An excerpt from Cloud Threat Detection, Investigation, and Response for Dummies®

Hunting complements detection. Once you’ve identified an indicator of an attack, you need to dig into the details. Is that authentication failure a legitimate user mistyping their password? Or, is it an attacker trying to compromise someone else’s account? Looking at an indicator in isolation often isn’t enough to know for sure when you have a true positive indicator of an attack or when you’re dealing with a benign event.

A-Hunting We Will Go

Threat hunting is the process of investigating security events using a hypothesis-driven exploratory analysis and investigation. Cloud threat hunts, as you may have guessed, focus on hunting threats in cloud environments. Cloud hunts entail deep dives into logs using more complicated logic than typically used for detection. With detection, you’re willing to generate false positive indicators of attacks rather than miss a potential true attack indicator. Detection uses more lightweight pattern recognition to quickly find targets of interest. When you’re hunting, however, you’ve decided to invest time and resources into investigating what appears to be an actual attack, which can cause harm to the organization. There are a few different ways to approach hunts.

Strategic cloud hunts

A strategic cloud hunt looks at what adversaries do when they conduct attacks. These hunts tend to focus on a particular technology or platform, such as exfiltrating data from a cloud provider’s object storage service or compromising the authentication process of a SaaS provider.

Event-driven hunts

Event-driven hunts take advantage of some malicious event that happened to someone else’s system. For example, a technology vendor might have had proprietary information stolen using some form of a persistent threat. During event hunts, researchers gather as much information as possible to understand the attack, identify indicators of the attack, and in some cases, try to replicate the attack in a research and development environment.

Continuous cloud hunts

Continuous cloud hunts are ongoing operations running checks in your cloud and SaaS environments against all indicators of attacks. If some malicious activity is identified, then you can run mitigation processes.

Cloud Hunts Depend on Logs

If you’ve worked with logs in on-premises systems, you’ve probably seen how easy it is to control the level of detail captured in logs. When you shift to using cloud services, especially SaaS services, it becomes more challenging to capture log data. One of the issues is that you need access to cloud provider’s logs. These aren’t always accessible to cloud users. In some cases, the amount of log data available depends on the licensing of a service.

For example, an enterprise license for a collaboration tool may provide for logging while the free version of the same product doesn’t. Not only is this a problem because logs aren’t available for some users, but an attacker can use this two-tiered approach to logging to their advantage. An attacker could temporarily remove the license from a user, perform some malicious act using that user’s account, and then restore the license. The user may never notice the difference, and no logs will be left detailing the malicious activity.

Another thing to consider when using a PaaS or SaaS, is that there are limits to how long the vendor will keep logs. It’s important to capture those logs into a security data lake before they’re deleted by the cloud vendor, so you’ll have what you need to hunt.

Want to go deeper on this topic, and read more expert guidance on cloud investigation? Download a free copy of Cloud Threat Detection, Investigation, and Response for Dummies®.