Getty Images/iStockphoto


Use cloud threat intelligence to protect critical data and assets

Cloud threat intelligence helps identify and analyze cloud-based threats, enabling security teams to better understand attacks and more proactively defend against them.

Many organizations now store more sensitive data and assets in the cloud than on premises -- and attackers have taken notice. Organizations need to know the threats attackers in the cloud pose. One way to keep abreast of potential attacks is using cloud threat intelligence.

Threat intelligence involves the collection, classification and exploitation of knowledge about adversaries. Teams collect security intelligence data from a variety of sources, including logs, security controls and third-party threat intelligence feeds, and then analyze that data to mitigate risks.

As the cloud becomes more ubiquitous, it must become an integral part of the threat intelligence process. Security engineering and operations teams should dedicate time and resources to the development, collection and implementation of cloud-specific threat intelligence.

Organizations can collect cloud-specific threat intelligence from several external sources, including cloud service providers (CSPs), threat intelligence providers and managed security service providers.

Strategic and operational cloud threat intelligence

Security teams need to develop both strategic and operational threat intelligence. Strategic threat intelligence involves executives and nontechnical stakeholders shaping risk management decisions.

Examples of strategic cloud threat intelligence include the following:

  • Current attack trends and campaigns targeting an existing CSP, such as the Chinese-sponsored attacks that targeted Microsoft in 2022 and 2023.
  • Reputational changes with cloud services that could affect a customer organization.
  • New vulnerabilities or attacks targeting specific cloud workloads or service types in use, such as serverless, Kubernetes or containers.

Operational threat intelligence is more tactical in nature. It helps inform security operations center (SOC), threat hunting, DevOps and other technical teams.

Examples of operational threat intelligence include the following:

  • Specific patterns of attacks against cloud resources, including password spraying, abuse and misuse of API keys and privileged roles, and cryptocurrency miner deployment and operation in containers.
  • Use of cloud storage and other services to host and disseminate malware.
  • CSP logs and event data that might indicate illicit use of resources, unusual access attempts, attempted outbound connectivity for data exfiltration or command and control, etc.

Key components of a cloud threat intelligence program

To effectively implement cloud threat intelligence, organizations need the proper team and technologies.

A cloud-focused threat intelligence team should, depending on an organization's size and capabilities, include the following primary participants:

  • Cloud architecture and engineering teams.
  • DevOps.
  • Security architecture and engineering.
  • SOC teams.
  • Dedicated threat intelligence or threat hunting teams and roles.

Secondary participants might include internal risk management teams and executive leadership. Third-party analysts can also provide threat intelligence and cloud security insights.

To facilitate building a base of consistent and usable cloud threat intelligence, organizations should implement and monitor the following technologies:

  • Cloud log creation and collection services, such as AWS CloudTrail or Amazon CloudWatch, Azure Monitor and Google Cloud Logging.
  • Network flow data collection in any major IaaS cloud.
  • Security services that align with or provide threat intelligence within CSP environments, such as Microsoft Sentinel, Amazon GuardDuty or Google Cloud Security Command Center.
  • Any workload protection platforms in use, such as leading endpoint detection and response tools or cloud-native application protection platforms.
  • Cloud security posture management and cloud access security broker platforms that provide insight and context into both configuration state and interactive cloud behaviors.

Security teams should define use cases and develop integration playbooks that make collected data actionable. This helps make informed risk decisions and enables more accurate and targeted threat hunting and response investigations. Building a dashboard of risk changes detected and monitored over time can also help distill cloud threat intelligence into metrics and KPIs for executives.

Dave Shackleford is founder and principal consultant with Voodoo Security; SANS analyst, instructor and course author; and GIAC technical director.

Next Steps

Threat intelligence programs need updating -- and CISOs know it

CISOs on how to improve cyberthreat intelligence programs

Dig Deeper on Cloud security

Enterprise Desktop
Cloud Computing