Ashish Rajan: Hello and welcome to Cloud Security Podcast. As you can imagine, this is the first of the episode series where we're going into a bit more than just talking about the architecture side. So we're going to talk about threat detection in cloud environments and how you can build your own playbook. I've got a repeat guest.
And I'm so happy that I got him again, because it's really hard to catch him. So I'm so glad I got onto him. But before we get into that, if you're here for the first time, and if you're listening to this from either LinkedIn, YouTube, or I guess any of our social media, feel free to follow and subscribe; we make videos like these
every weekend. And the audio version of this is available on the website. And before I bring my guest in, I just want to say a quick thank you to our sponsor for the season, which is Axonius. I'll let Nathan do the job, because Nathan is much better than I am at doing this.
So let me just quickly bring on Nathan.
Nathan: Hey Ashish and Cloud Security Podcast listeners. Thanks for giving Axonius the opportunity to sponsor the show. Axonius does exactly three things: by connecting to existing data [00:01:00] sources, Axonius gives customers a comprehensive asset inventory, both cloud and on-prem IT.
Then it uncovers security gaps, and finally it automatically validates and enforces policies. Thanks again, and check us out at Axonius.com.
Ashish Rajan: Thank you for that, Nathan. Now the moment has arrived.
Hey, thank you for coming in.
Ashwin Patil: Yeah, thanks for having me again. Really flattered that you brought me back again.
Ashish Rajan: I'm glad you came back, man. Obviously you don't need an introduction, but for people who have not seen your first episode with Cloud Security Podcast, if you can tell a bit about who Ashwin Patil is and how you landed up where you are today.
Ashwin Patil: Yeah, sure. So, yeah, my name is Ashwin Patil. I've been in the security space for around 11, 12 years now.
I currently work as a senior program manager in the Microsoft MSTIC team, that's what we call it. It stands for Microsoft Threat Intelligence Center, so it's a broader org that has multiple teams inside it. Right now I'm part of the MSTIC R&D team. So we do a lot of threat detection research, [00:02:00] writing
and publishing content for Azure Sentinel, which is Microsoft's new cloud-native SIEM. And then we also work with various product teams inside Microsoft, basically working with them on the different features that they have for security analysis, hunting and those things. And we also publish some content and a whole lot of other things.
That's pretty much what I do at Microsoft. So I've been at Microsoft for around seven years now. Prior to that I used to work for Cisco, and prior to that I used to work for an MSSP.
Ashish Rajan: Oh, so quite a varied career path as well. So, I mean, I guess we ask this question every episode, and you gave me the answer last time as well. Out of curiosity, what is cloud security for you?
And I wonder if it's changed since the last time we spoke.
Ashwin Patil: I think, yeah. So in simplistic terms, I would just say cloud security is basically security of your cloud assets, resources, services, whatever you have deployed in the cloud. Now security can be a pretty broad [00:03:00] term. Depending upon your cloud exposure, you may have to think about secure design, secure architecture,
security monitoring, auditing. That is where I live most of the time. So yeah, it's pretty much securing your cloud footprint, I would say.
Ashish Rajan: So it hasn't really changed much, but securing your cloud footprint would also make me think that it also goes with the threats in the system.
Because coming from threat hunting, it's a great question to ask you as well: threat detection. When people say threat detection, is it different from when you were doing threat detection pre-cloud, and now that you're in cloud, or whatever the compute technology is? Like, what are some of the things people should be aware of in threats and threat detection?
Ashwin Patil: From my perspective, when I started my career as a SOC analyst, we used to monitor mostly on-premises stuff like data centers. So there was a whole different set of attacks, attack vectors, and different sorts of data [00:04:00] sources and different sorts of security alerts that you used to monitor.
And then, accordingly, you would have a certain incident response process. Now, when organizations started shifting to the cloud, the cloud gives you a lot more, I would say, diversity in terms of your assets. So you don't even have to have a server; you can just deploy your application.
And then you have to basically see how you can secure that application without worrying about the backend infrastructure and all those things. Right. Coming back to security monitoring again, cloud brings up new attack vectors, new data sources and new types of resources to monitor.
Right? So if you compare on-premises with the cloud, there are different attack vectors, different tactics and techniques that attackers use, but ultimately the goal is to gain access to your environment and then basically do some malicious activity.
