A Threat Hunter’s Guide to Decoding the Cloud

The adage “keep your head out of the clouds” has run its course. With much of the world’s data now residing in the omnipresent cloud, many attackers are shifting their focus to this trove of information. As attackers shift, defenders must as well. With a new paradigm comes new concepts and vocabulary for technical operations, which may seem daunting to those of us still chained to the endpoint (and still feeling like we have much to learn about that, too).
With this “great migration” to the cloud, defenders must now apply threat hunting concepts to this new landscape. Threat hunting is the process of proactively searching an organization for malicious activity that evades existing security solutions. By looking for an attacker’s known tactics, techniques, and procedures (TTPs) throughout the environment, an organization may be able to find traces left behind.
For more guidance on the foundations of threat hunting itself, check out our white paper and service offerings on threat hunting to help bolster your team’s proactive capabilities.
What is the Cloud?
The cloud has a wide range of definitions, but put simply, it is an infrastructure owned by a cloud provider that allows for the storage, management, and processing of data over the Internet that can be leveraged by a variety of third parties.
When we refer to the cloud, we are typically referring to infrastructure running on the big three (3) cloud providers: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Each provider has advantages and disadvantages; however, you will find these providers offer many services that are equivalent in purpose.
To complicate things further, many organizations have begun to take a multi-cloud approach, leveraging multiple cloud providers for different purposes. According to Microsoft’s 2024 State of Multicloud Security Risk report, 86% of organizations have adopted multi-cloud practices. For instance, an organization may wish to deploy different workloads to both AWS and Azure to take advantage of different cost structures and discounts. So, they may use AWS EC2 instances for compute-heavy workloads, where they benefit from a reserved instance discount, and Azure Blob Storage for storing large datasets due to lower storage costs.
As more organizations invest in a variety of cloud-based storage and services, it becomes more important to be proactive about defending them.
Differences in the Threat Landscape
Endpoint vs. Cloud Services
One (1) of the biggest hurdles in understanding the cloud threat landscape is letting go of the endpoint. Cloud providers are made up of various services, each of which may be abused by an attacker either externally or via a compromised identity, to move throughout the cloud environment. This may include access to storage buckets or blobs, serverless compute functions, container clusters, etc., all within the environment of the remote cloud as opposed to an endpoint physically located on-premises.
The following summarizes the key differences that a threat hunter may face when conducting hunts in a cloud environment:
1. Scope and Visibility
On-Premises Endpoints
When threat hunting in an on-premises environment, hunters typically have physical access to the endpoint and its hardware. The hunter can access the endpoint machine itself and necessary telemetry such as local logs and network connections. This type of environment may give the hunter a more granular view of actions occurring on the endpoint.
Cloud Environments
In cloud environments, the threat hunter has no access to the physical hardware being used, nor any remote visibility into it. Depending on the configuration, many different customers share the same hardware so the provider can achieve economies of scale, and customers depend on the cloud provider for the security of that hardware under the Shared Responsibility Model. Therefore, the focus shifts to the telemetry that can be gained from the services the organization is running in the cloud.
2. Tools and Techniques
A threat hunter may leverage the following tools when threat hunting in the cloud versus on-premises (note that this list is not exhaustive).
On-Premises Endpoints
- Endpoint Detection & Response (EDR)
- Local forensics
- Endpoint network traffic analysis
- Security Information and Event Management (SIEM)
Cloud Environments
- Cloud Detection & Response (CDR)
- Cloud platform native security tools
- Cloud Security Posture Management (CSPM) tools
- Cloud network traffic analysis
- SIEM
3. Data Sources
On-Premises Endpoints
- Local logs such as system events, file activity, and user access
- Firewall logging
- Physical access to endpoint devices and local network traffic analysis (e.g., network taps or span ports)
- EDR logging
Cloud Environments
- Cloud service-specific logs such as AWS CloudTrail (which records IAM and other API activity), Azure Storage Analytics logs, or GCP Cloud Audit Logs
- Virtual Private Cloud (VPC) firewall logging
- CDR logging
4. Attack Surface
An attack surface refers to assets or platforms that an attacker could utilize to gain access to an organization. Threat hunters must take into consideration the difference in attack surfaces depending on the scope of the threat hunt. Understanding the attack surface helps us develop targeted threat hunts that have the maximum applicability to the environment.
On-Premises Endpoints
- The attack surface within on-premises endpoints is owned and maintained by the organization. Endpoints are physically reachable. Therefore, the attack surface is more concentrated and less abstract than a cloud environment.
- The attack surface is isolated to machines owned and maintained by the organization such as workstations and servers as well as the internal network or perimeter defenses.
Cloud Environments
- The attack surface within cloud environments is typically larger and more complicated due to the distributed nature of cloud resources and the idea of the Shared Responsibility Model.
- The attack surface may include insecure APIs, misconfigured cloud services, and privilege escalation through cloud native tools.
- There is greater concern on the exposure of assets (storage buckets, databases, APIs, etc.) and the configuration of access controls.
5. Attacker Goals
A notable difference between attackers of cloud environments and on-premises environments is their goal. With on-premises environments, defenders' main concern is preventing data exfiltration and encryption. The cloud environment presents defenders with a new concept: the need to protect resource utilization. One of the beauties of the cloud is near immediate access to an endless amount of compute resources. Unfortunately, attackers have little respect for resource utilization expenses and see their compromised environments as an unlimited treasure trove of compute power for attacks such as cryptomining.
Until recently, attacks against cloud environments were generally unsophisticated. However, as attackers have learned more about the cloud, many have begun to see the potential for more sophisticated attacks such as ransomware and/or data theft. The 2023 State of the Cloud Report from Wiz makes note of this shift, stating “Threat actors are becoming more proficient in attacking cloud environments,” specifically calling out threat group LAPSUS$ for their mature cloud lateral movement techniques.
Acknowledging these differences allows the hunter to more effectively conceptualize the possible TTPs an adversary could utilize within their environment.
Setting Up for Success – How Can We Hunt in the Cloud More Effectively?
Skill Expansion
Cybersecurity notoriously requires constant learning, but we can’t possibly learn everything about every cloud provider. Each provider has their own terminology, pricing systems, services, etc. While the cloud and its intricacies can seem intimidating, there are steps each threat hunter can take to tackle the cloud in a manageable manner.
A method that has helped me expand my threat hunting into the cloud during our consulting engagements has been to pick one (1) cloud provider as a learning focus. In my case, this was AWS. While cloud providers each have a different vocabulary, the concepts are mostly the same between these providers. For example, temporary storage in AWS is referred to as the Amazon EC2 instance store, whereas Azure refers to its equivalent as the VM temporary disk. Learning one (1) architecture helps greatly in carrying over knowledge to another if you are working in a multi-cloud environment or with consulting clients across different platforms.
Additionally, AWS, Azure, and GCP each host mountains of documentation on the intricacies of their service offerings. In my experience, it has been easier to find official documentation on cloud operations than many of Microsoft’s internal endpoint processes and operations.
Lastly, many of these cloud providers offer their own certifications. However, I would advise against beginning with a security-oriented certification—we want to start with the basics to understand the underlying technology of where we are attempting to hunt. In my experience, AWS boasts very fair costs for their certifications, including certifications at the foundational, associate, professional, and specialty levels. These certifications helped me immensely in understanding the underlying technology.
Understanding Architecture
Understanding your environment’s cloud attack surface allows the threat hunter to prioritize efforts into specific areas such as potential misconfigurations, insecure APIs, insufficient access controls, cloud storage, compute instances, etc., using their knowledge of how those things are set up within their environment.
Additionally, it is crucial to understand the Shared Responsibility Model and how it applies to your cloud infrastructure. Without this knowledge, a threat hunter is unaware of what assets/resources are their responsibility to protect and thus where their hunting should be targeted.
Next, threat hunters should understand the logging configuration of the cloud environment. Cloud platforms each provide their own logging types, which are different from the logs one would see from an on-premises environment. This ensures the hunter is not overlooking an available log source or is not looking for logging that ultimately has not been implemented.
Lastly, another important aspect of architecture the threat hunter should understand is how the cloud environment interacts with third-party integrations. Since these integrations can introduce vulnerabilities to the environment, the threat hunter should understand how these integrations are intended to interface with the environment, such as expected external connections or logins.
Adequate Data Sources
We don’t know what we don’t know! Having adequate data sources for threat hunting for malicious cloud activity is crucial. Not only that, but the hunter should understand what each log is intended for. This helps the hunter find the telemetry and ensure it is available. For example, since we know that AWS CloudTrail logs record API calls made to AWS (who called what, from which IP, and when), the threat hunter would want to ensure this log source is available to hunt for unauthorized API activity. In contrast, VPC Flow Logs capture metadata about IP traffic to and from network interfaces in your VPC (addresses, ports, byte counts, and whether the flow was accepted or rejected), but not packet contents. To conduct threat hunting surrounding cloud network communications, the threat hunter would want to ensure this logging is configured correctly and understand what it does and does not record.
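The two hunts described above, run over constructed log data, as an added example that is not part of the original post. It assumes the default VPC Flow Log record format and the standard CloudTrail field names (eventName, userIdentity.arn, sourceIPAddress); the account ID, network interface ID, principal ARNs, IP addresses, VPC CIDR and numeric thresholds are placeholders or hypothetical tuning values. It also covers the resource-abuse pattern from the Attacker Goals section, flagging a burst of RunInstances calls by a single principal.

```python
"""
Hunting over AWS CloudTrail records and VPC Flow Log lines.

Added example. All records below are constructed for illustration: the
account ID, ENI, ARNs and IP addresses are placeholders, and the
thresholds are hypothetical tuning values, not AWS defaults.
"""
import ipaddress
from collections import defaultdict

ALICE = "arn:aws:iam::123456789012:user/alice"

# Constructed CloudTrail records (only the fields the hunt uses).
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-05-01T08:00:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
    {"eventTime": "2024-05-01T08:03:42Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
    {"eventTime": "2024-05-01T08:05:09Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}},
] + [
    {"eventTime": f"2024-05-01T08:1{i}:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": ALICE}}
    for i in range(6)
] + [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/monitor"}},
]

# API calls that blind the audit trail itself (CloudTrail tampering).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# API calls that mint new long-lived credentials (a common persistence step).
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile"}


def hunt_cloudtrail(records, run_instances_threshold=5):
    """Return (category, principal ARN, detail) tuples for suspicious API activity."""
    findings = []
    launches = defaultdict(int)          # principal ARN -> RunInstances count
    for rec in records:
        name = rec.get("eventName", "")
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if name in TRAIL_TAMPERING:
            findings.append(("trail_tampering", actor,
                             f"{name} from {rec.get('sourceIPAddress')}"))
        elif name in CREDENTIAL_EVENTS:
            findings.append(("new_credential", actor, name))
        elif name == "RunInstances":
            launches[actor] += 1
    # A burst of launches by one principal is the compute-abuse (e.g. cryptomining) pattern.
    for actor, count in launches.items():
        if count >= run_instances_threshold:
            findings.append(("compute_burst", actor, f"RunInstances x{count}"))
    return findings


# Default VPC Flow Log record format (version 2), space separated.
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]
FLOW_INTS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed flow log lines: a large accepted egress flow, a rejected inbound
# SSH probe, ordinary intra-VPC traffic, and a NODATA line whose fields are "-".
VPC_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.10 49152 443 6 9000 4200000 1714550400 1714551000 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51000 22 6 3 180 1714550400 1714550460 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 40001 5432 6 120 9600 1714550400 1714550460 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1714550460 1714550520 - NODATA
"""


def parse_flow_log(text):
    """Yield flow records as dicts, skipping NODATA/SKIPDATA lines that carry no fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":      # "-" placeholders would break int() below
            continue
        for key in FLOW_INTS:
            rec[key] = int(rec[key])
        yield rec


def hunt_flow_logs(text, vpc_cidr="10.0.0.0/16", egress_bytes_threshold=1_000_000):
    """Flag large accepted flows leaving the VPC and rejected inbound admin-port probes."""
    vpc = ipaddress.ip_network(vpc_cidr)   # hypothetical VPC range; supply your own
    findings = []
    for rec in parse_flow_log(text):
        src_internal = ipaddress.ip_address(rec["srcaddr"]) in vpc
        dst_internal = ipaddress.ip_address(rec["dstaddr"]) in vpc
        if (rec["action"] == "ACCEPT" and src_internal and not dst_internal
                and rec["bytes"] >= egress_bytes_threshold):
            findings.append(("large_egress", rec["srcaddr"], rec["dstaddr"], rec["bytes"]))
        if rec["action"] == "REJECT" and not src_internal and rec["dstport"] in (22, 3389):
            findings.append(("admin_port_probe", rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return findings


if __name__ == "__main__":
    for finding in hunt_cloudtrail(CLOUDTRAIL_RECORDS) + hunt_flow_logs(VPC_FLOW_LOG):
        print(finding)
```

The CloudTrail hunt keys on eventName rather than eventSource so a single list covers both IAM and CloudTrail-management calls, and the flow log parser checks log_status before converting numeric fields, since NODATA and SKIPDATA records replace every address and counter with "-". The VPC CIDR is passed in explicitly instead of relying on ipaddress.is_private, which treats documentation ranges like 203.0.113.0/24 as non-global and would hide the egress finding in the sample.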
Quality Intelligence
Not all intelligence sources were created equal, especially when it comes to the cloud. When I first began researching the cloud several years ago, it was quite difficult to find a technical intelligence report regarding cloud topics. Many were missing important details that would push a threat hunter forward, particularly real-world examples. Without technical breakdowns of real-world incidents, threat hunters are left guessing to evaluate the relevancy, feasibility, and resulting telemetry of a hunt they may have in mind.
With time and an increased focus on the cloud, the community has seen the need for these use cases to be published. The most helpful resource I've found for topical, actionable, and technical intelligence reports regarding the cloud is Wiz’s Cloud Threat Landscape Intelligence Database. This is an open-source database of cloud incidents and reports from organizations around the world, not just from Wiz. While some reports are better than others, Wiz does an amazing job of curating this database.
Helpful Community Resources
Linked below are several community driven resources that I have found most helpful as a threat hunter and incident responder.
Cloud Threat Landscape Intelligence Database by Wiz