Implement a vendor-neutral and multi-cloud cybersecurity and risk mitigation framework with advice from seasoned threat hunting pros.

In Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, celebrated cybersecurity professionals and authors Chris Peiris, Binil Pillai, and Abbas Kudrati leverage their decades of experience building large-scale cyber fusion centers to deliver the ideal threat hunting resource for both business and technical audiences. You'll find insightful analyses of cloud platform security tools and, using the industry-leading MITRE ATT&CK framework, discussions of the most common threat vectors. You'll discover how to build a side-by-side cybersecurity fusion center on both Microsoft Azure and Amazon Web Services and deliver a multi-cloud strategy for enterprise customers. And you will find out how to create a vendor-neutral environment with rapid disaster recovery capability for maximum risk mitigation.

With this book you'll learn:
* Key business and technical drivers of cybersecurity threat hunting frameworks in today's technological environment
* Metrics available to assess threat hunting effectiveness regardless of an organization's size
* How threat hunting works with vendor-specific single cloud security offerings and on multi-cloud implementations
* A detailed analysis of key threat vectors such as email phishing, ransomware and nation state attacks
* Comprehensive AWS and Azure "how to" solutions through the lens of MITRE Threat Hunting Framework Tactics, Techniques and Procedures (TTPs)
* Azure and AWS risk mitigation strategies to combat key TTPs such as privilege escalation, credential theft and lateral movement, defend against command & control systems, and prevent data exfiltration
* Tools available on both the Azure and AWS cloud platforms which provide automated responses to attacks, and orchestrate preventative measures and recovery strategies
* Many critical components for successful adoption of a multi-cloud threat hunting framework, such as the Threat Hunting Maturity Model, Zero Trust Computing, Human Elements of Threat Hunting, and Integration of Threat Hunting with Security Operation Centers (SOCs) and Cyber Fusion Centers
* The Future of Threat Hunting with the advances in Artificial Intelligence, Machine Learning, Quantum Computing and the proliferation of IoT devices

Perfect for technical executives (i.e., CTO, CISO), technical managers, architects, system admins and consultants with hands-on responsibility for cloud platforms, Threat Hunting in the Cloud is also an indispensable guide for business executives (i.e., CFO, COO, CEO, board members) and managers who need to understand their organization's cybersecurity risk framework and mitigation strategy.
Page count: 681
Publication year: 2021
Cover
Title Page
Foreword
Introduction
What Does This Book Cover?
Additional Resources
How to Contact the Publisher
Part I: Threat Hunting Frameworks
CHAPTER 1: Introduction to Threat Hunting
The Rise of Cybercrime
What Is Threat Hunting?
The Key Cyberthreats and Threat Actors
The Necessity of Threat Hunting
Threat Modeling
Threat-Hunting Maturity Model
Human Elements of Threat Hunting
Summary
CHAPTER 2: Modern Approach to Multi-Cloud Threat Hunting
Multi-Cloud Threat Hunting
Building Blocks for the Security Operations Center
Cyberthreat Detection, Threat Modeling, and the Need for Proactive Threat Hunting Within SOC
Cyber Resiliency and Organizational Culture
Skillsets Required for Threat Hunting
Threat-Hunting Process and Procedures
Metrics for Assessing the Effectiveness of Threat Hunting
Threat-Hunting Program Effectiveness
Summary
CHAPTER 3: Exploration of MITRE Key Attack Vectors
Understanding MITRE ATT&CK
Threat Hunting Using Five Common Tactics
Other Methodologies and Key Threat-Hunting Tools to Combat Attack Vectors
Analysis Tools
Summary
Part II: Hunting in Microsoft Azure
CHAPTER 4: Microsoft Azure Cloud Threat Prevention Framework
Introduction to Microsoft Security
Understanding the Shared Responsibility Model
Microsoft Services for Cloud Security Posture Management and Logging/Monitoring
Using Microsoft Secure and Protect Features
Microsoft Detect Services
Detecting “Privilege Escalation” TTPs
Detecting Credential Access
Detecting Lateral Movement
Detecting Command and Control
Detecting Data Exfiltration
Microsoft Investigate, Response, and Recover Features
Using Machine Learning and Artificial Intelligence in Threat Response
Summary
CHAPTER 5: Microsoft Cybersecurity Reference Architecture and Capability Map
Introduction
Microsoft Security Architecture versus the NIST Cybersecurity Framework (CSF)
Microsoft Security Architecture
Using the Microsoft Reference Architecture
Understanding the Security Operations Solutions
Understanding the People Security Solutions
Summary
Part III: Hunting in AWS
CHAPTER 6: AWS Cloud Threat Prevention Framework
Introduction to AWS Well-Architected Framework
AWS Services for Monitoring, Logging, and Alerting
AWS Protect Features
AWS Detection Features
How Do You Detect Privilege Escalation?
How Do You Detect Credential Access?
How Do You Detect Lateral Movement?
How Do You Detect Command and Control?
How Do You Detect Data Exfiltration?
How Do You Handle Response and Recover?
Summary
References
CHAPTER 7: AWS Reference Architecture
AWS Security Framework Overview
AWS Reference Architecture
Summary
Part IV: The Future
CHAPTER 8: Threat Hunting in Other Cloud Providers
The Google Cloud Platform
The IBM Cloud
Oracle Cloud Infrastructure Security
The Alibaba Cloud
Summary
References
CHAPTER 9: The Future of Threat Hunting
Summary
References
Part V: Appendices
APPENDIX A: MITRE ATT&CK Tactics
APPENDIX B: Privilege Escalation
APPENDIX C: Credential Access
APPENDIX D: Lateral Movement
APPENDIX E: Command and Control
APPENDIX F: Data Exfiltration
APPENDIX G: MITRE Cloud Matrix
Initial Access
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Data Exfiltration
Impact
APPENDIX H: Glossary
Index
Copyright
Dedication
About the Authors
About the Technical Editors
Acknowledgments
End User License Agreement
Chapter 2
Table 2.1: Comparing SIEM, SOC, and Threat Hunting
Table 2.2: Example of Threat-Hunting Metrics
Chapter 6
Table 6.1: Options for Automated Responses
Chapter 1
Figure 1.1: Phishing lifecycle implemented by cybercriminals
Figure 1.2: Global ransomware damage costs
Figure 1.3: Ransomware tactics and lifecycle
Figure 1.4: Industry breakdown of nation state attacks
Figure 1.5: Nation state attack adversaries list
Figure 1.6: Breakdown of major nation state actors
Figure 1.7: Components of threat modeling
Figure 1.8: Microsoft Security Development Lifecycle
Figure 1.9: MITRE ATT&CK framework
Figure 1.10: Threat Hunting Maturity Model
Figure 1.11: Organizations show their willingness to implement human-led thr...
Chapter 2
Figure 2.1: Flexera's state of the cloud report
Figure 2.2: Simplified multi-cloud environment
Figure 2.3: Elements of a modern SOC
Figure 2.4: SOC tooling
Figure 2.5: SOC teams reference model
Figure 2.6: SOC reference architecture
Figure 2.7: SOC using a three-tier approach: Tier 1 addresses high-speed rem...
Figure 2.8: Cyber resilience is the ability to prepare for, respond to, and ...
Figure 2.9: Threat-hunting data collection steps
Figure 2.10: Threat hunting components
Chapter 3
Figure 3.1: Enterprise ATT&CK matrix with sub-techniques
Figure 3.2: The Initial Access tactic, found on the ATT&CK Framework
Figure 3.3: Tactics and techniques representing the MITRE ATT&CK...
Figure 3.4: PARINACOTA attack with multiple lateral movement methods
Figure 3.5: Zero Trust is a security methodology with several aspects.
Figure 3.6: Control number filters
Figure 3.7: Microsoft Azure Sentinel
Figure 3.8: Azure Sentinel Data Connectors
Figure 3.9: Azure Sentinel Workbooks
Figure 3.10: Azure Sentinel Incidents
Figure 3.11: Security Orchestration Playbook
Figure 3.12: Interactive Graph for Investigation
Figure 3.13: Azure Sentinel's hunting tools
Figure 3.14: Azure Sentinel Community
Figure 3.15: Amazon CloudWatch
Figure 3.16: The Amazon Athena service
Chapter 4
Figure 4.1: Microsoft's end-to-end integrated security features
Figure 4.2: Shared responsibility on the cloud
Figure 4.3: Azure Security Center vs. Azure Sentinel
Figure 4.4: Azure Security Center overview
Figure 4.5: The ASC overview dashboard
Figure 4.6: The Azure Defender dashboard
Figure 4.7: Azure Defender plans
Figure 4.8: Azure Sentinel Overview
Figure 4.9: Azure Sentinel search
Figure 4.10: Add Sentinel to a workspace
Figure 4.11: Data Connectors
Figure 4.12: Built-in Analytics rule
Figure 4.13: Threat kill chain protection with M365
Figure 4.14: Microsoft Security and Prevention Services with Azure
Figure 4.15: WAF policy window
Figure 4.16: Create WAF Policy
Figure 4.17: Create WAF Rule Set
Figure 4.18: Custom Rule Configuration page
Figure 4.19: Create an anti-phishing policy
Figure 4.20: Set the phishing threshold and other settings
Figure 4.21: Microsoft Defender for Endpoint services
Figure 4.22: Microsoft Defender for Endpoint console
Figure 4.23: Azure AD Conditional Access
Figure 4.24: Azure Conditional Access
Figure 4.25: Set Conditional Access in Azure AD
Figure 4.26: Grant permission on Authenticator App when prompted to share yo...
Figure 4.27: Grant permission prompt on your authenticator app
Figure 4.28: Microsoft Detect Services
Figure 4.29: Security Center service in Azure Portal
Figure 4.30: Security Alert and Filter in ASC
Figure 4.31: View Full details option in ASC
Figure 4.32: Detail Security Alert
Figure 4.33: Azure Sentinel Service
Figure 4.34: Azure Sentinel Hunting feature
Figure 4.35: Identity Protection policies examples
Figure 4.36: Policy Dashboard in Identity Protection
Figure 4.37: User risk policy
Figure 4.38: Sign in Risk Policy example
Figure 4.39: Checking Credential Access alert in ASC
Figure 4.40: Hunting Credential Access Tactics Query in Azure Sentinel
Figure 4.41: Just-in-time option in Azure Defender
Figure 4.42: Port configuration options
Figure 4.43: Edit JIT option
Figure 4.44: Request access window on ASC
Figure 4.45: Download the activity log
Figure 4.46: Selecting and detecting Lateral Movement alerts in ASC
Figure 4.47: Hunting Lateral Movement in Azure Sentinel
Figure 4.48: Checking Command and Control Alert in ASC
Figure 4.49: Hunting Command & Control Tactic in Azure Sentinel
Figure 4.50: Microsoft Cloud App Security (MCAS) dashboard
Figure 4.51: Add Network scan job example in Azure Information Protection
Figure 4.52: Scan job status in AIP
Figure 4.53: Azure Information Protection Repositories
Figure 4.54: Assign to content scan job option in AIP
Figure 4.55: Network Content Scan result window
Figure 4.56: Checking Data Exfiltration Alert in ASC
Figure 4.57: Hunting Data Exfiltration tactic in Azure Sentinel
Figure 4.58: Microsoft 365 Security Advanced Hunting option
Figure 4.59: Microsoft Investigate and Respond services
Figure 4.60: Review and approve pending actions in Action Center
Figure 4.61: Review and approve pending actions in Action Center
Figure 4.62: Microsoft Threat Experts
Figure 4.63: Microsoft Threat Expert Application Window
Figure 4.64: Microsoft Threat Expert Application Confirmation
Figure 4.65: Consult a Threat Expert option under support menu
Figure 4.66: Devices action page in Microsoft Defender for Endpoint
Figure 4.67: A left page action menu on Microsoft Defender for Endpoint
Figure 4.68: A left page action menu on Microsoft Defender for Endpoint
Figure 4.69: MTE screen
Figure 4.70: Consult a threat expert page
Figure 4.71: Generate new token in MCAS
Figure 4.72: Create new Flow in Microsoft Flow application
Figure 4.73: Create new Policy Alert in MCAS
Figure 4.74: Workflow automation tab in ASC
Figure 4.75: Alert Severity selection in Add workflow automation
Figure 4.76: Logic App Designer
Figure 4.77: Adding workflow automation in ASC
Figure 4.78: Example of a Fusion incident in Azure Sentinel
Figure 4.79: Enable/disable Fusion detections rule in Azure Sentinel
Figure 4.80: Example of Notebooks
Figure 4.81: Selection of Notebook ML Template in Azure Sentinel
Figure 4.82: Create the ML Workspace in Azure Sentinel
Figure 4.83: Validation pass window
Figure 4.84: Confirmation window
Figure 4.85: Selection of Notebooks in Azure Sentinel
Figure 4.86: Create a compute instance in Notebooks
Figure 4.87: Create Compute instance for Microsoft ML
Figure 4.88: Configuration settings window
Figure 4.89: Run Code window in Azure Notebook
Chapter 5
Figure 5.1: Microsoft 365 Security services aligned with NIST CSF
Figure 5.2: Microsoft 365 Security solutions
Figure 5.3: The Microsoft Cybersecurity Reference Architecture (MCRA)
Figure 5.4: Foundation of Microsoft Reference Architecture
Figure 5.5: Microsoft's Global threat activity portal
Figure 5.6: Service Trust Portal
Figure 5.7: Microsoft SDL portal
Figure 5.8: The Hybrid Infrastructure
Figure 5.9: Azure Marketplace portal
Figure 5.10: Azure Private Link
Figure 5.11: Azure Arc dashboard
Figure 5.12: Azure Lighthouse portal
Figure 5.13: Azure Lighthouse architecture
Figure 5.14: Azure Firewall
Figure 5.15: Azure Firewall architecture
Figure 5.16: WAF design
Figure 5.17: DDOS Plan dashboard
Figure 5.18: DDOS Protection Architecture
Figure 5.19: Azure Key Vault portal
Figure 5.20: Example of Azure Bastion for Firewall
Figure 5.21: Azure Bastion architecture
Figure 5.22: Azure Site Recovery
Figure 5.23: Azure Security Center (Azure Defender), view from the Azure por...
Figure 5.24: Azure Secure Score
Figure 5.25: Microsoft Endpoint Manager
Figure 5.26: Microsoft Endpoint Manager Center
Figure 5.27: Microsoft Defender for Endpoint
Figure 5.28: Intune architecture
Figure 5.29: Windows 10 Security
Figure 5.30: Threat and risk against identities and access
Figure 5.31: Identity and Access Management
Figure 5.32: Azure Conditional Access Policies example
Figure 5.33: Azure AD Identity Protection portal
Figure 5.34: Azure PIM
Figure 5.35: Microsoft Defender for Identity Architecture
Figure 5.36: Azure AD B2C portal
Figure 5.37: Identity Governance portal
Figure 5.38: SaaS challenges
Figure 5.39: MCAS Dashboard and Portal
Figure 5.40: MCAS architecture
Figure 5.41: Protecting information and data
Figure 5.42: Azure Purview dashboard
Figure 5.43: MIP service
Figure 5.44: Azure Information Protection portal
Figure 5.45: AIP File Scanner architecture
Figure 5.46: Core and Advanced eDiscovery portal
Figure 5.47: Compliance Manager dashboard
Figure 5.48: IoT and Operational Technology challenges
Figure 5.49: Defender for IoT
Figure 5.50: Azure Defender (Security Center for IoT Security)
Figure 5.51: IoT Reference Architecture
Figure 5.52: Threat Modeling example
Figure 5.53: IoT Agentless Deployment design
Figure 5.54: IoT Agent-based integration flow
Figure 5.55: SOC solutions
Figure 5.56: People Security solutions
Figure 5.57: Attack Simulator
Figure 5.58: Insider Risk Management dashboard
Figure 5.59: Insider Risk Management workflow
Figure 5.60: Communication Compliance dashboard
Chapter 6
Figure 6.1: The AWS Well-Architected Framework
Figure 6.2: The AWS Shared Responsibility Model
Figure 6.3: The CloudTrail console dashboard page
Figure 6.4: The CloudWatch Logs console
Figure 6.5: The VPC flow logs console
Figure 6.6: View of the GuardDuty dashboard
Figure 6.7: View of the Security Hub dashboard
Figure 6.8: Amazon API Gateway and AWS WAF
Figure 6.9: Create Example API
Figure 6.10: Deploy API screen
Figure 6.11: Create Stage name screen
Figure 6.12: AWS WAF screen
Figure 6.13: Describe Web ACL screen
Figure 6.14: Add AWS Resource screen
Figure 6.15: Associated AWS Resources screen
Figure 6.16: Add Rules and Rule Groups screen
Figure 6.17: Rule Builder screen
Figure 6.18: Action screen
Figure 6.19: Confirmation of Web ACL Creation screen
Figure 6.20: GuardDuty Welcome screen
Figure 6.21: Generate Sample Findings screen
Figure 6.22: GuardDuty Findings screen
Figure 6.23: Privilege Escalation screen, upper portion
Figure 6.24: Privilege Escalation screen, lower portion
Figure 6.25: S3 bucket
Figure 6.26: Macie screen
Figure 6.27: Enable Macie screen
Figure 6.28: Configure S3 Bucket screen
Figure 6.29: Macie Jobs screen
Figure 6.30: Select S3 Buckets screen
Figure 6.31: Scope screen
Figure 6.32: Name and Description screen
Figure 6.33: Findings screen
Figure 6.34: SensitiveData:S3Object/Credentials Screen 1
Figure 6.35: SensitiveData:S3Object/Credentials Screen 2
Figure 6.36: GuardDuty Findings menu
Figure 6.37: GuardDuty Findings screen
Figure 6.38: UnauthorizedAccess:IAMUser overview screen
Figure 6.39: UnauthorizedAccess:IAMUser resources screen
Figure 6.40: UnauthorizedAccess:IAMUser action screen
Figure 6.41: GuardDuty Findings screen
Figure 6.42: Findings screen
Figure 6.43: Backdoor:EC2/C&CActivity.B!DNS screen
Figure 6.44: Backdoor:EC2/C&CActivity.B!DNS screen
Figure 6.45: Backdoor:EC2/C&CActivity.B!DNS screen
Figure 6.46: GuardDuty Findings screen
Figure 6.47: Findings screen
Figure 6.48: Exfiltration:IAMUser/AnomalousBehavior screen
Figure 6.49: Exfiltration:IAMUser/AnomalousBehavior screen
Figure 6.50: Exfiltration:IAMUser/AnomalousBehavior screen
Figure 6.51: Exfiltration:IAMUser/AnomalousBehavior screen
Figure 6.52: Differences in technical attributes across automated response a...
Figure 6.53: Cost comparison of automation options scanning methods (events ...
Figure 6.54: CloudTrail screen
Figure 6.55: Create a Trail screen
Figure 6.56: Trail Attributes screen
Figure 6.57: Create S3 Bucket screen
Figure 6.58: Enable Encryption screen
Figure 6.59: Enable Advanced Option screen
Figure 6.60: Events screen
Figure 6.61: Management Events screen
Figure 6.62: CloudTrail Details screen
Figure 6.63: Simple Notification Service screen
Figure 6.64: Create Topic screen
Figure 6.65: Create SNS Subscription screen
Figure 6.66: Create Subscription screen
Figure 6.67: EventBridge screen
Figure 6.68: Event Create Rule screen
Figure 6.69: GuardDuty Settings screen
Figure 6.70: Select Event Bus screen
Figure 6.71: Select Targets screen
Figure 6.72: Rules screen
Figure 6.73: GuardDuty screen
Figure 6.74: Summary screen
Figure 6.75: Findings screen
Figure 6.76: CloudTrailLoggingDisabled screen
Figure 6.77: Lambda screen
Figure 6.78: Create Function screen
Figure 6.79: Add Trigger screen
Chapter 7
Figure 7.1: Amazon NIST Cybersecurity Framework (CSF)
Figure 7.2: AWS Reference Architecture aligned to the MITRE ATT&CK Framework...
Figure 7.3: Identify components of AWS Reference Architecture
Figure 7.4: Security Hub architecture
Figure 7.5: AWS Config components
Figure 7.6: AWS Organizations components
Figure 7.7: AWS Control Tower components
Figure 7.8: AWS Trusted Advisor components
Figure 7.9: AWS Well-Architected Tool components
Figure 7.10: AWS Systems Manager components
Figure 7.11: Protect components of AWS Reference Architecture
Figure 7.12: AWS Single Sign-On components
Figure 7.13: AWS Web Application Firewall components
Figure 7.14: AWS Cloud HSM components
Figure 7.15: AWS PrivateLink components
Figure 7.16: AWS Direct Connect components
Figure 7.17: AWS Transit Gateway components
Figure 7.18: AWS Resource Access Manager components
Figure 7.19: Detect components of the AWS Reference Architecture
Figure 7.20: AWS GuardDuty components and architecture
Figure 7.21: AWS Amazon Detective components
Figure 7.22: Amazon Macie components
Figure 7.23: AWS CloudTrail components
Figure 7.24: Amazon CloudWatch components and architecture
Figure 7.25: AWS Lambda components
Figure 7.26: AWS Step Functions components and architecture
Figure 7.27: Recover components of the AWS Reference Architecture
Figure 7.28: AWS CloudFormation components
Chapter 8
Figure 8.1: Chronicle overview
Figure 8.2: IBM Cloud Security
Figure 8.3: Oracle threat intelligence lifecycle
Chapter 9
Figure 9.1: Traditional approach vs. ML approach
Appendix G
Figure G-1: MITRE ATT&CK Framework Cloud Matrix
Chris Peiris
Binil Pillai
Abbas Kudrati
The book you're about to read fills a much-needed gap in cloud cybersecurity. A little over two years ago, a couple of cybersecurity experts stopped to grab a coffee after a long day at a technical conference in Las Vegas. As the conversation progressed, the friends realized one of the topics they most wanted to learn more about wasn't being addressed by any of the conference sessions: cross-cloud threat hunting.
How did they know it was a topic that needed to be covered? Because each of them had experienced the need first-hand. Chris Peiris built an early cyber fusion center for Microsoft and joined Avanade to build out their fusion center with side-by-side Azure and AWS capability. Based in Australia, Chris now works with the AU DoD and has seen how multi-cloud security has gone from a business requirement to a regulatory one with new legislation in Australia that demands a multi-cloud approach to prevent vendor lock-in. As the Global Director, Strategy & Business Development for Security at Microsoft, Binil Pillai works with corporate executives and understands that true organizational security means being able to hunt for vulnerabilities and exposures across multiple different cloud providers. His experience with threat-hunting product development also contributed to building the concept of this book. As an award-winning CISO and Microsoft's Chief Cybersecurity Advisor for APAC, Abbas Kudrati knows first-hand the security challenges governments and large enterprises face as they transform from on-premise to cloud-based.
Based on their different experiences, the authors bring their own cross-cloud viewpoints to the book. They worked collaboratively to improve content and coverage: augmenting one another's knowledge to create a truly comprehensive text. And to keep it effective and focused, Chris, Binil, and Abbas have divided the book into multiple parts. The first part focuses on the big picture and how to make board members “cyber smart” about cross-cloud threat hunting. The authors carefully picked real-world examples and case studies that will really matter to executives and enumerate the key business drivers. They also provide guidance on whether or not an organization should staff and manage their own in-house threat-hunting team, or partner with an external provider for the best return on investment.
The latter part of the book provides a deep how-to technical guide for cross-cloud threat hunting. One of the challenges security experts face is a lack of normalization from one cloud to the next. Although most large cloud vendors have native tooling (such as Azure Defender and AWS GuardDuty), it can be quite confusing going from one to the other since interfaces are different, features are different, and each security model is different. In fact, even between services on the same provider, there can be differences. And when your company spans both clouds, you need a way to threat hunt across the entire environment. Since hunting in a vacuum isn't effective, the authors use the industry-leading MITRE ATT&CK Framework as a reference architecture against which hunting activities and progress can be mapped. The final chapter provides their insight about the future of threat hunting, leveraging current technology trends and the potential evolution of threat-hunting practices by cloud service providers.
After many months of work, a lot of late nights, and, yes, some additional caffeine, this book is ready for you. Whether you're a CISO who needs to explain cross-cloud threat hunting to the executive board, or a fusion center director looking to increase your teams' threat-hunting skills, there's something here to help bring your organization to a better security state. Multi-cloud deployments are here to stay, and you need this book to help you stay safe cross-cloud.
Diana Kelley
CTO & Co-Founder, SecurityCurve
www.securitycurve.com
The rise of cybercrime has created an insatiable appetite for threat hunting. Many organizations take a reactive approach to cybersecurity. Often, the first indication that something is happening on their network is when they receive an alert about an attack in progress. However, by this point, it may already be too late to stop the attack. In today's challenging and rapidly changing environment, cyberthreat actors are becoming increasingly sophisticated, and many of them can remain undetected until they achieve their objectives. By taking a proactive approach to security, security teams can identify infections while they are still in the “stealth” phase, allowing them to be remediated before they do significant damage to the organization. To do this, the security team needs to learn to threat hunt.
Threat hunting is a critical focus area for increasing the cybersecurity posture of any organization. Threat hunting can be performed in a proactive context (referred to as ethical hacking) or in a defensive context to stop bad actors from penetrating the organization's defenses. Several industry best practices provide a threat-hunting framework that can act as a set of guidelines for organizations. The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) Framework is highly regarded in the cybersecurity industry as one of the most comprehensive catalogs of attacker tactics and techniques. Threat hunters use this framework to look for specific techniques that attackers often use to penetrate defenses.
Testing that takes a comprehensive view of an environment's ability to monitor and detect malicious activity, using the tools that defenders have already deployed across the organization, is critical to safeguarding against cyberattacks. There are some practical questions we are presented with on a daily basis while implementing cloud cybersecurity solutions to expedite digital transformation projects globally. Specifically, these questions are:
What are the critical business and technical drivers of a threat-hunting framework in today's rapidly changing cloud environments?
Is there an industry-leading framework to ensure that we address all known attack vectors?
What are the human elements that organizations need to focus on when building internal capability or sourcing threat-hunting capability from external cloud providers?
What metrics are available to assess threat-hunting effectiveness irrespective of the organization's size, from enterprises to small- and medium-sized businesses?
Is there a catalog or a reference architecture artifact that can assist both business and technical users in addressing each attack vector?
How does threat hunting work with vendor-specific single cloud security offerings?
How does threat hunting work on multi-cloud implementations?
What do industry-leading cloud providers, such as Amazon Web Services (AWS) and Microsoft Azure, provide as building blocks for offensive and defensive threat-hunting capabilities?
What is the future of threat hunting?
These questions were confronted by Dr. Chris Peiris in a real-world scenario when he was presented with an opportunity to build a “side-by-side” cybersecurity fusion center implementation on the Microsoft Azure and AWS technology platforms. He noticed there is a growing customer requirement to enable a “multi-cloud” strategy with enterprise customers. Chris, in collaboration with Binil and Abbas, started to address this growing, ever-increasing customer demand.
They noticed that the primary motivations for customer organizations to have a tailored cybersecurity risk framework are to avoid “vendor lock-in” to a specific technology platform and to meet regulatory compliance requirements. This approach ensures vendor neutrality and rapid disaster recovery for the organization from a risk-mitigation perspective. It helps organizations strategize their security posture and build a threat-hunting ecosystem that ensures long-term sustainability. Therefore, counter to the popular sentiment of Cloud Service Providers (CSPs) competing for market share, there is a growing “synergy framework” that enables the CSPs to work together to address customer requirements.
As a practical example, an email phishing attack can be detected by the Microsoft Defender for Office 365 tool via the organization's Azure or Windows assets. The same threat hunting can be achieved via Amazon's GuardDuty cloud offering. It is practical to build a multi-cloud threat-hunting framework that leverages the best of both worlds from multiple cloud providers to address the organization's specific cybersecurity risks.
This multi-cloud synergy framework enables a rich toolset for an organization to increase its security posture and leverage the CSPs' global threat intelligence assets. The organization can significantly improve its security posture by partnering with CSPs using this multi-cloud capability.
This book aims to present a threat-hunting framework that enables organizations to implement multi-cloud security toolsets to increase their security posture. We focus on the AWS and Microsoft security toolsets and address the most common threat vectors using the MITRE ATT&CK Framework as a reference architecture. We also address the future of threat hunting in relation to AI, machine learning, quantum computing, and IoT proliferation. This book is a practical guide for any organization aiming to build, optimize, and advance its threat-hunting requirements. It provides a comprehensive toolset to accelerate business growth with secured digital transformation and regulatory compliance activities.
Many organizations are quickly discovering that threat hunting is the next step in the evolution of the modern Security Operations Center (SOC), but remain unsure of how to start hunting or how far along they are in developing their own hunting capabilities. We believe this book addresses a gap in the market. There are several books on threat-hunting frameworks and how to use them in on-premise environments (as opposed to cloud/CSP implementations). The threat-hunting capability on cloud assets is mainly unexplored. This book also addresses the people (the human element) and the business measurements to consider in order to successfully adopt a threat-hunting framework. There is practical guidance to implement a threat-hunting framework irrespective of the organization's size and maturity.
There are specific vendors' blog posts/articles and “how-to guides” to address individual threat vectors. However, there is no definitive guide on how threat hunting works on Microsoft or AWS to address all major attack vectors. That's where this book comes in.
Can an organization build a comprehensive threat-hunting framework addressing all the common attack vectors using cloud assets? This book attempts to answer this key question on the AWS and Microsoft cloud platforms.
The contents in the book are prepared to serve business decision makers like board members, CXOs, and CISOs, as well as a technical audience. Business users will find the technology-agnostic cloud threat-hunting methodology framework valuable to manage their cybersecurity risks. Technical users will benefit from the how-to guide on Microsoft Azure and AWS to address these risks. There are no other books in the market that address Microsoft Azure and AWS side by side. You will also get an opportunity to learn to use the best of both worlds in Microsoft Azure and AWS (i.e., you can create a solution where endpoint detection and response is addressed by Microsoft, with Microsoft Defender for Endpoint, and information management is done by AWS Macie).
We have structured the book in five parts:
Part I: An introduction to threat-hunting concepts and industry frameworks that address threat hunting. This section is targeted toward business decision makers such as the board members, the CXOs, and the CISOs.
Part II: How does Microsoft Azure address key threats? This section is targeted toward a technical audience.
Part III: How does AWS address key threats? This is targeted toward a technical audience, similar to the previous section.
Part IV: Other cloud threat-hunting platforms and the future of threat hunting. This is targeted toward business decision makers, technical professionals, and anyone who wants to learn about potential future threat-hunting trends.
Part V: Appendices. These mainly contain MITRE ATT&CK Framework reference material that correlates to the key attack vectors that the book explores.
Here is a further breakdown of chapter contents.
Part I: Threat Hunting Frameworks
Chapter 1: Introduction to Threat Hunting
This chapter sets the context of rising cybercrime and the key threat attack vectors such as phishing, ransomware, and nation state attacks. The chapter further explores the necessity of threat hunting, how threat hunting affects organizations of all sizes, the threat-hunting maturity model, and the human elements of threat hunting. Finally, this chapter recommends a few priorities that can help any organization build a foundation to make the board of directors cyber-smart.
Chapter 2: Modern Approach to Multi-Cloud Threat Hunting
This chapter discusses multi-cloud and multi-tenant environments and how Security Operation Centers (SOCs) are designed to monitor their activities. We explore threat modeling and threat-hunting goals and objectives. The chapter provides fresh insights for organizations keen to learn about the skillsets required for threat hunting and the metrics available to measure the effectiveness of threat hunting.
Chapter 3: Exploration of MITRE Key Attack Vectors
This chapter explains how you can leverage ATT&CK tactics and techniques to enhance, analyze, and test your threat-hunting efforts. The objective is to illustrate how to prevent bad actors from penetrating defenses by focusing on a few key attack vectors. We concentrate on privilege escalation, credential access, lateral movement, command and control, and exfiltration, as these are essential methods, and analyze them in depth with real-world examples (using case studies). We also discuss the Zero Trust Architecture Framework as a key enabler for threat prevention.
Part II: Hunting in Microsoft Azure
Chapter 4: Microsoft Azure Cloud Threat Prevention Framework
This chapter explores Microsoft's threat-hunting capabilities in detail. The chapter introduces Microsoft security concepts and discusses their relevance to the shared responsibility model. This is followed by a detailed how-to guide on preventing the privilege escalation, credential access, lateral movement, command and control, and exfiltration Tactics, Techniques, and Procedures (TTPs). It also explains how to automate some of your hunting tasks using Microsoft security services on Microsoft 365 and Azure capabilities.
Chapter 5: Microsoft Cybersecurity Reference Architecture and Capability Map
This chapter focuses on the Microsoft Cybersecurity Reference Architecture. The chapter explores the “wider Microsoft reference” architecture for all TTPs discussed in the MITRE ATT&CK Framework. We also discuss the NIST Framework's alignment to the Microsoft reference architecture.
Part III: Hunting in AWS
Chapter 6: AWS Cloud Threat Prevention Framework
This chapter covers AWS threat-hunting capabilities in detail. We address the five key threat TTPs (i.e., prevention of privilege escalation, credential access, lateral movement, command and control, and exfiltration) and include a how-to guide similar to Chapter 4. The objective is to expose the reader to the similarities in how these threat vectors are addressed on multiple cloud platforms.
Chapter 7: AWS Reference Architecture
This chapter covers the AWS Reference Architecture on threat hunting. We followed the same format as Chapter 5 to illustrate the similarities between multiple cloud platforms. The chapter explores wider threat-hunting capabilities available in AWS on top of the five TTPs discussed in Chapter 6.
Part IV: The Future
Chapter 8: Threat Hunting in Other Cloud Providers
This chapter focuses on the threat-hunting capability stack, aligned to the MITRE ATT&CK Framework, available from other major cloud platform service providers, such as Google Cloud Platform (GCP), IBM, Oracle, and Alibaba (Ali Cloud). The chapter provides an overview of how these leading providers of IaaS, PaaS, and SaaS have built or adopted threat-hunting capabilities to protect their customers' data.
Chapter 9: The Future of Threat Hunting
This chapter explores the future of threat hunting and the technological advances challenging the current threat-hunting landscape. In this chapter, we discuss the importance of bringing all relevant capabilities together and integrating them. This includes artificial intelligence, machine learning, quantum-proof cryptography, the Internet of Things (IoT), operational technology, cybersecurity blockchain, threat hunting as a service, and regulatory compliance challenges.
Part V: Appendices
Appendix A: MITRE ATT&CK Tactics
This appendix details the complete list of TTPs available in the MITRE ATT&CK Framework.
Appendix B: Privilege Escalation
This appendix provides an in-depth analysis of the tactics and subtactics of the privilege escalation TTP.
Appendix C: Credential Access
This appendix provides an in-depth analysis of the tactics and subtactics of the credential access TTP.
Appendix D: Lateral Movement
This appendix provides an in-depth analysis of the tactics and subtactics of the lateral movement TTP.
Appendix E: Command and Control
This appendix provides an in-depth analysis of the tactics and subtactics of the command and control TTP.
Appendix F: Data Exfiltration
This appendix provides an in-depth analysis of the tactics and subtactics of the data exfiltration TTP.
Appendix G: MITRE Cloud Matrix
This appendix provides an in-depth analysis of the cloud matrix of the MITRE ATT&CK Framework.
Appendix H: Glossary
This appendix contains definitions of various industry terms used in the book.
In addition to this book, here are some other resources that can help you learn more:
The MITRE ATT&CK Framework: https://attack.mitre.org/
Microsoft Security: https://docs.microsoft.com/security/
AWS Security: https://aws.amazon.com/security/
Google Cloud Platform Security: https://cloud.google.com/security/
If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur.
In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission”.
Chapter 1: Introduction to Threat Hunting
Chapter 2: Modern Approach to Multi-Cloud Threat Hunting
Chapter 3: Exploration of MITRE Key Attack Vectors
The rise of cybercrime
What is threat hunting?
Key cyberthreats and threat actors
Why is threat hunting relevant to all organizations?
Does an organization's size matter?
Threat modeling
Threat hunting maturity model
Human elements of threat hunting
How do you make the board of directors cyber-smart?
Threat hunting team structure
The threat hunter's role
“If you protect your paper clips and diamonds with equal vigor…you'll soon have more paper clips and fewer diamonds.”
—Attributed to Dean Rusk, U.S. Secretary of State 1961–1969
This quote was first made decades ago in the context of the Cold War. However, it still resonates today, especially with the rise of cybercrime we are currently experiencing. Modern cybercrime is a sophisticated business with complex supply-chain activities and multiple threat actors working together in synergy. The threat actors practice division of labor, where one team is deployed to penetrate defenses and another team is subsequently employed to exploit the data breach. This level of sophistication is possible due to the staggering rewards cybercriminals and organized crime syndicates are achieving.
In 2009, the cost of cybercrime to the global economy was USD 1 trillion according to McAfee, the Silicon Valley-based cybersecurity vendor, in a presentation to the World Economic Forum (WEF) in Davos, Switzerland. McAfee has since announced that cybercrime is estimated to top USD 6 trillion by 2021, according to Cybersecurity Ventures. This has been a significant increase in the last few years. The Cybersecurity Ventures report continues to elaborate that “if cybercrime is a country, it will be the third largest economy after the U.S. and China in the context of Gross Domestic Product (GDP) comparisons.”
Cybercriminals can be found globally and have different skillsets and motivations. Some types of cybercrime persist independent of economic, political, or social changes, while certain types are fueled by ideology and monetary gain. The cyber defenders and the industry face an extremely diverse set of criminal actors and their ever-evolving tactics and techniques. These threat actors are opportunistic in nature. These cybercriminals capitalize on disruptive events such as the COVID-19 pandemic. As COVID-19 spread globally, cybercriminals pivoted their lures to imitate trusted sources like the World Health Organization (WHO) and other national health organizations, in an effort to get users to click on malicious links and attachments.
The recent Solorigate nation state attack is another example of a multi-layer sophisticated attack. These attacks were driven by ideology, not pure monetary gain. We discuss this nation state attack in detail later in the chapter. These examples illustrate that cybersecurity is a key focus area for any organization in our modern cloud-centric world. The proliferation of private cloud, hybrid cloud, and public cloud has added another layer of sophistication and increased the attack vectors available for cyberattacks. Therefore, more focus should be on preventative methods to ensure “modern IT diamonds are secured,” in the spirit of Dean Rusk's comments many decades earlier.
Email phishing in the enterprise context continues to grow and has become a dominant vector. Given the increase in available information regarding these schemes and technical advancements in detection, the criminals behind these attacks are now spending significant time, money, and effort to develop scams that are sufficiently sophisticated to victimize even savvy professionals. Attack techniques in phishing and business email compromises are evolving. Previously, cybercriminals focused their efforts on malware attacks, but they have shifted their focus to ransomware, as well as phishing attacks with the goal of harvesting user credentials. Human-operated ransomware gangs are performing massive, wide-ranging sweeps of the Internet, searching for vulnerable entry points. These vulnerable entry points will be controlled by sophisticated “command and control” systems to disrupt organizations via distributed denial of service (DDoS) attacks at the attacker's discretion. Defending against cybercriminals is a complex, ever-evolving, and never-ending challenge.
NOTE According to Cybersecurity Ventures, global cybercrime costs will grow by 15% per year over the next five years, reaching USD 10.5 trillion annually by 2025.
It is estimated that 50% of the world's data will be stored in the cloud infrastructure by 2025. This equates to approximately 100 zettabytes of data across public clouds, government-owned clouds, private clouds, and cloud storage providers. This exponential data growth provides incalculable opportunities for cybercriminals because data is the fundamental building block of the digitized economy. Chief Information Security Officers (CISOs) and security teams are burdened by conventional solutions that can't adapt to the cloud to effectively prevent cyberattacks. And pressures continue to mount as employees produce, access, and share more data remotely through cloud apps during disruptive events such as COVID-19.
NOTE The IBM Cost of Data Breach Report 2020 reports the following:
The average cost of a data breach is USD 3.86 million.
The U.S. has the most expensive data breaches.
Healthcare is the most vulnerable industry; the average cost is USD 7.13 million.
The average time to identify and contain a breach is 280 days.
It's staggering to comprehend that an adversary could be “lurking” inside your enterprise for 280 days/9+ months before being discovered and contained. Organizations are required to combat these growing threats and increase their security posture. They have to be proactive in their defense strategies. They also have to react very quickly when the enterprise is under attack. Threat hunting is a key tool available for defenders to protect their digital assets against their adversaries.
There are many different approaches to increasing an organization's cybersecurity defenses against adversaries. One fundamental solution is known as threat hunting. Threat hunting provides a proactive opportunity for an organization to uncover attacker presence in an environment. While no formal academic definition exists for threat hunting, leading global cybersecurity authority SANS defines threat hunting as the “proactive, analyst-driven process to search for attacker tactics, techniques, and procedures (TTP) within an environment.” Attacker TTP must be researched and understood to know what to search for in collected data. Information about attacker TTP most often derives from signatures, indicators, and behaviors observed from threat intelligence sources. This added context should include targeted facilities, what systems were affected, protocols manipulated, and any other information pertinent to better understanding an attacker's TTP.
“Knowledge is power. For security professionals to create successful defense strategies, they need more diverse and timelier insights into the threats they are defending.”
—Microsoft Cybersecurity Intelligence Report, 2020
The threat hunt requires accurate threat intelligence to achieve success. A formal threat-hunting model keeps the hunt focused on its stated purpose: the attacker behavior it set out to find. This also maximizes the usage of threat intelligence. The formal threat hunt model presented here is also agnostic of the analytic techniques employed throughout the hunt, allowing the model the flexibility to work with any hunting tools or techniques (i.e., artificial intelligence and machine learning tools, etc.). Threat hunting requires a formal process to protect the integrity and rigor of the analysis; it is similar to incident response in that it requires a formal process to handle an investigation rigorously.
The methodology employed by the adversaries is similar despite the sophistication and diversity of the attacks. It is irrelevant whether attackers use large-scale attacks for financial gain or targeted attacks to support geopolitical interests. A phishing email can be a generic campaign targeting millions of users or a campaign targeting a single user (i.e., spear phishing, which we discuss in the next section) that represents a socially engineered effort over many months.
Spoofed domains, referred to as homoglyphs, can be used to trick victims; for example, Microsoft.com and Micr0soft.com, where the first “o” is replaced by a zero digit and can be easily overlooked by human readers. This malicious domain, Micr0soft.com, then can be leveraged to distribute malware, steal credentials, or support a fraudulent website. Subsequently, the same malware can be used to create a botnet (an industry term for a “web robot”) to facilitate a DDoS attack against an organization, distribute ransomware, or steal sensitive information in relation to a nation's critical infrastructure.
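One way a defender can catch the Micr0soft.com style of lookalike described above is to fold every domain label into a canonical “skeleton” in which visually confusable characters collide, then compare it against the organization's protected brand domains. The following is an added example, not code from the book; the confusables table, the protected domain list, and the function names are assumptions, and the table is deliberately small rather than the full Unicode confusables list.

```python
import unicodedata

# Constructed, illustrative substitution table: characters an attacker commonly
# swaps for Latin letters in lookalike domains. It is an assumption for this
# example, not the full Unicode confusables list; extend it from that list in practice.
CONFUSABLES = {
    "0": "o", "3": "e", "5": "s", "7": "t", "8": "b",
    "1": "l", "i": "l",          # i, l and 1 are folded into one symbol
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "l",  # Cyrillic small i (folded with Latin i/l)
}
# Two-character sequences that read as a single letter at a glance
MULTI_CHAR = {"rn": "m", "vv": "w"}

# Brand domains the organization wants to protect (assumption for the example)
PROTECTED_DOMAINS = ("microsoft.com", "office.com")


def skeleton(label: str) -> str:
    """Map a DNS label to a canonical skeleton so visually similar labels collide."""
    if label.startswith("xn--"):
        # Punycode label: decode to Unicode so IDN homoglyphs are folded like any other
        label = label.encode("ascii").decode("idna")
    # NFKD decomposition followed by dropping combining marks turns e.g. "é" into "e"
    decomposed = unicodedata.normalize("NFKD", label.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in stripped)
    for seq, replacement in MULTI_CHAR.items():
        folded = folded.replace(seq, replacement)
    return folded


def second_level_label(domain: str) -> str:
    """Return the label directly left of the TLD (assumes single-label TLDs such as .com)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, protected=PROTECTED_DOMAINS) -> str:
    """Classify a sender or link domain as 'legitimate', 'lookalike' or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    # An exact match or a subdomain of a protected domain is legitimate
    for brand in protected:
        if domain == brand or domain.endswith("." + brand):
            return "legitimate"
    # Anything else whose skeleton collides with a protected brand is a lookalike
    label_skel = skeleton(second_level_label(domain))
    for brand in protected:
        if label_skel == skeleton(second_level_label(brand)):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample domains, including the book's Micr0soft.com example
    for candidate in ("Micr0soft.com", "rnicrosoft.com", "login.microsoft.com", "example.com"):
        print(f"{candidate:24} -> {classify(candidate)}")
```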
The defenders leverage threat hunting to combat adversary behavior to protect against cyberattacks. The defenders use multiple tools and methods to achieve this goal. The defenders investigate commonalities across various environments and ecosystems to understand and disrupt these attack vectors such as phishing, spear phishing, homoglyphs, etc. The defenders dismantle the criminals' infrastructure, sharing information gathered through the course of their investigations. These additional insights are shared globally through defender intelligence networks to increase the security posture of the global software ecosystem. Let's investigate the key cyberthreats and threat actors and explore the key attack vectors the adversaries leverage to penetrate an organization's defenses.
There are numerous battlegrounds on which cybercriminals attempt to penetrate an organization's defenses. We discuss a comprehensive set of tactics, techniques, and procedures (TTPs) via the MITRE ATT&CK framework in Chapter 3. Following are the most important battlegrounds; Chapter 3 elaborates on each of them with its associated TTPs.
It is estimated that more than 90% of all cyberattacks were initiated via phishing. Phishing uses email as the attack vector to inject malicious code or to divert the user to a “phony site” that harvests user credentials. It is a very popular attack vector for cybercriminals due to its low barrier to entry and the high click-through rates of unsuspecting victims. Phishing is usually associated with mass email campaigns. However, sophisticated cybercriminals target specific individuals and organizations exclusively; this is commonly referred to as spear phishing.
Spear phishing is an increasingly common form of phishing that uses information about a target to make attacks more specific and “personal.” These attacks may, for instance, refer to their targets by their specific name or job position, instead of using the generic titles that broader phishing campaigns use.
“Some 91% of cyberattacks begin with a spear phishing email. According to a Trend Micro report, 94% of targeted emails use malicious file attachments as the payload or infection source. The remaining 6% use alternative methods such as installing malware through malicious links.”
—Antony Savvas at Computerworld UK
According to Trend Micro, the most commonly used file types for spear phishing attacks, accounting for 70% of them, are .RTF (38%), .XLS (15%), and .ZIP (13%). Executable (.EXE) files were not as popular among cybercriminals since emails with .EXE file attachments are usually detected and blocked by firewalls and security intrusion detection systems. Trend Micro also suggests that 75% of email addresses for spear phishing targets are easily found through web searches or using common email address formats.
Figure 1.1 illustrates the credential phishing process. Cybercriminals begin by setting up a criminal infrastructure designed to steal an individual's credentials. Note that there are phishing kits available on the “dark web” to facilitate this process. Cybercriminals send malicious emails to the unsuspecting individual, who then clicks on a link within the email. The individual might then be taken to a fake web form that impersonates a real page (such as a bank login page) to enter their credentials, or the site might contain malware that is automatically downloaded to their device, capturing credentials stored on the device or in the browser memory. The victim's credentials are then collected by the cybercriminals, who use the credentials to gain access to legitimate websites or even to the victim's corporate network. This access can be temporary, or the victim's machine can be turned into a persistent “zombie” that receives commands from Command and Control (C2) servers for future gains.
There has been massive growth of ransomware in recent years. Bad actors are notorious for delivering ransomware via phishing emails to infect computers and mobile devices. This results in files being locked up, and the attackers often threaten complete destruction of the data unless the organization pays the ransom.
NOTE According to Cybersecurity Ventures, ransomware attacks are expected to hit businesses every 11 seconds and cost the world USD 20 billion by 2021.
Figure 1.1: Phishing lifecycle implemented by cybercriminals
Note that ransomware damages are not limited to ransom payouts. The percentage of businesses and individuals who pay via digital currencies (i.e., Bitcoin) to reclaim access to their data and systems is not accurately tracked. Therefore, the actual monetary impact of ransomware attacks could be seriously understated. Other ransomware costs include damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks.
Figure 1.2 illustrates the steady rise of ransomware from 2015 to 2021.
Figure 1.2: Global ransomware damage costs
Ransomware attacks have been increasing in complexity and sophistication over the years. Cybercriminals perform massive wide-ranging sweeps of the Internet to search for vulnerable entry points. Alternatively, they enter networks via “commodity Trojan malware” and leverage command and control mechanisms to attack at their discretion. Recently, commodity platforms are being offered in underground markets and the dark web with customizable ransomware tools (called Ransomware-as-a-Service), where one can build ransomware and target particular victims/organizations by subscribing to the service and customizing the payload based on the target vulnerabilities. As an example, cybercriminals used Dridex (a strain of banking malware that leverages macros in Microsoft Office) to gain initial access to networks, and then ransomed a subset of them with the DoppelPaymer ransomware during the 2019 Christmas holiday season.
WannaCry was one of the more sophisticated ransomware operations; it was targeted at many organizations, including but not limited to government agencies, utilities, and hospitals across the globe. During this incident, 16 hospitals in the UK were impacted and patients' lives were threatened due to the disruption and lack of access to their medical records.
As another example, cybercriminals exploited vulnerabilities in VPN and remote access devices to gain credentials, and then saved their access to use for ransoming hospitals and medical providers during the COVID-19 pandemic. Cybercriminals actively employ different tactics and change their tack based on the configurations they encounter in the network. They decide which data to exfiltrate, which persistence mechanisms to use for future access to the network, and ultimately, which ransomware payload to deliver.
“In some instances, cybercriminals went from the initial entry to ransoming the entire network in less than 45 minutes.”
—Microsoft Cybersecurity Intelligence Report
Figure 1.3 shows an example of how various ransomware payloads are delivered according to the Microsoft Cybersecurity Intelligence Report. These attack vectors and tactics are explored in detail in Chapter 3.
A nation state threat is defined as cyberthreat activity that originates in a particular country with the specific intent of furthering national interests. Nation state actors are well-funded, well-trained, and have more patience to play the “long game.” These factors make the identification of anomalous activity very difficult. Similar to cybercriminals, they watch their targets and change techniques/tactics to increase their effectiveness.
Figure 1.3: Ransomware tactics and lifecycle
The defenders investigate top-level trends in country-of-activity origin, targeted geographic regions, and the top nation state activity groups. According to the latest research, nation state activity is significantly more likely to target organizations outside of the critical infrastructure sectors. The most frequently targeted sector has been non-governmental organizations (NGOs). These are advocacy groups, human rights organizations, non-profit organizations, and think tanks focused on public policy, international affairs, or security. The nation state actors have these common operational aims regardless of the strategic objectives behind the activity:
Espionage
Disruption or destruction of data
Disruption or destruction of physical assets
The most common attack techniques used by nation state actors are reconnaissance, credential harvesting, malware, and virtual private network (VPN) exploits. Advanced nation state adversaries invest heavily in the development of unique malware in addition to using openly available malicious code.
Surprisingly, nation state attackers have targeted “non-government” entities, contrary to the popular belief that they focus on government critical infrastructure. Figure 1.4 shows a breakdown of the key industries that nation state attackers have focused on, according to the Microsoft Threat Intelligence Report.
Figure 1.4: Industry breakdown of nation state attacks
NOTE According to the Microsoft Cybersecurity Intelligence Report, the countries of origin of nation state attacks are Russia (52%), Iran (25%), China (12%), and North Korea and other (11%).
Top targets are the U.S. (69%), United Kingdom (19%), Canada (5%), South Korea (4%), and Saudi Arabia (3%).
Combating nation state actors is a very complex process that involves both technology challenges and legal jurisdiction challenges. The Microsoft threat intelligence team published the threat actor report in Figure 1.5, which classifies each known threat actor (color-coded by nation state). Note the symbols of the periodic table are used to identify and classify the threat actors.
There are known threat actors (i.e., identified by Advanced Persistent Threat, or APT suffix) and other unique threat actors specifically engineered to bring down the defenses of the target nation.
The report continues to name the most common nation state threat actors, as shown in Figure 1.6.
Nation state attacks are “covert” in nature and are not exposed to public scrutiny. However, there have been some recent high-profile nation state attacks that captured the public's attention. The SolarWinds nation state attack (commonly referred to as Solorigate) was exposed in late 2020 as one of these high-profile cyberattacks. Solorigate represents a modern cyberattack conducted by highly motivated actors who demonstrated they won't spare resources to reach their goal. The collective intelligence about this attack shows that, while hardening individual security domains is important, defending against today's advanced attacks necessitates a holistic multi-layer defense strategy. A summary of the key attack vectors is as follows:
Figure 1.5: Nation state attack adversaries list
Figure 1.6: Breakdown of major nation state actors
Compromise a legitimate binary (DLL file) belonging to the SolarWinds Orion Platform through a supply-chain attack.
Deploy a backdoor malware on devices using the compromised binary to allow attackers to remotely control affected devices.
Use the backdoor access on compromised devices to steal credentials, escalate privileges, and move laterally across on-premises environments to gain the ability to create Security Assertion Markup Language (SAML) tokens. An intruder, using administrative permissions, gained access to an organization's trusted SAML token-signing certificate. This enabled them to forge SAML tokens that impersonate any of the organization's existing users and accounts, including highly privileged accounts.
Initiate anomalous logins using the SAML tokens created by a compromised token-signing certificate, which can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor), because they have been configured to trust the certificate. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization.
Access cloud resources to search for accounts of interest and exfiltrate data/emails.
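Because a token forged with the stolen signing certificate passes signature validation, the detection signal in the SAML step above is not the signature but the mismatch between what the cloud service provider accepted and what the on-premises federation server actually issued. The following is an added example, not code from the book: it correlates assertions observed at the service provider with a constructed IdP issuance log and flags assertions the IdP never issued, assertion IDs reused for a different user, and validity windows longer than policy. The log shape, the sample assertions, the domain corp.example, and the function names are all assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _ts(value: str) -> datetime:
    """Parse the UTC timestamp form SAML assertions use (e.g. 2020-12-10T08:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Extract the fields needed for correlation from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", SAML_NS)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=SAML_NS).strip(),
        "user": (name_id.text or "").strip() if name_id is not None else "",
        "issued": _ts(root.get("IssueInstant")),
        "not_before": _ts(conditions.get("NotBefore")) if conditions is not None else None,
        "not_on_or_after": _ts(conditions.get("NotOnOrAfter")) if conditions is not None else None,
    }


def audit_assertions(observed_xml, idp_issuance_log, max_lifetime=timedelta(hours=1)):
    """
    Compare assertions accepted by the cloud service provider with the IdP's own
    issuance log. Returns (assertion_id, user, reasons) for every anomalous assertion.
    """
    issued_pairs = {(rec["assertion_id"], rec["user"]) for rec in idp_issuance_log}
    issued_ids = {aid for aid, _ in issued_pairs}
    findings = []
    for xml_text in observed_xml:
        a = parse_assertion(xml_text)
        reasons = []
        if a["id"] not in issued_ids:
            # The SP trusted the signature, but the IdP never recorded issuing this assertion
            reasons.append("no matching IdP issuance event")
        elif (a["id"], a["user"]) not in issued_pairs:
            reasons.append("assertion ID issued to a different user")
        if a["not_before"] is None or a["not_on_or_after"] is None:
            reasons.append("missing validity window")
        elif a["not_on_or_after"] - a["not_before"] > max_lifetime:
            # Forged tokens are often minted with very long lifetimes to avoid re-issuance
            reasons.append("validity window exceeds policy")
        if reasons:
            findings.append((a["id"], a["user"], reasons))
    return findings


def _assertion(aid, user, issued, not_before, not_after):
    """Build a constructed, minimal assertion. The Signature element is omitted on
    purpose: in this scenario it would validate anyway, since the attacker holds the
    real token-signing key, so it carries no detection value."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{aid}" Version="2.0" IssueInstant="{issued}">'
        "<saml:Issuer>http://sts.corp.example/adfs/services/trust</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>'
        "</saml:Assertion>"
    )


# Constructed IdP issuance log: what the on-premises federation server recorded
IDP_ISSUANCE_LOG = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "issued_at": "2020-12-10T08:00:00Z"},
    {"assertion_id": "_a2", "user": "bob@corp.example", "issued_at": "2020-12-10T08:05:00Z"},
]

# Constructed assertions as accepted by the cloud service provider
OBSERVED_ASSERTIONS = [
    # Legitimate: issued by the IdP to the same user, one-hour window
    _assertion("_a1", "alice@corp.example", "2020-12-10T08:00:00Z",
               "2020-12-10T07:59:00Z", "2020-12-10T08:59:00Z"),
    # Suspicious: a real assertion ID, but the subject does not match the IdP record
    _assertion("_a2", "admin@corp.example", "2020-12-10T08:05:00Z",
               "2020-12-10T08:04:00Z", "2020-12-10T09:04:00Z"),
    # Suspicious: never issued by the IdP and valid for a full year
    _assertion("_f9", "globaladmin@corp.example", "2020-12-10T08:10:00Z",
               "2020-12-10T08:10:00Z", "2021-12-10T08:10:00Z"),
]

if __name__ == "__main__":
    for aid, user, reasons in audit_assertions(OBSERVED_ASSERTIONS, IDP_ISSUANCE_LOG):
        print(f"{aid} ({user}): {'; '.join(reasons)}")
```

In a real deployment the issuance side would come from the federation server's audit events and the accepted side from the cloud tenant's sign-in logs, joined on the assertion identifier; the logic above is the same.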
In a digital climate that is changing at an incredibly rapid pace, it is unrealistic to believe that your organization will never be compromised. It is impossible to eliminate every threat to your organization, so you must be able to perform early detection and remediation. At the same time, think twice if you think your company is too small to be targeted by threat actors. Organizations are now going on the offensive and thinking about proactive ways to hunt for threats.
