Implement a vendor-neutral and multi-cloud cybersecurity and risk mitigation framework with advice from seasoned threat hunting pros
In Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, celebrated cybersecurity professionals and authors Chris Peiris, Binil Pillai, and Abbas Kudrati leverage their decades of experience building large scale cyber fusion centers to deliver the ideal threat hunting resource for both business and technical audiences. You'll find insightful analyses of cloud platform security tools and, using the industry leading MITRE ATT&CK framework, discussions of the most common threat vectors.
You'll discover how to build a side-by-side cybersecurity fusion center on both Microsoft Azure and Amazon Web Services and deliver a multi-cloud strategy for enterprise customers. And you will find out how to create a vendor-neutral environment with rapid disaster recovery capability for maximum risk mitigation.
With this book you'll learn:
- Key business and technical drivers of cybersecurity threat hunting frameworks in today's technological environment
- Metrics available to assess threat hunting effectiveness regardless of an organization's size
- How threat hunting works with vendor-specific single cloud security offerings and on multi-cloud implementations
- A detailed analysis of key threat vectors such as email phishing, ransomware and nation state attacks
- Comprehensive AWS and Azure "how to" solutions through the lens of MITRE Threat Hunting Framework Tactics, Techniques and Procedures (TTPs)
- Azure and AWS risk mitigation strategies to combat key TTPs such as privilege escalation, credential theft, lateral movement, command and control, and data exfiltration
- Tools available on both the Azure and AWS cloud platforms which provide automated responses to attacks, and orchestrate preventative measures and recovery strategies
- Many critical components for successful adoption of a multi-cloud threat hunting framework, such as the Threat Hunting Maturity Model, Zero Trust Computing, Human Elements of Threat Hunting, and Integration of Threat Hunting with Security Operation Centers (SOCs) and Cyber Fusion Centers
- The Future of Threat Hunting with the advances in Artificial Intelligence, Machine Learning, Quantum Computing and the proliferation of IoT devices.
Perfect for technical executives (i.e., CTO, CISO), technical managers, architects, system admins and consultants with hands-on responsibility for cloud platforms, Threat Hunting in the Cloud is also an indispensable guide for business executives (i.e., CFO, COO, CEO, board members) and managers who need to understand their organization's cybersecurity risk framework and mitigation strategy.
Table of Contents
Foreword xxxi
Introduction xxxiii
Part I Threat Hunting Frameworks 1
Chapter 1 Introduction to Threat Hunting 3
The Rise of Cybercrime 4
What Is Threat Hunting? 6
The Key Cyberthreats and Threat Actors 7
Phishing 7
Ransomware 8
Nation State 10
The Necessity of Threat Hunting 14
Does the Organization’s Size Matter? 17
Threat Modeling 19
Threat-Hunting Maturity Model 23
Organization Maturity and Readiness 23
Level 0: INITIAL 24
Level 1: MINIMAL 25
Level 2: PROCEDURAL 25
Level 3: INNOVATIVE 25
Level 4: LEADING 25
Human Elements of Threat Hunting 26
How Do You Make the Board of Directors Cyber-Smart? 27
Threat-Hunting Team Structure 30
External Model 30
Dedicated Internal Hunting Team Model 30
Combined/Hybrid Team Model 30
Periodic Hunt Teams Model 30
Urgent Need for Human-Led Threat Hunting 31
The Threat Hunter’s Role 31
Summary 33
Chapter 2 Modern Approach to Multi-Cloud Threat Hunting 35
Multi-Cloud Threat Hunting 35
Multi-Tenant Cloud Environment 38
Threat Hunting in Multi-Cloud and Multi-Tenant Environments 39
Building Blocks for the Security Operations Center 41
Scope and Type of SOC 43
Services, Not Just Monitoring 43
SOC Model 43
Define a Process for Identifying and Managing Threats 44
Tools and Technologies to Empower SOC 44
People (Specialized Teams) 45
Cyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC 46
Cyberthreat Detection 46
Threat-Hunting Goals and Objectives 49
Threat Modeling and SOC 50
The Need for a Proactive Hunting Team Within SOC 50
Assume Breach and Be Proactive 51
Invest in People 51
Develop an Informed Hypothesis 52
Cyber Resiliency and Organizational Culture 53
Skillsets Required for Threat Hunting 54
Security Analysis 55
Data Analysis 56
Programming Languages 56
