Threat hunting -- the process of proactively searching for signs of malware or an unauthorized intruder -- is a critical part of modern cybersecurity programs. Traditional antivirus programs and intrusion detection systems often miss cutting-edge malware, such as Emotet, or the subtle signs of an advanced persistent threat. An informed, manual threat hunting program can help to find these threats in time to prevent the next stage of attacks, such as ransomware installation.
But what happens when threats invade your cloud environment? Effective cloud threat hunting depends on strong threat intelligence: you need good information in order to successfully hunt down invaders. Many organizations have advanced threat intelligence capabilities in their on-premises environment, but when it comes to the cloud, they are nearly blind.
Now is the time to build your cloud threat hunting program. The problem is that, unlike in on-premises environments, defenders do not have ready access to the same wealth of threat intelligence in the cloud. Here are some of the challenges to threat hunting in the cloud, and tips for surmounting them.
Availability. The cloud is just "someone else's computer," goes the joke. When it comes to logging and monitoring, this is often painfully clear. Many cloud providers offer only very limited event logs, such as records of user authentication, and some do not even provide that. Under pressure from customers, some providers are expanding logging and monitoring capabilities, but security professionals are often foiled by decision-makers who see these features as nice to have rather than as required.
Advanced environments, such as AWS and Azure, offer you an enormous amount of control over "your" systems -- but due to the nature of their shared environments, the ability for users to monitor network traffic is limited. In on-premises environments, defenders can collect network flow records and sniff traffic to detect malicious activity. In the cloud, tools for monitoring virtual networks are not as readily accessible. Amazon and Microsoft both introduced virtual network terminal access point (TAP) capabilities in recent years, but few security professionals have experience using these tools, and the Azure virtual network TAP appears to be under development (the feature has not been consistently available).
Aggregation. To hunt for threats efficiently, practitioners need to be able to easily access intelligence from various sources, ideally using one central console. In on-premises environments, it's easy enough to set up a central server or SIEM to collect logs from various applications and pieces of network equipment. When it comes to the cloud, however, aggregating logs is not so simple. Cloud providers may or may not support log export. When they do, the format of data can vary widely -- and it may change without notice, unexpectedly foiling SIEM ingestion.
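One defensive measure against silent format changes is to validate exported records against the field set the SIEM parser depends on before they are ingested, so drift shows up as a report rather than as quietly dropped events. The following PowerShell function is an added example and is not code from the original article; the field names and the three sample records are constructed for illustration and do not reflect any particular cloud provider's real export schema.

```powershell
# Added example, not from the original article: check exported log records against
# the field set the SIEM parser expects before they are ingested. Field names and
# sample records below are constructed; they are not any provider's real schema.

function Test-LogSchema {
    param(
        [Parameter(Mandatory)][string[]]$JsonLines,       # one JSON object per line
        [Parameter(Mandatory)][string[]]$RequiredFields   # fields the parser relies on
    )
    $missingCounts = @{}
    $newCounts     = @{}
    $total = 0; $conformant = 0; $unparseable = 0

    foreach ($line in $JsonLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $total++
        try {
            $obj = $line | ConvertFrom-Json -ErrorAction Stop
        } catch {
            $unparseable++   # export changed to something that is not JSON at all
            continue
        }
        $present = @($obj.PSObject.Properties.Name)
        $missing = @($RequiredFields | Where-Object { $_ -notin $present })
        $extra   = @($present        | Where-Object { $_ -notin $RequiredFields })

        if ($missing.Count -eq 0) { $conformant++ }
        foreach ($f in $missing) { $missingCounts[$f] = 1 + [int]$missingCounts[$f] }
        foreach ($f in $extra)   { $newCounts[$f]     = 1 + [int]$newCounts[$f] }
    }

    [pscustomobject]@{
        Total         = $total
        Conformant    = $conformant
        Unparseable   = $unparseable
        MissingFields = $missingCounts   # field -> records lacking it (the parser would drop these)
        NewFields     = $newCounts       # field -> records carrying it (possible rename or new data)
        Drifted       = ($conformant -ne $total)
    }
}

# Constructed sample: the second record has sourceIp renamed to source_ip and a new
# region field; the third is not JSON. 203.0.113.0/24 is a documentation range.
$sample = @(
    '{"eventTime":"2020-07-01T10:00:00Z","eventName":"ConsoleLogin","sourceIp":"203.0.113.10","user":"alice"}',
    '{"eventTime":"2020-07-01T10:05:00Z","eventName":"ConsoleLogin","source_ip":"203.0.113.11","user":"bob","region":"eu-west-1"}',
    'not json at all'
)
$result = Test-LogSchema -JsonLines $sample -RequiredFields 'eventTime','eventName','sourceIp','user'
$result | Format-List
if ($result.Drifted) { Write-Warning "Log export format drifted; review the parser before ingestion." }
```

On the sample above the report shows three records, one conformant, one unparseable, `sourceIp` missing from one record and `source_ip` and `region` appearing as new fields, which is exactly the kind of rename that breaks a SIEM field extraction without raising an error. Running a check like this on a small sample of each export before bulk ingestion turns an unannounced format change into an alert.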
Expense. Detailed logging in the cloud is rarely on by default. In AWS, for example, CloudWatch monitoring is disabled unless explicitly turned on -- and then a pop-up warns, "additional charges apply." In Microsoft's Office 365, Exchange mailbox auditing is now on by default for all new commercial instances -- a change that took place in 2019 after a huge number of customers suffered business email compromise breaches and found that they did not have the mailbox logs they needed to investigate. However, the default retention time is limited to 90 days for many tenants, and customers have to pay for longer retention times.
When it comes to aggregating threat intelligence in the cloud, customers may be charged at every step of the way: for turning logging on, for storing log data in the cloud, for the bandwidth or processing power needed to transfer data to another system, and more. For example, let's say you want to collect log data from AWS and send it to a central Splunk server on Azure. Enabling CloudWatch on AWS requires opening a new Simple Storage Service (S3) bucket for local log storage, which costs money. You can use Kinesis Data Firehose to push data to another destination, which means you are charged for processing power. On Azure, you have to pay for the underlying VM that you use to set up Splunk, as well as for the Splunk license itself. All of this adds up.
Analysis Tools. Tools for cloud threat hunting are nascent. More advanced cloud providers, such as Microsoft and Amazon, have built-in analysis tools, but they often have surprising -- and poorly understood -- limitations. For example, security professionals frequently use Microsoft's graphical Security & Compliance Center to pull Unified Audit Logs (UAL) from Office 365 -- not realizing that the results are limited to 5,000 sorted records or 50,000 unsorted records. Incomplete threat intelligence, of course, leads to shoddy results! Instead, hunters need to use third-party products or custom PowerShell scripts to recursively extract large volumes of UAL records. For analysis, products such as Splunk, ExtraHop, or the open-source Kibana are invaluable.
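The recursive extraction the paragraph mentions, as an added example that is not code from the original article: a PowerShell function wrapped around the Exchange Online cmdlet Search-UnifiedAuditLog. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run; the function name, its parameters and the five-minute minimum window are my own choices. It pages through one search session with SessionCommand ReturnLargeSet (at most 5,000 records per call and 50,000 per session) and, when a window's session hits that cap, halves the window and queries again so that the result set is not silently truncated.

```powershell
# Added example, not from the original article.
# Assumes: ExchangeOnlineManagement module installed, Connect-ExchangeOnline already run.
# Search-UnifiedAuditLog returns at most 5,000 records per call and at most 50,000
# per session (SessionCommand ReturnLargeSet). A window whose session hits the
# 50,000 cap is split in half and re-queried, so large volumes come back complete.

function Get-UalRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string]$RecordType,                # optional filter, e.g. 'ExchangeItem'
        [int]$MinWindowMinutes = 5          # never split a window smaller than this
    )

    $sessionId = [guid]::NewGuid().ToString()   # one search session per window
    $records   = [System.Collections.Generic.List[object]]::new()
    $query = @{
        StartDate      = $StartDate
        EndDate        = $EndDate
        SessionId      = $sessionId
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000
    }
    if ($RecordType) { $query['RecordType'] = $RecordType }

    # Repeated calls with the same SessionId return the next page; an empty page ends the session.
    do {
        $page = @(Search-UnifiedAuditLog @query)
        foreach ($r in $page) { $records.Add($r) }
        Write-Verbose ("{0:u} - {1:u}: {2} records so far" -f $StartDate, $EndDate, $records.Count)
    } while ($page.Count -gt 0)

    # Every record carries ResultCount, the session-wide total. At the cap the
    # window is too wide for one session, so recurse on the two halves.
    $total = if ($records.Count -gt 0) { [int]$records[0].ResultCount } else { 0 }
    $windowMinutes = ($EndDate - $StartDate).TotalMinutes
    if ($total -ge 50000 -and $windowMinutes -gt $MinWindowMinutes) {
        Write-Warning ("Window {0:u} - {1:u} hit the 50,000-record cap; splitting." -f $StartDate, $EndDate)
        $mid = $StartDate.AddMinutes($windowMinutes / 2)
        $childArgs = @{ MinWindowMinutes = $MinWindowMinutes }
        if ($RecordType) { $childArgs['RecordType'] = $RecordType }
        $halves = @(Get-UalRecords -StartDate $StartDate -EndDate $mid @childArgs) +
                  @(Get-UalRecords -StartDate $mid -EndDate $EndDate @childArgs)
        # A record timestamped exactly at $mid can appear in both halves; Identity is unique per record.
        return $halves | Sort-Object -Property Identity -Unique
    }
    return $records.ToArray()
}

# Usage: pull the last seven days and write one JSON document per line for SIEM ingestion.
Connect-ExchangeOnline
$ual = Get-UalRecords -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Verbose
$ual | ForEach-Object { $_.AuditData } | Set-Content -Path .\ual-last7d.jsonl
"Exported $($ual.Count) records"
```

The AuditData property of each record is itself a JSON string, which is why the usage writes it out line by line rather than flattening it with Export-Csv: the inner fields differ by workload, and a line-delimited JSON file keeps every field for the SIEM to parse. If a window hits the cap, the warning tells you which time range had to be split, which is itself a useful signal that something generated an unusual volume of events.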
The cloud is the emerging battleground for bleeding-edge cybersecurity threats. Unfortunately, the constant evolution of threat intelligence, difficulty and expense of aggregation, and nascent cloud-based analysis tools are all challenges for today's defenders. The good news is that cloud monitoring and logging is slowly maturing, and security professionals who push for cloud threat hunting capabilities will reap the rewards.