Threat Hunting in the Public Cloud: A Practical Guide
Threat hunting is a proactive cybersecurity process in which specialists called threat hunters search networks and datasets to identify threats that existing automated security solutions may have missed. It’s about thinking like the attacker, anticipating their movements and countering them before they can cause damage.
Threat hunting is an essential tool in our cybersecurity toolbox, especially at a time when threats are becoming increasingly sophisticated and stealthy. Threat hunting allows us to stay one step ahead of attackers and detect and mitigate threats before they can cause significant damage.
However, mastery of threat hunting is no small thing. It requires a deep understanding of the different types of threats and a systematic approach to combating them. This brings us to the next section, where we discuss the types of threats you can expect in the public cloud.
Malware and ransomware
Malware and ransomware are among the most common threats in the public cloud. Malware, short for malicious software, is any software that aims to cause damage to a computer, server, client or computer network. Ransomware, a type of malware, locks users out of their data until a ransom is paid. These threats are becoming increasingly sophisticated and new variants are constantly emerging.
To counter these threats, we need to understand their behavior and signs of compromise. This allows us to identify them in good time and take appropriate action.
Data exfiltration
Data exfiltration, also known as data theft, is the unauthorized transfer of data from a computer. In the context of the public cloud, data exfiltration can be particularly damaging because large amounts of sensitive data are often stored in the cloud. Threat actors can use various techniques to exfiltrate data, such as command and control servers, data staging, or even covert channels.
By understanding how data can be exfiltrated and continually monitoring for signs of such activity, threat hunters can detect and stop data exfiltration attempts before they succeed.
Identity and credential threats
Identity and credential threats are the unauthorized use of identities or credentials to gain access to systems and data. In the public cloud, where access is often controlled by identity and access management (IAM) systems, these threats can be particularly serious.
Threat hunting in this context involves looking for unusual activity that could indicate unauthorized use of identities or credentials. This may include an unexpected location or time of access, unusual behavior patterns, or attempts to escalate privileges.
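As an added illustration (not part of the original article), the following Python script hunts for the three signals just described in constructed, CloudTrail-style audit records: access from an unexpected source network, access outside a principal's usual hours, and calls to privilege-granting IAM APIs. The baseline, the sample records and the set of privilege-related event names are assumptions made for this example, not data from any real environment.

```python
"""Hunt for identity and credential misuse in cloud audit logs.

Added example (not from the original article). The log lines below are
constructed, CloudTrail-style JSON records: the field names follow the
common CloudTrail layout (eventName, userIdentity, sourceIPAddress,
eventTime) but every value is invented for illustration.
"""
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed baseline: where and when each principal normally works.
# In a real hunt this comes from historical access data, not a literal.
BASELINE = {
    "alice": {"networks": ["203.0.113.0/24"], "hours": range(8, 19)},
    "ci-deployer": {"networks": ["198.51.100.0/24"], "hours": range(0, 24)},
}

# API calls that grant or widen permissions; unexpected use is a hunt lead.
PRIVILEGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
    "CreateAccessKey", "UpdateAssumeRolePolicy",
}

# Constructed sample records, one JSON document per line.
SAMPLE_LOG = """
{"eventTime":"2024-05-02T10:15:00Z","eventName":"ListBuckets","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2024-05-02T03:40:00Z","eventName":"GetObject","userIdentity":{"userName":"alice"},"sourceIPAddress":"192.0.2.55"}
{"eventTime":"2024-05-02T03:41:30Z","eventName":"AttachUserPolicy","userIdentity":{"userName":"alice"},"sourceIPAddress":"192.0.2.55"}
{"eventTime":"2024-05-02T11:00:00Z","eventName":"CreateAccessKey","userIdentity":{"userName":"ci-deployer"},"sourceIPAddress":"198.51.100.9"}
{"eventTime":"2024-05-02T11:05:00Z","eventName":"GetObject","userIdentity":{"userName":"mallory"},"sourceIPAddress":"192.0.2.56"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_identity_anomalies(events, baseline=BASELINE):
    """Return (user, eventName, reasons) tuples for events that deviate
    from the baseline or touch privilege-granting APIs."""
    findings = []
    for ev in events:
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        name = ev["eventName"]
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            # A principal we have never profiled is itself worth a look.
            reasons.append("no baseline for principal")
        else:
            src = ip_address(ev["sourceIPAddress"])
            if not any(src in ip_network(n) for n in profile["networks"]):
                reasons.append("unexpected source network")
            # Timestamps are UTC ("Z"); fromisoformat needs an explicit offset.
            hour = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")).hour
            if hour not in profile["hours"]:
                reasons.append("outside usual hours")
        if name in PRIVILEGE_EVENTS:
            reasons.append("privilege-granting API call")
        if reasons:
            findings.append((user, name, reasons))
    return findings


if __name__ == "__main__":
    for user, name, reasons in hunt_identity_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{user:12} {name:18} {', '.join(reasons)}")
```

Run against the sample, the script leaves the routine daytime call alone and surfaces the night-time access from an unknown network, the policy attachment that follows it, the key creation by the deployment principal, and an unprofiled principal. Each finding is a lead to investigate, not a verdict; the baseline is what turns raw events into anomalies, which is why the article stresses knowing your environment's normal behavior.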
Misconfigurations and vulnerabilities
Misconfigurations and vulnerabilities represent another significant threat in the public cloud. Misconfigurations can expose data or systems to unauthorized access, while vulnerabilities can be exploited to gain access or escalate privileges.
Threat hunting is about identifying these misconfigurations and vulnerabilities before they can be exploited. This requires a thorough understanding of system configurations and potential vulnerabilities, as well as continuous monitoring for changes that could introduce new risks.
Now that we’ve discussed the types of threats you can expect in the public cloud, let’s take a look at the general threat hunting process.
Define scope
The first step is to define the scope of your threat hunting. This includes defining the boundaries of your search, including the systems, networks, and data you want to examine. As a rule of thumb, the broader the scope, the more comprehensive your threat hunting will be.
However, defining scope is not just about breadth. It’s also about depth. You need to determine how far back in time you look for threats and how deeply you delve into each potential incident. In my experience, a balance between breadth and depth is essential for effective threat hunting.
Last but not least, defining scope also includes setting your goals. What do you want to achieve with your threat hunting? Are you looking for specific threats or are you conducting a general search? By clearly defining your goals, you can ensure your threat hunting is targeted and productive.
Indicators of compromise (IoCs)
Once you have defined your scope, the next step is to identify potential indicators of compromise (IoCs). These are signs that a system or network may have been breached. In the context of the public cloud, IoCs can include unusual network traffic patterns, unexpected changes in system configurations, or suspicious user activity.
Identifying IoCs is a critical part of threat hunting. It requires a deep understanding of the typical behavior of your systems and networks as well as the ability to detect anomalies.
Data collection
After identifying potential IoCs, the next step is data collection. This includes gathering any relevant data that could help you investigate the IoCs. In the public cloud, this could be log data, network traffic data, system configuration data, and user activity data.
Data collection is a delicate process. It requires careful planning and execution to ensure that all relevant data is captured and nothing is missed. It also requires a deep understanding of the data sources in your cloud environment and how to extract data from them.
Data analysis and query
Once you have your data, the next step is data analysis and query. The collected data is examined to uncover evidence of compromise.
Data analysis requires a deep understanding of the data you are working with and the ability to interpret it correctly. It also requires the ability to ask the right questions – or queries – about your data. For example, you can query your data for signs of unusual network traffic or suspicious user activity.
Correlation and enrichment
Once you have analyzed your data, the next step is correlation and enrichment. This requires you to compare and combine your results to get a more complete picture of the potential compromise.
Correlation is the process of linking related pieces of evidence together. For example, you might associate an unusual pattern of network traffic with a suspicious change in system configuration. This will help you better understand the nature and extent of the potential compromise.
Enrichment, on the other hand, is about adding context to your findings. You could enrich your data with information from external threat intelligence sources or with historical data from your own systems. This can give you a deeper understanding of the potential threat and help you make more informed decisions about how to respond.
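To make the query, correlation and enrichment steps concrete, here is an added example (not code from the original article) that runs the three in sequence over constructed records: a query picks out an instance whose hourly egress far exceeds its historical baseline, correlation links that traffic to a security-group change on the same instance shortly before, and enrichment attaches a tag from a stand-in threat-intelligence list plus the ratio to baseline. The event layout, instance IDs, baseline figures and intel entries are all assumptions made for the example.

```python
"""Query, correlate and enrich: a small cloud threat-hunting pipeline.

Added example, not the article's own code. All records below are
constructed: the configuration events mimic an audit log, the traffic
records mimic per-hour egress summaries, and the threat-intel list and
historical baseline are invented stand-ins for real feeds.
"""
from datetime import datetime, timedelta

# Constructed audit-log events describing configuration changes.
CONFIG_EVENTS = [
    {"time": "2024-05-02T03:38:00Z", "event": "AuthorizeSecurityGroupEgress",
     "resource": "i-0a1b2c3d", "detail": "allow 0.0.0.0/0 tcp/443"},
    {"time": "2024-05-02T09:00:00Z", "event": "ModifyInstanceAttribute",
     "resource": "i-0ff00ff0", "detail": "instance type change"},
]

# Constructed per-hour egress summaries (bytes sent by each instance).
TRAFFIC = [
    {"time": "2024-05-02T03:00:00Z", "resource": "i-0a1b2c3d", "dst": "192.0.2.80", "bytes": 40_000},
    {"time": "2024-05-02T04:00:00Z", "resource": "i-0a1b2c3d", "dst": "192.0.2.80", "bytes": 9_500_000_000},
    {"time": "2024-05-02T09:00:00Z", "resource": "i-0ff00ff0", "dst": "198.51.100.20", "bytes": 60_000},
]

# Constructed historical baseline: typical hourly egress per instance.
BASELINE_BYTES = {"i-0a1b2c3d": 50_000, "i-0ff00ff0": 70_000}

# Constructed stand-in for an external threat-intelligence feed.
THREAT_INTEL = {"192.0.2.80": "known data-staging host (constructed)"}


def _ts(s):
    """Parse a UTC ISO-8601 timestamp ending in 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def query_unusual_egress(traffic, baseline, factor=10):
    """Query step: traffic records whose volume exceeds the instance's
    historical baseline by more than `factor` times."""
    return [t for t in traffic if t["bytes"] > factor * baseline.get(t["resource"], 0)]


def correlate(config_events, anomalies, window=timedelta(hours=2)):
    """Correlation step: pair each traffic anomaly with configuration
    changes on the same resource that happened within `window` before it."""
    pairs = []
    for a in anomalies:
        for c in config_events:
            gap = _ts(a["time"]) - _ts(c["time"])
            if c["resource"] == a["resource"] and timedelta(0) <= gap <= window:
                pairs.append({"config": c, "traffic": a})
    return pairs


def enrich(pairs, intel, baseline):
    """Enrichment step: attach a threat-intel tag for the destination and
    the ratio of observed egress to the historical baseline."""
    out = []
    for p in pairs:
        t = p["traffic"]
        out.append({
            **p,
            "intel": intel.get(t["dst"], "no match"),
            "ratio_to_baseline": t["bytes"] / baseline[t["resource"]],
        })
    return out


def hunt(config_events=CONFIG_EVENTS, traffic=TRAFFIC,
         baseline=BASELINE_BYTES, intel=THREAT_INTEL):
    """Run query -> correlate -> enrich and return the enriched findings."""
    anomalies = query_unusual_egress(traffic, baseline)
    return enrich(correlate(config_events, anomalies), intel, baseline)


if __name__ == "__main__":
    for f in hunt():
        print(f["traffic"]["resource"], f["config"]["event"], f["config"]["detail"],
              f"{f['ratio_to_baseline']:.0f}x baseline", f["intel"])
```

On the sample data the query returns a single anomaly, the one-hour egress burst from i-0a1b2c3d; correlation ties it to the security-group rule opened 22 minutes earlier on the same instance, and enrichment reports that the destination appears in the intel list and that the volume is 190,000 times the instance's baseline. Each step alone is only a weak signal; chained together they form the fuller picture the article describes.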
Investigation and validation
After correlating and enriching your data, the next step is investigation and validation. This involves diving deeper into the potential compromise to confirm its existence and understand its implications. Once validated, you can move on to the next step of containment and eradication.
The investigation can include a variety of techniques, from further data analysis to practical system and network investigation. Throughout this process, it is important to maintain a methodical approach to ensure no stone is left unturned.
Validation, on the other hand, is about confirming that the identified threat is real. This may include replicating suspected behavior or comparing your results to known threat indicators. If the threat is confirmed, it’s time to take action.
Containment and eradication
Once a threat is confirmed, the next step is containment and eradication. This requires taking steps to limit the impact of the threat and remove it from your systems and networks. In the public cloud, this can include isolating affected systems, blocking malicious network traffic, or disabling compromised user accounts.
Containment and eradication form a delicate process. It requires careful planning and execution to ensure the threat is effectively neutralized without causing unnecessary disruption to your operations.
Recovery and documentation
The final step in the threat hunting process is recovery and documentation. Recovery is about restoring your systems and networks to normal. This may include repairing damaged systems, recovering lost data, or implementing new security measures to prevent future compromises.
Documentation, on the other hand, is about recording all the details of the threat hunting process. This includes documenting your findings, the actions taken and the lessons learned. Documentation is invaluable for improving future threat hunting efforts and for demonstrating compliance with security regulations.
Threat hunting is a complex and ongoing process. However, if we follow these steps and continually refine our methods, we can master the art of threat hunting and ensure the security of our public cloud environments. Remember: The key to successful threat hunting is to remain ever vigilant, proactive, and never stop learning and adapting.
By Gilad David Maayan