Let’s Talk About Cloud Threat Hunting

22 dg 040 adversaries target weak points
NETSCOUT

Threat hunting is a proactive approach for finding and remediating undetected cyber-attacks. It is a process that involves searching for indicators of compromise (IoC), investigating, classifying, and remediating. Threat hunting can be IoC-Driven, in which the hunter investigates an indicator provided by external or internal sources. It can also be hypothesis-driven, in which the hunt begins with an initial hypothesis or question. For example, have we been affected by a recent campaign covered in the news? 

It’s Best to Assume You’ve Been Compromised

Threat hunting is necessary simply because no cybersecurity protections are always 100% effective. An active defence is needed, rather than relying on ‘set it and forget it’ security tools. Since adversaries have followed the journey to the cloud, threat hunting is required to detect and disrupt advanced threats originating, operating, and persisting in the cloud. 

Today, more than 70% of application code used is open source. Attackers look to include their malicious code in common projects e.g. GitHub. After poisoning the well, they patiently wait as the new version makes its way into your cloud applications. Remaining undetected is vital to the success of this and most attacks. Unfortunately, most attacks succeed at remaining undetected. The average time required to identify and contain a breach is 280 days.

Threat hunting involves using manual and software-assisted techniques to detect possible threats that have eluded other security systems. These threat hunting tasks can include hunting for malicious activity within your account. Attackers will do everything in their power to hide their actions, but usually will leave some traces of their activity - like breadcrumbs you can only see if you look in the right places.

The Threat Hunting Process

There are three things you need to do to hunt threats effectively:

Step 1: Collect quality data

Data collected can come from log files, servers, network devices, databases, and endpoints. In the cloud some of the most useful threat hunting data will come from traffic flow logs and event activity logs. 

Step 2: Analyse this data in the context of known threats

Threat hunters must search for patterns and potential indicators of compromise (IOCs). In order to monitor properly, you should always be looking at your logs. Too often, organisations don’t have enough resources and manpower to dedicate to ongoing intrusion detection monitoring. 

Step 3: Analyse the tools to make sense of it all

There are certain things that are obvious signs of potential malicious activity. Do you have outbound traffic to a Tor exit node? Access tokens are being abused by brand new sources? What you really want is a cloud security solution that will alert you of these things automatically. Even the most skilled threat hunter might not pick up on obviously malicious activity if it is buried under a mountain of cloud logs. 

Finding and Investigating Indicators of Misconfiguration, Indicators of Compromise and Attack

Threat hunting requires a scope of what to look for and a way to identify anything that doesn’t fit in, such as irregular traffic, abnormal account activity, registry and file system changes, commands used in remote sessions that were not seen before.

In order to find anomalies, it’s important to first have a basic understanding of regular activity. Once indicators are detected, follow the trail. This is often done by establishing a hypothesis and then identifying if each IoM or IoC is a threat. Some IoCs may use a blunt approach and present obvious evidence. For example, an increased amount of traffic to a country that the organisation does not do any business with. It is highly recommended to utilise a security system that can automatically scan for known malware signatures or IOCs within your environment.  

Enterprise environments often have diverse traffic, making detection more of a challenge. Most security solutions tend to be effective against malicious codes that have already been mapped and analysed, whereas completely new malicious code is more challenging to detect.

Tips for Effective Cloud Threat Hunting

Sophisticated malware often hides inside something else to infiltrate service hosts, such as Windows processes that your system is always running. If they manage to inject malicious code, they can perform malicious operations in an undetectable way. Windows registry is another key location where malware might hide. Compare with the default system registry and investigate any changes. Microsoft Active Directory has been utilised in many of the major breaches of the last year. Consider moving your organisation away from this system to protect against lateral movement and other attack techniques. 

The level of detail you go into with threat hunting depends on your organisation’s priorities and the level of freedom each system has. Checking the integrity of critical system processes that are always active is an important part of the forensics side of threat hunting.

Embracing the cloud is critical to digital transformation initiatives, but for them to be successful, security must transform alongside the business. Quite simply, it is time for enterprises to rethink cloud security to keep pace with an evolving landscape of risks.

CrowdStrike Cloud Security goes beyond ad hoc approaches by unifying cloud security posture management (CSPM) together with breach protection for cloud workloads and containers, AND our human threat detection engine. When threat hunters operate as an extension of your team, to relentlessly identify and stop threats in the cloud, you can count on securing your cloud environments—and your potential for growth. 

Written by Guilherme (Gui) Alvarenga
Senior Product Marketing Manager, Cloud Security - CrowdStrike

Connect with CrowdStrike here or contact our CrowdStrike APJ Cloud Expert: Chris Hosking.

Related:

Copyright © 2022 IDG Communications, Inc.