Book Review: Threat Hunting in the Cloud

Wiley’s new book, Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, by Chris Peiris, Binil Pillai and Abbas Kudrati, offers a richly detailed and well organized rundown on mitigating risks that arise in the cloud. This book is for any organization that puts its digital assets on the Amazon Web Services (AWS) or Azure public cloud platforms. In other words, every corporation or public sector entity in the world could benefit from this book.

I say this because virtually all businesses and government agencies are either on the cloud or connected to someone who is. And, as we continue to learn, the cloud presents a massive, attractive attack surface for malicious actors. As the book explains, attackers are using the cloud to stage phishing and ransomware attacks. The cloud presents attackers with opportunities to penetrate networks and breach sensitive data. Attackers now engage in attempts at privilege escalation in the cloud, credential theft, lateral movement and attacks on command & control systems. Organizations must also view the cloud as an attack vector for nation state actors intent on disrupting their operations.

The authors do a good job of explaining why it is not enough to be reactive in the face of cloud-borne threats. Waiting around for the attack is not an effective cybersecurity strategy. They offer a cloud threat hunting maturity model so readers can gauge their organization’s readiness to deal with threats in the cloud. In their view, it pays to be proactive—the more organized, the better.

Like some Wiley books, the 504-page Threat Hunting in the Cloud can be read in parts. The book consists of three main sections. Part I provides an overview of the subject. Parts II and III go into detail on threat hunting in Azure and AWS, respectively. Readers get comprehensive “how tos” for threat hunting in AWS and Azure based on the MITRE ATT&CK framework and MITRE Threat Hunting Framework Tactics, Techniques and Procedures (TTPs).

Threat Hunting in the Cloud goes into an incredible amount of detail. The table of contents alone is 10 pages long. That’s one of the impressive aspects of this book. The authors not only describe why threat hunting in the cloud is critical, they also go into a great deal of depth on how to get the job done.

Also, importantly, the book does not skimp on the organizational aspects of such an effort. An effective cloud threat hunting program has a lot to do with people and team structure. It doesn’t just happen. The right people, with the right skills, need to be in place. They need to understand how the overall security operation works, where they belong in it, and so forth. The book explores the practicalities of integrating cloud threat hunting with Security Operations Centers (SOCs) and Cyber Fusion Centers.

The solutions proposed in the book are vendor neutral, though the authors do base many of their sections on specific AWS and Azure tools. These include Microsoft Services for Cloud Security Posture Management and AWS CloudTrail, among others. Given that many larger organizations use both AWS and Azure, along with other platforms, the book provides solutions for forming an AWS-Azure threat hunting fusion capability. As the authors note, threat hunting must accommodate the multi-cloud strategies now common in many organizations.

Threat Hunting in the Cloud then discusses how to respond to threats once they have been identified. It delves into disaster recovery and threat response workflows. Along the way, it suggests metrics that enable an organization to track the success of its threat hunting efforts.

The book ends with a discussion of the future of threat hunting in the cloud. It looks at the growing role—and future potential—of technologies like Artificial Intelligence (AI), Machine Learning (ML) and Quantum Computing in protecting against threats in the cloud.

Threat Hunting in the Cloud is a worthwhile resource for any organization that wants to assess how it is doing in cloud security. For an organization that has not yet started on cloud threat hunting, the book is a must-read for everyone involved in the effort.