Threat Hunting in the Cloud
by Chris Peiris, Binil Pillai, Abbas Kudrati
Table of Contents
Cover
Title Page
Foreword
Introduction
What Does This Book Cover?
Additional Resources
How to Contact the Publisher
Part I: Threat Hunting Frameworks
CHAPTER 1: Introduction to Threat Hunting
The Rise of Cybercrime
What Is Threat Hunting?
The Key Cyberthreats and Threat Actors
The Necessity of Threat Hunting
Threat Modeling
Threat-Hunting Maturity Model
Human Elements of Threat Hunting
Summary
CHAPTER 2: Modern Approach to Multi-Cloud Threat Hunting
Multi-Cloud Threat Hunting
Building Blocks for the Security Operations Center
Cyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC
Cyber Resiliency and Organizational Culture
Skillsets Required for Threat Hunting
Threat-Hunting Process and Procedures
Metrics for Assessing the Effectiveness of Threat Hunting
Threat-Hunting Program Effectiveness
Summary
CHAPTER 3: Exploration of MITRE Key Attack Vectors
Understanding MITRE ATT&CK
Threat Hunting Using Five Common Tactics
Other Methodologies and Key Threat-Hunting Tools to Combat Attack Vectors
Analysis Tools
Summary
Part II: Hunting in Microsoft Azure
CHAPTER 4: Microsoft Azure Cloud Threat Prevention Framework
Introduction to Microsoft Security
Understanding the Shared Responsibility Model
Microsoft Services for Cloud Security Posture Management and Logging/Monitoring
Using Microsoft Secure and Protect Features
Microsoft Detect Services
Detecting “Privilege Escalation” TTPs
Detecting Credential Access
Detecting Lateral Movement
Detecting Command and Control
Detecting Data Exfiltration
Microsoft Investigate, Response, and Recover Features
Using Machine Learning and Artificial Intelligence in Threat Response
Summary
CHAPTER 5: Microsoft Cybersecurity Reference Architecture and Capability Map
Introduction
Microsoft Security Architecture versus the NIST Cybersecurity Framework (CSF)
Microsoft Security Architecture
Using the Microsoft Reference Architecture
Understanding the Security Operations Solutions
Understanding the People Security Solutions
Summary
Part III: Hunting in AWS
CHAPTER 6: AWS Cloud Threat Prevention Framework
Introduction to AWS Well-Architected Framework
AWS Services for Monitoring, Logging, and Alerting
AWS Protect Features
AWS Detection Features
How Do You Detect Privilege Escalation?
How Do You Detect Credential Access?
How Do You Detect Lateral Movement?
How Do You Detect Command and Control?
How Do You Detect Data Exfiltration?
How Do You Handle Response and Recover?
Summary
References
CHAPTER 7: AWS Reference Architecture
AWS Security Framework Overview
AWS Reference Architecture
Summary
Part IV: The Future
CHAPTER 8: Threat Hunting in Other Cloud Providers
The Google Cloud Platform
The IBM Cloud
Oracle Cloud Infrastructure Security
The Alibaba Cloud
Summary
References
CHAPTER 9: The Future of Threat Hunting
Summary
References
Part V: Appendices
APPENDIX A: MITRE ATT&CK Tactics
APPENDIX B: Privilege Escalation
APPENDIX C: Credential Access
APPENDIX D: Lateral Movement
APPENDIX E: Command and Control
APPENDIX F: Data Exfiltration
APPENDIX G: MITRE Cloud Matrix
Initial Access
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Data Exfiltration
Impact
APPENDIX H: Glossary
Index
Copyright
Dedication
About the Authors
About the Technical Editors
Acknowledgments
End User License Agreement
List of Tables
Chapter 2
Table 2.1: Comparing SIEM, SOC, and Threat Hunting
Table 2.2: Example of Threat-Hunting Metrics
Chapter 6
Table 6.1: Options for Automated Responses
List of Illustrations
Chapter 1
Figure 1.1: Phishing lifecycle implemented by cybercriminals
Figure 1.2: Global ransomware damage costs
Figure 1.3: Ransomware tactics and lifecycle
Figure 1.4: Industry breakdown of nation state attacks
Figure 1.5: Nation state attack adversaries list
Figure 1.6: Breakdown of major nation state actors
Figure 1.7: Components of threat modeling
Figure 1.8: Microsoft Security Development Lifecycle
Figure 1.9: MITRE ATT&CK framework
Figure 1.10: Threat Hunting Maturity Model
Figure 1.11: Organizations show their willingness to implement human-led thr...
