SaaS and IaaS are new frontiers for a lot of security teams. We'll explore some thoughts on how you might approach these areas of your environment from a hunting or IR perspective. This was from a SANS webinar on 2019-09-25.
Threat Hunting, Detection, and Incident Response in the Cloud
1. SEP 25, 2019 | BEN JOHNSON, CTO & CO-FOUNDER
SANS WEBCAST
THREAT HUNTING IN THE CLOUD:
TIME FOR A POWER-UP?
3. ABSTRACT
Threat hunting is an important weapon in the arsenal of proactive enterprise
security. With the shift to the cloud, however, the threat landscape is rapidly
evolving. Faced with automated attacks, multiple perimeters to defend, and
a growing mobile workforce, threat hunters need to reassess the mission.
What is the surface area they need to protect? When does threat hunting
stop and incident response start? And what's the difference between threat
hunting and detection? In this session, we will discuss these topics and
provide guidance for becoming more effective at detection and response in
SaaS and IaaS environments.
4. BACKGROUND CHECK // BEN JOHNSON
Co-Founder and CTO, Obsidian Security
Co-founder and former CTO of Carbon Black, built the first EDR product; previously, NSA CNO and AI Lab
(Timeline figure: employment and board seats, 2000-2017)
1st Technical Advisor (Amicus Curiae) to US FISA Court
5. TODAY’S GOALS
• Spark contemplation
• Encourage more cloud-focused talks
(2019 papers on maturing threat programs only speak about endpoint and network!?)
7. DISCLAIMERS
• For “Cloud,” I mean “other people’s computers,” which includes
both SaaS and IaaS.
• We are not here to discuss the benefits of cloud.
• You need more than an hour to learn this.
9. DEFENDER CHALLENGES
Skills Gap + Deploy-and-Decay + Huge Data (more than big) + Attacker Successes = LACK OF CYBER SELF-ESTEEM
10. THEN VS. NOW: EXPANDING UNIVERSE
EMAIL
WORD PROCESSOR
COMMUNICATION
CONTENT MANAGEMENT
INFORMATION TECHNOLOGY
SALES & MARKETING
FINANCE
HUMAN RESOURCES
SECURITY
Companies are picking a “cloud stack” of business services…the difference
being these new technologies are designed for connection.
13. SAAS? STILL YOUR PROBLEM
The SaaS Provider handles all aspects except for
identity and access management, client devices
controls, and data accountability.
The Customer, therefore, must understand users,
devices & data related to that service.
17. LEAGUE OF ADVERSARIES
Cybercriminals
• Broad-based and targeted
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage
• Motivated by data collection
• Highly sophisticated with endless resources
Insiders
• Targeted and destructive
• Unpredictable motivations
• Sophistication varies
18. INFORMATION SECURITY AND THE CLOUD
“IT is going from 0 to 100 in the
cloud and leaving us in the dust”
- Fmr. CISO, Financial Tech Company
“We’re blind to all these new
SaaS accounts”
- Director, Cyber Intelligence,
Top Athletics Brand
“We have 300 AWS accounts
and no governance”
- Public Tech Company
“Hackers don’t break in, they login.” - Several CISOs
“50% of our IR Engagements
are Office 365.”
- Principal IR, Rapid7
22. HUNTING: FILLING THE AUTOMATION GAP
The inevitability of Threat Hunting: there's always a gap between automated threat detection and the universe of threats.
(Diagram: the universe of threats, only partly covered by automated threat detection processes)
28. EFFICIENT HUNTING (& TRIAGE): FAIL FAST
Move quickly with feedback loops and validated learning. Disprove hypotheses as fast as possible!
(Loop diagram: start hunting; successful discovery; fail intelligently)
29. SO WHY HUNT?
1. To produce detection rules that can be automated
2. To find evil that is not yet detected through automated means
3. To understand risks and other problems that are often only uncovered through human inspection
31. GETTING STARTED
• Do you do this on-premises?
• Do you have access to apps/environments?
• What are you hunting for?
• “Cloud hunting” is not mainstream
32. INTERNAL BUY-IN
• Find time! (and if necessary, approval)
• Get access to data
• UI Access?
• API/data access?
• Show results (to allow for further investment)
33. G SUITE
• Starting with the UI
• Need Reports access
• admin.google.com
• Go to Audit section
34. G SUITE // ADMIN
• Keep a close eye on Admin activity
39. OFFICE 365 // FILTERING & EXPORT
• Better filtering and exporting than G Suite
• Aside from logins, look for mail forwarding rules,
delegations, permissions changes
40. SALESFORCE // LEAVES A LOT TO BE DESIRED
• If you want event log data, you have to pay extra $$
• API is not very “fun” to interact with
47. OFFICE 365
• Enable the Audit Log
• Get access (either to UI or data)
• Get familiar with data
• Pull logs into ELK or similar
• Know why you are doing this…
48. AWS
• Enable CloudTrail (first trail free)
• Get access (either to UI or data)
• Get familiar with data
• Pull logs into ELK or similar
• Know why you are doing this…
(Do you see a trend here?)
54. HUNTING RUNBOOK
• Get data & logs!
• Filter out the common stuff
• Enrichment -> raw logs are often not the most useful
• IP locations, account resolutions, timestamp conversions
• Be ready to dive into what events “mean” (read API docs)
• Be ready to convert into IR if something is found
• Produce a deliverable — a new rule, a more automated process, a weakness, etc.
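A worked example of the runbook's "filter out the common stuff" and "enrichment" steps, added here and not part of the original deck: the Python below takes constructed CloudTrail-style records, drops read-only API calls and calls made by AWS services on your behalf, and enriches what remains with a converted timestamp, an off-hours flag, a resolved account name and a source-IP location. The account map and the IP table are constructed stand-ins for a CMDB and a GeoIP database; the record values are made up and follow only the general CloudTrail field layout.

```python
"""Added example: filter and enrich CloudTrail-style events for hunting.

The records, account map and IP table below are constructed for this
example; they are not from the deck or from any real environment.
"""
import json
import ipaddress
from datetime import datetime, timezone

# Constructed sample: the field names follow the CloudTrail record format,
# but every value here is made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2019-09-25T14:03:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.20.30.40", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/monitoring/i-0abc"}},
    {"eventTime": "2019-09-25T14:05:42Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.77", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/jdoe", "userName": "jdoe"},
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2019-09-26T02:17:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.9", "readOnly": False,
     "userIdentity": {"type": "Root", "accountId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:root"}},
    {"eventTime": "2019-09-26T02:18:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "PutEvaluations", "awsRegion": "eu-west-1",
     "sourceIPAddress": "config.amazonaws.com", "readOnly": False,
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}},
]})

# Constructed lookup tables standing in for a CMDB and a GeoIP/asset database.
ACCOUNT_NAMES = {"111111111111": "prod-payments", "222222222222": "sandbox-ml"}
IP_LOCATIONS = [
    (ipaddress.ip_network("10.0.0.0/8"), "corp-internal"),
    (ipaddress.ip_network("203.0.113.0/24"), "office-vpn-egress"),
]

NOISY_EVENT_PREFIXES = ("Describe", "List", "Get")


def is_noise(rec):
    """The high-volume, low-value events a hunter filters out first:
    read-only API calls and calls made by AWS services on your behalf."""
    if rec.get("readOnly") or rec["eventName"].startswith(NOISY_EVENT_PREFIXES):
        return True
    return rec["userIdentity"].get("type") == "AWSService"


def locate_ip(addr):
    """Map a source address to a location label from the constructed table."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "aws-service"  # CloudTrail puts a service DNS name here for service calls
    for net, label in IP_LOCATIONS:
        if ip in net:
            return label
    return "external/unknown"


def enrich(rec):
    """Turn a raw record into the fields a hunter actually reads."""
    ident = rec["userIdentity"]
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # "user/jdoe" -> "jdoe", "root" -> "root", "assumed-role/x/session" -> "session"
    principal = ident.get("userName") or ident.get("arn", "?").rsplit(":", 1)[-1].rsplit("/", 1)[-1]
    return {
        "time_utc": ts,
        "epoch": int(ts.timestamp()),
        "weekday": ts.strftime("%a"),
        "off_hours": ts.hour < 6 or ts.hour >= 20,  # crude first cut; tune to the business
        "account": ACCOUNT_NAMES.get(ident.get("accountId"), ident.get("accountId", "?")),
        "principal": principal,
        "principal_type": ident.get("type"),
        "action": f'{rec["eventSource"].split(".")[0]}:{rec["eventName"]}',
        "region": rec["awsRegion"],
        "src_ip": rec["sourceIPAddress"],
        "src_location": locate_ip(rec["sourceIPAddress"]),
    }


def hunt_feed(raw_json):
    """Parse a CloudTrail file, drop noise, enrich what is left."""
    records = json.loads(raw_json)["Records"]
    return [enrich(r) for r in records if not is_noise(r)]


if __name__ == "__main__":
    for row in hunt_feed(SAMPLE_CLOUDTRAIL):
        print(row["time_utc"], row["account"], row["principal_type"], row["principal"],
              row["action"], row["src_location"], "OFF-HOURS" if row["off_hours"] else "")
```

Of the four constructed records, only the policy attachment and the root-account ACL change survive the noise filter, and the enrichment is what makes them readable at a glance: a named account instead of a twelve-digit id, a VPN egress label instead of a bare IP, and an off-hours flag on the root activity.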
55. HUNTING TIPS
• Pick a service or problem area you can dive into
• Carve out time! Cannot hunt on the run
• Partner with the application owner and get read access
• Have data already flowing (increase logging/auditing)
• Take a red-team mindset — find the weaknesses to start
• Eradicate and recover, creating new detection rules and sharing the knowledge with the application owner
56. MORE TIPS
• Address the lack of visibility and disconnect between security and cloud teams / application owners
• Don’t spread yourself thin, get good at something
• Write code, write code, write code
• Educate the IT/engineering staff and bear them fruit
• Never manually hunt the same thing twice: automate your work
• Hunting can quickly turn into IR, so be prepared for that
• Get the data into a better platform (enrichment, filtering)
57. HUNTING IDEAS
• Look for weaknesses because threats may be near
• Audit who has Administrator / privileged access
• If you are focusing on external actors, hunt for mailbox rules, delegations, lots of outbound messages, new user additions, permission grants, public S3 buckets, password resets for other services after an unusual login
• If focusing on internal actors, hunt for records and file access, privileged account usage, sharing files too broadly, OAuth apps
58. HUNTING IDEAS (CONT’D)
1. Are there password logins when they all should be SAML/SSO?
2. Are new admins (privileged users) being created?
3. Are user credentials being reset by the application owner without
security being aware?
4. Are users expanding your surface area through API keys, OAuth
tokens, etc?
5. Are service accounts being added?
6. Are mail, calendar delegation rules being implemented?
7. And of course suspicious logins … (but what is “suspicious”?)
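An added example, not from the deck, that turns the Office 365 items above (slide 39: mail forwarding rules, delegations, permission changes; slide 58: new admins and password logins where everything should be SAML/SSO) into rules run over constructed Unified Audit Log-shaped records. The field names (Operation, Workload, UserId, Parameters, ModifiedProperties, ExtendedProperties) follow the general layout of that log, but every value is made up, and the set of "expected SSO" RequestType values is an assumption you would replace with your own tenant's known-good baseline; the point of slide 58's item 7 is exactly that "suspicious" has to be defined from your own data.

```python
"""Added example: hunting rules over Office 365 Unified Audit Log records.

The records below are constructed to follow the general shape of the
Unified Audit Log; every value is made up and is not from the deck.
"""

SAMPLE_UAL = [
    {"CreationTime": "2019-09-25T08:12:01", "Workload": "Exchange", "UserId": "alice@example.com",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "archive"},
                    {"Name": "ForwardTo", "Value": "ext-drop@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-09-25T08:14:40", "Workload": "Exchange", "UserId": "admin@example.com",
     "Operation": "Add-MailboxPermission", "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.com"},
                    {"Name": "User", "Value": "svc-helpdesk@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2019-09-25T09:02:13", "Workload": "AzureActiveDirectory",
     "UserId": "admin@example.com", "Operation": "Add member to role.",
     "ObjectId": "bob@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
    {"CreationTime": "2019-09-25T09:30:00", "Workload": "AzureActiveDirectory",
     "UserId": "carol@example.com", "Operation": "UserLoggedIn", "ClientIP": "192.0.2.88",
     "ResultStatus": "Succeeded",
     "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:login"}]},
    {"CreationTime": "2019-09-25T09:31:00", "Workload": "AzureActiveDirectory",
     "UserId": "carol@example.com", "Operation": "UserLoggedIn", "ClientIP": "192.0.2.88",
     "ResultStatus": "Succeeded",
     "ExtendedProperties": [{"Name": "RequestType", "Value": "SAS:ProcessAuth"}]},
    {"CreationTime": "2019-09-25T10:00:00", "Workload": "Exchange", "UserId": "alice@example.com",
     "Operation": "Set-Mailbox", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "alice@example.com"},
                    {"Name": "RetentionPolicy", "Value": "Default"}]},
]

# Parameters that make a rule or mailbox send mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Assumption for this example: the RequestType values a federated (SAML/SSO)
# login produces in *your* tenant. Build this set from a known-good baseline;
# the value here is constructed.
EXPECTED_SSO_REQUEST_TYPES = {"SAS:ProcessAuth"}


def kv(rec, key):
    """Flatten a UAL name/value list (Parameters, ExtendedProperties,
    ModifiedProperties) into a dict so rules can read it by name."""
    out = {}
    for item in rec.get(key, []):
        out[item["Name"]] = item.get("Value", item.get("NewValue"))
    return out


def rule_mail_forwarding(rec):
    """Slide 39: mail forwarding rules (any Exchange cmdlet that sets a forward)."""
    if rec.get("Workload") != "Exchange":
        return None
    hits = FORWARDING_PARAMS & set(kv(rec, "Parameters"))
    if hits:
        return f"mail forwarding via {rec['Operation']} ({', '.join(sorted(hits))})"
    return None


def rule_mailbox_delegation(rec):
    """Slide 39: delegations (one account granted rights on another mailbox)."""
    if rec.get("Operation") == "Add-MailboxPermission":
        p = kv(rec, "Parameters")
        return f"{p.get('User')} granted {p.get('AccessRights')} on {p.get('Identity')}"
    return None


def rule_new_admin(rec):
    """Slide 58, item 2: new privileged users."""
    if rec.get("Operation") == "Add member to role.":
        role = kv(rec, "ModifiedProperties").get("Role.DisplayName", "")
        if "Administrator" in role:
            return f"{rec.get('ObjectId')} added to {role}"
    return None


def rule_non_sso_login(rec):
    """Slide 58, item 1: a successful login that did not come through SSO."""
    if rec.get("Operation") == "UserLoggedIn" and rec.get("ResultStatus") == "Succeeded":
        rt = kv(rec, "ExtendedProperties").get("RequestType")
        if rt not in EXPECTED_SSO_REQUEST_TYPES:
            return f"non-SSO login (RequestType={rt}) from {rec.get('ClientIP')}"
    return None


RULES = [rule_mail_forwarding, rule_mailbox_delegation, rule_new_admin, rule_non_sso_login]


def hunt(records):
    """Run every rule over every record; each hit names the rule so a
    successful hunt can be promoted into an automated detection."""
    findings = []
    for rec in records:
        for rule in RULES:
            why = rule(rec)
            if why:
                findings.append({"time": rec["CreationTime"], "actor": rec.get("UserId"),
                                 "rule": rule.__name__, "detail": why})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_UAL):
        print(f"{f['time']} {f['rule']:<24} {f['actor']:<20} {f['detail']}")
```

Each rule is a small function with a one-line reason string, which is the deliverable slide 54 asks for: once a hunt confirms the rule is useful, the same function can be dropped into whatever platform the logs land in (ELK or similar) and run on every new record instead of being hunted by hand a second time.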
59. THANK YOU
Q & A
Poll:
Please let us know if you would attend a follow-on deeper-dive
into any of the topics or specific apps/services.