Threat Hunting and Incident Response in Azure Environments
This blog was originally published on Garland Technology's website.
Contributed by Vijit Nair from Corelight.
When cyber-attacks cross the network, capturing high-quality, relevant data from network traffic is essential for security operations. This is especially pertinent in cloud environments, where security teams have limited or no traffic visibility, leaving them blind to malicious activity. Without pervasive visibility into and deep insight from network traffic, threat hunting and incident response teams cannot be effective. Garland Technology recently spoke to Vijit Nair, Senior Director of Product at Corelight, to discuss the importance of threat hunting and how, with the right tools and direction, it’s more accessible than you might think.
1. How would you define the incident response process?
Incident response is the process by which organizations respond to an intrusion. Security teams must have clear plans and well-defined playbooks that help them move rapidly to respond to an incident and limit the damage. For this, they must be armed with high-fidelity data that allows them to triage alerts, dismiss false positives, escalate actual incidents and deep dive into an investigation.
2. Before we dive into specific cloud environments, let’s look at the bigger picture of security. Can you explain the difference between threat hunting and incident response?
Threat hunting is a hypothesis-driven activity, searching for threats that have gone undetected and are currently hiding in the network. Threat hunting typically starts with a hypothesis of potential issues in your network, and then you dive into the data to look for something interesting. Incident response comes into play when an intrusion detection system detects an issue and generates an alert, and is a reactive approach, whereas threat hunting is proactive. Threat hunting may trigger an incident response if something malicious is detected. Here is Corelight's Threat Hunting Guide organized around the MITRE ATT&CK framework.
3. The shift in cloud platforms like AWS, Google, and Azure has come with many security difficulties. When dealing with these cloud environments, what makes threat hunting so difficult?
In a cloud environment, the shared responsibility model limits visibility, while distributed cloud services and hybrid environments expand the attack surface. Automation and scale amplify misconfiguration, turning it into the single biggest threat to cloud security. Privileged Identity and Access Management (IAM) accounts for 70-80% of all data breaches. Enterprises migrating workloads into the cloud are responsible for the security of the applications, but don’t have the kind of visibility needed to secure them.
Threat hunting in the cloud environment requires comprehensive visibility, which is challenging in an IaaS (Infrastructure as a Service) environment. Security ops teams need to ensure that logging is configured (and stays configured) on every service, ingest log types from every service into their SIEM, navigate poorly designed schemas, and correlate across logs from different cloud environments.
4. How can security teams mitigate the difficulties of cloud risks?
Security teams must use network monitoring to complement application level visibility. With a bird’s-eye view of the cloud environment, organizations can shine the light on high value assets, privilege boundaries between multi-cloud environments, and other choke points. Network monitoring provides a judgement-free view of the environment and is cloud provider, application and services agnostic. Open source tools such as Zeek have long been established as the de facto standard for continuous network security monitoring with a schema that is purpose built for SOC teams. The extensibility of Zeek and its community-developed content allows you to easily enrich data with context and correlations.
5. Currently, each cloud platform has a different way of going about security. What about Azure environments makes security and threat hunting challenging?
A lack of application-level visibility and comprehensive logging is why organizations look to network monitoring for a normalized view of their environment. Packets don’t lie, and IT and security professionals need this level of visibility and access for their connected applications to detect security anomalies and analyze network performance. This visibility has been notably absent in Azure, leaving IT teams to examine small packet captures for individual hosts using outdated tools such as tcpdump and Microsoft Network Monitor, instead of a native solution.
6. How does packet-level visibility such as the Garland Prism vTAP expand the Corelight solution in cloud environments?
One major challenge that exists with the cloud is delivering packet-level data to tools. With data crossing public internet circuits, there is likely to be some degree of packet loss. Corelight requires visibility into all the traffic data traveling throughout the environment. That’s why we work with Garland, in this instance with Garland Prisms, to help drive accurate advanced packet data that Corelight sensors need to detect and respond to malicious data.
7. How can threat hunting teams use this visibility to secure their cloud environment?
A great place to start is the recently released MITRE ATT&CK Cloud Matrix for enterprises. This matrix covers the cloud-based TTPs that adversaries employ. Additionally, Corelight has put together a tool that identifies TTPs in the ATT&CK matrix where Corelight data can be used to discover and thwart attackers.
- T1020 – Automated Exfil: Data exfil from cloud storage is one of the most common sources of data breach experienced in the cloud. The ‘producer-consumer ratio’ package helps defenders identify the typical direction and volume of data transfer between two hosts and to determine when it changes.
- T1110 – Brute Force: IAM account compromise allows attackers to move through the cloud environment undetected, while wreaking havoc. Corelight’s data can help monitor password guessing or brute-forcing attacks over SSH. Even with encrypted traffic, Corelight relies on user behavior rather than content to glean irrecoverable insights from the traffic.
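As an added example that is not part of the original interview, and is neither Corelight's producer-consumer ratio package nor Zeek's bundled SSH brute-forcing policy script, the following Python reads constructed Zeek conn.log and ssh.log lines in Zeek's tab-separated ASCII format and computes the two signals named in the list above. For T1020 it builds a producer-consumer ratio per host pair (PCR = (bytes sent - bytes received) / (bytes sent + bytes received), so +1 is a pure uploader and -1 a pure downloader) and compares a current window against a baseline to catch the direction flip that bulk exfil from a storage endpoint produces. For T1110 it counts failed SSH authentications per source inside a sliding time window, which works on encrypted sessions because Zeek's ssh.log records the auth outcome from protocol behaviour, not payload. The trimmed field sets, the thresholds and the helper names are assumptions for this example.

```python
"""Hunting on Zeek logs: PCR shifts (T1020) and SSH brute-force bursts (T1110). All log lines are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek ASCII logs: the '#fields' line names the columns; other '#' lines are metadata."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"column count mismatch: {line!r}")
            rows.append(dict(zip(fields, values)))
    return rows


def _int(v: str) -> int:
    return 0 if v == "-" else int(v)  # '-' is Zeek's unset marker


def pcr(sent: int, received: int) -> float:
    """Producer-consumer ratio: +1 = host only uploads, -1 = host only downloads, 0 = balanced or idle."""
    total = sent + received
    return 0.0 if total == 0 else (sent - received) / total


def pcr_by_pair(conn_rows: List[Dict[str, str]]) -> Dict[Tuple[str, str], Tuple[float, int]]:
    """Sum orig/resp bytes per (orig_h, resp_h) and return {pair: (pcr, total_bytes)}."""
    sent: Dict[Tuple[str, str], int] = defaultdict(int)
    recv: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in conn_rows:
        key = (r["id.orig_h"], r["id.resp_h"])
        sent[key] += _int(r["orig_bytes"])
        recv[key] += _int(r["resp_bytes"])
    return {k: (pcr(sent[k], recv[k]), sent[k] + recv[k]) for k in sent}


def pcr_shifts(baseline, current, min_delta: float = 0.5, min_bytes: int = 1_000_000):
    """Pairs whose PCR moved toward 'producer' by >= min_delta while moving >= min_bytes.
    Both thresholds are assumptions for this example, not a vendor default."""
    flagged = []
    for key, (cur_pcr, cur_bytes) in current.items():
        base_pcr = baseline.get(key, (0.0, 0))[0]
        if cur_pcr - base_pcr >= min_delta and cur_bytes >= min_bytes:
            flagged.append((key, base_pcr, cur_pcr, cur_bytes))
    return flagged


def ssh_bruteforce(ssh_rows, threshold: int = 5, window: float = 300.0) -> Dict[str, int]:
    """Sources with >= threshold failed SSH auths inside any window-second span (sliding window)."""
    failures: Dict[str, List[float]] = defaultdict(list)
    for r in ssh_rows:
        if r["auth_success"] == "F":  # 'T' = succeeded, '-' = Zeek could not infer the outcome
            failures[r["id.orig_h"]].append(float(r["ts"]))
    hits: Dict[str, int] = {}
    for src, times in failures.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), hi - lo + 1)
    return hits


def _tsv(*cols) -> str:
    return "\t".join(str(c) for c in cols)


# Trimmed conn.log / ssh.log field sets (constructed for this example; real logs carry more columns).
CONN_HDR = _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                "proto", "service", "orig_bytes", "resp_bytes")
SSH_HDR = _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "auth_success", "auth_attempts")

# Baseline day: 10.0.1.5 mostly downloads from the storage endpoint 52.1.2.3 (a consumer).
BASELINE_CONN = "\n".join(["#separator \\x09", CONN_HDR,
    _tsv(1700000000.1, "Ca1", "10.0.1.5", 51000, "52.1.2.3", 443, "tcp", "ssl", 2000, 5000000),
    _tsv(1700000010.2, "Ca2", "10.0.1.6", 51001, "52.1.2.3", 443, "tcp", "ssl", 1000, 3000000)])
# Current day: the same pair flips direction and pushes 80 MB out; 10.0.1.6 is unchanged.
CURRENT_CONN = "\n".join(["#separator \\x09", CONN_HDR,
    _tsv(1700086400.3, "Cb1", "10.0.1.5", 51200, "52.1.2.3", 443, "tcp", "ssl", 80000000, 50000),
    _tsv(1700086410.4, "Cb2", "10.0.1.6", 51201, "52.1.2.3", 443, "tcp", "ssl", 1500, 4000000)])
# ssh.log: six failures from one source in 35 s, one fail-then-success, one undetermined outcome.
SSH_LOG = "\n".join(["#separator \\x09", SSH_HDR] +
    [_tsv(1700000000 + 7 * i, f"Cs{i}", "203.0.113.9", 40000 + i, "10.0.1.7", 22, "F", 3) for i in range(6)] +
    [_tsv(1700000100.0, "Cs9", "10.0.2.2", 40100, "10.0.1.7", 22, "F", 1),
     _tsv(1700000105.0, "Cs10", "10.0.2.2", 40101, "10.0.1.7", 22, "T", 1),
     _tsv(1700000110.0, "Cs11", "10.0.2.3", 40102, "10.0.1.7", 22, "-", "-")])


def run_example():
    """Returns (flagged PCR shifts, SSH brute-force hits) for the constructed logs."""
    shifts = pcr_shifts(pcr_by_pair(parse_zeek_tsv(BASELINE_CONN)),
                        pcr_by_pair(parse_zeek_tsv(CURRENT_CONN)))
    return shifts, ssh_bruteforce(parse_zeek_tsv(SSH_LOG))
```

Calling `run_example()` returns one PCR shift, for the pair 10.0.1.5 to 52.1.2.3, whose ratio moves from roughly -1.0 to roughly +1.0 over about 80 MB, and one brute-force hit for 203.0.113.9 with six failures in the window; the single failed login from 10.0.2.2 and the undetermined outcome from 10.0.2.3 are not flagged. Against production data the baseline would be a rolling window rather than a single day, and the byte floor keeps small, chatty pairs from dominating the list.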
8. With the consistent evolution of cloud environments and threat hunting, we obviously haven’t seen the end - what do you see as an emerging trend for cloud security?
Cloud adoption will continue unabated as enterprises accelerate their migration. Cloud services will become a lot more ubiquitous and distributed with adoption of microservices and serverless architectures. We expect cloud security challenges to grow at the same pace. Organizations will be forced to shift from a compliance / prevention centric mindset to establishing mature SOC teams capable of threat hunting & incident response to take on the emerging threats in cloud security.