How to get started with multi-cloud threat hunting
More clouds mean a bigger attack surface. It also complicates how companies can accurately hunt for potential threats. But there are steps to take that can reduce the risk.
Almost every organization is in the cloud. In fact, most organizations above a certain size are in more than one. As multi-cloud becomes more common, however, ensuring security among multiple providers becomes more challenging.
There are a few reasons why this is true, among them different security models and mechanisms between providers, lack of seamless visibility across environments and nonunified tool sets.
The good news is that being aware of these logistical challenges goes a long way toward planning around them. One of the best ways to do this is to deploy a comprehensive multi-cloud threat hunting strategy.
Let's look at some cloud-based threat hunting use cases and some of the logistical and other complexities multi-cloud threat hunting introduces into the mix, as well as how to maneuver around those challenges.
Why is threat hunting important in cloud environments?
Let's start by defining threat hunting and the value it provides in both single and multi-cloud deployments.
Threat hunting employs intelligence-driven analysis to determine if and where attackers have already gained access to your resources. That description is a grand oversimplification, but in a nutshell, threat hunting involves positing hypotheses -- based on known adversary tradecraft -- about how an attacker might have already surreptitiously gained access to your environment and then working out test conditions to prove or disprove those hypotheses.
Threat hunting is important because sophisticated attackers can evade detection and bypass alarms. By staying vigilant for signs that attackers may have already notched a foothold in its network, an organization can increase its ability to detect those adversaries and, ideally, disrupt them before they can act on their intended objectives.
The same principles apply in a cloud context. The differences lie in how you obtain and analyze the information that goes into the process and the tools available to act in response.
Cloud-based threat hunting rests on three fundamental precepts:
- Just because your organization is in the cloud doesn't mean that attacker activity stops.
- It is beneficial to your defense strategy to understand adversaries' objectives and the tradecraft they use to act on those objectives.
- Visibility across all layers -- even those layers where operational management is on the cloud service provider's (CSP) side of the shared responsibility model -- helps you better understand the adversary and their methods.
Multi-cloud makes things more complex
Logistically, the cloud makes threat hunting more complex. As Abbas Kudrati, Binil Pillai and Chris Peiris, authors of Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, wrote:
As organizations migrate from a physical infrastructure/on-premise environment to a cloud environment, threat identification will be more challenging due to difficulties in compliance and configuration transparency, remote data sources and infrastructures, core security capabilities and the number of APIs. In a nutshell, as the attack surface is expanding, threat hunting requires more attention.
The point the authors are making is that analysts need more information and training when threat hunting in the cloud. That's because hunters must understand and use the tool sets, security models, architectures, technology stacks and other elements deployed not only by their own organizations, but also by their CSPs, cloud suppliers and other providers.
Multi-cloud threat hunting further ups the ante. It means even more tools, more concepts, more APIs and more data sources. Cross-environment analysis and data correlation must also be factored in. Consider a three-way conversation among an on-premises user, an application front end in a PaaS and a back-end API in an IaaS VM, for example. Determining if a request made in that conversation was legitimate could involve various log repositories and different monitoring tools across each environment.
Extending threat hunting to multi-cloud
If your organization wants to roll out multi-cloud threat hunting, first, ask what practices you can establish to make that a reality. Ultimately, creating a strategy is unique to your company. It depends on your cloud usage, your threat hunting capability and approach, and your business needs. There's no one-size-fits-all approach, but there are some basic steps you can take to get started.
First, normalize the data and event information that flows between your multiple environments, including CSPs and on premises. This is already a known bugbear of multi-cloud; consider, for example, that the foundational pillars of cybersecurity mesh architecture include security analytics and intelligence, as well as consolidated dashboards.
Understanding events across environments is a core component of multi-cloud security management, operations, incident response and -- for our purposes here -- threat hunting. To do that, you must understand the cloud environments and services in use, know the security model(s) employed, and confirm that you can collect, and are actually collecting, the right data from each location.
Second, address systematic threat modeling. Consider an application that spans multiple cloud environments. How do you know when a threat is a priority and how and where to apply resources to gather the information you need? Threat modeling can help. By taking an attacker's eye view of the application, you can start to develop hypotheses that gauge where and how adversaries might be more likely to attack. By extension, you can prioritize those areas for further exploration. This can help you know what data to collect from each environment and help you formulate the hypotheses you'll test to determine if an attacker is present in the environment.
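The two steps above, normalizing events from several providers into one schema and then testing a hunting hypothesis over the merged timeline, can be made concrete. The following is an added example written for this article, not code from the article's author or from any CSP. All records are constructed; the field names are loosely modelled on each provider's audit-log shape but are assumptions for the example, not authoritative schemas, and the identity map that ties each provider's principal string back to one person is likewise assumed. The hypothesis tested is a simple one: a single identity acting from two or more source IPs across providers within a 30-minute window. The example also includes the coverage check from the first step, reporting expected sources that produced no events at all.

```python
"""Normalise audit events from several clouds into one schema, then test a
threat-hunting hypothesis over the merged timeline. All sample data below is
constructed for this example; field names are assumptions, not real schemas."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Common schema every provider's record is mapped onto."""
    ts: datetime
    provider: str
    principal: str   # provider-specific identity string (ARN, UPN, email ...)
    action: str
    source_ip: str


def _parse_ts(s: str) -> datetime:
    # Audit logs commonly use RFC 3339 with a trailing "Z"; make it ISO-parsable.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def from_aws(rec: dict) -> Event:          # CloudTrail-like record (assumed shape)
    return Event(_parse_ts(rec["eventTime"]), "aws",
                 rec["userIdentity"]["arn"], rec["eventName"], rec["sourceIPAddress"])


def from_azure(rec: dict) -> Event:        # Activity-log-like record (assumed shape)
    return Event(_parse_ts(rec["eventTimestamp"]), "azure",
                 rec["caller"], rec["operationName"], rec["callerIpAddress"])


def from_gcp(rec: dict) -> Event:          # Cloud-Audit-Logs-like record (assumed shape)
    p = rec["protoPayload"]
    return Event(_parse_ts(rec["timestamp"]), "gcp",
                 p["authenticationInfo"]["principalEmail"], p["methodName"],
                 p["requestMetadata"]["callerIp"])


PARSERS = {"aws": from_aws, "azure": from_azure, "gcp": from_gcp}

# Constructed sample input: provider -> list of raw records.
SAMPLE_SOURCES = {
    "aws": [
        {"eventTime": "2024-01-15T10:00:00Z", "eventName": "ListBuckets",
         "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
         "sourceIPAddress": "203.0.113.10"},
        {"eventTime": "2024-01-15T10:20:00Z", "eventName": "GetObject",
         "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
         "sourceIPAddress": "198.51.100.7"},
    ],
    "azure": [
        {"eventTimestamp": "2024-01-15T10:05:00Z",
         "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
         "caller": "alice@example.com", "callerIpAddress": "203.0.113.10"},
    ],
    "gcp": [
        {"timestamp": "2024-01-15T10:25:00Z",
         "protoPayload": {"methodName": "storage.objects.list",
                          "authenticationInfo": {"principalEmail": "bob@example.com"},
                          "requestMetadata": {"callerIp": "192.0.2.44"}}},
    ],
}

# Assumed mapping from each provider's principal string to one human identity.
IDENTITY_MAP = {
    "arn:aws:iam::123456789012:user/alice": "alice",
    "alice@example.com": "alice",
    "bob@example.com": "bob",
}


def normalise(sources: dict) -> list:
    """Map every raw record through its provider's parser; return a time-sorted list."""
    events = [PARSERS[prov](rec) for prov, recs in sources.items() for rec in recs]
    return sorted(events, key=lambda e: e.ts)


def missing_providers(events: list, expected: set) -> list:
    """Coverage check: expected sources that contributed no events at all."""
    seen = {e.provider for e in events}
    return sorted(expected - seen)


def hunt_ip_spread(events: list, identity_map: dict,
                   window: timedelta = timedelta(minutes=30), min_ips: int = 2) -> dict:
    """Hypothesis: one identity acts from >= min_ips distinct source IPs within `window`,
    regardless of which provider each action hit. Returns identity -> sorted IP list."""
    by_identity = defaultdict(list)
    for e in events:
        # Unknown principals fall back to their raw string so they are never dropped.
        by_identity[identity_map.get(e.principal, e.principal)].append(e)
    findings = {}
    for ident, evs in by_identity.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            ips = {e.source_ip for e in evs[i:] if e.ts - start.ts <= window}
            if len(ips) >= min_ips:
                findings.setdefault(ident, set()).update(ips)
    return {ident: sorted(ips) for ident, ips in findings.items()}


if __name__ == "__main__":
    evs = normalise(SAMPLE_SOURCES)
    print("missing sources:", missing_providers(evs, {"aws", "azure", "gcp", "onprem"}))
    print("findings:", hunt_ip_spread(evs, IDENTITY_MAP))
```

The point of the identity map is the cross-provider correlation the article calls for: without it, `alice`'s AWS ARN and her Azure caller string look like two unrelated principals and the hypothesis can only be tested within a single cloud. The coverage check is the practical form of "confirm you are collecting the right data from each location": a source that is expected but silent is a gap in the hunt, not evidence of absence.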
Finally, there is education and actualization. Learn what you have fielded across your different environments -- for example, by building a reliable and systematic inventory -- and understand how components fit together, what native services are in use and how the services you use tie into the bigger, more sweeping narrative. This may sound basic, but it's the rare organization above a certain size that can do this reliably, accurately and completely.
Just like everything security-related, approach multi-cloud threat hunting through the lens of knowing your own usage, understanding your own security and business goals, and putting in the necessary thought and planning. Threat hunting can and should play the same role in your cloud security strategy -- multi-cloud or otherwise -- as it does for your on-premises environments.