Chapter 2
Figure 2.1: Flexera's state of the cloud report
Figure 2.2: Simplified multi-cloud environment
Figure 2.3: Elements of a modern SOC
Figure 2.4: SOC tooling
Figure 2.5: SOC teams reference model
Figure 2.6: SOC reference architecture
Figure 2.7: SOC using a three-tier approach: Tier 1 addresses high-speed rem...
Figure 2.8: Cyber resilience is the ability to prepare for, respond to, and ...
Figure 2.9: Threat-hunting data collection steps
Figure 2.10: Threat hunting components
Chapter 3
Figure 3.1: Enterprise ATT&CK matrix with sub-techniques
Figure 3.2: The Initial Access tactic, found on the ATT&CK Framework
Figure 3.3: Tactics and techniques representing the MITRE ATT&CK...
Figure 3.4: PARINACOTA attack with multiple lateral movement methods
Figure 3.5: Zero Trust is a security methodology with several aspects.
Figure 3.6: Control number filters
Figure 3.7: Microsoft Azure Sentinel
Figure 3.8: Azure Sentinel Data Connectors
Figure 3.9: Azure Sentinel Workbooks
Figure 3.10: Azure Sentinel Incidents
Figure 3.11: Security Orchestration Playbook
Figure 3.12: Interactive Graph for Investigation
Figure 3.13: Azure Sentinel's hunting tools
Figure 3.14: Azure Sentinel Community
Figure 3.15: Amazon CloudWatch
Figure 3.16: The Amazon Athena service
Chapter 4
Figure 4.1: Microsoft's end-to-end integrated security features
Figure 4.2: Shared responsibility on the cloud
Figure 4.3: Azure Security Center vs. Azure Sentinel
Figure 4.4: Azure Security Center overview
Figure 4.5: The ASC overview dashboard
Figure 4.6: The Azure Defender dashboard
Figure 4.7: Azure Defender plans
Figure 4.8: Azure Sentinel Overview
Figure 4.9: Azure Sentinel search
Figure 4.10: Add Sentinel to a workspace
Figure 4.11: Data Connectors
Figure 4.12: Built-in Analytics rule
Figure 4.13: Threat kill chain protection with M365
Figure 4.14: Microsoft Security and Prevention Services with Azure
Figure 4.15: WAF policy window
Figure 4.16: Create WAF Policy
Figure 4.17: Create WAF Rule Set
Figure 4.18: Custom Rule Configuration page
Figure 4.19: Create an anti-phishing policy
Figure 4.20: Set the phishing threshold and other settings
Figure 4.21: Microsoft Defender for Endpoint services
Figure 4.22: Microsoft Defender for Endpoint console
Figure 4.23: Azure AD Conditional Access
Figure 4.24: Azure Conditional Access
Figure 4.25: Set Conditional Access in Azure AD
Figure 4.26: Grant permission on Authenticator App when prompted to share yo...
