Introduction

The rise of cybercrime has created an insatiable appetite for threat hunting. Many organizations take a reactive approach to cybersecurity. Often, the first indication that something is happening on their network is when they receive an alert about an attack in progress. However, by this point, it may already be too late to stop the attack. In today's challenging and rapidly changing environment, cyberthreat actors are becoming increasingly sophisticated, and many of them can remain undetected until they achieve their objectives. By taking a proactive approach to security, security teams can identify infections while they are still in the “stealth” phase, allowing them to be remediated before they do significant damage to the organization. To do this, the security team needs to learn to threat hunt.

Threat hunting is a critical focus area for increasing the cybersecurity posture of any organization. It is proactive by definition: rather than waiting for an alert, hunters search for evidence that an adversary is already present. The same adversary techniques are exercised offensively by ethical hackers and red teams, to test whether defenders can see them, and defensively by hunters, to stop bad actors before they achieve their objectives. Several industry best practices provide a threat-hunting framework that can act as a set of guidelines for organizations. The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) Framework is highly regarded in the cybersecurity industry as one of the most comprehensive catalogs of attacker tactics and techniques. Threat hunters use this framework to look for the specific techniques that attackers commonly use to penetrate defenses.

Testing how well the tools that defenders have already deployed can monitor and detect malicious activity across the whole environment is critical to safeguarding against cyberattacks. While implementing cloud cybersecurity solutions for digital transformation projects globally, we are confronted daily with a set of practical questions, specifically:

  • What are the critical business and technical drivers of a threat-hunting framework in today's rapidly changing cloud environments?
  • Is there an industry-leading framework that ensures we address all known attack vectors?
  • What are the human elements that organizations need to focus on for building internal capability or source threat-hunting capability from external cloud providers?
  • What metrics are available to assess threat-hunting effectiveness irrespective of the organization's size—from enterprise or small- to medium-sized businesses?
  • Is there a catalog or a reference architecture artifact that can assist both business and technical users in addressing each attack vector?
  • How does threat hunting work with vendor-specific single cloud security offerings?
  • How does threat hunting work on multi-cloud implementations?
  • What do industry-leading cloud providers, such as Amazon Web Services (AWS) and Microsoft Azure, provide as building blocks for offensive and defensive threat-hunting capabilities?
  • What is the future of threat hunting?

These questions were confronted by Dr. Chris Peiris in a real-world scenario when he was presented with an opportunity to build a “side-by-side” cybersecurity fusion center implementation on the Microsoft Azure and AWS technology platforms. He noticed there is a growing customer requirement to enable a “multi-cloud” strategy with enterprise customers. Chris, in collaboration with Binil and Abbas, started to address this growing, ever-increasing customer demand.

They noticed that the primary motivations for customer organizations to have a tailored cybersecurity risk framework are to avoid “vendor lock-in” to a specific technology platform and to meet regulatory compliance requirements. From a risk-mitigation perspective, this approach supports vendor neutrality and rapid disaster recovery for the organization. It helps organizations strategize their security posture and build a threat-hunting ecosystem that ensures long-term sustainability. Therefore, counter to the popular sentiment of Cloud Service Providers (CSPs) competing for market share, there is a growing “synergy framework” in which the CSPs work together to address customer requirements.

As a practical example, an email phishing attack can be detected by Microsoft Defender for Office 365 across the organization's Microsoft 365, Azure, and Windows assets. On the AWS side, Amazon GuardDuty plays the analogous threat-detection role for AWS accounts and workloads, surfacing findings that the same hunting methodology can be applied to. It is practical to build a multi-cloud threat-hunting framework that leverages the best of both worlds from multiple cloud providers to address the organization's specific cybersecurity risks.

This multi-cloud synergy framework gives an organization a rich toolset for increasing its security posture and for leveraging the CSPs' global threat intelligence assets. By partnering with CSPs through this multi-cloud capability, the organization can significantly improve its security posture.

