Many organizations now store sensitive data and assets in the cloud rather than on-premises, and attackers are taking notice. Organizations need to understand the threat posed by attackers in the cloud. One way to stay on top of potential attacks is to use cloud threat intelligence.
Threat intelligence involves collecting, classifying, and exploiting knowledge about adversaries. A threat intelligence team collects security data from a variety of sources, including logs, security controls, and third-party threat intelligence feeds, and analyzes that data to reduce risk.
As cloud adoption increases, the cloud must become an integral part of the threat intelligence process. Security engineering and operations teams must spend time and resources developing, collecting, and implementing cloud-specific threat intelligence.
Organizations can collect cloud-specific threat intelligence from several external sources, including cloud service providers (CSPs), threat intelligence providers, and managed security service providers.
Strategic and operational cloud threat intelligence
Security teams must develop both strategic and operational threat intelligence. Strategic threat intelligence supports executives and non-technical stakeholders in making risk management decisions.
Examples of strategic cloud threat intelligence include:
- Current attack trends and campaigns targeting existing CSPs, including China-backed attacks targeting Microsoft in 2022 and 2023.
- Changes in reputation regarding cloud services that may impact customer organizations.
- New vulnerabilities or attacks that target specific cloud workloads or service types in use, such as serverless, Kubernetes, or containers.
Operational threat intelligence is more tactical in nature. It provides information to security operations centers (SOCs), threat hunting, DevOps, and other technical teams.
Examples of operational threat intelligence include:
- Specific attack patterns against cloud resources, including password spraying, abuse of API keys and privileged roles, and deploying and operating cryptocurrency miners inside containers.
- Use of cloud storage and other services to host and distribute malware.
- CSP log and event data that may indicate resource misuse, anomalous access attempts, data leaks, or outbound connection attempts for command and control.
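The operational intelligence above only becomes actionable once it is turned into detection logic over the CSP's own log data. As an added example that is not part of the original article, the following Python flags a password-spraying pattern (one source IP failing logins against many distinct users in a short window) in constructed, CloudTrail-style ConsoleLogin records; the field names follow the CloudTrail format, the sample events and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed CloudTrail-style ConsoleLogin records (not real log data), trimmed
# to the fields the detection uses: 203.0.113.7 fails against four users within
# a minute, while 198.51.100.9 is one user mistyping a password twice.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:01Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T10:00:09Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T10:00:20Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"userName":"carol"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T10:00:31Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"userName":"dave"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T10:01:00Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.9","userIdentity":{"userName":"erin"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T10:01:15Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.9","userIdentity":{"userName":"erin"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T10:01:40Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.9","userIdentity":{"userName":"erin"},"responseElements":{"ConsoleLogin":"Success"}}
"""

def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def failed_logins(events):
    """Yield (timestamp, source_ip, user) for every failed ConsoleLogin event."""
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, ev["sourceIPAddress"], ev["userIdentity"].get("userName", "<unknown>")

def detect_password_spray(events, min_users=3, window_seconds=600):
    """Return {source_ip: sorted users} for IPs whose failed logins hit at least
    min_users distinct identities inside any window of window_seconds."""
    by_ip = defaultdict(list)
    for ts, ip, user in failed_logins(events):
        by_ip[ip].append((ts, user))
    hits = defaultdict(set)
    for ip, attempts in by_ip.items():
        attempts.sort()  # sliding window over time-ordered failures per source IP
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while (ts - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:  # many users from one IP is the spray signature
                hits[ip] |= users
    return {ip: sorted(users) for ip, users in hits.items()}
```

One user failing repeatedly from one address (a typo or a brute force against a single account) is deliberately not flagged by this rule; that is a separate detection with its own threshold.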
Key components of a cloud threat intelligence program
To effectively implement cloud threat intelligence, organizations need the right team and technology.
A cloud-focused threat intelligence team should include the following key participants, depending on the size and capabilities of your organization:
- Cloud architecture and engineering team.
- DevOps.
- Security architecture and engineering.
- SOC team.
- Dedicated threat intelligence or threat hunting teams and roles.
Secondary participants may include internal risk management teams and senior management. Third-party analysts can also provide threat intelligence and cloud security insights.
To help build a base of consistent and usable cloud threat intelligence, organizations should implement and monitor the following technologies:
- A cloud log creation and collection service, such as AWS CloudTrail or Amazon CloudWatch, Azure Monitor, or Google Cloud Logging.
- Network flow data collection in the major IaaS clouds.
- Security services that integrate with or provide threat intelligence within the CSP environment, such as Microsoft Sentinel, Amazon GuardDuty, and Google Cloud Security Command Center.
- Workload protection platforms in use, including leading endpoint detection and response tools and cloud-native application protection platforms.
- A cloud security posture management and cloud access security broker platform that provides insight and context into both configuration state and interactive cloud behavior.
Security teams must define use cases and develop integration playbooks that make the collected data actionable. This allows you to make informed risk decisions and enables more accurate and targeted threat hunting and response investigations. Building a dashboard of risk changes that are detected and monitored over time also helps distill cloud threat intelligence into metrics for executives and their KPIs.
Dave Shackleford is the founder and principal consultant at Voodoo Security. He is a SANS analyst, instructor, and course author, and GIAC technical director.