Analytical Mindset 56
Soft Skills 56
Outsourcing 56
Threat-Hunting Process and Procedures 57
Metrics for Assessing the Effectiveness of Threat Hunting 58
Foundational Metrics 58
Operational Metrics 59
Threat-Hunting Program Effectiveness 61
Summary 62
Chapter 3 Exploration of MITRE Key Attack Vectors 63
Understanding MITRE ATT&CK 63
What Is MITRE ATT&CK Used For? 64
How Is MITRE ATT&CK Used and Who Uses It? 65
How Is Testing Done According to MITRE? 65
Tactics 67
Techniques 67
Threat Hunting Using Five Common Tactics 69
Privilege Escalation 71
Case Study 72
Credential Access 73
Case Study 74
Lateral Movement 75
Case Study 75
Command and Control 77
Case Study 77
Exfiltration 79
Case Study 79
Other Methodologies and Key Threat-Hunting Tools to Combat Attack Vectors 80
Zero Trust 80
Threat Intelligence and Zero Trust 83
Build Cloud-Based Defense-in-Depth 84
Analysis Tools 86
Microsoft Tools 86
Connect To All Your Data 87
Workbooks 88
Analytics 88
Security Automation and Orchestration 90
Investigation 91
Hunting 92
Community 92
AWS Tools 93
Analyzing Logs Directly 93
SIEMs in the Cloud 94
Summary 95
Resources 96
Part II Hunting in Microsoft Azure 99
Chapter 4 Microsoft Azure Cloud Threat Prevention Framework 101
Introduction to Microsoft Security 102
Understanding the Shared Responsibility Model 102
Microsoft Services for Cloud Security Posture Management and Logging/Monitoring 105
Overview of Azure Security Center and Azure Defender 105
Overview of Microsoft Azure Sentinel 108
Using Microsoft Secure and Protect Features 112
Identity & Access Management 113
Infrastructure & Network 114
Data & Application 115
Customer Access 115
Using Azure Web Application Firewall to Protect a Website Against an “Initial Access” TTP 116
Using Microsoft Defender for Office 365 to Protect Against an “Initial Access” TTP 118
Using Microsoft Defender Endpoint to Protect Against an “Initial Access” TTP 121
Using Azure Conditional Access to Protect Against an “Initial Access” TTP 123
Microsoft Detect Services 127
Detecting “Privilege Escalation” TTPs 128
Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Privilege Escalation” TTP 128
Detecting Credential Access 131
Using Azure Identity Protection to Detect Threats Against a “Credential Access” TTP 132
Steps to Configure and Enable Risk Policies (Sign-in Risk and User Risk) 134
Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Credential Access” TTP 137
Detecting Lateral Movement 139
Using Just-in-Time in ASC to Protect and Detect Threats Against a “Lateral Movement” TTP 139
Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Lateral Movement” TTP 144
Detecting Command and Control 145
Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Command and Control” TTP 146
Detecting Data Exfiltration 147
Using Azure Information Protection to Detect Threats Against a “Data Exfiltration” TTP 148
Discovering Sensitive Content Using AIP 149
Using Azure Security Center and Azure Sentinel to Detect Threats Against a “Data Exfiltration” TTP 153
Detecting Threats and Proactively Hunting with Microsoft 365 Defender 154
Microsoft Investigate, Response, and Recover Features 155
Automating Investigation and Remediation with Microsoft Defender for Endpoint 157
Using Microsoft Threat Expert Support for Remediation and Investigation 159
Targeted Attack Notification 159
Experts on Demand 161
Automating Security Response with MCAS and Microsoft Flow 166
Step 1: Generate Your API Token in Cloud App Security 167
Step 2: Create Your Trigger in Microsoft Flow 167
Step 3: Create the Teams Message Action in Microsoft Flow 168
Step 4: Generate an Email in Microsoft Flow 168
Connecting the Flow in Cloud App Security 169
Performing an Automated Response Using Azure Security Center 170
Using Machine Learning and Artificial Intelligence in Threat Response 172
Overview of Fusion Detections 173
Overview of Azure Machine Learning 174
Summary 182
Chapter 5 Microsoft Cybersecurity Reference Architecture and Capability Map 183
Introduction 183
Microsoft Security Architecture versus the NIST Cybersecurity Framework (CSF) 184
Microsoft Security Architecture 185
The Identify Function 186
The Protect Function 187
The Detect Function 188
The Respond Function 189
The Recover Function 189
Using the Microsoft Reference Architecture 190
Microsoft Threat Intelligence 190
Service Trust Portal 192
Security Development Lifecycle (SDL) 193
Protecting the Hybrid Cloud Infrastructure 194