Ashish Rajan: Last time you came in, you kind of spoke about a few terminologies, which I think were a good introduction, like TTP, MITRE ATT&CK and [00:05:00] detection research and all that. I'm imagining this has evolved, and this is probably good for people who are looking at this and going, "Oh, I'm not doing threat hunting. This is not for me." So out of curiosity, is threat hunting for everyone?
Like, to your point, you deploy applications securely. Clearly everyone wants to deploy applications securely, right? But do you need to be a full-time team doing threat hunting, or can anyone start this?
Ashwin Patil: Yeah. Yeah. So in my opinion the answer is, it depends. Most of the time organizations do not have enough resources to even properly do security monitoring, auditing and those things.
So I would say having basic security monitoring and alerting in place, that's the first and prior requirement for you. You should definitely have certain resources dedicated to looking for certain things. Let's say, for example, you have certain high-privileged accounts: you do want to monitor if somebody gets access, or if you detect any unauthorized [00:06:00] access to those high-privileged credentials.
Right. So that's something very essential and necessary that you should have. And then, on top of that, it is really recommended that you proactively hunt in your environment and not rely on the built-in protections and security alerts and those things. So depending upon your availability of resources, SOC team, you might want to think about how you balance security monitoring and threat hunting, and then how both work in tandem.
Ashish Rajan: I imagine that with privileged accounts, irrespective of whether you're doing threat hunting or not, everyone has things that they want to protect. Like you would not be giving out the privileged account's password willy-nilly; you'll have some kind of two-factor on it, or it'd be different.
It may be a separate account. So people are already doing this, I guess, when they know about this. So I think, to your point, the way I hear it from you, this is more around the fact that people should be considering threats anyway. It's just rather whether [00:07:00] it's a team dedicated to looking at threats across the company, or just you looking at threats in your own little team, however big the team is. Is that right?
Ashwin Patil: Yeah. Yeah. So security monitoring itself is a very broad subject. And then there are different strategies that you can apply. Depending upon the maturity of your organization and the expertise and skills that you have already hired into your organization, you may think about security monitoring differently.
Some people will be more mature. They will have multiple diverse teams, red team, purple team, blue team, and then they'll be running a much more mature setup. But for some organizations that may not be possible. So they might want to start with security monitoring first and then think about how do we proactively threat hunt.
Also, it is essential to know what sector your organization falls in. So you might want to think about what are the different threats that are applicable to your organization, [00:08:00] depending upon the sector your organization is in; if it is banking, there may be certain threat actors that target banking companies.
Ashish Rajan: Oh, I love it. And maybe it's a good time for me to kind of switch and do a rapid fire on that. I guess I was going to say maybe a rapid fire round for some nomenclature around threat hunting. Like, what is TTP, first one?
Ashwin Patil: So TTP is tactics, tools and procedures. It's a military term. And then it's used in multiple frameworks, like MITRE ATT&CK. So in the MITRE framework we have tactics and techniques, so I'm kind of shifting to the framework directly. So the tactics are basically the objective that the adversary wants to achieve, and then techniques are basically the various techniques through which you want to achieve your objectives.
Right? So if you take an example, let's say credential access is a tactic, so that's basically a [00:09:00] goal. So somebody wants to gain access to your credentials, and then the technique can be, let's say, your AWS access keys have been leaked in public, or some other different means, right?
So the technique can be different, and then the tactic will be how you achieve that goal.
Ashish Rajan: Right? So to your point and examples, even going further, it could be the fact that, hey, I may have, I don't know, some kind of privileged account as well. What would be the, quote unquote, threat, what counts as a potential threat to that?
Is that the kind of TTP that you're looking at, right? So what's the potential threat there, and how do I go about solving or really limiting that?
Ashwin Patil: Privilege monitoring again, it can happen multiple times, right? So you may already have certain privileged accounts that you are monitoring, but since you have deployed your cloud resources, there will be certain changes happening within your cloud infrastructure every day.
Right? So depending upon the access that people have, they might one day just create a [00:10:00] full admin policy and then accidentally attach it to certain accounts. Right? So at that time you have a new privileged account or new identity in place, which is probably not monitored through your regular means.
