Customers
Why Mitiga
Request a DemoEmergency Assistance
Home
»
Blog Main

An excerpt from Cloud Threat Detection, Investigation, and Response for Dummies®

Hunting complements detection. Once you’ve identified an indicator of an attack, you need to dig into the details. Is that authentication failure a legitimate user mistyping their password? Or, is it an attacker trying to compromise someone else’s account? Looking at an indicator in isolation often isn’t enough to know for sure when you have a true positive indicator of an attack or when you’re dealing with a benign event.

A-Hunting We Will Go

Threat hunting is the process of investigating security events using a hypothesis-driven exploratory analysis and investigation. Cloud threat hunts, as you may have guessed, focus on hunting threats in cloud environments. Cloud hunts entail deep dives into logs using more complicated logic than typically used for detection. With detection, you’re willing to generate false positive indicators of attacks rather than miss a potential true attack indicator. Detection uses more lightweight pattern recognition to quickly find targets of interest. When you’re hunting, however, you’ve decided to invest time and resources into investigating what appears to be an actual attack, which can cause harm to the organization. There are a few different ways to approach hunts.

Strategic cloud hunts

A strategic cloud hunt looks at what adversaries do when they conduct attacks. These hunts tend to focus on a particular technology or platform, such as exfiltrating data from a cloud provider’s object storage service or compromising the authentication process of a SaaS provider.

Event-driven hunts

Event-driven hunts take advantage of some malicious event that happened to someone else’s system. For example, a technology vendor might have had proprietary information stolen using some form of a persistent threat. During event hunts, researchers gather as much information as possible to understand the attack, identify indicators of the attack, and in some cases, try to replicate the attack in a research and development environment.


Continuous cloud hunts

Continuous cloud hunts are ongoing operations running checks in your cloud and SaaS environments against all indicators of attacks. If some malicious activity is identified, then you can run mitigation processes.

Cloud Hunts Depend on Logs

If you’ve worked with logs in on-premises systems, you’ve probably seen how easy it is to control the level of detail captured in logs. When you shift to using cloud services, especially SaaS services, it becomes more challenging to capture log data. One of the issues is that you need access to cloud provider’s logs. These aren’t always accessible to cloud users. In some cases, the amount of log data available depends on the licensing of a service.

For example, an enterprise license for a collaboration tool may provide for logging while the free version of the same product doesn’t. Not only is this a problem because logs aren’t available for some users, but an attacker can use this two-tiered approach to logging to their advantage. An attacker could temporarily remove the license from a user, perform some malicious act using that user’s account, and then restore the license. The user may never notice the difference, and no logs will be left detailing the malicious activity.


Another thing to consider when using a PaaS or SaaS, is that there are limits to how long the vendor will keep logs. It’s important to capture those logs into a security data lake before they’re deleted by the cloud vendor, so you’ll have what you need to hunt.

Want to go deeper on this topic, and read more expert guidance on cloud investigation? Download a free copy of Cloud Threat Detection, Investigation, and Response for Dummies®.

LAST UPDATED:

July 10, 2024

Don't miss these stories:

Frost & Sullivan’s Latest 2025 Frost Radar: The Need for Runtime Cloud Security in a Cloud-First World

Cloud breaches rose 35% year over year in 2024, and legacy security tools are failing to keep up. The rapid sprawl of multi-cloud and SaaS has shattered the assumptions baked into legacy, on-prem, and endpoint-focused security stacks, which can’t keep pace with today’s dynamic attack surfaces.

The Remote Worker Scam: Understanding the North Korean Insider Threat

Recent investigations have uncovered a sophisticated scheme by North Korean operatives to exploit remote work policies in the U.S. tech industry.

Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs – Part 2

This second part of the blog series continues the path to understanding principals and identities in Google Cloud Platform (GCP) Audit Logs. Part one introduced core concepts around GCP logging, the different identity types, service accounts, authentication methods, and impersonation.

Mitiga Security Advisory: Lack of Forensic Visibility with the Basic License in Google Drive

Mitiga's advisory highlights critical gaps in forensic visibility with Google Drive's Basic license, affecting security and incident investigations. Read on.

Cloud Detection vs Cloud Threat Hunting: Insights for Cyber Leaders

As cyber threats evolve, security teams need to detect and mitigate cloud attacks. Learn why cloud detection and threat hunting are key defense strategies.

Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots

A recent Mitiga Research Team investigation found the well-regarded Amazon Relational Database Service is leaking PII via exposed RDS Snapshots.