Cloud Threat Hunts Explained
Video Transcript
I'm Matthew Steven, Chief Architect at Mitiga. In this video I'll discuss Mitiga's comprehensive threat hunting program.
But first I'll provide a background on indicators of attack, or IOAs, which are core components of threat hunting. Mitiga uses IOAs to identify potential leads for malicious activity.
IOAs include behaviors and strategies used by threat actors, as well as atomic indicators of compromise, or IOCs, used in a threat actor's underlying infrastructure.
Behavior-based IOAs search for the tactics, techniques and procedures, or TTPs, used by threat actors to gain initial access to an environment, as well as to perform post-compromise activity such as privilege escalation, establishing persistence or completing objectives. Some IOAs are designed to search for a specific action or sequence of actions, such as creating a new user and then granting them elevated privileges, whereas other IOAs are designed to search for anomalous activity or deviations from a baseline, such as a user logging in from a new geolocation, potentially followed by adding a new MFA device or access key for persistence. Atomic IOCs such as IP addresses and domains can also be used to identify malicious activity.
However, a threat actor's infrastructure is typically easier to change than their general behaviors or TTPs. As Mitiga responds to more incidents and performs research on new threats, we create and fine-tune IOAs in our library.
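The two behavior-based IOA styles described above (a fixed action sequence, and a deviation from a per-user baseline followed by a persistence action) as an added illustration; this is example code written for this transcript, not Mitiga's own IOA library, and the CloudTrail-like events, field names, baseline and one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified CloudTrail-like shape, sorted by time (not real logs).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "user": "alice", "event": "ConsoleLogin", "country": "US"},
    {"time": "2024-05-01T10:05:00", "user": "alice", "event": "CreateUser", "target": "svc-backup"},
    {"time": "2024-05-01T10:06:00", "user": "alice", "event": "AttachUserPolicy",
     "target": "svc-backup", "policy": "AdministratorAccess"},
    {"time": "2024-05-02T03:00:00", "user": "bob", "event": "ConsoleLogin", "country": "RO"},
    {"time": "2024-05-02T03:12:00", "user": "bob", "event": "CreateAccessKey", "target": "bob"},
    {"time": "2024-05-02T09:00:00", "user": "carol", "event": "ConsoleLogin", "country": "US"},
]

# Assumed per-user baseline of countries seen in normal activity (constructed).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
PRIVILEGED_POLICIES = {"AdministratorAccess"}
PERSISTENCE_EVENTS = {"CreateAccessKey", "CreateVirtualMFADevice", "EnableMFADevice"}
WINDOW = timedelta(hours=1)  # how close the follow-up action must be to count as one sequence


def _ts(event):
    return datetime.fromisoformat(event["time"])


def sequence_ioa(events):
    """Sequence IOA: CreateUser followed within WINDOW by a privileged policy attached to that user."""
    leads = []
    for i, e in enumerate(events):
        if e["event"] != "CreateUser":
            continue
        for f in events[i + 1:]:
            if _ts(f) - _ts(e) > WINDOW:
                break  # events are time-ordered, so nothing later can be inside the window
            if (f["event"] == "AttachUserPolicy" and f.get("target") == e["target"]
                    and f.get("policy") in PRIVILEGED_POLICIES):
                leads.append((e["user"], e["target"], f["policy"]))
    return leads


def anomaly_ioa(events, baseline):
    """Anomaly IOA: login outside the user's baseline countries, then a persistence action within WINDOW."""
    leads = []
    for i, e in enumerate(events):
        if e["event"] != "ConsoleLogin" or e["country"] in baseline.get(e["user"], set()):
            continue  # only logins that deviate from the baseline become candidate leads
        for f in events[i + 1:]:
            if _ts(f) - _ts(e) > WINDOW:
                break
            if f["user"] == e["user"] and f["event"] in PERSISTENCE_EVENTS:
                leads.append((e["user"], e["country"], f["event"]))
    return leads
```

Each returned tuple is a lead for an analyst to validate, matching the transcript's point that IOAs produce leads rather than verdicts.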
Now that you know what IOAs are I'll discuss the four types of threat hunts that can comprise Mitiga’s threat hunting program.
Continuous Hunting
The first is Continuous Hunting, which includes daily searches using higher-fidelity IOAs as well as our threat intel feeds. We use a wide range of IOAs covering multiple cloud platforms and scenarios to increase the chances of catching early signs of an attack. As with the other types of hunts, Mitiga analysts review any results to reduce noise and lower the effort required by customer SOCs to validate malicious activity.
Event-Driven Hunting
The second type of threat hunt is Event-Driven. Event-Driven Hunting is initiated when we identify new threats or campaigns. These types of threats include global events that affect a large number of organizations, such as a major supply chain compromise or vulnerabilities in widely used software.
It also includes incidents reported by other organizations, research performed by Mitiga, as well as incidents we respond to for our customers. If we identify malicious activity in one customer's environment, we can check to see if there's similar activity in other customer environments.
As part of Event-Driven hunting, we search for evidence of a previous or ongoing compromise. As part of Continuous Hunting we can search for those same indicators going forward.
Strategic Hunting
The third is Strategic Hunting. As with Event-Driven Hunting, Strategic Hunting uses historical data. However, it doesn't require a lead like Event-Driven does, and it goes more in depth on a specific scenario than Continuous Hunting.
Mitiga has a library of predefined hunts, and we work with our customers to identify relevant scenarios in their environment. The library grows over time as we expand to new cloud platforms or identify new threats on existing platforms.
Current hunts in our library include persistence and data exfiltration in AWS, Azure, GCP, Microsoft 365 and several other SaaS platforms.
Tailored Hunting
The fourth type of hunting is Tailored Hunting. Some of our customers may have additional priorities that are not covered by the other types of hunts or the existing library of IOAs. In that case, we offer Tailored Hunting, where we work with the customer to identify specific concerns and build a custom scenario.
As part of Tailored Hunting we research and build new IOAs for the relevant platform. With this comprehensive approach to hunting, Mitiga can identify early signs of an attack as well as uncover previously unidentified threats.
Also, with our library of predefined strategic hunts and the flexibility of Tailored Hunting, we offer both the breadth and the depth required to give confidence in the security of your cloud and SaaS environments.
If you'd like to learn more about our threat hunting program, visit us at Mitiga.io.