
How Threat Hunting in the Cloud Can Help Organizations 

High up on mountains in four locations – two in Hawaii and one each in Chile and South Africa – the world’s most advanced space telescopes continually scan the night skies to detect threats to the Earth from asteroids and other near-Earth objects hurtling through space. NASA’s Asteroid Terrestrial-impact Last Alert System (or ATLAS for short), which became operational in 2017 before being expanded a few years later, has already successfully identified several hundred asteroids and comets that were headed our way, including some that impacted Earth.

Though it deals with the virtual world, Cloud Threat Hunting – which concerns the identification and remediation of cyber threats within an organization’s environments before they become full-blown – is quite akin to ATLAS.

What it is

Threat Hunting in the cloud, as its name suggests, is a systematic and ongoing search to detect malicious activity within an organization’s network, data, infrastructure, and cloud-based applications that might compromise its security posture. Though it serves the same purpose as its like-minded cousin, Penetration Testing (Pentesting), namely shoring up the organization’s cyber defenses, it differs from Penetration Testing in one fundamental way. Pentesting starts out with possible threat scenarios that may compromise security. Threat Hunting, on the contrary, works backward (1): it first identifies a data breach that has taken place, or malicious activity that is ongoing in the environment, and then homes in on the vulnerability. Its responsibility, therefore, is to discover threats that lie deep within the organization’s network and have eluded its cyber defenses, and then remediate them. Though it essentially starts with ‘scraping’ the network to come up with Indicators of Compromise (IoCs), it is also often used to conduct ‘hypothesis-driven’ searches, which have their genesis in the ideology adopted by organizations passionate about their cyber health: start with the assumption that you have been compromised.

Why the need

The primary function of Threat Hunting is to alert organizations as to whether their security has already been breached, and how to remediate the breach before the attack commences.

The introduction of the cloud environment brought with it its fair share of benefits and challenges. While flexibility, speed, storage, and scalability made it a runaway winner, it also created a new threat model and a new playing field for the bad actor. Cloud environments have seen bad actors weaponize the cloud and evolve to an all-time high level of proficiency, deploying sophisticated tactics, techniques, and procedures (TTPs) to orchestrate attacks. Multiple cloud environments may be seen to offer safety thanks to the staggered/distributed state of data, but they have also created visibility issues, especially regarding configuration transparency, complex architectures, and multiple Application Programming Interfaces (APIs). In short, the cloud has increased the attack surface and made threat identification more complex.

A heavy reliance on open-source code, vulnerabilities in supply chain ecosystems, the evolution of Ransomware as a Service (RaaS), and a continually evolving regulatory landscape that mandates organizations to commit to cyber health, have added to the need for Threat Hunting.

The threat-hunting process

The threat-hunting process necessarily has to commence with a clear understanding of regular organizational activity, one’s security setup, policies and processes, the on-premise environment, and the business goals. This knowledge is a precursor to detecting anomalies. Threat-hunting experts treat deviations from that baseline as red flags, typically along the lines of:

  • Irregular traffic including that from hitherto unknown sources
  • Abnormal account activity
  • Unaccounted-for registry and file system changes
  • Commands in remote sessions that have not been seen before

That said, a typical threat-hunting process follows these steps:

  1. Collection of data from log files, servers, network devices, databases, and endpoints. Clouds provide key inputs for threat hunting via their traffic flow logs and event activity logs.
  2. Analysis of data collected to determine intrusion and estimation of the scope of damage
  3. Immediate and effective remediation and incident response steps
  4. Assimilating learnings to ensure the security posture benefits from the incident
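The red flags and the collect-then-analyze steps above can be demonstrated with a small baseline-and-deviation hunt. The following is an added example, not code from the original post or from Aurora; every log record, field name, IP address and principal in it is constructed for illustration and does not follow any real cloud provider’s log schema. It learns what “regular” activity looks like from a trusted window of event-activity and remote-session logs (step 1), then compares a later window against that baseline and reports unknown source addresses, abnormal account activity and never-seen remote commands, grouped by principal to estimate scope (step 2).

```python
"""Added example: baseline-and-deviation hunt over constructed cloud log records.

All records, field names and addresses below are constructed for illustration
(hypothetical schema, not any provider's real log format).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed "known good" event-activity log (API calls and logins) for a past window.
BASELINE_EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.10", "region": "us-east-1", "action": "ConsoleLogin"},
    {"user": "alice", "src_ip": "203.0.113.10", "region": "us-east-1", "action": "ListBuckets"},
    {"user": "ci-bot", "src_ip": "198.51.100.7", "region": "us-east-1", "action": "PutObject"},
    {"user": "bob", "src_ip": "203.0.113.11", "region": "eu-west-1", "action": "DescribeInstances"},
]
# Constructed remote-session command log for the same window.
BASELINE_COMMANDS = [
    {"user": "bob", "instance": "i-0aaa", "command": "systemctl status nginx"},
    {"user": "bob", "instance": "i-0aaa", "command": "tail -n 100 /var/log/nginx/error.log"},
]
# Constructed records from the window being hunted.
HUNT_EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.10", "region": "us-east-1", "action": "ListBuckets"},
    {"user": "alice", "src_ip": "192.0.2.99", "region": "ap-southeast-2", "action": "ConsoleLogin"},
    {"user": "ci-bot", "src_ip": "198.51.100.7", "region": "us-east-1", "action": "CreateAccessKey"},
    {"user": "mallory", "src_ip": "192.0.2.5", "region": "us-east-1", "action": "ConsoleLogin"},
]
HUNT_COMMANDS = [
    {"user": "bob", "instance": "i-0aaa", "command": "systemctl status nginx"},
    {"user": "bob", "instance": "i-0aaa", "command": "useradd -m svc-backup"},
]


@dataclass
class Baseline:
    known_ips: set = field(default_factory=set)
    user_regions: dict = field(default_factory=lambda: defaultdict(set))
    user_actions: dict = field(default_factory=lambda: defaultdict(set))
    user_commands: dict = field(default_factory=lambda: defaultdict(set))


@dataclass
class Finding:
    category: str   # one of the red-flag classes listed in the article
    reason: str
    record: dict


def command_verb(command: str) -> str:
    """Reduce a command line to its first token so argument noise is ignored."""
    tokens = command.split()
    return tokens[0] if tokens else ""


def build_baseline(events, commands) -> Baseline:
    """Step 1: learn what regular activity looks like from trusted logs."""
    b = Baseline()
    for e in events:
        b.known_ips.add(e["src_ip"])
        b.user_regions[e["user"]].add(e["region"])
        b.user_actions[e["user"]].add(e["action"])
    for c in commands:
        b.user_commands[c["user"]].add(command_verb(c["command"]))
    return b


def hunt(b: Baseline, events, commands) -> list:
    """Step 2: compare the hunt window against the baseline and report deviations."""
    findings = []
    for e in events:
        if e["src_ip"] not in b.known_ips:
            findings.append(Finding("irregular-traffic", f"source {e['src_ip']} never seen before", e))
        if e["user"] not in b.user_actions:
            findings.append(Finding("abnormal-account", f"unknown principal {e['user']}", e))
            continue  # no history to compare region or action against
        if e["region"] not in b.user_regions[e["user"]]:
            findings.append(Finding("abnormal-account", f"{e['user']} active in new region {e['region']}", e))
        if e["action"] not in b.user_actions[e["user"]]:
            findings.append(Finding("abnormal-account", f"{e['user']} performed new action {e['action']}", e))
    for c in commands:
        verb = command_verb(c["command"])
        if verb not in b.user_commands[c["user"]]:
            findings.append(Finding("unseen-remote-command",
                                    f"{c['user']} ran '{verb}' on {c['instance']} for the first time", c))
    return findings


def scope_by_principal(findings) -> dict:
    """Step 2 continued: count deviations per principal to estimate the blast radius."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.record["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS, BASELINE_COMMANDS)
    results = hunt(baseline, HUNT_EVENTS, HUNT_COMMANDS)
    for f in results:
        print(f"[{f.category}] {f.reason}")
    print(scope_by_principal(results))
```

Run as-is it reports six deviations: alice’s console login from an unknown address in a new region, the CI service account calling an API it has never used, an unknown principal logging in from an unknown address, and bob running a command verb not seen in his earlier sessions. The normal alice record produces nothing. In a real hunt the baseline would be built from weeks of flow and event logs rather than four records, and each finding would feed the remediation and lessons-learned steps that follow.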

The benefits

Like Pentesting, Vulnerability Testing, and Red Teaming (2), Threat Hunting offers benefits that organizations find hard to ignore. Leaving aside the insulation it offers by way of prevention/mitigation of financial loss, service disruptions, erosion of stakeholder confidence and goodwill, and liabilities arising from non-compliance with regulatory mandates, some of the benefits are:

  • Early identification of the threat and the area of compromise, before the breach is set in motion
  • Enhanced security and situational awareness about cloud configurations from the point of view of data assets, attack surfaces, and security gaps
  • A stronger security posture through assimilation of the lessons learned from the exercise
  • Increased management buy-in for threat-hunting investment, and resource upskilling covering both tools and specialists

The challenges

Setting up and implementing a robust threat-hunting system has its fair share of challenges. Major among these are:

  • Lack of data visibility and integration, a consequence of multiple platforms and complex architectures (including legacy systems), which often leaves security teams unable to follow through on their roles
  • Overcoming the complexities of multi-cloud environments, each with its own setup, security features, and log-ins
  • A dearth of specialists that possess the skill sets necessary to set up and implement best practice threat-hunting systems, security platforms, and remediation response plans
  • Lack of conviction amongst decision-makers with regard to the choice of the cyber security system – whether Pentesting, Vulnerability Testing, Red Teaming, or Threat Hunting
  • Continually evolving TTPs and skill levels of malicious actors
  • Poorly defined Access Management Systems that often constitute a major vulnerability area
  • Need for dedicated resources to ensure compliance with statutory mandates and regulations
  • Improperly configured APIs that create weak spots that can be exploited by bad actors

Best practices

Cloud partner Wiz’s article (3) on the top features and capabilities of a threat-hunting system serves as a valuable guide. It explains how the vast multi-cloud environment can be effectively negotiated only through ‘proper tooling’ that will ensure:

  • Real-time alerting of threats so the threat-hunting team or the SOC can take immediate actions
  • Increased visibility across the cybersecurity canvas
  • Integration of the threat-hunting data with other sources of security intelligence available
  • Scalability possibilities to account for multi-cloud environments
  • Scope to integrate new-age tools like AI and ML to provide superior analytics of suspicious behaviors, patterns, and anomalies
  • Cloud Access Security Broker (CASB), Cloud Detection and Response (CDR), and other cloud security tools (3) that correlate and automate the analysis of incidents

Outlook

The 2020 benchmark case of the Ghostcat Vulnerability (5) discovered in the open-source Apache Tomcat Java protocol is often cited to underscore the importance of threat hunting. To what extent inroads in cloud security have been made by threat actors can be seen from the 2023 IBM report (4), which says that 82% of all data breaches involved cloud-stored data across various environments. The finding vindicates the need for organizations to take up threat hunting and other proactive security measures on a war footing. The report goes on to say that some headway is already being seen – some 51% of global organizations plan to boost their investments in cloud security.

The issue however comes down to whether any amount of preparation and engagement will ever be enough. The analogy of ATLAS may provide an answer. Like the threats of potentially catastrophic Earth-bound asteroids and interstellar bodies that it is tasked with identifying on an ongoing basis, our cybersecurity world is just going to have to live with the endless threats that will arrive from the cloud.

So, the answer is no. Enough will never be enough. But any and every last bit of preparation will certainly help.

References:


Contact us at sales@aurorait.com or call 888-282-0696 to learn more about how Aurora can help your organization with IT, consulting, compliance, assessments, managed services, or cybersecurity needs.