Figure 4.27: Grant permission prompt on your authenticator app
Figure 4.28: Microsoft Detect Services
Figure 4.29: Security Center service in Azure Portal
Figure 4.30: Security Alert and Filter in ASC
Figure 4.31: View Full details option in ASC
Figure 4.32: Detail Security Alert
Figure 4.33: Azure Sentinel Service
Figure 4.34: Azure Sentinel Hunting feature
Figure 4.35: Identity Protection policies examples
Figure 4.36: Policy Dashboard in Identity Protection
Figure 4.37: User risk policy
Figure 4.38: Sign in Risk Policy example
Figure 4.39: Checking Credential Access alert in ASC
Figure 4.40: Hunting Credential Access Tactics Query in Azure Sentinel
Figure 4.41: Just-in-time option in Azure Defender
Figure 4.42: Port configuration options
Figure 4.43: Edit JIT option
Figure 4.44: Request access window on ASC
Figure 4.45: Download the activity log
Figure 4.46: Selecting and detecting Lateral Movement alerts in ASC
Figure 4.47: Hunting Lateral Movement in Azure Sentinel
Figure 4.48: Checking Command and Control Alert in ASC
Figure 4.49: Hunting Command & Control Tactic in Azure Sentinel
Figure 4.50: Microsoft Cloud App Security (MCAS) dashboard
Figure 4.51: Add Network scan job example in Azure Information Protection
Figure 4.52: Scan job status in AIP
Figure 4.53: Azure Information Protection Repositories
Figure 4.54: Assign to content scan job option in AIP
Figure 4.55: Network Content Scan result window
Figure 4.56: Checking Data Exfiltration Alert in ASC
Figure 4.57: Hunting Data Exfiltration tactic in Azure Sentinel
Figure 4.58: Microsoft 365 Security Advanced Hunting option
Figure 4.59: Microsoft Investigate and Respond services
Figure 4.60: Review and approve pending actions in Action Center
Figure 4.61: Review and approve pending actions in Action Center
Figure 4.62: Microsoft Threat Experts
Figure 4.63: Microsoft Threat Expert Application Window
Figure 4.64: Microsoft Threat Expert Application Confirmation
Figure 4.65: Consult a Threat Expert option under support menu
Figure 4.66: Devices action page in Microsoft Defender for Endpoint
Figure 4.67: A left page action menu on Microsoft Defender for Endpoint
Figure 4.68: A left page action menu on Microsoft Defender for Endpoint
Figure 4.69: MTE screen
Figure 4.70: Consult a threat expert page
Figure 4.71: Generate new token in MCAS
Figure 4.72: Create new Flow in Microsoft Flow application
Figure 4.73: Create new Policy Alert in MCAS
Figure 4.74: Workflow automation tab in ASC
Figure 4.75: Alert Severity selection in Add workflow automation
Figure 4.76: Logic App Designer
Figure 4.77: Adding workflow automation in ASC
Figure 4.78: Example of a Fusion incident in Azure Sentinel
Figure 4.79: Enable/disable Fusion detections rule in Azure Sentinel
Figure 4.80: Example of Notebooks
Figure 4.81: Selection of Notebook ML Template in Azure Sentinel
Figure 4.82: Create the ML Workspace in Azure Sentinel
Figure 4.83: Validation pass window
Figure 4.84: Confirmation window
Figure 4.85: Selection of Notebooks in Azure Sentinel
Figure 4.86: Create a compute instance in Notebooks
Figure 4.87: Create Compute instance for Microsoft ML
Figure 4.88: Configuration settings window
Figure 4.89: Run Code window in Azure Notebook
Chapter 5
Figure 5.1: Microsoft 365 Security services aligned with NIST CSF
Figure 5.2: Microsoft 365 Security solutions
Figure 5.3: The Microsoft Cybersecurity Reference Architecture (MCRA)
Figure 5.4: Foundation of Microsoft Reference Architecture
Figure 5.5: Microsoft's Global threat activity portal
Figure 5.6: Service Trust Portal
Figure 5.7: Microsoft SDL portal
Figure 5.8: The Hybrid Infrastructure
Figure 5.9: Azure Marketplace portal
Figure 5.10: Azure Private Link
Figure 5.11: Azure Arc dashboard
Figure 5.12: Azure Lighthouse portal
Figure 5.13: Azure Lighthouse architecture
Figure 5.14: Azure Firewall
Figure 5.15: Azure Firewall architecture
Figure 5.16: WAF design
Figure 5.17: DDOS Plan dashboard
Figure 5.18: DDOS Protection Architecture
Figure 5.19: Azure Key Vault portal
Figure 5.20: Example of Azure Bastion for Firewall
Figure 5.21: Azure Bastion architecture
Figure 5.22: Azure Site Recovery
Figure 5.23: Azure Security Center (Azure Defender), view from the Azure por...
