and Analysis.

He spoke at length on the Collection piece, highlighting its importance as part of the preparation process. “Collect info so that when something happens, you are able to curate the haystack to a small bundle of things.”

The information will include logs, disks and live info. But even before the collection begins, it is important to have a secure location to put it, he said. “You don’t want to put it into a leaky bucket. You want to put it into a vault” - a dedicated project designated for artefacts, with operational isolation, a one-way flow of data, and access restricted to a highly refined list of individuals.
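One way to build that vault on Google Cloud Storage, as an added example that is not from the talk or from Google: a bucket in a dedicated forensics project where the collection agents' service account may only create objects (it cannot list, read or delete them), a short explicit list of responders may read, and a retention policy stops anyone from deleting or overwriting evidence. Project, bucket and principal names are placeholders; as in the previous example the commands are printed rather than executed unless DRY_RUN is unset.

```shell
#!/bin/sh
# Added example (not from the talk or from Google): an evidence bucket with a
# one-way flow of data and a restricted reader list. Project, bucket and
# principal names are placeholders (assumptions).
set -eu

FORENSICS_PROJECT="${FORENSICS_PROJECT:-forensics-vault-placeholder}"
BUCKET="${BUCKET:-gs://forensics-evidence-placeholder}"
LOCATION="${LOCATION:-us}"
# DRY_RUN=1 (default) only prints the gsutil commands.
DRY_RUN="${DRY_RUN:-1}"

# Echo a command, then execute it unless DRY_RUN is set.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# create_vault COLLECTOR_SA READER...
# COLLECTOR_SA: service account the collection agents run as.
# READER...: the handful of responders allowed to read evidence.
create_vault() {
  collector="$1"; shift
  run gsutil mb -p "$FORENSICS_PROJECT" -l "$LOCATION" "$BUCKET"
  # Uniform bucket-level access: a single IAM policy, no per-object ACLs.
  run gsutil uniformbucketlevelaccess set on "$BUCKET"
  # One-way flow: objectCreator grants storage.objects.create only, so the
  # collector can write evidence in but cannot list, read or delete it.
  run gsutil iam ch "serviceAccount:${collector}:roles/storage.objectCreator" "$BUCKET"
  # Readers get read-only access; nobody on this list can delete evidence.
  for r in "$@"; do
    run gsutil iam ch "user:${r}:roles/storage.objectViewer" "$BUCKET"
  done
  # Retention policy: objects cannot be deleted or overwritten for 730 days.
  # "gsutil retention lock" would make the policy irreversible; it is left
  # out here so the step is taken deliberately.
  run gsutil retention set 730d "$BUCKET"
}

# Demo with constructed principals; enable with VAULT_DEMO=1.
if [ "${VAULT_DEMO:-0}" = "1" ]; then
  create_vault collector@forensics-vault-placeholder.iam.gserviceaccount.com \
    alice@example.com bob@example.com
fi
```

The separate project is doing real work here: IAM on the production project, which an attacker may already influence, has no bearing on who can read or remove objects in the vault, and the write-only collector role means a compromised collection host cannot be used to read back or tamper with what other hosts have uploaded.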

Sami also highlighted some of the tools and frameworks that can help with the collection of data for forensics purposes. Examples include Stackdriver Logging, AuditD and GRR Rapid Response. Stackdriver Logging allows users to store, search, analyse, monitor, and alert on log data and events. Sami described data ingestion as being “frictionless” – Stackdriver Logging is installed when the virtual machine is being created and is preconfigured to look at standard places on the OS and to send all logs to a centralised repository. This enables log info to be surfaced and managed at scale. AuditD is responsible for writing audit records to the disk, while GRR Rapid Response is an incident response framework focused on remote live forensics.