SaaS and IaaS are new frontiers for a lot of security teams. We'll explore some thoughts at how you might approach some of these areas of your environment from a hunting or IR perspective. This was from a Sans webinar on 2019-09-25.

1. SEP 25, 2019 | BEN JOHNSON, CTO & CO-FOUNDER
SANS WEBCAST
THREAT HUNTING IN THE CLOUD:
TIME FOR A POWER-UP?

3. ABSTRACT
Threat hunting is an important weapon in the arsenal of proactive enterprise
security. With the shift to the cloud, however, the threat landscape is rapidly
evolving. Faced with automated attacks, multiple perimeters to defend, and
a growing mobile workforce, threat hunters need to reassess the mission.
What is the surface area they need to protect? When does threat hunting
stop and incident response start? And whats the difference between threat
hunting and detection? In this session, we will discuss these topics and
provide guidance for becoming more effective at detection and response in
SaaS and IaaS environments.

4. Ç
BACKGROUND CHECK // BEN JOHNSON
Co-Founder and CTO, Obsidian Security
Co-founder and former CTO of Carbon Black, built the
first EDR product; Previously, NSA CNO and AI Lab
2000 20172010
Employment
Board Seats
1st Technical Advisor (Amicus Curiae) to US FISA Court

5. TODAY’S GOALS
• Spark contemplation
• Encourage more cloud-focused talks
(2019 papers on maturing threat programs only speak about endpoint and network!?)

6. AGENDA
• Cloud challenges
• Threatscape
• Threat Hunting & Incident Response
• Overview
• Cloud
• Tips & Take-aways
• Q & A

7. DISCLAIMERS
• For “Cloud,” I mean “other people’s computers,” which includes
both SaaS and IaaS.
• We are not here to discuss the benefits of cloud.
• You need more than an hour to learn this.

8. CLOUD SECURITY CHALLENGES

9. DEFENDER CHALLENGES
Skills Gap +
Deploy-and-Decay +
= LACK OF CYBER SELF-ESTEEM
Huge Data (more than big)
Attacker Successes +

10. THEN VS. NOW: EXPANDING UNIVERSE
EMAIL
WORD PROCESSOR
COMMUNICATION
CONTENT MANAGEMENT
INFORMATION TECHNOLOGY
SALES & MARKETING
FINANCE
HUMAN RESOURCES
SECURITY
Companies are picking a “cloud stack” of business services…the difference
being these new technologies are designed for connection.

11. CLOUDS TALK TO CLOUDS

12. WHO PROTECTS CLOUD? (HINT: YOU)

13. SAAS? STILL YOUR PROBLEM
The SaaS Provider handles all aspects except for
identity and access management, client devices
controls, and data accountability.
The Customer, therefore, must understand users,
devices & data related to that service.

14. THREATSCAPE

15. 2019 HEADLINES

16. BREACHES ARE ACCELERATING
2015
2016
2017
2014
2015
2016
2017
2014
2013
2012
2011
2010
2009
2008

17. LEAGUE OF ADVERSARIES
Cybercriminals
• Broad-based and
targeted
• Financially
motivated
• Getting more
sophisticated
Hactivists
• Targeted and
destructive
• Unpredictable
motivations
• Generally less
sophisticated
Nation-States
• Targeted and
multi-stage
• Motivated by data
collection
• Highly
sophisticated with
endless resources
Insiders
• Targeted and
destructive
• Unpredictable
motivations
• Sophistication varies

18. INFORMATION SECURITY AND THE CLOUD
“IT is going from 0 to 100 in the
cloud and leaving us in the dust”
- Fmr. CISO, Financial Tech Company
“We’re blind to all these new
SaaS accounts”
- Director, Cyber Intelligence,
Top Athletics Brand
“We have 300 AWS accounts
and no governance”
- Public Tech Company
“Hackers don’t break in, they login.” - Several CISOs
“50% of our IR Engagements
are Office 365.”
- Principal IR, Rapid7

19. THREAT HUNTING & INCIDENT RESPONSE

20. IS THE ENVIRONMENT HEALTHY?
The absence of disease does not mean health.

21. THREAT DETECTION
• Detection is HARD. It is never-ending.
• This leads us to supplement technology…

22. The inevitability of
Threat Hunting:
there’s always a gap
between automated
threat detection and the
universe of threats.
Universe of threats
Automated threat
detection processes
HUNTING: FILLING THE AUTOMATION GAP

23. HUNTING: IDEAL V.S. REALITY
Ideal Reality

24. CAN HUNTING BE FORMULAIC?
What’s the formula for threat hunting?
X FTE * Y tooling + Z buy-in = Threat Hunting?

25. HUNTING: START WITH VISIBILITY
Scanning
Continuous Recording
Continuous Recording + Intelligence
Continuous Recording + Intelligence + Prevalence
Continuous Recording + Intelligence + Prevalence + Relationships

26. Ç
HOW DO WE THREAT HUNT?
Search: X
xxxx
xxxx
xxxx
xxxx
xxxx
xxxx
NOT...
NOT Y
NOT Z
∴ X
yyyy
yyyy
yyyy
zzzz
zzzz
zzzz
zzzz
x yzy
yz
x
x
zz
z
y
y

27. Ç
HOW DO WE THREAT HUNT?
Raw
&
Unfiltered

28. EFFICIENT HUNTING (& TRIAGE): FAIL FAST
Move quickly with feedback
loops and validated learning.
Disprove hypotheses as fast as
possible!
Start
hunting
Successful
discovery
Fail intelligently