Figure 5.24: Azure Secure Score
Figure 5.25: Microsoft Endpoint Manager
Figure 5.26: Microsoft Endpoint Manager Center
Figure 5.27: Microsoft Defender for Endpoint
Figure 5.28: Intune architecture
Figure 5.29: Windows 10 Security
Figure 5.30: Threat and risk against identities and access
Figure 5.31: Identity and Access Management
Figure 5.32: Azure Conditional Access Policies example
Figure 5.33: Azure AD Identity Protection portal
Figure 5.34: Azure PIM
Figure 5.35: Microsoft Defender for Identity Architecture
Figure 5.36: Azure AD B2C portal
Figure 5.37: Identity Governance portal
Figure 5.38: SaaS challenges
Figure 5.39: MCAS Dashboard and Portal
Figure 5.40: MCAS architecture
Figure 5.41: Protecting information and data
Figure 5.42: Azure Purview dashboard
Figure 5.43: MIP service
Figure 5.44: Azure Information Protection portal
Figure 5.45: AIP File Scanner architecture
Figure 5.46: Core and Advanced eDiscovery portal
Figure 5.47: Compliance Manager dashboard
Figure 5.48: IoT and Operational Technology challenges
Figure 5.49: Defender for IoT
Figure 5.50: Azure Defender (Security Center for IoT Security)
Figure 5.51: IoT Reference Architecture
Figure 5.52: Threat Modeling example
Figure 5.53: IoT Agentless Deployment design
Figure 5.54: IoT Agent-based integration flow
Figure 5.55: SOC solutions
Figure 5.56: People Security solutions
Figure 5.57: Attack Simulator
Figure 5.58: Insider Risk Management dashboard
Figure 5.59: Insider Risk Management workflow
Figure 5.60: Communication Compliance dashboard
Chapter 6
Figure 6.1: The AWS Well-Architected Framework
Figure 6.2: The AWS Shared Responsibility Model
Figure 6.3: The CloudTrail console dashboard page
Figure 6.4: The CloudWatch Logs console
Figure 6.5: The VPC flow logs console
Figure 6.6: View of the GuardDuty dashboard
Figure 6.7: View of the Security Hub dashboard
Figure 6.8: Amazon API Gateway and AWS WAF
Figure 6.9: Create Example API
Figure 6.10: Deploy API screen
Figure 6.11: Create Stage name screen
Figure 6.12: AWS WAF screen
Figure 6.13: Describe Web ACL screen
Figure 6.14: Add AWS Resource screen
Figure 6.15: Associated AWS Resources screen
Figure 6.16: Add Rules and Rule Groups screen
Figure 6.17: Rule Builder screen
Figure 6.18: Action screen
Figure 6.19: Confirmation of Web ACL Creation screen
Figure 6.20: GuardDuty Welcome screen
Figure 6.21: Generate Sample Findings screen
Figure 6.22: GuardDuty Findings screen
Figure 6.23: Privilege Escalation screen, upper portion
Figure 6.24: Privilege Escalation screen, lower portion
Figure 6.25: S3 bucket
Figure 6.26: Macie screen
Figure 6.27: Enable Macie screen
Figure 6.28: Configure S3 Bucket screen
Figure 6.29: Macie Jobs screen
Figure 6.30: Select S3 Buckets screen
Figure 6.31: Scope screen
Figure 6.32: Name and Description screen
Figure 6.33: Findings screen
Figure 6.34: SensitiveData:S3Object/Credentials Screen 1
Figure 6.35: SensitiveData:S3Object/Credentials Screen 2
Figure 6.36: GuardDuty Findings menu
Figure 6.37: GuardDuty Findings screen
Figure 6.38: UnauthorizedAccess:IAMUser overview screen
Figure 6.39: UnauthorizedAccess:IAMUser resources screen
Figure 6.40: UnauthorizedAccess:IAMUser action screen
Figure 6.41: GuardDuty Findings screen
Figure 6.42: Findings screen
Figure 6.43: Backdoor:EC2/C&CActivity.B!DNS screen
Figure 6.44: Backdoor:EC2/C&CActivity.B!DNS screen
Figure 6.45: Backdoor:EC2/C&CActivity.B!DNS screen
Figure 6.46: GuardDuty Findings screen
Figure 6.47: Findings screen
Figure 6.48: Exfiltration:IAMUser/AnomalousBehavior screen
Figure 6.49: Exfiltration:IAMUser/AnomalousBehavior screen
Figure 6.50: Exfiltration:IAMUser/AnomalousBehavior screen
Figure 6.51: Exfiltration:IAMUser/AnomalousBehavior screen
Figure 6.52: Differences in technical attributes across automated response a...
