Incident containment in a cloud environment

As reported by WBALTV, Baltimore, Attorney General Eric Holder is calling on Congress to require companies to more quickly alert customers when their personal information is put at risk in cyber breaches. While there are some states that have notification laws following customer data breaches, there isn’t a Federal law for similar disclosure.

The article also points out that the Attorney General’s proposal, in some ways, contrasts with how law enforcement has dealt with past breaches.

“During past cyber break-ins, investigators have asked companies to not immediately make the information public. In some cases, cybercriminals are known to return to exploit the vulnerabilities, and investigators may be able to gather evidence as new breaches occur.”

Regardless of the approach to incident response and the timing of disclosure of cybersecurity incidents, a necessary and key phase of any incident response is containment. The primary purpose of this phase is to limit the damage and prevent any further damage from happening. Containment also prevents the destruction of any evidence that may be needed later for prosecution.

In the cloud, however, where we do not have access to the physical hardware and resources are shared, traditional containment and computer forensic techniques are not easily implemented. In the light of the growing adoption of cloud computing, responding to cybersecurity incidents in an effective manner will require tools that support effectively being able to contain a potential breach and enable gathering of forensic evidence.

At CloudPassage, we have written a tool that can be of tremendous value in the containment phase of an incident response process. The tool is called “Quarantine”, and it’s available in our Halo Community Toolbox.

The purpose of Quarantine is to place a server instance(s) into an isolated Halo server group, which acts as a quarantine. The server group can then be used as a ‘remote analysis’ group, for Forensics-Response investigation or a data capture group.

You can use the script to manually quarantine servers or trigger server quarantines automatically, based on occurrence of Halo generated events. In either case, the script creates a very restrictive firewall policy and assigns it to the “quarantine” server group and moves the Halo-managed server into that group.

Once the impacted servers have been quarantined, you are then in a position to run additional and more detailed and specific checks and also place additional controls on the servers using the Halo platform policies.

You can also perform other forensics-related tasks such as remotely imaging the drive(s), capturing memory, and saving the state of the cloud server as a server image, etc. by using one of many forensic tools available or the cloud provider’s APIs.

Here are some screenshots of the CloudPassage quarantine script in action:

Server before being quarantined:

The quarantine script in action below. It’s reading a constant stream of Halo events to see if any matches the events it is meant to trigger a quarantine on:


Sample of how the quarantine_filter.txt script looks like, with events to trigger quarantine on listed in it:


A “Quarantine” server group created, new firewall policies created and assigned and the server automatically moved from it’s previous group to the group with quarantine policies enforced:

The quarantine script is available for free download here.


Stay up to date

Get the latest news and tips on protecting critical business assets.

Related Posts