Threat Hunting in the Cloud

IMPLEMENT A VENDOR-NEUTRAL AND MULTI-CLOUD CYBERSECURITY AND RISK MITIGATION FRAMEWORK WITH ADVICE FROM SEASONED THREAT HUNTING PROS

In Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, celebrated cybersecurity professionals and authors Chris Peiris, Binil Pillai, and Abbas Kudrati leverage their decades of experience building large scale cyber fusion centers to deliver the ideal threat hunting resource for both business and technical audiences. You'll find insightful analyses of cloud platform security tools and, using the industry leading MITRE ATT&CK framework, discussions of the most common threat vectors.

You'll discover how to build a side-by-side cybersecurity fusion center on both Microsoft Azure and Amazon Web Services and deliver a multi-cloud strategy for enterprise customers. And you will find out how to create a vendor-neutral environment with rapid disaster recovery capability for maximum risk mitigation.

With this book you'll learn:

* Key business and technical drivers of cybersecurity threat hunting frameworks in today's technological environment
* Metrics available to assess threat hunting effectiveness regardless of an organization's size
* How threat hunting works with vendor-specific single cloud security offerings and on multi-cloud implementations
* A detailed analysis of key threat vectors such as email phishing, ransomware and nation state attacks
* Comprehensive AWS and Azure "how to" solutions through the lens of MITRE Threat Hunting Framework Tactics, Techniques and Procedures (TTPs)
* Azure and AWS risk mitigation strategies to combat key TTPs such as privilege escalation, credential theft, lateral movement, defend against command & control systems, and prevent data exfiltration
* Tools available on both the Azure and AWS cloud platforms which provide automated responses to attacks, and orchestrate preventative measures and recovery strategies
* Many critical components for successful adoption of multi-cloud threat hunting framework such as Threat Hunting Maturity Model, Zero Trust Computing, Human Elements of Threat Hunting, Integration of Threat Hunting with Security Operation Centers (SOCs) and Cyber Fusion Centers
* The Future of Threat Hunting with the advances in Artificial Intelligence, Machine Learning, Quantum Computing and the proliferation of IoT devices.

Perfect for technical executives (i.e., CTO, CISO), technical managers, architects, system admins and consultants with hands-on responsibility for cloud platforms, Threat Hunting in the Cloud is also an indispensable guide for business executives (i.e., CFO, COO CEO, board members) and managers who need to understand their organization's cybersecurity risk framework and mitigation strategy.

CHRIS PEIRIS, PHD, has advised Fortune 500 companies, Federal and State Governments, and Defense and Intelligence entities in the Americas, Asia, Japan, Europe, and Australia New Zealand. He has 25+ years of IT industry experience. He is the author of 10 published books and is a highly sought-after keynote speaker.

BINIL PILLAI is a Microsoft Global Security Compliance and Identity (SCI) Director for Strategy and Business Development focusing on the Small Medium Enterprise segment. He has 21+ years of experience in B2B cybersecurity, digital transformation, and management consulting. He is also a board advisor to several start-ups to help grow their businesses successfully. ABBAS KUDRATI is a CISO and cybersecurity practitioner. He is currently Microsoft Asia’s Lead Chief Cybersecurity Advisor for the Security Solution Area and serves as Executive Advisor to Deakin University, LaTrobe University, HITRUST ASIA, and EC Council ASIA. Foreword xxxi