This book aims to present a threat-hunting framework that enables organizations to implement multi-cloud security toolsets to increase their security posture. We focus on the AWS and Microsoft security toolsets and address the most common threat vectors using the MITRE ATT&CK Framework as a reference architecture. We also address the future of threat hunting in relation to AI, machine learning, quantum computing, and IoT proliferation. This book is a practical guide for any organization aiming to build, optimize, and advance its threat-hunting requirements. It provides a comprehensive toolset to accelerate business growth with secured digital transformation and regulatory compliance activities.

What Does This Book Cover?

Many organizations are quickly discovering that threat hunting is the next step in the evolution of the modern Security Operations Center (SOC), but remain unsure of how to start hunting or how far along they are in developing their own hunting capabilities. We believe this book addresses a gap in the market. There are several books on threat-hunting frameworks and how to use them in on-premises environments (as opposed to cloud/CSP implementations), but threat-hunting capability on cloud assets remains largely unexplored. This book also addresses the people (the human element) and the business measurements to consider in order to successfully adopt a threat-hunting framework. It provides practical guidance for implementing a threat-hunting framework irrespective of the organization's size and maturity.

There are specific vendors' blog posts/articles and “how-to guides” to address individual threat vectors. However, there is no definitive guide on how threat hunting works on Microsoft or AWS to address all major attack vectors. That's where this book comes in.

Can an organization build a comprehensive threat-hunting framework that addresses all the common attack vectors using cloud assets? This book attempts to answer that question on the AWS and Microsoft cloud platforms.

The contents of the book are prepared to serve business decision makers such as board members, CXOs, and CISOs, as well as a technical audience. Business users will find the technology-agnostic cloud threat-hunting methodology framework valuable for managing their cybersecurity risks. Technical users will benefit from the how-to guide on Microsoft Azure and AWS for addressing these risks. There are no other books in the market that address Microsoft Azure and AWS side by side. You will also get an opportunity to learn to use the best of both worlds in Microsoft Azure and AWS (for example, you can create a solution where endpoint detection and response is handled by Microsoft Defender for Endpoint, while sensitive-data discovery and classification is handled by Amazon Macie).

We have structured the book in five parts:

  • Part I: An introduction to threat-hunting concepts and industry frameworks that address threat hunting. This section is targeted toward business decision makers such as the board members, the CXOs, and the CISOs.
  • Part II: How does Microsoft Azure address key threats? This section is targeted toward a technical audience.
  • Part III: How does AWS address key threats? This is targeted toward a technical audience, similar to the previous section.
  • Part IV: Other cloud threat-hunting platforms and the future of threat hunting. This is targeted toward business decision makers, technical professionals, and anyone who wants to learn the potential future threat-hunting trends.
  • Part V: Appendices. These mainly contain MITRE ATT&CK Framework reference material that correlates to key attack vectors that the book explores.

Here is a further breakdown of chapter contents.