Right. So you may also want to monitor what changes are happening in your cloud infrastructure, if somebody is doing any misconfiguration and then exposing your organization to certain attacks.
Ashish Rajan: That's a good segue into my next question, which is cloud detection research. I keep hearing about it; we keep talking about detection research and cloud detection research.
Well, what is cloud detection research, and how does that link to threat hunting?
Ashwin Patil: Threat hunting can be, I would say, a subset of your detection research. There are different avenues that will fuel or trigger your detection research. So with proactive threat hunting of your infrastructure, the result of your threat hunting exercise can basically give you an idea of what your detection footprint looks like, and then what your [00:11:00] detection coverage looks like.
And then, based on your threat hunting exercise, you may have new detection requirements. So if we take an example of a threat hunting exercise, threat hunting often starts with a certain hypothesis. Let's say you have a hypothesis that somebody has gained access to your sensitive data,
and that data was stored in a certain cloud storage bucket. Right? So that's a hypothesis. Now, in order to hunt for that hypothesis, you will start thinking about, okay, in order to hunt for these activities, what are the data sources that I have? Right. So from those data sources, what activities can I see, so who is accessing my storage buckets?
So if that storage bucket is not, let's say, publicly accessible, what are the different resources linked to that storage bucket which may give an avenue for the attacker to get access to that storage bucket? Right. So [00:12:00] that's kind of like one exercise. Depending upon that hunting exercise, you will have a certain outcome at the end: okay,
we have the capability to monitor, either through the existing detections to detect certain activity, or we do not have those detections in place and we may want to onboard new data sources, like the cloud storage bucket access logs, sign-in logs and those sorts of things.
So that is one. I mean, you know, there are multiple other avenues. Red teaming, purple teaming exercises can also give... the report of the purple teaming activity can provide certain inputs to the blue team to write new detections and develop those detections.
Ashish Rajan: Love the fact that you mentioned purple team,
because I definitely want to get into that as well. I've got a question here from Vineet: what things do you consider when you do threat hunting in the planning phase?
Ashwin Patil: That's a good question. Thanks, Vineet. So the planning is very good. Planning [00:13:00] can happen in multiple ways, depending upon how you want to conduct it. There was one talk that I recently watched at SaaS cloud security.
It basically talks about how you mind map when thinking about your threat hunting exercise, right. So when I talk about the hypothesis, you can start to use a mind map as one of the tools, and then think about, depending upon the hypothesis, you may want to first think about the data sources that you may want to look into, and then from the data sources you might want to think about
what are the TTPs that are available to detect, certain threat hunting techniques. And then with those techniques, how do you want to monitor those data sources, schema and all those things? There may be other things that can come into the picture, depending upon how you are monitoring your environment, like the SIEM and all those.
So, what tools do you already have? What tools might you want to think about? If you have the capability [00:14:00] to, let's say, proactively hunt for that hypothesis, that's good. If you don't see any results, you may want to think about certain adversary simulation tools, which will emulate that activity.
And then you can start going back to your data sources and look for that sort of activity. I would have something to recommend: one of my colleagues, Shane Ray, has written a blog last year about identifying threat hunting opportunities in your data.
So that blog is somewhat related to the Azure data sources, but it's very generic in fashion. It gives a lot of pointers about, okay, what are the opportunities, and then what are the ways that you can start thinking about threat hunting in your data?
So I'd definitely recommend checking that out.
Ashish Rajan: Awesome. And I'll link them across as well. So once you pass them over, I'll probably just put them in the show notes as well. Hopefully we answered your question, Vineet; let us [00:15:00] know if we haven't. And I think that was a good segue: now we've spoken about threat detection and how it relates to threat hunting and the planning phase as well.
And we kind of touched on whether this is applicable for any organization of any size. Maybe at a small level it's not a full-time threat hunting gig; maybe initially you're just doing some threat assumptions, threat research and stuff, but building a practice around this.
I imagine if you're a startup right today, you're obviously doing it from a very small nuance, you know, the accounts that you want to hold onto, and you kind of grow and become this big enterprise where you feel like threat hunting is required. At what point do you think the needle flicks over to, "Hey, I think I should have a threat hunting team"?
Is it the number of employees, or is it more like you become the bank? Like, is there a point for that?
