Many organizations now store more sensitive data and assets in the cloud than on-premises — and attackers have taken notice. Organizations need to know what threats attackers pose in the cloud. One way to stay on top of potential attacks is to use cloud threat intelligence.
Threat intelligence involves the collection, classification and exploitation of knowledge about adversaries. Teams collect security intelligence data from a variety of sources, including logs, security checks, and third-party threat intelligence feeds, and then analyze that data to mitigate risks.
As the cloud becomes more ubiquitous, it must become an integral part of the threat intelligence process. Security engineering and operations teams must dedicate time and resources to developing, gathering and deploying cloud-specific threat intelligence.
Organizations can gather cloud-specific threat intelligence from various external sources, including cloud service providers (CSPs), threat intelligence providers, and managed security service providers.
Strategic and operational cloud threat intelligence
Security teams must develop both strategic and operational threat intelligence. Strategic threat intelligence involves managers and non-technical stakeholders shaping risk management decisions.
Examples of strategic cloud threat intelligence include the following:
- Current attack trends and campaigns targeting an existing CSP, such as the Chinese-sponsored attacks that targeted Microsoft in 2022 and 2023.
- Reputational changes with cloud services that may affect a customer organization.
- New vulnerabilities or attacks that target specific cloud workloads or service types in use, such as serverless, Kubernetes or containers.
Operational threat intelligence is more tactical in nature. It helps inform security operations center (SOC), threat hunting, DevOps and other technical teams.
Examples of operational threat intelligence include the following:
- Specific patterns of attacks against cloud resources, including password spraying, misuse and abuse of API keys and privileged roles, and deployment and operation of cryptocurrency miners in containers.
- Use of cloud storage and other services to host and distribute malware.
- CSP logs and event data that may indicate illegal use of resources, unusual access attempts, attempted outbound connection for data exfiltration or command and control, etc.
Key components of a cloud threat intelligence program
To effectively implement cloud threat intelligence, organizations need the right team and technologies.
A cloud-focused threat intelligence team should, depending on an organization’s size and capabilities, include the following primary participants:
- Cloud architecture and engineering teams.
- DevOps.
- Security architecture and engineering.
- SOC teams.
- Dedicated threat intelligence or threat hunting teams and roles.
Secondary participants may include internal risk management teams and executive leadership. Third-party analysts can also provide threat intelligence and cloud security insights.
To facilitate building a base of consistent and actionable cloud threat intelligence, organizations should implement and monitor the following technologies:
- Cloud log creation and collection services, such as AWS CloudTrail or Amazon CloudWatch, Azure Monitor and Google Cloud Logging.
- Network flow data collection in any major IaaS cloud.
- Security services that align with or provide threat intelligence within CSP environments, such as Microsoft Sentinel, Amazon GuardDuty, or Google Cloud Security Command Center.
- Any workload protection platforms used, such as leading endpoint detection and response tools or cloud-native application protection platforms.
- Cloud security posture management and cloud access security broker platforms that provide insight and context into both configuration state and interactive cloud behavior.
Security teams must define use cases and develop integration playbooks that make collected data actionable. This helps make informed risk decisions and enables more accurate and targeted threat hunting and response investigations. Building a dashboard of risk changes that is tracked and monitored over time can also help distill cloud threat intelligence into metrics and KPIs for managers.
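One such use case, written out as an added example that is not from the original article: a detector for the password-spraying pattern over AWS CloudTrail `ConsoleLogin` records. The sample events are constructed, and the names `console_login`, `detect_spraying`, `WINDOW` and `MIN_USERS`, along with the threshold values, are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MIN_USERS = 4                    # assumed distinct-account threshold

def console_login(ts, ip, user, result):
    """Build a constructed record in the shape of a CloudTrail ConsoleLogin event."""
    return {"eventTime": ts, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": result}}

# Constructed sample data (documentation IP ranges, invented user names).
SAMPLE = [
    console_login("2024-05-01T10:00:05Z", "203.0.113.10", "alice", "Failure"),
    console_login("2024-05-01T10:00:40Z", "203.0.113.10", "bob", "Failure"),
    console_login("2024-05-01T10:01:10Z", "198.51.100.7", "carol", "Failure"),
    console_login("2024-05-01T10:01:30Z", "203.0.113.10", "carol", "Failure"),
    console_login("2024-05-01T10:02:00Z", "198.51.100.7", "carol", "Failure"),
    console_login("2024-05-01T10:02:20Z", "203.0.113.10", "dave", "Failure"),
    console_login("2024-05-01T10:02:45Z", "198.51.100.7", "carol", "Success"),
    console_login("2024-05-01T10:03:00Z", "203.0.113.10", "erin", "Failure"),
]

def detect_spraying(events, window=WINDOW, min_users=MIN_USERS):
    """Return {source_ip: sorted user names} for IPs that failed logins against
    at least min_users distinct accounts inside one sliding time window."""
    failures = defaultdict(list)
    for e in events:
        if (e.get("eventName") == "ConsoleLogin"
                and (e.get("responseElements") or {}).get("ConsoleLogin") == "Failure"):
            when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            user = (e.get("userIdentity") or {}).get("userName", "unknown")
            failures[e["sourceIPAddress"]].append((when, user))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in hits.items()}
```

Repeated failures against a single account (198.51.100.7 in the sample) are not flagged, which separates spraying from single-account guessing. In real CloudTrail data, failed logins for nonexistent user names are recorded with the user name `HIDDEN_DUE_TO_SECURITY_REASONS`, so they count as one account here.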
Dave Shackleford is founder and principal consultant at Voodoo Security; SANS Analyst, Instructor and Course Writer; and GIAC technical director.