Introduction xxxiii

PART I THREAT HUNTING FRAMEWORKS 1

CHAPTER 1 INTRODUCTION TO THREAT HUNTING 3

The Rise of Cybercrime 4

What Is Threat Hunting? 6

The Key Cyberthreats and Threat Actors 7

Phishing 7

Ransomware 8

Nation State 10

The Necessity of Threat Hunting 14

Does the Organization’s Size Matter? 17

Threat Modeling 19

Threat-Hunting

Maturity Model 23

Organization Maturity and Readiness 23

Level 0: INITIAL 24

Level 1: MINIMAL 25

Level 2: PROCEDURAL 25

Level 3: INNOVATIVE 25

Level 4: LEADING 25

Human Elements of Threat Hunting 26

How Do You Make the Board of Directors Cyber-Smart? 27

Threat-Hunting Team Structure 30

External Model 30

Dedicated Internal Hunting Team Model 30

Combined/Hybrid Team Model 30

Periodic Hunt Teams Model 30

Urgent Need for Human-Led Threat Hunting 31

The Threat Hunter’s Role 31

Summary 33

CHAPTER 2 MODERN APPROACH TO MULTI-CLOUD THREAT HUNTING 35

Multi-Cloud Threat Hunting 35

Multi-Tenant Cloud Environment 38

Threat Hunting in Multi-Cloud and Multi-Tenant Environments 39

Building Blocks for the Security Operations Center 41

Scope and Type of SOC 43

Services, Not Just Monitoring 43

SOC Model 43

Define a Process for Identifying and Managing Threats 44

Tools and Technologies to Empower SOC 44

People (Specialized Teams) 45

Cyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC 46

Cyberthreat Detection 46

Threat-Hunting Goals and Objectives 49

Threat Modeling and SOC 50

The Need for a Proactive Hunting Team Within SOC 50

Assume Breach and Be Proactive 51

Invest in People 51

Develop an Informed Hypothesis 52

Cyber Resiliency and Organizational Culture 53

Skillsets Required for Threat Hunting 54

Security Analysis 55

Data Analysis 56

Programming Languages 56

Analytical Mindset 56

Soft Skills 56

Outsourcing 56

Threat-Hunting Process and Procedures 57

Metrics for Assessing the Effectiveness of Threat Hunting 58

Foundational Metrics 58

Operational Metrics 59

Threat-Hunting Program Effectiveness 61

Summary 62

CHAPTER 3 EXPLORATION OF MITRE KEY ATTACK VECTORS 63

Understanding MITRE ATT&CK 63

What Is MITRE ATT&CK Used For? 64

How Is MITRE ATT&CK Used and Who Uses It? 65

How Is Testing Done According to MITRE? 65

Tactics 67

Techniques 67

Threat Hunting Using Five Common Tactics 69

Privilege Escalation 71

Case Study 72

Credential Access 73

Case Study 74

Lateral Movement 75

Case Study 75

Command and Control 77

Case Study 77

Exfiltration 79

Case Study 79

Other Methodologies and Key Threat-Hunting Tools to Combat

Attack Vectors 80

Zero Trust 80

Threat Intelligence and Zero Trust 83

Build Cloud-Based Defense-in-Depth 84

Analysis Tools 86

Microsoft Tools 86

Connect To All Your Data 87

Workbooks 88

Analytics 88

Security Automation and Orchestration 90

Investigation 91

Hunting 92

Community 92

AWS Tools 93

Analyzing Logs Directly 93

SIEMs in the Cloud 94

Summary 95

Resources 96

PART II HUNTING IN MICROSOFT AZURE 99

CHAPTER 4 MICROSOFT AZURE CLOUD THREAT PREVENTION FRAMEWORK 101

Introduction to Microsoft Security 102

Understanding the Shared Responsibility Model 102

Microsoft Services for Cloud Security Posture Management and Logging/Monitoring 105

Overview of Azure Security Center and Azure Defender 105

Overview of Microsoft Azure Sentinel 108

Using Microsoft Secure and Protect Features 112

Identity & Access Management 113

Infrastructure & Network 114

Data & Application 115

Customer Access 115

Using Azure Web Application Firewall to Protect a Website Against an “Initial Access” TTP 116

Using Microsoft Defender for Office 365 to Protect Against an “Initial Access” TTP 118

Using Microsoft Defender Endpoint to Protect Against an “Initial Access” TTP 121

Using Azure Conditional Access to Protect Against an “Initial Access” TTP 123

Microsoft Detect Services 127

Detecting “Privilege Escalation” TTPs 128

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Privilege Escalation” TTP 128

Detecting Credential Access 131

Using Azure Identity Protection to Detect Threats Against a “Credential Access” TTP 132

