Many open-source tools are available to investigate adversary activity in cloud environments, and some help network defenders map observed threat actor behavior to the MITRE ATT&CK framework. The following open-source tools can assist with on-site investigation and remediation in cloud environments:
• The Cybersecurity Evaluation Tool (CSET) (CISA): a standalone application for self-assessing an organization's security posture against recognized standards, including ICS/OT-specific ones
• SCuBAGear (CISA): automated assessment of a Microsoft 365 tenant's configuration against CISA's Secure Cloud Business Applications (SCuBA) baselines
• The Untitled Goose Tool (CISA): collection and export of Azure, Entra ID (Azure AD) and Microsoft 365 telemetry for hunting and incident response
• Decider (CISA): a guided workflow for mapping observed adversary behavior to ATT&CK techniques
• Memory Forensic on Cloud (JPCERT/CC): automated build of a memory forensics analysis environment on AWS
These open-source tools are not all-encompassing, and paid tools and services can complement them. Most cloud service providers also offer platform-specific monitoring and analysis tools that let network defenders query telemetry and write custom detections.
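The provider-native query and custom-detection capability described above can also be reproduced offline over exported audit logs. The block below is an added example, not code from this page or from any of the tools listed: it parses constructed CloudTrail-style JSON log lines (field names follow the CloudTrail record format; the events themselves are made up), applies a small rule set, and tags each hit with the ATT&CK technique it most plausibly indicates. The rule set, the failed-login threshold and the technique mapping are the author's assumptions, not a standard.

```python
"""Custom detection pass over cloud audit log lines, mapped to MITRE ATT&CK.

Added example. Input events are constructed CloudTrail-style records; the
rules, thresholds and technique mapping are assumptions for illustration.
"""
import json
from collections import Counter, defaultdict

# Constructed sample events (not real telemetry); only fields the rules read.
_SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-05-01T09:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "admin"},
     "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-05-01T09:00:07Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "admin"},
     "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-05-01T09:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "admin"},
     "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-05-01T09:01:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-05-01T09:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"userName": "bob"},
     "requestParameters": {"userName": "svc-backup"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-05-01T09:03:20Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"userName": "bob"},
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"userName": "bob"},
     "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "203.0.113.5"},
]
# Newline-delimited log text, with one deliberately malformed line appended
# to show that a bad record is skipped rather than aborting the pass.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS) + "\n{not json}\n"

# Event names treated as suspicious; an assumption, not a complete list.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PRIVILEGE_CHANGES = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                     "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}


def parse_events(ndjson_text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    events = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not stop the whole detection pass
    return events


def _principal(ev):
    return (ev.get("userIdentity") or {}).get("userName", "unknown")


def _finding(ev, technique, reason):
    return {"time": ev.get("eventTime"), "principal": _principal(ev),
            "source_ip": ev.get("sourceIPAddress"), "event": ev.get("eventName"),
            "technique": technique, "reason": reason}


def run_detections(events, fail_threshold=3):
    """Return a list of findings; each carries the ATT&CK technique ID assumed to fit."""
    findings = []
    failed_by_ip = defaultdict(list)
    for ev in events:
        name = ev.get("eventName")
        if name == "ConsoleLogin":
            outcome = (ev.get("responseElements") or {}).get("ConsoleLogin")
            mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
            if outcome == "Failure":
                failed_by_ip[ev.get("sourceIPAddress")].append(ev)
            elif outcome == "Success" and mfa != "Yes":
                findings.append(_finding(ev, "T1078.004", "console login succeeded without MFA"))
        elif name in LOGGING_TAMPER:
            findings.append(_finding(ev, "T1562.008", "CloudTrail logging stopped or modified"))
        elif name == "CreateUser":
            findings.append(_finding(ev, "T1136.003", "new IAM user created"))
        elif name in PRIVILEGE_CHANGES:
            findings.append(_finding(ev, "T1098", "IAM credential or policy change"))
    # Aggregate rule: repeated console login failures from one source address.
    for ip, evs in failed_by_ip.items():
        if len(evs) >= fail_threshold:
            findings.append(_finding(evs[-1], "T1110.001",
                                     f"{len(evs)} failed console logins from {ip}"))
    return findings


def count_by_technique(findings):
    """Summarize findings as technique ID -> number of hits."""
    return Counter(f["technique"] for f in findings)


if __name__ == "__main__":
    for f in run_detections(parse_events(SAMPLE_LOG)):
        print(f"{f['time']} {f['technique']:<10} {f['principal']:<8} {f['event']:<16} {f['reason']}")
```

On the constructed input this yields five findings (a brute-force burst, a login without MFA, a user creation, an admin policy attachment and a trail being stopped), which together read as a credential-access-to-defense-evasion sequence from one source address. The same structure carries over to a provider's native query language: each `elif` branch is one saved query, and the per-IP aggregation is a count-by over a time window.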
Asset assessment and management are crucial when evaluating an organization's security posture in hybrid cloud operations. Under the shared responsibility model, the organization and its cloud service provider (CSP) each secure part of the stack, so the organization must know which critical assets remain its own responsibility. Best practices for asset assessment and management in hybrid cloud operations include:
1. Before adopting cloud services, determine which industrial control system (ICS) and IT security practices best fit the organization, and build evaluation processes around them.
2. Use the CSP's built-in security capabilities, together with free CISA- and partner-developed tools and applications, to fill security gaps and complement existing security features.
3. Include a design phase aligned with Secure by Design principles to architect the required solutions, forecast security needs, and select free tools that fit the organization.
Following these practices helps mitigate the risk of information theft, data encryption and extortion (ransomware), and information exposure.