Ashwin Patil: I think there may be multiple answers to that question, but yeah, depending upon the size and then what sort of monitoring [00:16:00] you're doing, that definitely triggers the need for having a dedicated threat hunting team.
Also you may want to holistically view the security monitoring you have in place: what sort of things you're already detecting, what your detection coverage looks like. And then do you have a need to either improve that detection coverage and bring in threat hunting exercises so that you can
fill those gaps, or you may want to think about it differently as well. So yeah, it depends how you want to think about it.
Ashish Rajan: Okay. Cool.
That's a great answer, because this is exactly what I was trying to get to: it can happen at any level. It doesn't have to be a full-time threat hunting team as well.
You could be doing this on your own. So considering we've actually unfolded some of the primal information around threat hunting, I want to get into a bit more about the purple teaming we spoke about earlier, where we've identified something. And let's just walk through [00:17:00] one of the talks that you did, which was around KQL and purple teaming and stuff.
So I would love for us to do almost a walkthrough on building, like we mentioned data sources as well. If we just take AWS as an example, how would you go through from the data sources to validation to purple teaming? If you don't mind walking us through that.
Ashwin Patil: Yeah. So the talk that I gave at the Purple Team Summit was on purple teaming in AWS. It focuses again on using adversary simulation tools. So in that particular talk I used CloudGoat. It is probably one of the best tools available to simulate multiple TTPs for AWS environments.
Released by Rhino Security Labs, it's an open source tool. So that tool basically provides the capability right from setting up the vulnerable infrastructure and then conducting the attack in an automated fashion, like [00:18:00] simulating some API commands, and then as it executes those commands, you will have certain logs in your cloud account.
And then if you are bringing those logs to your SIEM or the log technology that you have, you can start searching for that activity. Right? So I took three scenarios. CloudGoat has multiple other scenarios that you can start simulating. So I took three scenarios. The first one was the Capital One breach. I think that has been a good example that everyone has used to basically educate and write certain detections. The other two scenarios were
on the identity piece, like how you can escalate your IAM accounts and then do certain activity. The way that I did it was, there are only three steps. You just spin up CloudGoat, and then you have access to a certain area of an AWS account where you can deploy those resources.
Once you are done with your exercises, [00:19:00] that infrastructure can be taken down. So you will spin up that infrastructure only for a very short period of time, and then you will conduct your exercises and generate your dataset. And then once you have the relevant data sources, you can just go back to your SIEM and start searching for those techniques.
Now this depends. One thing that we touched on earlier was, is it for everyone? I would say, if you do not want to go through all of these exercises, the easiest route will be just finding those ready-made datasets. Right? So you don't conduct those exercises;
you just get access to that dataset. So the other project that I talked about in that talk was similar. Again, this is one of my colleagues, Roberto Rodriguez. I think he's pretty well known in the community; he goes by the handle Cyb3rWard0g. So he has multiple projects available there.
One of the projects was Simuland. So in [00:20:00] that project he has basically outlined a similar way, but he has also generated that dataset already. So if you have a smaller organization and you do not want to go through all those exercises, you can just gain access to that dataset, bring that into your log provider and then
start exploring that dataset, like how certain things look, and then how do you want to detect those things, right? And then there are other projects out there as well that you may want to consider, depending upon what type of datasets you want to search on and what tactics or techniques you want to hunt for.
Ashish Rajan: Great answer. I was also going to say, if we go a layer deeper. So for example, I'm going to use an AWS example: just say AWS CloudTrail as a data source. So I'm assuming you collect the data for X amount of time, trying to see what kind of threats may exist. So it almost feels like you need to have some kind of threat scenario already in your mind before we [00:21:00] dive into the dataset.
Is that right? Like, so if I just go to your point: CloudGoat gives you the TTPs already. So it has a few threats already built in, but that may not be applicable for your organization. So you might have to think about, "Hey, I'm logging into this root account.
That's a threat for me to assess, essentially, because people should be using a local user instead of using the root account." Is that something that should be included in the thinking as well?
Ashwin Patil: Threat hunting is based on the hypothesis, right? So you will have a full-fledged scenario in order to start hunting in your organization.
Right? So you may also want to think about, let's say once an attacker has compromised your identity, what are the different goals that the attacker wants to achieve in your environment? So CloudGoat is also great in that fashion. It does not give you atomic techniques, like, this is how you compromise an identity.