Steps to Configure and Enable Risk Polices (Sign-in Risk and User Risk) 134

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Credential Access” TTP 137

Detecting Lateral Movement 139

Using Just-in-Time in ASC to Protect and Detect Threats Against a “Lateral Movement” TTP 139

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Lateral Movement” TTP 144

Detecting Command and Control 145

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Command and Control” TTP 146

Detecting Data Exfiltration 147

Using Azure Information Protection to Detect Threats Against a “Data Exfiltration” TTP 148

Discovering Sensitive Content Using AIP 149

Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Data Exfiltration” TTP 153

Detecting Threats and Proactively Hunting with Microsoft 365 Defender 154

Microsoft Investigate, Response, and Recover Features 155

Automating Investigation and Remediation with Microsoft Defender for Endpoint 157

Using Microsoft Threat Expert Support for Remediation and Investigation 159

Targeted Attack Notification 159

Experts on Demand 161

Automating Security Response with MCAS and Microsoft Flow 166

Step 1: Generate Your API Token in Cloud App Security 167

Step 2: Create Your Trigger in Microsoft Flow 167

Step 3: Create the Teams Message Action in Microsoft Flow 168

Step 4: Generate an Email in Microsoft Flow 168

Connecting the Flow in Cloud App Security 169

Performing an Automated Response Using Azure Security Center 170

Using Machine Learning and Artificial Intelligence in Threat Response 172

Overview of Fusion Detections 173

Overview of Azure Machine Learning 174

Summary 182

CHAPTER 5 MICROSOFT CYBERSECURITY REFERENCE ARCHITECTURE AND CAPABILITY MAP 183

Introduction 183

Microsoft Security Architecture versus the NIST Cybersecurity Framework (CSF) 184

