Mitiga at RSAC 2025: Visit our booth, attend speaking sessions, and schedule a meeting with us!

Customers
Why Mitiga
Request a DemoEmergency Assistance
Home
»
Blog Main

An excerpt from Cloud Threat Detection, Investigation, and Response for Dummies®

Hunting complements detection. Once you’ve identified an indicator of an attack, you need to dig into the details. Is that authentication failure a legitimate user mistyping their password? Or, is it an attacker trying to compromise someone else’s account? Looking at an indicator in isolation often isn’t enough to know for sure when you have a true positive indicator of an attack or when you’re dealing with a benign event.

A-Hunting We Will Go

Threat hunting is the process of investigating security events using a hypothesis-driven exploratory analysis and investigation. Cloud threat hunts, as you may have guessed, focus on hunting threats in cloud environments. Cloud hunts entail deep dives into logs using more complicated logic than typically used for detection. With detection, you’re willing to generate false positive indicators of attacks rather than miss a potential true attack indicator. Detection uses more lightweight pattern recognition to quickly find targets of interest. When you’re hunting, however, you’ve decided to invest time and resources into investigating what appears to be an actual attack, which can cause harm to the organization. There are a few different ways to approach hunts.

Strategic cloud hunts

A strategic cloud hunt looks at what adversaries do when they conduct attacks. These hunts tend to focus on a particular technology or platform, such as exfiltrating data from a cloud provider’s object storage service or compromising the authentication process of a SaaS provider.

Event-driven hunts

Event-driven hunts take advantage of some malicious event that happened to someone else’s system. For example, a technology vendor might have had proprietary information stolen using some form of a persistent threat. During event hunts, researchers gather as much information as possible to understand the attack, identify indicators of the attack, and in some cases, try to replicate the attack in a research and development environment.


Continuous cloud hunts

Continuous cloud hunts are ongoing operations running checks in your cloud and SaaS environments against all indicators of attacks. If some malicious activity is identified, then you can run mitigation processes.

Cloud Hunts Depend on Logs

If you’ve worked with logs in on-premises systems, you’ve probably seen how easy it is to control the level of detail captured in logs. When you shift to using cloud services, especially SaaS services, it becomes more challenging to capture log data. One of the issues is that you need access to cloud provider’s logs. These aren’t always accessible to cloud users. In some cases, the amount of log data available depends on the licensing of a service.

For example, an enterprise license for a collaboration tool may provide for logging while the free version of the same product doesn’t. Not only is this a problem because logs aren’t available for some users, but an attacker can use this two-tiered approach to logging to their advantage. An attacker could temporarily remove the license from a user, perform some malicious act using that user’s account, and then restore the license. The user may never notice the difference, and no logs will be left detailing the malicious activity.


Another thing to consider when using a PaaS or SaaS, is that there are limits to how long the vendor will keep logs. It’s important to capture those logs into a security data lake before they’re deleted by the cloud vendor, so you’ll have what you need to hunt.

Want to go deeper on this topic, and read more expert guidance on cloud investigation? Download a free copy of Cloud Threat Detection, Investigation, and Response for Dummies®.

LAST UPDATED:

July 10, 2024

Don't miss these stories:

Make Cloud Attacks Yesterday’s Problem with Mitiga at RSA Conference 2025

Visit Mitiga at booth number N-4618 at RSA Conference 2025 to learn about cloud detection and response.

Uncovering Hidden Threats: Hunting Non-Human Identities in GitHub

In the last few days, two compromised GitHub Actions are actively leaking credentials, and a large-scale OAuth phishing campaign is exploiting developer trust.

Can vulnerabilities in on-prem resources reach my cloud environment?

What risk does this Zoho password manager vulnerability present, and could this on-prem vulnerability impact cloud environments as well?

Log4Shell - identify vulnerable external-facing workloads in AWS

Cloud-based systems should be thoroughly searched for the new Log4j vulnerability (CVE-2021-44228). But this is a daunting task, since you need to search each and every compute instance, from the biggest EC2 instance to the smallest Lambda function. This is where Mitiga can help.

How Transit Gateway VPC Flow Logs Help Incident & Response Readiness

In this blog, we will focus on the security and forensic aspects of Transit Gateway VPC flow logs and expand the way they can be used by organizations to respond to cloud incidents.

Uber Cybersecurity Incident: Which Logs Do IR Teams Need to Focus On?

On September the 16th, Uber announced they experienced a major breach in their organization in which malicious actor was able to log in and take over multiple services and internal tools used at Uber. What are some of the logs that IR teams should be focusing on in their investigation?