Use cloud threat intelligence to protect critical data and assets

Strategic and operational cloud threat intelligence

Security teams need to develop both strategic and operational threat intelligence. Strategic threat intelligence involves executives and nontechnical stakeholders shaping risk management decisions.

Examples of strategic cloud threat intelligence include the following:

• Current attack trends and campaigns targeting an existing CSP, such as the Chinese-sponsored attacks that targeted Microsoft in 2022 and 2023.
• Reputational changes with cloud services that could affect a customer organization.
• New vulnerabilities or attacks targeting specific cloud workloads or service types in use, such as serverless, Kubernetes or containers.

Operational threat intelligence is more tactical in nature. It helps inform security operations center (SOC), threat hunting, DevOps and other technical teams.

Examples of operational threat intelligence include the following:

• Specific patterns of attacks against cloud resources, including password spraying, abuse and misuse of API keys and privileged roles, and cryptocurrency miner deployment and operation in containers.
• Use of cloud storage and other services to host and disseminate malware.
• CSP logs and event data that might indicate illicit use of resources, unusual access attempts, attempted outbound connectivity for data exfiltration or command and control, etc.

Key components of a cloud threat intelligence program

To effectively implement cloud threat intelligence, organizations need the proper team and technologies.

A cloud-focused threat intelligence team should, depending on an organization's size and capabilities, include the following primary participants:

• Cloud architecture and engineering teams.
• DevOps.
• Security architecture and engineering.
• SOC teams.
• Dedicated threat intelligence or threat hunting teams and roles.

Secondary participants might include internal risk management teams and executive leadership. Third-party analysts can also provide threat intelligence and cloud security insights.

To facilitate building a base of consistent and usable cloud threat intelligence, organizations should implement and monitor the following technologies:

• Cloud log creation and collection services, such as AWS CloudTrail or Amazon CloudWatch, Azure Monitor and Google Cloud Logging.
• Network flow data collection in any major IaaS cloud.
• Security services that align with or provide threat intelligence within CSP environments, such as Microsoft Sentinel, Amazon GuardDuty or Google Cloud Security Command Center.
• Any workload protection platforms in use, such as leading endpoint detection and response tools or cloud-native application protection platforms.
• Cloud security posture management and cloud access security broker platforms that provide insight and context into both configuration state and interactive cloud behaviors.

Security teams should define use cases and develop integration playbooks that make collected data actionable. This helps make informed risk decisions and enables more accurate and targeted threat hunting and response investigations. Building a dashboard of risk changes detected and monitored over time can also help distill cloud threat intelligence into metrics and KPIs for executives.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.