Microsoft Security Architecture 185

The Identify Function 186

The Protect Function 187

The Detect Function 188

The Respond Function 189

The Recover Function 189

Using the Microsoft Reference Architecture 190

Microsoft Threat Intelligence 190

Service Trust Portal 192

Security Development Lifecycle (SDL) 193

Protecting the Hybrid Cloud Infrastructure 194

Azure Marketplace 194

Private Link 195

Azure Arc 196

Azure Lighthouse 197

Azure Firewall 198

Azure Web Application Firewall (WAF) 200

Azure DDOS Protection 200

Azure Key Vault 201

Azure Bastion 202

Azure Site Recovery 204

Azure Security Center (ASC) 205

Microsoft Azure Secure Score 205

Protecting Endpoints and Clients 206

Microsoft Endpoint Manager (MEM) Configuration Manager 207

Microsoft Intune 208

Protecting Identities and Access 209

Azure AD Conditional Access 210

Passwordless for End-to-End

Secure Identity 211

Azure Active Directory (aka Azure AD) 211

Azure MFA 211

Azure Active Directory Identity Protection 212

Azure Active Directory Privilege Identity

Management (PIM) 213

Microsoft Defender for Identity 214

Azure AD B2B and B2C 215

Azure AD Identity Governance 215

Protecting SaaS Apps 216

Protecting Data and Information 219

Azure Purview 220

Microsoft Information Protection (MIP) 221

Azure Information Protection Unified Labeling Scanner (File Scanner) 222

The Advanced eDiscovery Solution in Microsoft 365 223

Compliance Manager 224

Protecting IoT and Operation Technology 225

Security Concerns with IoT 226

Understanding That IoT Cybersecurity Starts with a Threat Model 227

Microsoft Investment in IoT Technology 229

Azure Sphere 229

Azure Defender 229

Azure Defender for IoT 230

Threat Modeling for the Azure IoT Reference Architecture 230

Azure Defender for IoT Architecture (Agentless Solutions) 233

Azure Defender for IoT Architecture (Agent-based solutions) 234

Understanding the Security Operations Solutions 235

Understanding the People Security Solutions 236

Attack Simulator 237

Insider Risk Management (IRM) 237

Communication Compliance 239

Summary 240

PART III HUNTING IN AWS 241

CHAPTER 6 AWS CLOUD THREAT PREVENTION FRAMEWORK 243

Introduction to AWS Well-Architected Framework 244

The Five Pillars of the Well-Architected Framework 245

Operational Excellence 246

Security 246

Reliability 246

Performance Efficiency 246

Cost Optimization 246

The Shared Responsibility Model 246

AWS Services for Monitoring, Logging, and Alerting 248

AWS CloudTrail 249

Amazon CloudWatch Logs 251

Amazon VPC Flow Logs 252

Amazon GuardDuty 253

AWS Security Hub 254

AWS Protect Features 256

How Do You Prevent Initial Access? 256

How Do You Protect APIs from SQL Injection Attacks Using API

Gateway and AWS WAF? 256

Prerequisites 257

Create an API 257

Create and Configure an AWS WAF 259

AWS Detection Features 263

How Do You Detect Privilege Escalation? 263

How Do You Detect the Abuse of Valid Account to Obtain High-Level Permissions? 264

Prerequisites 264

Configure GuardDuty to Detect Privilege Escalation 265

Reviewing the Findings 266

How Do You Detect Credential Access? 269

How Do You Detect Unsecured Credentials? 269

Prerequisites 270

Reviewing the Findings 274

How Do You Detect Lateral Movement? 276

How Do You Detect the Use of Stolen Alternate Authentication Material? 277

Prerequisites 277

How Do You Detect Potential Unauthorized Access to Your AWS Resources? 277

Reviewing the Findings 278

How Do You Detect Command and Control? 280

How Do You Detect the Communications to a Command and Control Server Using the Domain Name System (DNS)? 281

Prerequisites 281

How Do You Detect EC2 Instance Communication with a Command and Control (C&C) Server Using DNS 281

Reviewing the Findings 282

How Do You Detect Data Exfiltration? 284

Prerequisites 285

How Do You Detect the Exfiltration Using an Anomalous API Request? 285

Reviewing the Findings 286

How Do You Handle Response and Recover? 289

Foundation of Incident Response 289

How Do You Create an Automated Response? 290

Automating Incident Responses 290

Options for Automating Responses 291

Cost Comparisons in Scanning Methods 293

Event-Driven Responses 294

How Do You Automatically Respond to Unintended Disabling of CloudTrail Logging? 295

Prerequisites 296

Creating a Trail in CloudTrail 296

Creating an SNS Topic to Send Emails 299

Creating Rules in Amazon EventBridge 302

How Do You Orchestrate and Recover? 305

Decision Trees 305

Use Alternative Accounts 305

View or Copy Data 306

Sharing Amazon EBS Snapshots 306

Sharing Amazon CloudWatch Logs 306

Use Immutable Storage 307

Launch Resources Near the Event 307

Isolate Resources 308

Launch Forensic Workstations 309

Instance Types and Locations 309

How Do You Automatically Recover from Unintended Disabling of CloudTrail Logging? 310

