Malware analysis can be risky, however. A completely isolated network and sandbox system are needed to prevent the malware from accidentally moving into the production network. A simple mistake in a configuration, or a shortcut taken for convenience, could lead to a companywide outbreak. Another risk to take into consideration is the potential for the sandboxed malware to beacon back to the attacker's infrastructure. This leaves a trail for that attacker to follow back to a potentially compromised network. The attacker can then check for already infected machines or try to slightly adjust the attack method, based on the (partially) failed first attempt. The use of a third-party cloud platform is the perfect solution for all these issues. Other than a web interface or some form of remote desktop (for instance via RDP or VNC), there is no need for any other connection between the production network and the cloud platform. Any return communication from the tested malware back to the initial attacker will also be anonymous and hard to trace back to the intended target. The source would simply be the cloud platform in which the test environment operates.

One of the most important roles any security professional has is to ensure the availability and integrity of security logs. Not only are these logs critical from an operational perspective (reporting, analysis, threat hunting, correlation), but most companies also need to adhere to compliance regulations around retention of this data. When it comes to cost per gigabyte and redundancy options, cloud solutions tick all the boxes. Because the storage is off-site, the data is also much more secure in case an attacker tries to hide their tracks by directly targeting the logs. Many more comprehensive security services are available that can leverage this cloud data storage, such as SIEM as a Service or even SOC as a Service.
A cloud environment is a perfect platform to build and test systems without affecting the company's production environment. Security professionals working in architecture or design, or even attempting to troubleshoot an issue with, for instance, a firewall cluster, can quickly set up an environment to prove whether a specific outcome can be achieved. Virtual machines, virtual appliances and virtual networks avoid the delays and costs associated with sourcing the required hardware and software, and once the proof of concept is completed, the environment can simply be reset or removed. This concept links in with penetration testing as well: an application or environment can be cloned into a cloud instance where security exploits and their impact can be safely tested, even during production hours.

Cloud solutions also significantly enhance accessibility to the platform. A security professional has access to the lab from anywhere and only needs an internet connection. For this same reason, vendors and specialized training providers offer training via a cloud model these days, greatly enhancing the accessibility of their offerings while reducing the requirements for the customer. There simply is no way around it; the cloud is here to stay and has become invaluable to any security professional.