Proactive cloud threat hunting through adversary emulation

Publisher

Strathmore University

Abstract

Organizations have increasingly adopted cloud computing infrastructure as the foundation for delivering digital services, a trend known as 'digital transformation.' While cloud computing offers flexibility, cost reduction, and improved productivity, it also raises significant security concerns because of reduced visibility and an increased attack surface. The emergence of cloud-conscious threat actors exacerbates these concerns. This research focused on operationalizing cloud threat hunting as a proactive measure to reduce attacker dwell time in organizational environments. The aim was to review threat-hunting approaches for the cloud environment, concentrating on threats that target IAM misconfigurations. This included analyzing adversary emulation methods that can support threat hunting in the cloud, developing and testing a threat-hunting model for operationalization, and validating the performance of that model. The study's objectives were achieved through a design science approach, employing an experimental methodology divided into offensive and counter-offensive phases. In the offensive phase, adversary emulation provided a comprehensive summary of common threat scenarios. In the counter-offensive phase, three hypotheses were formulated based on MITRE ATT&CK techniques: Hypothesis 1 focused on T1078.004, Hypothesis 2 on T1098.003, and Hypothesis 3 on T1136.003. The study demonstrated the effectiveness of the developed threat-hunting model in identifying cloud-specific threats. All three hypotheses, which focused on key IAM misconfiguration attack vectors, were validated as true, highlighting the importance of proactive threat hunting for these attack vectors.

Keywords: Cloud Threat Hunting, IAM Misconfigurations, Adversary Emulation, MITRE ATT&CK Techniques

Description

Full-text thesis

Citation

Bunde, C. O. (2025). Proactive cloud threat hunting through adversary emulation [Strathmore University]. https://hdl.handle.net/11071/16419
