Collect data, analyze, and respond

Strategies for the Cloud Threat Hunter

Asaf Shahar

Threat hunting, like all cloud security, is rendered additionally difficult by high volumes of transactions and the high velocity of deployments. Security professionals face constantly evolving landscapes as their company infrastructures change and cloud providers offer new tools. While standard and cloud threat modeling share basic methodologies and joint purposes, there are meaningful differences.

No matter how strong its security defenses are, your cloud infrastructure is not an impenetrable fortress. There will always be issues such as vulnerabilities or misconfigurations in the cloud, and it is vitally important to be prepared for that. While maximizing defenses to prevent attacks from succeeding is crucial, cybersecurity teams must also take the offensive and build an arsenal of tools and tactics to hunt threats.

The Unique Challenges of Cloud Threat Hunting

Cloud threat hunting is a never-ending story. In a perpetual loop, we find threats and fix them, then attackers pivot, and the cycle repeats. Unfortunately, both the quantity of these loops and the speed at which they change increase exponentially in the cloud. In addition, cybersecurity professionals often must track multiple cloud vendors and multiple assets, many of which are ephemeral.

Reduce the Detection Gap to Limit Dwell Time

One increasingly common attacker strategy is privilege escalation. Once attackers have gained access to a cloud environment, they move laterally to reach sensitive assets. Detecting threats swiftly is vital in order to reduce the time they can dwell within your environment and cause damage.

For example, privilege escalation begins with an attacker gaining access to a user account with low privileges. The attacker then uses techniques to remain undetected, such as inserting a payload into instance user data so that launching an EC2 instance does not require creating a new key pair, ultimately gaining access to credentials.

Unfortunately, most organizations are failing to limit dwell time. In fact, it takes an average of 111 days for an organization to realize it has been infiltrated. This is why it is important to rely on techniques, like those outlined in the MITRE ATT&CK® framework, to detect and thwart attacks.

Identify: First Step to Cloud Threat Hunting

Threat hunting requires making observations, collecting information, creating hypotheses, analyzing data, and investigating to prove or disprove hypotheses. To collect data, analyze, and respond, the right tools and processes must be in place.

1. Collect Data – Hunt for Indicators of Compromise (IOCs)

Threat hunting starts with collecting quality data from various sources, including logs, servers, network devices, firewalls, databases, and endpoints. Spotting malicious activity here can enable you to lessen the impact of any breaches and prevent mega-breaches.

Doing so requires a solid understanding both of normal use on your network and of how attacks are perpetrated. Strong IOCs include a malware signature alert on your network and ransomware executables on your file system, picked up by your intrusion detection system (IDS) or anti-virus. Examples of weak IOCs are repeated failed user login attempts and login times that fall outside typical use.

Set IDS alerts only on strong IOCs to help avoid alert fatigue. Chained together, weak IOCs can build a strong indication of compromise, but human insight is needed to do the work of chaining indicators together.

2. Analyze

When investigating suspicious activity in your cloud infrastructure, try to break down threats into the following detectable components:

  • How the threat entered your environment;
  • What it affected;
  • How it currently impacts your organization wherever it persists.

Next, analyze the data gathered to search for patterns and detect IOCs. Again, identifying anomalies such as abnormal account activity requires having an established baseline of normal use.
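The two ideas above (alert on strong IOCs immediately, chain weak IOCs against a baseline of normal use) can be expressed as a small hunting routine. The following is an added example written for this article, not code from the author or from Check Point; the log format (`timestamp|user|event|k=v`), the event names, the chain threshold of three weak indicators, the 30-minute credential window and all sample lines are constructed assumptions.

```python
"""Chain weak IOCs against a baseline of normal use (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

STRONG_EVENTS = {"av_alert", "ids_malware_signature"}  # strong IOCs on their own

# Constructed sample log lines (timestamp|user|event|k=v ...), not from any real system.
HISTORY = [  # known-good period used only to learn each user's normal hours and IPs
    "2024-03-01T09:12:00|alice|login_ok|ip=10.0.0.5",
    "2024-03-04T10:02:00|alice|login_ok|ip=10.0.0.5",
    "2024-03-08T14:40:00|alice|login_ok|ip=10.0.0.5",
    "2024-03-05T10:00:00|bob|login_ok|ip=10.0.0.9",
    "2024-03-12T10:30:00|bob|login_ok|ip=10.0.0.9",
]
RECENT = [  # the window being hunted
    "2024-03-15T02:10:00|alice|login_failed|ip=198.51.100.7",
    "2024-03-15T02:10:20|alice|login_failed|ip=198.51.100.7",
    "2024-03-15T02:10:40|alice|login_failed|ip=198.51.100.7",
    "2024-03-15T02:11:05|alice|login_ok|ip=198.51.100.7",
    "2024-03-15T02:15:00|alice|create_access_key|target=alice",
    "2024-03-15T10:00:00|bob|login_ok|ip=10.0.0.9",
    "2024-03-15T10:05:00|bob|av_alert|sig=Ransom.Generic",
    "2024-03-15T11:00:00|carol|login_failed|ip=10.0.0.12",
]


def parse(line):
    """Split one constructed log line into a dict; extra k=v fields become keys."""
    ts, user, event, *rest = line.split("|")
    detail = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **detail}


def build_baseline(lines):
    """Record the login hours and source IPs each user normally uses."""
    base = defaultdict(lambda: {"hours": set(), "ips": set()})
    for ev in map(parse, lines):
        if ev["event"] == "login_ok":
            base[ev["user"]]["hours"].add(ev["ts"].hour)
            base[ev["user"]]["ips"].add(ev["ip"])
    return base


def verdict(findings, chain_threshold):
    """A strong IOC stands alone; weak ones only count once enough of them chain."""
    weak = [d for lvl, d in findings if lvl == "weak"]
    strong = [d for lvl, d in findings if lvl == "strong"]
    if strong:
        level = "strong"
    elif len(weak) >= chain_threshold:
        level = "strong (chained)"
    else:
        level = "weak"
    return {"level": level, "weak": weak, "strong": strong}


def hunt(lines, baseline, chain_threshold=3, cred_window=timedelta(minutes=30)):
    """Flag strong IOCs immediately; collect weak IOCs per user and chain them."""
    events = sorted(map(parse, lines), key=lambda e: e["ts"])
    findings = defaultdict(list)
    failed = defaultdict(int)
    last_login = {}
    for ev in events:
        u, kind = ev["user"], ev["event"]
        if kind in STRONG_EVENTS:
            findings[u].append(("strong", f"{kind}: {ev.get('sig', '')}"))
        elif kind == "login_failed":
            failed[u] += 1
            if failed[u] == 3:  # fires once per streak
                findings[u].append(("weak", "repeated failed logins"))
        elif kind == "login_ok":
            failed[u] = 0
            last_login[u] = ev["ts"]
            prof = baseline.get(u)  # None for a user with no learned baseline
            if prof is None or ev["ts"].hour not in prof["hours"]:
                findings[u].append(("weak", "login outside baseline hours"))
            if prof is None or ev["ip"] not in prof["ips"]:
                findings[u].append(("weak", "login from unseen source IP"))
        elif kind == "create_access_key":
            if u in last_login and ev["ts"] - last_login[u] <= cred_window:
                findings[u].append(("weak", "credential created shortly after login"))
    return {u: verdict(f, chain_threshold) for u, f in findings.items()}


if __name__ == "__main__":
    for user, result in hunt(RECENT, build_baseline(HISTORY)).items():
        print(user, result)
```

Run as-is, alice produces no single strong indicator, but four weak ones (a failed-login streak, an off-hours login, an unseen IP, and a credential created minutes later) chain into a strong finding; bob is flagged on the anti-virus hit alone; carol's single failed login never reaches the threshold and stays out of the results, which is the alert-fatigue point from the text.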

3. Respond

After progressing through an iterative pattern of collecting and analyzing data, you must draw conclusions and respond accordingly.

Visibility + Tools

Effective threat hunting is dependent on the quality of your tools and the visibility you have into your environment. Unfortunately, visibility in the cloud is a challenge for most organizations, especially when it comes to what data is within their cloud applications. If you don’t know where your high value data is, you can’t protect it. Inability to monitor data in transit to and from cloud applications is a common blind spot.

Threat modeling is the act of identifying potential threats and then modeling avenues of attack. This exercise enables you to prioritize and mitigate risks. When threat modeling, consider questions such as: what do you want to protect, what are the consequences if you fail, and how much trouble are you willing to go to in order to prevent those consequences?

Recently, the Cloud Security Alliance (CSA) released a Cloud Threat Modeling guide which features a framework that organizations can use to create their own cloud threat model. Similarly, Microsoft outlines attack trees, “a way of identifying and documenting the potential attacks on your system in a structured and hierarchical manner.”

Be sure to conduct tests by simulating a variety of threats in the cloud, such as mimicking cross-tenant attacks, and study real-world attacks against cloud infrastructure. For those seeking to learn, there are many to choose from. Furthermore, threat hunters should produce attack patterns and “misuse cases,” and map out the processes of attack and defense or countermeasures sequences.

Threat Hunting at Scale

For the vast majority of organizations, collecting and analyzing data cannot be done manually. Conducting ongoing intrusion detection and monitoring by hand requires an exorbitant amount of resources and manpower, and is simply impossible in modern cloud environments. Automation is necessary, and threat hunting must be part of a unified approach. Be careful, however, as an excess of tools can convolute threat hunting. A SIEM, for example, collects events but does not on its own present them in a form that is easy to understand.

It’s important also to set real time alerts that correspond to different attack techniques outlined in the MITRE ATT&CK framework. Alerts must be prioritized based on risk, and as a breach persists and escalates, continue to alert users to IOCs as they occur.
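As an added illustration of risk-based alert prioritization keyed to ATT&CK techniques (not code from the author or from any product), the routine below groups alerts per principal and raises the priority as a breach progresses across tactics. The technique identifiers are real MITRE ATT&CK IDs; the tactic label attached to each, the base risk weights, the severity bands and the sample alerts are this example's own assumptions.

```python
"""Risk-prioritized alerting keyed to ATT&CK techniques (added example)."""
from collections import defaultdict

# Technique ids are real MITRE ATT&CK identifiers. The single tactic label and the
# base risk weight per rule are this example's assumptions, not MITRE's scoring.
RULES = {
    "T1110":     ("credential-access", 2, "brute force against a cloud login"),
    "T1078.004": ("initial-access",    3, "valid cloud account used from a new context"),
    "T1580":     ("discovery",         2, "cloud infrastructure enumeration"),
    "T1098.001": ("persistence",       4, "additional cloud credentials created"),
    "T1552.005": ("credential-access", 4, "instance metadata API credential access"),
    "T1021.007": ("lateral-movement",  4, "cloud service used to reach another resource"),
}
SEVERITY = [(10, "critical"), (7, "high"), (4, "medium"), (0, "low")]  # floor, label


def score_principal(technique_ids):
    """Highest base risk seen, plus 2 for every additional tactic in the chain:
    brute force alone is noise; brute force, then persistence, then lateral
    movement is an intrusion in progress and must outrank it."""
    base = max(RULES[t][1] for t in technique_ids)
    tactics = {RULES[t][0] for t in technique_ids}
    return base + 2 * (len(tactics) - 1)


def prioritize(alerts):
    """alerts: iterable of (timestamp, principal, technique_id).
    Returns a queue sorted by risk, highest first, carrying the tactic chain
    so the analyst sees how far the activity has escalated."""
    by_principal = defaultdict(list)
    for ts, principal, tid in sorted(alerts):
        if tid not in RULES:
            continue  # unmapped technique: keep the raw event elsewhere, do not score it
        by_principal[principal].append(tid)
    queue = []
    for principal, tids in by_principal.items():
        risk = score_principal(tids)
        sev = next(label for floor, label in SEVERITY if risk >= floor)
        chain = [f"{t} ({RULES[t][0]})" for t in tids]
        queue.append({"principal": principal, "risk": risk, "severity": sev, "chain": chain})
    return sorted(queue, key=lambda q: q["risk"], reverse=True)


ALERTS = [  # constructed sample alerts, not from any real environment
    ("2024-03-15T02:10", "alice", "T1110"),
    ("2024-03-15T02:11", "alice", "T1078.004"),
    ("2024-03-15T02:15", "alice", "T1098.001"),
    ("2024-03-15T02:40", "alice", "T1021.007"),
    ("2024-03-15T09:00", "bob",   "T1110"),
    ("2024-03-15T09:30", "carol", "T1580"),
    ("2024-03-15T09:31", "carol", "T9999"),   # no rule for this id
]


if __name__ == "__main__":
    for entry in prioritize(ALERTS):
        print(entry["severity"], entry["principal"], entry["risk"], entry["chain"])
```

Fed these alerts, alice's four-tactic chain scores 10 and lands at the top of the queue as critical, while bob's lone brute-force attempt and carol's enumeration stay low; the unmapped `T9999` alert is simply not scored. In a real deployment the same function would be called on each new alert so the priority for a principal rises as further techniques are observed.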

In order to stay ahead of the attacker, you need to leverage these methodologies across your cloud and on-premise environments. The more you can consolidate and integrate your tooling, the greater visibility and operational efficiency you will have. Combined with automation and alerts delivered in context, this will allow you to scale and hunt for the next critical threats jeopardizing your cloud.

Author

Asaf Shahar

Asaf Shahar is the Sr. Product Manager, Cloud Native Security at Check Point Software Technologies.
Asaf is a senior technology and product executive with a proven track record of over 18 years of defining and delivering large-scale complex products, architectures and technologies. He has vast experience in security, cloud and networking.