  • Part I: Threat Hunting Frameworks
    • Chapter 1: Introduction to Threat Hunting This chapter sets the context of rising cybercrime, and the key threat attack vectors such as phishing, ransomware, and nation state attacks. The chapter further explores the necessity of threat hunting, how threat hunting affects organizations of all sizes, the threat-hunting maturity model, and the human elements of threat hunting. Finally, this chapter recommends a few priorities that can help any organization build a foundation to make the board of directors cyber-smart.
    • Chapter 2: Modern Approach to Multi-Cloud Threat Hunting This chapter discusses multi-cloud and multi-tenant environments and how Security Operation Centers (SOCs) are designed to monitor their activities. We explore threat modeling and threat-hunting goals and objectives. The chapter provides fresh insights for organizations keen to learn about the skillsets required for threat hunting and the metrics available to measure the effectiveness of threat hunting.
    • Chapter 3: Exploration of MITRE Key Attack Vectors This chapter explains how you can leverage ATT&CK tactics and techniques to enhance, analyze, and test your threat-hunting efforts. The objective is to illustrate how to prevent bad actors from penetrating defenses by focusing on a few key attack vectors. We focus on privilege escalation, credential access, lateral movement, command and control, and exfiltration, as these tactics are essential to most intrusions, and analyze each in depth with real-world examples (using case studies). We also discuss the Zero Trust Architecture Framework as a key enabler for threat prevention.
  • Part II: Hunting in Microsoft Azure
    • Chapter 4: Microsoft Azure Cloud Threat Prevention Framework This chapter explores Microsoft's threat-hunting capabilities in detail. The chapter introduces Microsoft security concepts and discusses their relevance to the shared responsibility model. This is followed by a detailed how-to guide on preventing the privilege escalation, credential access, lateral movement, command and control, and exfiltration Tactics, Techniques, and Procedures (TTPs). It also explains how to automate some of your hunting tasks using Microsoft security services across Microsoft 365 and Azure.
    • Chapter 5: Microsoft Cybersecurity Reference Architecture and Capability Map This chapter focuses on the Microsoft Cybersecurity Reference Architecture. The chapter explores the “wider Microsoft reference” architecture for all TTPs discussed in the MITRE ATT&CK Framework. We also discuss the NIST Framework's alignment to the Microsoft reference architecture.
  • Part III: Hunting in AWS
    • Chapter 6: AWS Cloud Threat Prevention Framework This chapter covers AWS threat-hunting capabilities in detail. We address the same five key ATT&CK tactics (privilege escalation, credential access, lateral movement, command and control, and exfiltration) and include a how-to guide similar to Chapter 4. The objective is to show the reader how similarly these threat vectors are addressed across multiple cloud platforms.
    • Chapter 7: AWS Reference Architecture This chapter covers the AWS reference architecture for threat hunting. We follow the same format as Chapter 5 to illustrate the similarities between the cloud platforms. The chapter explores the wider threat-hunting capabilities available in AWS beyond the five tactics discussed in Chapter 6.
  • Part IV: The Future
    • Chapter 8: Threat Hunting in Other Cloud Providers This chapter focuses on the threat-hunting capability stack, aligned to the MITRE ATT&CK Framework, available from other major cloud platform service providers, such as Google Cloud Platform (GCP), IBM, Oracle, and Alibaba Cloud. The chapter provides an overview of how these leading providers of IaaS, PaaS, and SaaS have built or adopted threat-hunting capabilities to protect their customers' data.
    • Chapter 9: The Future of Threat Hunting This chapter explores the future of threat hunting and the technological advances challenging the current threat-hunting landscape. In this chapter, we discuss the importance of bringing all relevant capabilities together and integrating them. This includes artificial intelligence, machine learning, quantum-resistant (post-quantum) cryptography, the Internet of Things (IoT), operational technology, blockchain for cybersecurity, threat hunting as a service, and regulatory compliance challenges.
  • Part V: Appendices
    • Appendix A: MITRE ATT&CK Tactics This appendix details the complete list of tactics and techniques in the MITRE ATT&CK Framework.
    • Appendix B: Privilege Escalation This appendix provides an in-depth analysis of the techniques and sub-techniques under the Privilege Escalation tactic.
    • Appendix C: Credential Access This appendix provides an in-depth analysis of the techniques and sub-techniques under the Credential Access tactic.
    • Appendix D: Lateral Movement This appendix provides an in-depth analysis of the techniques and sub-techniques under the Lateral Movement tactic.
    • Appendix E: Command and Control This appendix provides an in-depth analysis of the techniques and sub-techniques under the Command and Control tactic.
    • Appendix F: Data Exfiltration This appendix provides an in-depth analysis of the techniques and sub-techniques under the Exfiltration tactic.
    • Appendix G: MITRE Cloud Matrix This appendix provides an in-depth analysis of the MITRE ATT&CK Cloud Matrix.
    • Appendix H: Glossary This appendix contains definitions of various industry terms used in the book.

Additional Resources

In addition to this book, here are some other resources that can help you learn more:

How to Contact the Publisher

If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur.

In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission”.