29. SO WHY HUNT?
1.To produce detection rules that can be
automated
2.To find evil that is not yet detected through
automated means
3.To understand risks and other problems that are
often only uncovered through human inspection

30. CLOUD HUNTING & IR

31. GETTING STARTED
• Do you do this on-premises?
• Do you have access to apps/environments?
• What are you hunting for?
• “Cloud hunting” is not mainstream

32. INTERNAL BUY-IN
• Find time! (and if necessary, approval)
• Get access to data
• UI Access?
• API/data access?
• Show results (to allow for further investment)

33. G SUITE
• Starting with the UI
• Need Reports access
• admin.google.com
• Go to Audit section

34. G SUITE // ADMIN
• Keep a close eye on Admin activity

35. G SUITE // LOGINS & USERS

36. G SUITE // ACCOUNT ACCESS (TOKENS, RECOVERY)
• OAuth Access
• Changing recovery
information?

37. OFFICE 365 // AUDITLOG
• Starting with the UI
• https://
protection.office.com/
unifiedauditlog
• A bit better than G Suite

38. OFFICE 365 // MAILBOX CHANGES

39. OFFICE 365 // FILTERING & EXPORT
• Better filtering and exporting than G Suite
• Aside from logins, look for mail forwarding rules,
delegations, permissions changes

40. SALESFORCE // LEAVES A LOT TO BE DESIRED
• If you want event log data, you have to pay extra $$
• API is not very “fun” to interact with

41. SALESFORCE // CLIENT BROWSERS

42. SALESFORCE // LOGINS, SETUP, & NETWORK ACCESS

43. AWS // ADVANCED MODE?
• AWS is a BEAST
• https://us-
west-1.console.aws.a
mazon.com/cloudtrail/
• AWS CLI tool allows for
easier access to data

44. AWS // CLOUDTRAIL & IAM
• Cloudtrail logs
give you ability to
hunt in large
volumes of data
• CreateBucket,
RunInstances,
ModifySnapshotAttribute

45. AWS // ACCESS CREEP?
DORMANT ACCOUNTS
MISMATCHED PERMISSIONS
238 days
181 days
87 days
79 days
22 days
17 days
9 days
8 days
20758 lines

46. OK, SO …

47. OFFICE 365
• Enable the Audit Log
• Get access (either to UI or data)
• Get familiar with data
• Pull logs into ELK or similar
• Know why you are doing this…

48. AWS
• Enable Cloudtrail (first trail free)
• Get access (either to UI or data)
• Get familiar with data
• Pull logs into ELK or similar
• Know why you are doing this…
(Do you see a trend here?)

51. TIPS & TAKE-AWAYS

52. REDUCE ENTROPY, REDUCE RISK (AND REDUCE NOISE)

53. HUNTING/
DETECTION
Hunting
TRIAGE INVESTIGATION CLEANUP
Discovery
Incident Response
THE DETECTION-RESPONSE SPECTRUM

54. HUNTING RUNBOOK
•Get data & logs!
•Filter out the common stuff
•Enrichment -> raw logs are often not the most useful
•IP locations, account resolutions, timestamp conversions
•Be ready to dive into what events “mean” (read API docs)
•Be ready to convert into IR if something is found
•Produce a deliverable — a new rule, a more automated
process, a weakness, etc.

55. HUNTING TIPS
•Pick a service or problem area you can dive into
•Carve out time! Cannot hunt on the run
•Partner with the application owner and get read access
•Have data already flowing (increase logging/auditing)
•Take a red-team mindset — find the weaknesses to start
•Eradicate and recover, creating new detection rules and
sharing the knowledge with the application owner

56. MORE TIPS
•Address the lack of visibility and disconnect between security and
cloud teams / application owners
•Don’t spread yourself thin, get good at something
•Write code, write code, write code
•Educate the IT/engineering staff and bear them fruit
•Never manually hunt the same thing twice: automate your work
•Hunting can quickly turn into IR, so be prepared for that
•Get the data into a better platform (enrichment, filtering)

57. HUNTING IDEAS
•Look for weaknesses because threats may be near
•Audit who has Administrator / privileged-access
•If you are focusing on external actors hunt for mailbox rules,
delegations, lots of outbound messages, new user additions,
permission grants, public S3 buckets, password resets for other
services after an unusual login
•If focusing on internal actors, hunt for records and file access,
privileged account usage, sharing files too broadly, OAuth apps

58. HUNTING IDEAS (CONT’D)
1. Are there password logins when they all should be SAML/SSO?
2. Are new admins (privileged users) being created?
3. Are user credentials being reset by application owner and
security is unaware?
4. Are users expanding your surface area through API keys, OAuth
tokens, etc?
5. Are service accounts being added?
6. Are mail, calendar delegation rules being implemented?
7. And of course suspicious logins … (but what is “suspicious”?)

59. THANK YOU
Q & A
Poll:
Please let us know if you would attend a follow-on deeper-dive
into any of the topics or specific apps/services.

60. LINKS
1.https://support.microsoft.com/en-us/help/4026501/office-auditing-in-office-365-for-admins
2.https://github.com/OfficeDev/O365-InvestigationTooling
3.https://github.com/kiamatthews/office365-management-api-elk
4.https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf
5.https://logz.io/blog/aws-cloudtrail-elk-stack/

61. Ç
GLENN CHISHOLM
BEN JOHNSON
MATT WOLFF
ben@obsidiansecurity.com
@chicagoben
@obsidiansec
slideshare.net/chicagoben
Thank You.