An excerpt from Cloud Threat Detection, Investigation, and Response for Dummies®

Malicious actors attack enterprises — now, they attack enterprises’ clouds and SaaS. You can prepare for these events with research, planning, and tooling, but that won’t prevent all attacks. Another part of preparing for and living with the risk of cloud attacks is being in a position to root out cloud threats early, in order to investigate them and respond to them appropriately. This requires a combination of tools, threat intelligence, and both detection and hunting skills.

Detecting Threats Early and Often

Detection is the process of looking for small indicators at a point in time that may indicate a security threat. The first step in this process is identifying indicators of attack.

Identifying indicators of attack

An indicator of attack (IoA) is an event that may be part of a larger pattern of an attack and warrants further investigation. For example, a user login failure could be an indicator worth investigating. Now, a single login failure followed by a successful login attempt is pretty common. Many of us occasionally mistype our passwords. A series of two or more failed attempts to authenticate, however, is more likely to be associated with an attempt to compromise an account.

An IoA can also be made up of a combination of different types of events. For example, a user logging in from an unusual location followed by a series of file downloads to a device or cloud account not managed by the organization could be indicative of an exfiltration attempt.

An IoA alone doesn’t mean that an attack is underway, but it does mean that someone should investigate to understand more about the context of the indicator.
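As an added example (not from the excerpt or its publisher), the two IoA patterns described above expressed as detection logic over a constructed, inline log sample: two or more failed logins within a window followed by a success, and a login from a country outside the user's usual set followed by downloads to an unmanaged device. Thresholds, field names and the per-user country baseline are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), already normalised to one schema.
EVENTS = [
    {"ts": "2024-08-05T09:00:00", "user": "alice", "type": "login_failure", "country": "US", "device_managed": True},
    {"ts": "2024-08-05T09:00:20", "user": "alice", "type": "login_failure", "country": "US", "device_managed": True},
    {"ts": "2024-08-05T09:00:45", "user": "alice", "type": "login_success", "country": "US", "device_managed": True},
    {"ts": "2024-08-05T10:00:00", "user": "bob",   "type": "login_failure", "country": "US", "device_managed": True},
    {"ts": "2024-08-05T10:00:10", "user": "bob",   "type": "login_success", "country": "US", "device_managed": True},
    {"ts": "2024-08-05T11:00:00", "user": "carol", "type": "login_success", "country": "RO", "device_managed": False},
    {"ts": "2024-08-05T11:05:00", "user": "carol", "type": "file_download", "device_managed": False},
    {"ts": "2024-08-05T11:06:00", "user": "carol", "type": "file_download", "device_managed": False},
    {"ts": "2024-08-05T11:07:00", "user": "carol", "type": "file_download", "device_managed": False},
]
# Assumed baseline: countries each user normally logs in from (constructed).
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def find_ioas(events, usual_countries, fail_threshold=2,
              window=timedelta(minutes=10), download_threshold=3):
    """Return (user, ioa_name) pairs; each is a lead to investigate, not a confirmed attack."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    ioas = []
    for user, evs in by_user.items():
        failures = []  # timestamps of failures since the last successful login
        for i, e in enumerate(evs):
            t = datetime.fromisoformat(e["ts"])
            if e["type"] == "login_failure":
                failures.append(t)
            elif e["type"] == "login_success":
                # Pattern 1: a single mistyped password is normal; several in a row are not.
                recent = [f for f in failures if t - f <= window]
                if len(recent) >= fail_threshold:
                    ioas.append((user, "repeated_failures_then_success"))
                failures = []
                # Pattern 2: unusual login location, then a burst of downloads to unmanaged devices.
                if e["country"] not in usual_countries.get(user, set()):
                    downloads = [x for x in evs[i + 1:]
                                 if x["type"] == "file_download" and not x["device_managed"]
                                 and datetime.fromisoformat(x["ts"]) - t <= window]
                    if len(downloads) >= download_threshold:
                        ioas.append((user, "unusual_location_then_unmanaged_downloads"))
    return ioas
```

With this sample, alice and carol are flagged while bob's single failure before a success is ignored, which is the distinction the text draws.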

Your identity is the target

Most on-premises attacks start with malware or the exploitation of an unpatched vulnerability, but these attack vectors are much less common in the cloud. In the cloud, where there’s no perimeter with firewalls, identity is a much more appealing target. Roughly 50 percent of breaches in the cloud start with an attack on an identity, including identity theft and phishing attacks.

One of the reasons identities are appealing targets is the widespread use of single sign-on. Once an identity is compromised in an environment using single sign-on, an attacker can gain access to a range of applications and data sources. For example, an analyst working on personnel cost management might have access to a human resources SaaS application, a finance system, document sharing, email, messaging, and other collaboration tools.

Multi-factor authentication (MFA) is one way to provide additional protection for identities. Even if an attacker were to get your login name and password for your company’s identity management system, they won’t be able to log in if they don’t have your authentication app or MFA device. That’s how it’s supposed to work in theory, anyway (see the nearby sidebar for examples of how attackers can sidestep MFA).

Attacks in the Cloud Are Different

On-premises attacks often exploit a weakness in software, but as you move to the cloud, such exploits are less common. This is due, in part, to the fact that it’s much harder to attack the underlying systems that are managed by the cloud providers. Instead, attackers find it much easier to “log in” than to “break in,” because identity is what determines access. In the past, the network was the perimeter; an attacker needed VPN or Citrix access to get into the network. In the cloud era, the perimeter is the identity, so once you control an account, you have access.

Today, SaaS companies offer platforms that need a “non-human identity” in order to work, usually an API key or something similar. If attackers are able to acquire those API keys, they’ll likely have access to an identity that isn’t tied to a specific employee and won’t have any type of multi-factor authentication attached to it. An example of exploiting non-human identities occurred when adversaries compromised a company’s code repository, where they found access keys. The attackers used those keys to access an AWS S3 bucket that held client information, including the access keys the victims were using to authenticate to their clients’ systems.

Context Is Everything

Capturing the context of an event can require information from multiple systems, such as identity management systems and authentication systems, as well as activity logs from applications. It’s worth noting that SIEM systems don’t bring in nearly enough log data to provide the full context of events typically found in cloud investigations. While a SIEM might have connectors to bring in security logs, it isn’t designed to capture details about emails sent, documents updated, features of applications used, or other activities. Integrating logs from a range of applications and services is challenging because logs have different formats and carry different types of information.

Real-time Cloud Threat Detection Has Barriers

The need to detect threats as soon as possible has led to real-time detection on-premises. Unfortunately, real-time detection isn’t available in the cloud. This is because it takes time for an event to be processed by the provider, shipped into the logs, and for that change in the logs to be delivered to the client. The fastest logs in the cloud today are at least 5–10 minutes behind. So, even before you bring in any solution that focuses on extracting the relevant content from your logs, the provider has already delayed their delivery. These are good facts to understand when setting team KPIs and executive expectations. To detect any cloud threat, you need more than speed; you need intelligence.

Using Threat Intelligence in the Cloud

Threat intelligence is the process of collecting, analyzing, and sharing information about security threats to an organization.

Threat intelligence includes:

Strategic intelligence – Includes high-level information about threats and risks. This type of threat intelligence is typically used by executives.

Tactical intelligence – Provides technical details on threats and indicators of attack.

Operations intelligence – Provides information about the motives and intents of malicious actors and potential attacks.

Cloud investigations benefit from all forms of threat intelligence. Threat detection and hunting in the cloud benefit from security tools and platforms that integrate threat intelligence with detection and hunting capabilities.

LAST UPDATED:

August 5, 2024

To read the rest of this chapter on cloud threat detection and get more expert guidance on cloud investigation, download a free digital copy of Cloud Threat Detection, Investigation, and Response for Dummies®
