How do you approach threat hunting in cloud environments?

by Black Hat Middle East and Africa
When Gabrielle Hempel (System Engineer at Netwitness) started to apply her threat hunting skills in cloud environments, she quickly realised there were serious gaps in knowledge and processes in this space.

“Attackers can evade detections and sometimes bypass alarms, so hunting is a really important addition to a security program,” Hempel said – and this is just as true in the cloud as it is off the cloud.

So she took her extensive experience as a threat hunter in on-premises environments, and built out a new methodology for applying threat hunting techniques in cloud and multi-cloud settings.

Hempel came to Black Hat MEA 2022 to share her maturity model for threat hunting in the cloud.

The different forms of threat hunting

Hempel outlined three types of threat hunt. The first is the structured direct hunt. These are formal searches for tactics that are already known to be used by attackers. And the second is the unstructured hunt. These are “a little bit more free-flowing,” Hempel said. They’re more opportunistic, “and they can be hard for newer programmers to get experience with.”

Within these two types of hunting there’s also intel-based hunting (a reactive approach that relies on intelligence from sources such as sharing platforms); and the hypothesis hunting model, which uses a threat library and global detection playbooks to identify advanced persistent threat groups.

And the third threat hunt method is situational awareness: “We’ll identify anomalies and customise these hunts based on customer requirements.”

These are proactively executed hunts that are based on an understanding of factors like geopolitical instability or high-profile attacks – “things happening out there that create potential risks that we know we need to look out for.”

A threat will have clear parameters that need to be met in order for it to be considered a threat in the first place:

“When we talk about crime, we talk about someone who has the means, motive, and opportunity to commit that crime. So if it fulfils all three of those parameters then it is considered to be a crime. Threats are the same way. When you see something, if you are going to consider it a threat, there has to be means, motive, and opportunity.”

And so a hunt needs a methodology in order to be strategic and efficient, and to have the best possible chance of successfully identifying a threat.

How is threat hunting different in the cloud?

“It’s estimated that 50% of the world’s data will be stored in cloud infrastructure by 2025,” Hempel noted, so it’s crucial that methodologies are developed for effective threat hunting within cloud environments.

But how does threat hunting change in cloud-based environments, compared to on-premises environments?

Hempel said the two main differences are “how information is obtained and analysed, and tools for response. These change a lot when you’re starting to work in cloud environments.”

And there are three important truths to keep in mind:

  1. “Just because an organisation is in the cloud doesn’t mean attackers stop.”
  2. “It’s really beneficial to a defence strategy to understand an adversary’s objectives, and the trade crafts they use to act on them.”
  3. Visibility is important. You don’t know what you don’t know, so if you can’t see everything there might be things going on that you don’t know about.

There’s a misconception that as soon as information is in the cloud, it’s secure – but that’s simply not true.

When you have an on-premises environment, the responsibility for the sharing, storage, and security of that data is all on you. But when you’re working with a cloud environment, both you and the cloud service provider have responsibilities – and this division of responsibility becomes even more complex in a multi-cloud environment.

Hempel’s maturity model for threat hunting in multi-cloud environments

To threat hunt in multi-cloud environments you need to be able to:

  • Consolidate data
  • Understand all the events that happen across those environments
  • Take an attacker’s view of applications and infrastructure, so you can develop hypotheses
  • Understand the information you’re gathering, and how to fit all the pieces together in a bigger narrative

And for Hempel, a maturity model is a useful way to bring all of that together. You can use this outline to identify the maturity of your threat hunting model – and work towards greater sophistication.

At the first stage you have an initial program: you’re relying on automated alerting tools, and not actively hunting for threats.

At the second stage, you have a minimal program: you use daily IT data, you might be starting to leverage threat intel feeds, and coordinating some of the data you’re feeding into those tools.

Then at the third stage you’ve implemented a procedural approach: your researchers and analysts are beginning to develop procedures for threat hunting – but for the most part, you’re “limited to known or public procedures.”

At the fourth stage, you have an innovative program. “This is when you start to obtain data and use data visibility, machine learning, developing your own procedures using that information,” Hempel said. “At this stage it’s easy to get overwhelmed by scale,” because you have a lot of information from different environments, and it’s hard to organise it and understand exactly what to do with it.

Then you enter the final stage of the maturity model: you have a leading program.

“This is your ideal threat hunting program for a multi-cloud environment. You’re automating repetitive processes and you’re spending a lot of time building processes. You’re doing some automated risk scoring, you’re defining different metrics, you’re doing some horizon scanning, you’re doing regular scheduled hunts, and you’ve got an environment that has some really high data visibility.”

When your threat program reaches this level of maturity, “you’re able to see everything you need to see across the environment.” And you can correlate the data that comes in from all the different cloud environments you’re working with – forming the basis for an educated, proactive, and successful threat hunting approach.
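The consolidate-then-correlate idea behind the list above and the "leading program" stage can be made concrete. The following is an added example, not code from the talk or from Netwitness: it maps two constructed audit records with different schemas (shaped like AWS CloudTrail and Azure Activity Log entries) onto one common view, then runs a structured hunt for a hypothesis the analyst has chosen in advance. The field names, the set of privilege-granting actions and the 30-minute window are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records that only mimic the shape of AWS CloudTrail and
# Azure Activity Log entries; two providers, two different field names.
AWS_EVENTS = [
    {"eventTime": "2022-11-15T09:00:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2022-11-15T09:40:00Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.9"},
]
AZURE_EVENTS = [
    {"eventTimestamp": "2022-11-15T09:05:00Z",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "alice@example.com", "callerIpAddress": "198.51.100.7"},
]
# Actions the hunt hypothesis treats as privilege-granting (illustrative set).
PRIVILEGE_ACTIONS = {"AttachUserPolicy",
                     "Microsoft.Authorization/roleAssignments/write"}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalise(aws, azure):
    """Consolidate both schemas into one (time, cloud, actor, action, src_ip) view."""
    rows = [{"time": _ts(e["eventTime"]), "cloud": "aws",
             "actor": e["userIdentity"]["arn"], "action": e["eventName"],
             "src_ip": e["sourceIPAddress"]} for e in aws]
    rows += [{"time": _ts(e["eventTimestamp"]), "cloud": "azure",
              "actor": e["caller"], "action": e["operationName"],
              "src_ip": e["callerIpAddress"]} for e in azure]
    return sorted(rows, key=lambda r: r["time"])

def hunt_cross_cloud_privilege(events, window=timedelta(minutes=30)):
    """Structured hunt: source IPs that granted privileges in more than one
    cloud within `window`.  The IP is the correlation key because the same
    person carries a different identifier in each provider."""
    by_ip = defaultdict(list)
    for r in events:  # events are time-sorted, so each list stays ordered
        if r["action"] in PRIVILEGE_ACTIONS:
            by_ip[r["src_ip"]].append(r)
    hits = {}
    for ip, rs in by_ip.items():
        clouds = sorted({r["cloud"] for r in rs})
        if len(clouds) > 1 and rs[-1]["time"] - rs[0]["time"] <= window:
            hits[ip] = clouds
    return hits
```

Neither provider's native console would surface this on its own; the signal only exists once both logs share a schema and a correlation key.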
