A Practical Application of Threat Hunting in Cloud Applications and Infrastructure


By: Sekhar Sarukkai, McAfee Chief Scientist for Cloud Security

While investigating threats to endpoints and networks is a well-established practice – hunting for cloud-native threats is becoming an important new mandate for SOC teams.

In many cases, the cloud environment is externally managed by the cloud service provider, as in the case of Microsoft 365. There aren't agents, network security infrastructure, or other legacy ways of detecting events that the security team can analyze for threats. Cloud-native attacks typically aren't even malware-based, instead relying on compromised accounts and features of the cloud services themselves to land and expand an attack from cloud to cloud.

That doesn't mean the consequences aren't real. Data exfiltration is still the primary goal of cloud-native attacks, and over a quarter of files stored in the cloud are typically considered sensitive1. So how are security teams dealing with these attacks today? For many it is a manual effort to sort through a patchwork of incidents provided by their cloud access security broker (CASB). Most feed those events to a SIEM for further analysis, but the numbers can be in the millions, making cloud threat investigation a labor-intensive security practice. This is especially challenging when investigation is removed from the cloud context where the incidents occurred.

There hasn't been an efficient or effective way to gain visibility into cloud attacks and establish a repeatable risk mitigation process.

User and Entity Behavior Analytics, or UEBA, featured in our cloud-native security platform MVISION Cloud takes billions of cloud events and filters them down to thousands of anomalies and often just dozens of true threats. This removes the tedious work of event correlation from security analysts so they can focus on what's important to their investigation – anomalous events and actual attack behavior.

However, this is only part of the process. Every security operations center (SOC) investigates tactics and techniques that may be used in an attack, while correlating threats across multiple domains. The only way to understand the full scope of an attack is to speak a common language within and across each domain – and that language is MITRE ATT&CK®.

From MVISION Cloud, SOC teams now have a rich set of anomaly and threat events from the cloud mapped to the MITRE ATT&CK tactics and techniques they use today in their investigation process. You can feed these events directly into your SIEM or SOAR platform in multiple ways, including via API, providing a constant feed of incidents pre-filtered by UEBA.

SOC analysts can also view the MITRE ATT&CK framework directly in MVISION Cloud, for quick analysis of threats and their impact on specific users, data, and cloud services. You also have a unique opportunity to introspect cloud environments and assess their security posture on a continuous basis, enabling proactive detection of ongoing attacks. Within MVISION Cloud, analysts have multiple views:

  • Retrospective, showing all the cloud attacks that have fully executed.
  • Proactive, showing attacks in progress, or configurations that may be exploited, so they can be stopped before any damage is caused.
  • A full kill-chain view of an attack, combining incidents, anomalies, threats and vulnerabilities into a holistic string of infractions.

Security teams responsible for protecting their critical assets in cloud environments like Microsoft 365, Teams, AWS, Azure and others can identify gaps in protection and make policy and configuration changes directly from the MITRE ATT&CK view of an ongoing threat.

By visualizing attacks across the ATT&CK Matrix, effective policy decisions can be made at the right stage to stop the adversary before they are successful in achieving their goal.

With McAfee, threat investigation isn't just for one environment – it is for all of your environments, from cloud to endpoint and your analytics platforms. With McAfee MVISION Cloud, MVISION EDR, and MVISION Insights, your enterprise has an extended detection and response (XDR) platform for the heterogenous attacks you face today.

1 www.mcafee.com/enterprise/en-us/solutions/lp/mcafee-data-dispersion-cloud-adoption-risk-report.html

Sustaining Partners