Azure Marketplace 194
Private Link 195
Azure Arc 196
Azure Lighthouse 197
Azure Firewall 198
Azure Web Application Firewall (WAF) 200
Azure DDOS Protection 200
Azure Key Vault 201
Azure Bastion 202
Azure Site Recovery 204
Azure Security Center (ASC) 205
Microsoft Azure Secure Score 205
Protecting Endpoints and Clients 206
Microsoft Endpoint Manager (MEM) Configuration Manager 207
Microsoft Intune 208
Protecting Identities and Access 209
Azure AD Conditional Access 210
Passwordless for End-to-End Secure Identity 211
Azure Active Directory (aka Azure AD) 211
Azure MFA 211
Azure Active Directory Identity Protection 212
Azure Active Directory Privilege Identity Management (PIM) 213
Microsoft Defender for Identity 214
Azure AD B2B and B2C 215
Azure AD Identity Governance 215
Protecting SaaS Apps 216
Protecting Data and Information 219
Azure Purview 220
Microsoft Information Protection (MIP) 221
Azure Information Protection Unified Labeling Scanner (File Scanner) 222
The Advanced eDiscovery Solution in Microsoft 365 223
Compliance Manager 224
Protecting IoT and Operational Technology 225
Security Concerns with IoT 226
Understanding That IoT Cybersecurity Starts with a Threat Model 227
Microsoft Investment in IoT Technology 229
Azure Sphere 229
Azure Defender 229
Azure Defender for IoT 230
Threat Modeling for the Azure IoT Reference Architecture 230
Azure Defender for IoT Architecture (Agentless Solutions) 233
Azure Defender for IoT Architecture (Agent-based solutions) 234
Understanding the Security Operations Solutions 235
Understanding the People Security Solutions 236
Attack Simulator 237
Insider Risk Management (IRM) 237
Communication Compliance 239
Summary 240
Part III Hunting in AWS 241
Chapter 6 AWS Cloud Threat Prevention Framework 243
Introduction to AWS Well-Architected Framework 244
The Five Pillars of the Well-Architected Framework 245
Operational Excellence 246
Security 246
Reliability 246
Performance Efficiency 246
Cost Optimization 246
The Shared Responsibility Model 246
AWS Services for Monitoring, Logging, and Alerting 248
AWS CloudTrail 249
Amazon CloudWatch Logs 251
Amazon VPC Flow Logs 252
Amazon GuardDuty 253
AWS Security Hub 254
AWS Protect Features 256
How Do You Prevent Initial Access? 256
How Do You Protect APIs from SQL Injection Attacks Using API Gateway and AWS WAF? 256
Prerequisites 257
Create an API 257
Create and Configure an AWS WAF 259
AWS Detection Features 263
How Do You Detect Privilege Escalation? 263
How Do You Detect the Abuse of Valid Account to Obtain High-Level Permissions? 264
Prerequisites 264
Configure GuardDuty to Detect Privilege Escalation 265
Reviewing the Findings 266
How Do You Detect Credential Access? 269
How Do You Detect Unsecured Credentials? 269
Prerequisites 270
Reviewing the Findings 274
How Do You Detect Lateral Movement? 276
How Do You Detect the Use of Stolen Alternate Authentication Material? 277
Prerequisites 277
How Do You Detect Potential Unauthorized Access to Your AWS Resources? 277
Reviewing the Findings 278
How Do You Detect Command and Control? 280
How Do You Detect the Communications to a Command and Control Server Using the Domain Name System (DNS)? 281
Prerequisites 281
How Do You Detect EC2 Instance Communication with a Command and Control (C&C) Server Using DNS? 281
Reviewing the Findings 282
How Do You Detect Data Exfiltration? 284
Prerequisites 285
How Do You Detect the Exfiltration Using an Anomalous API Request? 285
Reviewing the Findings 286
How Do You Handle Response and Recover? 289
Foundation of Incident Response 289
How Do You Create an Automated Response? 290
Automating Incident Responses 290
Options for Automating Responses 291
Cost Comparisons in Scanning Methods 293
Event-Driven Responses 294
How Do You Automatically Respond to Unintended Disabling of CloudTrail Logging? 295
Prerequisites 296
Creating a Trail in CloudTrail 296
Creating an SNS Topic to Send Emails 299
Creating Rules in Amazon EventBridge 302
How Do You Orchestrate and Recover? 305
Decision Trees 305
Use Alternative Accounts 305
View or Copy Data 306
Sharing Amazon EBS Snapshots 306
Sharing Amazon CloudWatch Logs 306
Use Immutable Storage 307
Launch Resources Near the Event 307
Isolate Resources 308
Launch Forensic Workstations 309
Instance Types and Locations 309
How Do You Automatically Recover from Unintended Disabling of CloudTrail Logging? 310
Prerequisites 311
Aggregate and View Security Status in AWS Security Hub 311
