Anton on Security
Published in

Anton on Security

How to Think about Threat Detection in the Cloud

This is written jointly with Tim Peacock and will eventually appear on the GCP blog. For now, treat this as “posted for feedback” :-) Ideally, read this post first.

In this post, we will share our views on a foundational framework for thinking about threat detection in public cloud computing.

To start, let’s remind our audience what we mean by threat detection and detection and response. A balance security strategy recovers attention to all 3 elements of a security triad prevention / detection / response. Prevention does improve, but never becomes perfect. Hence we need to find the badness that comes through despite preventative controls. Finding and confirming malicious activities and presenting them to the security team and/or automatically responding to them constitutes detection and response. [A.C. — you, the esteemed reader of this blog, do not need this explanation, perhaps, but a typical cloud user might]

How is the cloud different compared to the traditional environment? A framework to understand this includes:

  • Threat landscapes change

First, threat landscapes change. This means new threats evolve, old threats disappear all the while the importance of many threats changes. If you perform a threat assessment on your environment, then migrate the entire environment to the public cloud, even if you use the naïve lift and shift approach, the threat assessment will look very different. MITRE ATT&CK Cloud helps understand how some threat activities apply to public cloud computing.

Second, the entire environment around you changes. This applies to the types of systems you would encounter, technologies, and operational practices. Essentially, the realm where you have to detect threats is different — as are the assets being threatened. While some people often choose to present this picture as some alien land where a blue team would have only challenges, the opposite is mostly true. Cloud does bring a lot of new opportunities for detection, the subject of this post. The main theme here is change, some for the worse and some for the better.

After all, cloud is

Sometimes the combination of Distributed, Immutable and Ephemeral cloud properties is shorthanded to “DIE” and called a DIE triad.

All these affect how we are doing threat detection for the cloud environment.

Third, telemetry sources and detection methods also change. An astute reader would assume that this is a derivative of the previous point we made, but it is not entirely true. Let’s look at some easy examples first. For some cloud services, and definitely for SaaS, a popular approach of using an agent such as EDR would not work. However, new and rich sources of telemetry may be available (Cloud Audit Logs are a great example here). Similarly, an expectation that you can sniff traffic on the perimeter, and that you even will have a perimeter may not be entirely correct. Pervasive encryption hampers layer 7 traffic analysis, while public APIs rewrite the rules on what a perimeter is. Finally, detection sources and methods are also inherently shared with the cloud provider, with some under CSP control while others are predominantly under cloud user control.

This leads to several domains where we can, and should, detect things in the cloud.

These six domains provide the coverage needed (network, identity, compute, container infrastructure, etc) and some specific detection mechanisms (API access logs, network traffic captures, etc).

Let’s review a few threat detection scenarios in the cloud.

Everybody highlights the role of identity in cloud security. Naturally, it matters in threat detection as well — and matters a lot. While we don’t want to repeat the cliché, that in a public cloud you are one IAM mistake away from a data breach, we know that cloud security missteps can be costly. To help protect organizations, GCP offers services that automatically and in real time analyze every IAM grant to detect outsiders being added, even indirectly through Google Groups!

Detecting threats inside compute instances such as virtual machines (VM) using agents seems to be about the past. After all, VMs are just servers, right? However, this is an area where cloud brings new opportunities. For example, VMTD allows security teams to do completely agentless YARA rule execution against their entire compute fleet (magic!).

Finally, products like BigQuery require new ways of thinking about detecting data exfiltration. For example, SCC detects queries and backups in BigQuery that would copy data to different GCP organizations.

Naturally, some things stay the same in the cloud. For example, broad threat categories (insiders, outsides, etc) are probably the same. Steps in the cyber kill chain, i.e. coarse grained stages of an attack, broad MITRE ATT&CK tactics,are largely unchanged as well.

What does that mean for the defenders?

  • When you move to the cloud, your threats and your IT change and change a lot.

So, what to do next?

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store