Cloud Threat Hunting

Simplify incident analysis across your configurations, posture, network traffic and identity activity. Check Point automates ongoing intrusion detection, monitoring and threat intelligence as part of a unified approach.


The Unique Challenges of Cloud Threat Hunting

The vast amount of data that needs to be collected and analyzed is a painstaking and time-consuming process, which can hamper its effectiveness. Currently, it takes an average of 280 days* for an organization to realize they’ve been infiltrated and contain a cyber breach. It’s no wonder, considering that the Mitre [email protected] framework identifies almost 200 unique tactics, techniques and procedures that organizations need to consider for identifying threats and assessing levels of risk. Threat hunting, is a ‘never ending story’; we find threats and fix them, then attackers change direction and the cycle repeats. Unfortunately, both the quantity of these loops and the speed at which they rotate increase exponentially in the cloud, and now, cybersecurity professionals must track multiple cloud vendors and multiple assets, many of which are ephemeral. Often times, organizations are not aware something is happening on their network until they receive an alert that an attack is in progress. However, it’s too late at this point. The key to success is being able to detect threats swiftly, (in some cases prevent them) in order to reduce the time they can dwell within your environment, and incur damage.

Identify: First Step to Cloud Threat Hunting

By taking a proactive and methodical approach to security, you can identify these attacks and remediate them promptly. In order to do this, you must begin making observations, collecting information, creating hypotheses, analyzing data and investigating to prove or disprove hypotheses. The right tools and processes must be in place to collect data, analyze and respond appropriately.

cloud threat hunting one

Collect Data

Without the right data, you cannot hunt. Threat hunting requires first collecting quality data from various sources, such as logs, servers, network devices, firewalls, databases, and endpoints. Unfortunately, many organizations lack visibility into the data within their cloud applications. Customers are asking for visibility into their VMs, containers and serverless architectures, as well as user activity and network traffic across all of their services. To achieve this level of insight and ensure good quality data, organizations must move from a narrow cloud provider view to one that is multi cloud.


Investigate and Analyze

Effective threat hunting requires more than just visibility though. During the investigation, threat hunters need to leverage the right tools in order to establish a baseline and proactively investigate anomalies. Any malicious activity that is deviant from normal network behavior could be an Indicator of Compromise (IoC). Strong IOCs include a malware signature alert on your network and ransomware executables on your file system, picked up by your intrusion detection system (IDS) or anti-virus. Whereas examples of weak IOCs are repeated failed user login attempts and login times which align with typical use. You can monitor your network for known IoCs by sourcing them from threat intelligence feeds.


cloud threat hunting two

Set IDS alerting only on strong IOCs to help avoid alert fatigue. However, weaker indicators are not worthless. When chained together, weaker IOCs can build a strong indication of compromise.

To catch a criminal, you need to think like a criminal. You must assume a breach will happen and look at the problem from the attacker’s point of view. Threat modeling involves identifying potential threats and modeling avenues of attack. The exercise of threat modeling enables you to prioritize and mitigate risks. Consider questions such as what do you want to protect, what are the consequences if you fail, and how much trouble are you willing to go through in order to prevent those consequences?

Finally, be sure to conduct tests by simulating a variety of threats in the cloud, such as mimicking cross-tenant attacks. Produce attack patterns and “misuse cases,” and map out the processes of attack and defense or countermeasures sequences.

cloud threat hunting three

Draw Conclusions and Respond
During the resolution phase, all information you have collected during your investigation should be communicated to other teams and tools that can respond, prioritize, analyze, or store the information for future use. This places you in a better position to predict trends, prioritize and remediate vulnerabilities and improve security measures.

CloudGuard Intelligence

Check Point CloudGuard Intelligence simplifies incident analysis by visualizing information across your configurations, posture, network traffic and identity activity. We enrich this information to help you understand what service performed what type of activity.

cloudguard how it works diagram

At the heart of this is our global ThreatCloud Intelligence database, which scan millions of URL and files every day. We also leverage geo databases to gather information about locations and process those events against third-party intelligence services. Threat analysis and correlations makes use of several machine learning capabilities resulting in meaningful data and alerts that can trigger investigation processes or follow up activity.

Pre-built reports allow you to drill down into specific types of activity, performing regular tasks such as account discovery, and auto remediation allow you to customize responses to any type of network alert, audit trail or security event. This greatly reduces the time from alert to resolution.

Best of all CloudGuard Intelligence seamlessly works with the other products under the CloudGuard platform, comprised of posture management, application and workload protection, and network security. Why not try it for free today!

Threat and Investigation Series

privilege escalation video

Privilege Escalation Via Lambda


lateral movement video

Lateral Movement Under the Radar


privilege escalation via ec2 video

Privilege Escalation Via EC2

breach of major financial institution video

Breach of a Major Financial Institution

This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.