Prerequisites 311

Aggregate and View Security Status in AWS Security Hub 311

Reviewing the Findings 312

Create Lambda Function to Orchestrate and Recover 314

How Are Machine Learning and Artificial Intelligence Used? 317

Summary 318

References 319

CHAPTER 7 AWS REFERENCE ARCHITECTURE 321

AWS Security Framework Overview 322

The Identify Function Overview 323

The Protect Function Overview 324

The Detect Function Overview 325

The Respond Function Overview 325

The Recover Function Overview 325

AWS Reference Architecture 326

The Identify Function 326

Security Hub 328

AWS Config 329

AWS Organizations 330

AWS Control Tower 331

AWS Trusted Advisor 332

AWS Well-Architected Tool 333

AWS Service Catalog 334

AWS Systems Manager 335

AWS Identity and Access Management (IAM) 337

AWS Single Sign-On (SSO) 338

AWS Shield 340

AWS Web Application Firewall (WAF) 340

AWS Firewall Manager 342

AWS Cloud HSM 343

AWS Secrets Manager 345

AWS Key Management Service (KMS) 345

AWS Certificate Manager 346

AWS IoT Device Defender 347

Amazon Virtual Private Cloud 347

AWS PrivateLink 349

AWS Direct Connect 349

AWS Transit Gateway 350

AWS Resource Access Manager 351

The Detect and Respond Functions 353

GuardDuty 354

Amazon Detective 356

Amazon Macie 357

Amazon Inspector 358

Amazon CloudTrail 359

Amazon CloudWatch 360

Amazon Lambda 361

AWS Step Functions 362

Amazon Route 53 363

AWS Personal Health Dashboard 364

The Recover Functions 365

Amazon Glacier 366

AWS CloudFormation 366

CloudEndure Disaster Recovery 367

AWS OpsWorks 368

Summary 369

PART IV THE FUTURE 371

CHAPTER 8 THREAT HUNTING IN OTHER CLOUD PROVIDERS 373

The Google Cloud Platform 374

Google Cloud Platform Security Architecture alignment to NIST 376

The Identify Function 376

The Protect Function 378

The Detect Function 380

The Respond Function 382

The Recover Function 383

The IBM Cloud 385

Oracle Cloud Infrastructure Security 386

Oracle SaaS Cloud Security Threat Intelligence 387

The Alibaba Cloud 388

Summary 389

References 389

CHAPTER 9 THE FUTURE OF THREAT HUNTING 391

Artificial Intelligence and Machine Learning 393

How ML Reduces False Positives 395

How Machine Intelligence Applies to Malware Detection 395

How Machine Intelligence Applies to Risk Scoring in a Network 396

Advances in Quantum Computing 396

Quantum Computing Challenges 398

Preparing for the Quantum Future 399

Advances in IoT and Their Impact 399

Growing IoT Cybersecurity Risks 401

Preparing for IoT Challenges 403

Operational Technology (OT) 405

Importance of OT Security 406

Blockchain 406

The Future of Cybersecurity with Blockchain 407

Threat Hunting as a Service 407

The Evolution of the Threat-Hunting Tool 408

Potential Regulatory Guidance 408

Summary 409

References 409

PART V APPENDICES 411

APPENDIX A MITRE ATT&CK TACTICS 413

APPENDIX B PRIVILEGE ESCALATION 415

APPENDIX C CREDENTIAL ACCESS 421

APPENDIX D LATERAL MOVEMENT 431

APPENDIX E COMMAND AND CONTROL 435

APPENDIX F DATA EXFILTRATION 443

APPENDIX G MITRE CLOUD MATRIX 447

Initial Access 447

Drive-by

Compromise 447

Exploiting a Public-Facing

Application 450

Phishing 450

Using Trusted Relationships 451

Using Valid Accounts 452

Persistence 452

Manipulating Accounts 452

Creating Accounts 453

Implanting a Container Image 454

Office Application Startup 454

Using Valid Accounts 455

Privilege Escalation 456

Modifying the Domain Policy 456

Using Valid Accounts 457

Defense Evasion 457

Modifying Domain Policy 457

Impairing Defenses 458

Modifying the Cloud Compute Infrastructure 459

Using Unused/Unsupported Cloud Regions 459

Using Alternate Authentication Material 460

Using Valid Accounts 461

Credential Access 461

Using Brute Force Methods 461

Forging Web Credentials 462

Stealing an Application Access Token 462

Stealing Web Session Cookies 463

Using Unsecured Credentials 464

Discovery 464

Manipulating Account Discovery 464

Manipulating Cloud Infrastructure Discovery 465

Using a Cloud Service Dashboard 466

Using Cloud Service Discovery 466

Scanning Network Services 467

Discovering Permission Groups 467

Discovering Software 468

Discovering System Information 468

Discovering System Network Connections 469

Lateral Movement 469

Internal Spear Phishing 469

Using Alternate Authentication Material 470

Collection 471

Collecting Data from a Cloud Storage Object 471

Collecting Data from Information Repositories 471

Collecting Staged Data 472

Collecting Email 473

Data Exfiltration 474

Detecting Exfiltration 474

Impact 475

Defacement 475

Endpoint Denial of Service 475

Resource Hijacking 477

APPENDIX H GLOSSARY 479

Index 489