The rise of cybercrime has created an insatiable appetite for threat hunting. Many organizations take a reactive approach to cybersecurity. Often, the first indication that something is happening on their network is when they receive an alert about an attack in progress. However, by this point, it may already be too late to stop the attack. In today's challenging and rapidly changing environment, cyberthreat actors are becoming increasingly sophisticated, and many of them can remain undetected until they achieve their objectives. By taking a proactive approach to security, security teams can identify infections while they are still in the “stealth” phase, allowing them to be remediated before they do significant damage to the organization. To do this, the security team needs to learn to threat hunt.
Threat hunting is a critical focus area for increasing the cybersecurity posture of any organization. Threat hunting can be performed in a proactive context (referred to as ethical hacking) or in a defensive context to stop bad actors from penetrating the organization's defenses. Several industry best practices provide a threat-hunting framework that can act as a set of guidelines for organizations. The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) Framework is highly regarded in the cybersecurity industry as one of the most comprehensive catalogs of attacker tactics and techniques. Threat hunters use this framework to look for the specific techniques that attackers most often use to penetrate defenses.
Testing that incorporates a comprehensive view of an environment's ability to monitor and detect malicious activity with the existing tools that defenders have deployed across an organization is critical to safeguard against cyberattacks. There are some practical questions we are presented with on a daily basis while implementing cloud cybersecurity solutions to expedite digital transformation projects globally. These questions are specifically:
These questions confronted Dr. Chris Peiris in a real-world scenario when he was presented with an opportunity to build a “side-by-side” cybersecurity fusion center implementation on the Microsoft Azure and AWS technology platforms. He noticed a growing requirement among enterprise customers to enable a “multi-cloud” strategy. Chris, in collaboration with Binil and Abbas, started to address this growing customer demand.
They noticed that the primary motivations for customer organizations to have a tailored cybersecurity risk framework are to avoid “vendor lock-in” to a specific technology platform and to meet regulatory compliance requirements. This approach ensures vendor neutrality and, from a risk-mitigation perspective, rapid disaster recovery for the organization. It helps organizations plan their security posture and build a threat-hunting ecosystem that ensures long-term sustainability. Therefore, counter to the popular sentiment of Cloud Service Providers (CSPs) competing for market share, there is a growing “synergy framework” that enables the CSPs to work together to address customer requirements.
As a practical example, an email phishing attack can be detected by Microsoft Defender for Office 365 via the organization's Azure or Windows assets. The same threat hunting can be achieved via Amazon's GuardDuty cloud offering. It is practical to build a multi-cloud threat-hunting framework that leverages the best of both worlds from multiple cloud providers to address the organization's specific cybersecurity risks.
This multi-cloud synergy framework gives an organization a rich toolset to increase its security posture and leverage the CSPs' global threat intelligence assets. The organization can significantly improve its security posture by partnering with CSPs using this multi-cloud capability.
This book aims to present a threat-hunting framework that enables organizations to implement multi-cloud security toolsets to increase their security posture. We focus on the AWS and Microsoft security toolsets and address the most common threat vectors using the MITRE ATT&CK Framework as a reference architecture. We also address the future of threat hunting in relation to AI, machine learning, quantum computing, and IoT proliferation. This book is a practical guide for any organization aiming to build, optimize, and advance its threat-hunting requirements. It provides a comprehensive toolset to accelerate business growth with secured digital transformation and regulatory compliance activities.
Many organizations are quickly discovering that threat hunting is the next step in the evolution of the modern Security Operations Center (SOC), but remain unsure of how to start hunting or how far along they are in developing their own hunting capabilities. We believe this book addresses a gap in the market. There are several books on threat-hunting frameworks and how to use them in on-premises environments (as opposed to cloud/CSP implementations). Threat-hunting capability on cloud assets is largely unexplored. This book also addresses the people (the human element) and the business measurements to consider in order to successfully adopt a threat-hunting framework. It provides practical guidance for implementing a threat-hunting framework irrespective of the organization's size and maturity.
There are specific vendors' blog posts/articles and “how-to guides” to address individual threat vectors. However, there is no definitive guide on how threat hunting works on Microsoft or AWS to address all major attack vectors. That's where this book comes in.
Can an organization build a comprehensive threat-hunting framework addressing all the common attack vectors using cloud assets? This book attempts to address these key questions on the AWS and Microsoft cloud platforms.
The contents in the book are prepared to serve business decision makers like board members, CXOs, and CISOs, as well as a technical audience. Business users will find the technology-agnostic cloud threat-hunting methodology framework valuable to manage their cybersecurity risks. Technical users will benefit from the how-to guide on Microsoft Azure and AWS to address these risks. There are no other books in the market that address Microsoft Azure and AWS side by side. You will also get an opportunity to learn to use the best of both worlds in Microsoft Azure and AWS (i.e., you can create a solution where endpoint detection and response is addressed by Microsoft, with Microsoft Defender for Endpoint, and information management is done by AWS Macie).
We have structured the book in five parts:
Here is a further breakdown of chapter contents.
In addition to this book, here are some other resources that can help you learn more:
https://attack.mitre.org/
https://docs.microsoft.com/security/
https://aws.amazon.com/security/
https://cloud.google.com/security/
If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur.
In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission”.