Reviewing the Findings 312
Create Lambda Function to Orchestrate and Recover 314
How Are Machine Learning and Artificial Intelligence Used? 317
Summary 318
References 319
Chapter 7 AWS Reference Architecture 321
AWS Security Framework Overview 322
The Identify Function Overview 323
The Protect Function Overview 324
The Detect Function Overview 325
The Respond Function Overview 325
The Recover Function Overview 325
AWS Reference Architecture 326
The Identify Function 326
Security Hub 328
AWS Config 329
AWS Organizations 330
AWS Control Tower 331
AWS Trusted Advisor 332
AWS Well-Architected Tool 333
AWS Service Catalog 334
AWS Systems Manager 335
AWS Identity and Access Management (IAM) 337
AWS Single Sign-On (SSO) 338
AWS Shield 340
AWS Web Application Firewall (WAF) 340
AWS Firewall Manager 342
AWS Cloud HSM 343
AWS Secrets Manager 345
AWS Key Management Service (KMS) 345
AWS Certificate Manager 346
AWS IoT Device Defender 347
Amazon Virtual Private Cloud 347
AWS PrivateLink 349
AWS Direct Connect 349
AWS Transit Gateway 350
AWS Resource Access Manager 351
The Detect and Respond Functions 353
GuardDuty 354
Amazon Detective 356
Amazon Macie 357
Amazon Inspector 358
Amazon CloudTrail 359
Amazon CloudWatch 360
Amazon Lambda 361
AWS Step Functions 362
Amazon Route 53 363
AWS Personal Health Dashboard 364
The Recover Functions 365
Amazon Glacier 366
AWS CloudFormation 366
CloudEndure Disaster Recovery 367
AWS OpsWorks 368
Summary 369
Part IV The Future 371
Chapter 8 Threat Hunting in Other Cloud Providers 373
The Google Cloud Platform 374
Google Cloud Platform Security Architecture Alignment to NIST 376
The Identify Function 376
The Protect Function 378
The Detect Function 380
The Respond Function 382
The Recover Function 383
The IBM Cloud 385
Oracle Cloud Infrastructure Security 386
Oracle SaaS Cloud Security Threat Intelligence 387
The Alibaba Cloud 388
Summary 389
References 389
Chapter 9 The Future of Threat Hunting 391
Artificial Intelligence and Machine Learning 393
How ML Reduces False Positives 395
How Machine Intelligence Applies to Malware Detection 395
How Machine Intelligence Applies to Risk Scoring in a Network 396
Advances in Quantum Computing 396
Quantum Computing Challenges 398
Preparing for the Quantum Future 399
Advances in IoT and Their Impact 399
Growing IoT Cybersecurity Risks 401
Preparing for IoT Challenges 403
Operational Technology (OT) 405
Importance of OT Security 406
Blockchain 406
The Future of Cybersecurity with Blockchain 407
Threat Hunting as a Service 407
The Evolution of the Threat-Hunting Tool 408
Potential Regulatory Guidance 408
Summary 409
References 409
Part V Appendices 411
Appendix A MITRE ATT&CK Tactics 413
Appendix B Privilege Escalation 415
Appendix C Credential Access 421
Appendix D Lateral Movement 431
Appendix E Command and Control 435
Appendix F Data Exfiltration 443
Appendix G MITRE Cloud Matrix 447
Initial Access 447
Drive-by Compromise 447
Exploiting a Public-Facing Application 450
Phishing 450
Using Trusted Relationships 451
Using Valid Accounts 452
Persistence 452
Manipulating Accounts 452
Creating Accounts 453
Implanting a Container Image 454
Office Application Startup 454
Using Valid Accounts 455
Privilege Escalation 456
Modifying the Domain Policy 456
Using Valid Accounts 457
Defense Evasion 457
Modifying Domain Policy 457
Impairing Defenses 458
Modifying the Cloud Compute Infrastructure 459
Using Unused/Unsupported Cloud Regions 459
Using Alternate Authentication Material 460
Using Valid Accounts 461
Credential Access 461
Using Brute Force Methods 461
Forging Web Credentials 462
Stealing an Application Access Token 462
Stealing Web Session Cookies 463
Using Unsecured Credentials 464
Discovery 464
Manipulating Account Discovery 464
Manipulating Cloud Infrastructure Discovery 465
Using a Cloud Service Dashboard 466
Using Cloud Service Discovery 466
Scanning Network Services 467
Discovering Permission Groups 467
Discovering Software 468
Discovering System Information 468
Discovering System Network Connections 469
Lateral Movement 469
Internal Spear Phishing 469
Using Alternate Authentication Material 470
Collection 471
Collecting Data from a Cloud Storage Object 471
Collecting Data from Information Repositories 471
Collecting Staged Data 472
Collecting Email 473
Data Exfiltration 474
Detecting Exfiltration 474
Impact 475
Defacement 475
Endpoint Denial of Service 475
Resource Hijacking 477
Appendix H Glossary 479
Index 489