Table of Contents:
1. Introduction
1.1 Purpose
1.2 Scope
1.3 Objectives
6. Evidence Collection
7. Communication Plan
1.2 Scope
This plan applies to all personnel responsible for managing and securing the organization's
cloud infrastructure, including but not limited to IT Cloud administrators, security
professionals, and relevant third-party service providers.
1.3 Objectives
Detect and Respond Promptly: Implement measures to detect security incidents in a
timely manner and respond swiftly to mitigate potential damage.
Ensure Compliance: Ensure compliance with relevant laws, regulations, and industry
standards pertaining to data protection and incident reporting.
High Incidents: Notify the Incident Response Coordinator within 1 hour. Prepare a
preliminary incident report.
Medium and Low Incidents: Notify the Incident Response Coordinator within 24
hours. Provide initial details and observations.
2. Logs and Artifacts: Collect relevant logs and artifacts for further analysis.
3. Notification: Notify the Incident Response Coordinator and other relevant team
members.
Network Isolation: Network backdoors such as rogue VPC peering connections, or a small
modification to network security group rules, can leave resources under continued
adversary control. Cloud infrastructure with excessive outbound permissions, for example
an egress policy that allows traffic to every IP range belonging to a trusted cloud
provider, can be abused by an adversary to blend in with authorized traffic to that
provider. A comprehensive review of all possible pivot points, persistence mechanisms,
and outliers in configured access is required to ensure thorough containment and the
subsequent eviction of the adversary.
Malware Removal: Identify and remove any malware present in the cloud
environment.
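The review of pivot points described under Network Isolation can be scripted against a dump of the account's network configuration. The following is an added example, not code from the original plan: it flags active peering connections to accounts outside an allowlist, sensitive ports opened to the world in a security group, and egress rules broad enough to reach attacker-controlled infrastructure inside a provider's address space. The record layout mirrors the shape of the AWS `describe-vpc-peering-connections` and `describe-security-groups` output, but the records, the trusted account list, the sensitive port set and the /16 threshold are all constructed assumptions for this example.

```python
"""Added example: spot network containment outliers in a cloud account.

Input shape follows AWS describe-* output; the data below is constructed
sample data, not a real account.
"""
import ipaddress

# Assumed allowlist: the only account that may peer with our VPCs.
TRUSTED_PEER_ACCOUNTS = {"111111111111"}
# Assumed policy: egress destinations wider than a /16 are "blend-in" risks.
MAX_EGRESS_PREFIXLEN = 16
# Assumed set of ports that must never be open to 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}

# Constructed sample: one legitimate peering and one to an unknown account.
PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-0a1", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-aaa"},
     "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-bbb"}},
    {"VpcPeeringConnectionId": "pcx-0b2", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": "999999999999", "VpcId": "vpc-ext"},
     "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-bbb"}},
]

# Constructed sample: a web group with a "temporary" SSH rule and wide-open
# egress, and a db group that only accepts traffic from the web group.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "tmp"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "UserIdGroupPairs": [{"GroupId": "sg-web"}], "IpRanges": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/24"}]}]},
]


def _cidrs(rule):
    """Yield every IPv4 and IPv6 CIDR referenced by one permission rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _ports(rule):
    """Port range a rule covers; protocol -1 means all ports."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule.get("FromPort", 0), rule.get("ToPort", 65535) + 1)


def rogue_peerings(peerings, trusted_accounts):
    """IDs of active peerings where either side is outside the allowlist."""
    rogue = []
    for p in peerings:
        if p["Status"]["Code"] != "active":
            continue
        owners = {p["RequesterVpcInfo"]["OwnerId"],
                  p["AccepterVpcInfo"]["OwnerId"]}
        if not owners <= trusted_accounts:
            rogue.append(p["VpcPeeringConnectionId"])
    return rogue


def exposed_ingress(groups, sensitive_ports):
    """(group, port, cidr) for sensitive ports reachable from any address."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            for cidr in _cidrs(rule):
                if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                    continue  # a real source restriction exists
                for port in sorted(sensitive_ports):
                    if port in _ports(rule):
                        findings.append((g["GroupId"], port, cidr))
    return findings


def broad_egress(groups, max_prefixlen):
    """(group, cidr) for egress destinations wider than /max_prefixlen."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissionsEgress", []):
            for cidr in _cidrs(rule):
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen < max_prefixlen:
                    findings.append((g["GroupId"], cidr))
    return findings


if __name__ == "__main__":
    print("rogue peerings:", rogue_peerings(PEERINGS, TRUSTED_PEER_ACCOUNTS))
    print("exposed ingress:", exposed_ingress(SECURITY_GROUPS, SENSITIVE_PORTS))
    print("broad egress:", broad_egress(SECURITY_GROUPS, MAX_EGRESS_PREFIXLEN))
```

Each finding is a candidate pivot point to cut during containment; the peering to the unknown account and the world-open SSH rule are the kind of "outliers in configured access" the plan calls out, while the all-destinations egress rule is what lets an attacker's traffic to provider-hosted infrastructure pass as authorized.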
6. Evidence Collection
6.1 Collection Tools and Procedures
The Cloud Security Analyst will use forensics tools and follow established procedures for
evidence collection:
Disk Imaging: Create forensic images of affected systems for offline analysis.
7. Communication Plan
7.1 Internal Communication
Internal communication will be coordinated through the Incident Response Coordinator.
Regular updates will be provided to the SOC team, IT Cloud, IT, and executive management.
Chain of Custody: Maintaining a detailed chain of custody log for all collected
evidence.
Lessons Learned: Identifying strengths and areas for improvement in the incident
response plan.
Simulation Exercises: Simulating realistic scenarios to test the team's response and
decision-making capabilities.
Response Actions: Steps taken to contain, eradicate, and recover from the incident.
Summary of Incident: Brief overview of the incident, including severity and impact.
Key Findings: Lessons learned, areas for improvement, and successful elements of
the incident response.