Let’s Talk about Cloud Threat Hunting
Threat hunting is a proactive approach for finding and remediating undetected cyberattacks. It is a process that involves searching for indicators of compromise (IoC), investigating, classifying and remediating.
Threat hunting can be Infrastructure as Code-driven when the hunter investigates an indicator provided by external or internal sources. It can also be hypothesis-driven when the hunt begins with an initial hypothesis or question. For example, have we been affected by a recent campaign covered in the news?
It’s Best to Assume You’ve Been Compromised
Threat hunting is necessary simply because no cybersecurity protections are always 100% effective. An active defense is needed, rather than relying on “set it and forget it” security tools. Since adversaries have followed the journey to the cloud, threat hunting is required to detect and disrupt advanced threats originating, operating and persisting in the cloud.
Today, more than 70% of application code used is open source. Attackers look to include their malicious code in common projects such as GitHub. After poisoning the well, they patiently wait as the new version makes its way into your cloud applications. Remaining undetected is vital to the success of this and most attacks. Unfortunately, most attacks succeed at remaining undetected. The average time required to identify and contain a breach is 280 days.
Threat hunting involves using manual and software-assisted techniques to detect possible threats that have eluded other security systems. These threat-hunting tasks can include hunting for malicious activity within your account. Attackers will do everything in their power to hide their actions, but usually will leave some traces of their activity — like breadcrumbs you can only see if you look in the right places.
The Threat Hunting Process
There are three things you need to do to hunt threats effectively:
Step 1: Collect Quality Data
Data collected can come from log files, servers, network devices, databases and endpoints. In the cloud, some of the most useful threat-hunting data will come from traffic flow logs and event activity logs.
Step 2: Analyze This Data in the Context of Known Threats
Threat hunters must search for patterns and potential indicators of compromise (IOCs). You should always be looking at your logs to monitor properly. Too often, organizations don’t have enough resources and manpower to dedicate to ongoing intrusion detection monitoring.
Step 3: Analyze the Tools to Make Sense of it All
There are certain obvious signs of potential malicious activity. Do you have outbound traffic to a Tor exit node? Access tokens are being abused by new sources? What you really want is a cloud security solution that will alert you of these things automatically. Even the most skilled threat hunter might not pick up on obviously malicious activity if it is buried under a mountain of cloud logs.
Finding and Investigating Indicators of Misconfiguration, Indicators of Compromise and Attack
Threat hunting requires a scope of what to look for and a way to identify anything that doesn’t fit in, such as irregular traffic, abnormal account activity, registry and file system changes, and commands used in remote sessions that were not seen before.
To find anomalies, it’s important to first have a basic understanding of regular activity. Once indicators are detected, follow the trail. This is often done by establishing a hypothesis and then identifying if each indicator of misconfiguration or IoC is a threat.
Some IoCs may use a blunt approach and present obvious evidence. For example, an increased amount of traffic to a country that the organization does not do any business with. It is highly recommended to use a security system that can automatically scan for known malware signatures or IOCs within your environment.
Enterprise environments often have diverse traffic, making detection more of a challenge. Most security solutions tend to be effective against malicious codes that have already been mapped and analyzed, whereas completely new malicious code is more challenging to detect.
Tips for Effective Cloud Threat Hunting
Sophisticated malware often hides inside something else to infiltrate service hosts, such as Windows processes that your system is always running. If they manage to inject malicious code, they can perform malicious operations in an undetectable way. Windows registry is another key location where malware might hide. Compare with the default system registry and investigate any changes.
Microsoft Active Directory has been used in many of the major breaches of the past year. Consider moving your organization away from this system to protect against lateral movement and other attack techniques.
The level of detail you go into with threat hunting depends on your organization’s priorities and the level of freedom each system has. Checking the integrity of critical system processes that are always active is an important part of the forensics side of threat hunting.
Embracing the cloud is critical to digital transformation initiatives, but for them to be successful, security must transform alongside the business. Quite simply, it is time for enterprises to rethink cloud security in order to keep pace with an evolving landscape of risks.
CrowdStrike cloud security goes beyond ad hoc approaches by unifying cloud security posture management (CSPM) together with breach protection for cloud workloads and containers and our human threat detection engine. When threat hunters operate as an extension of your team to relentlessly identify and stop threats in the cloud, you can count on securing your cloud environments — and your potential for growth.