Figure 6.53: Cost comparison of automation options scanning methods (events ...
Figure 6.54: CloudTrail screen
Figure 6.55: Create a Trail screen
Figure 6.56: Trail Attributes screen
Figure 6.57: Create S3 Bucket screen
Figure 6.58: Enable Encryption screen
Figure 6.59: Enable Advanced Option screen
Figure 6.60: Events screen
Figure 6.61: Management Events screen
Figure 6.62: CloudTrail Details screen
Figure 6.63: Simple Notification Service screen
Figure 6.64: Create Topic screen
Figure 6.65: Create SNS Subscription screen
Figure 6.66: Create Subscription screen
Figure 6.67: EventBridge screen
Figure 6.68: Event Create Rule screen
Figure 6.69: GuardDuty Settings screen
Figure 6.70: Select Event Bus screen
Figure 6.71: Select Targets screen
Figure 6.72: Rules screen
Figure 6.73: GuardDuty screen
Figure 6.74: Summary screen
Figure 6.75: Findings screen
Figure 6.76: CloudTrailLoggingDisabled screen
Figure 6.77: Lambda screen
Figure 6.78: Create Function screen
Figure 6.79: Add Trigger screen
Chapter 7
Figure 7.1: Amazon NIST Cybersecurity Framework (CSF)
Figure 7.2: AWS Reference Architecture aligned to the MITRE ATT&CK Framework...
Figure 7.3: Identify components of AWS Reference Architecture
Figure 7.4: Security Hub architecture
Figure 7.5: AWS Config components
Figure 7.6: AWS Organizations components
Figure 7.7: AWS Control Tower components
Figure 7.8: AWS Trusted Advisor components
Figure 7.9: AWS Well-Architected Tool components
Figure 7.10: AWS Systems Manager components
Figure 7.11: Protect components of AWS Reference Architecture
Figure 7.12: AWS Single Sign-On components
Figure 7.13: AWS Web Application Firewall components
Figure 7.14: AWS Cloud HSM components
Figure 7.15: AWS PrivateLink components
Figure 7.16: AWS Direct Connect components
Figure 7.17: AWS Transit Gateway components
Figure 7.18: AWS Resource Access Manager components
Figure 7.19: Detect components of the AWS Reference Architecture
Figure 7.20: AWS GuardDuty components and architecture
Figure 7.21: AWS Amazon Detective components
Figure 7.22: Amazon Macie components
Figure 7.23: AWS CloudTrail components
Figure 7.24: Amazon CloudWatch components and architecture
Figure 7.25: AWS Lambda components
Figure 7.26: AWS Step Functions components and architecture
Figure 7.27: Recover components of the AWS Reference Architecture
Figure 7.28: AWS CloudFormation components
Chapter 8
Figure 8.1: Chronicle overview
Figure 8.2: IBM Cloud Security
Figure 8.3: Oracle threat intelligence lifecycle
Chapter 9
Figure 9.1: Traditional approach vs. ML approach
Appendix G
Figure G-1: MITRE ATT&CK Framework Cloud Matrix