It gives you a full-fledged scenario. Right. [00:22:00] So one of the scenarios was, you basically use IAM privilege escalation techniques. So let's say you have lower privileged identity access, and then by some means you escalate your identity from normal access to privileged access.
And then once you gain access to your privileged identity, you may want to just go and, let's say, access your source control server and then basically spin down or delete that server. Right? So that's the full-fledged scenario, right? So the attacker has certain techniques and then a certain objective at the end.
So depending upon those exercises, you will be thinking about how you do the threat hunting for the whole exercise.
Ashish Rajan: So that's a good one. Sounds like I'm pretty well equipped for this. And it's kind of where I'd love to add
Vineet's question, which is: could you suggest the best resource to get hands-on experience in Azure Sentinel, like with playbooks, and does Azure provide a trial? Before we get into that, [00:23:00] what is Azure Sentinel? And how is it related to threat hunting? I mean, I know you're from Microsoft, so it probably goes without saying, but why should people consider Azure Sentinel, and what is it?
Ashwin Patil: Yeah, I think, okay. I will try to do my best job to explain what Azure Sentinel is. So it's basically a cloud-native SIEM. One of the, I would say, limitations of prior SIEM technologies was you have to deploy certain infrastructure, and then you theoretically will have certain limits,
like how you extend your log analysis, log storage and all those things. But with the cloud you again theoretically have unlimited capacity, right? So in terms of storage, in terms of processing and all those things, it's really elastic. So you can deploy a very minimal environment and then, depending upon your scale and all those things, you can
[00:24:00] extend. Right. So that is the cloud-native SIEM that Azure has come up with, Sentinel. Apart from that, we have certain other very great features in there. I'm just thinking, the one primary thing that we have done was basically publishing a lot of detections out of the box for customers and the community, right?
So we publish a lot of detections, and then we try to keep updated with the latest threats and all those things, and our public community can also come in and contribute and then extend that experience to a whole new level. Right. And then there is also the machine learning piece that Azure Sentinel has that you can leverage.
So Azure Sentinel also has certain machine learning detections that you can leverage, depending upon the analytics that you have, right? There are also multiple other features, like the playbooks, so you can have automated scenarios. We just call it SOAR.
So depending upon, let's say, you received an alert, depending upon the alert, you may [00:25:00] want to conduct certain actions, and then you may want to act, basically take certain actions. Let's say you detect a password spray attack, and then based on the alerts you may want to either block certain IPs, or let's say somebody has accessed certain accounts,
you may want to reset that account. So you can have that whole workflow put in place as part of the playbook. So you will have automated end-to-end monitoring plus incident response through your playbooks. So basically taking that burden off from the people and putting technology in place to do that stuff.
Ashish Rajan: Interesting, the playbook concept, because the whole thing that we started this episode with was around how we do threat detection.
And depending on the size, it could be an individual team doing it, or it could be an individual trying to find out, okay, what are my threat scenarios in this organization, and how do I start building? Do people [00:26:00] actually have a playbook? Like, you know, we mentioned playbooks in Sentinel as well.
And I would like you to get into the playbook from an Azure Sentinel concept. But when we talk about threat detection as a concept, and what we were talking about earlier in the cloud context, where everything is API enabled and anyone and everyone should be able to go create
automatic detection for threats as you're doing threat research, is there a need for a playbook like we have with incident response? There is an incident response playbook; so similarly, should there be a detection playbook for people? Should they consider having one of those?
Ashwin Patil: Sure. So typically, if you
have worked with security operations centers or any security monitoring teams, when I started there was certainly a playbook for each of the security alarms. Right. So even though you train your SOC teams, there is certain documentation and then certain
steps that, you know, people should take as action when they receive certain alerts. Right? So that was [00:27:00] a static version of the playbook. So let's say you receive an alert; these are the three or four steps that you want to do to further investigate and then conclude whether it's benign activity, or you want to follow up with certain teams, or
you may want to put some blocks in place and then trigger your remediation exercise. Right? So that was, let's say, the static version of the playbook. At that time there were technologies to automate and integrate, a lot of technologies to bring in automation, but now I think it's much easier; there is a lot of integration already in place that you can directly leverage across tools and technologies.
Right? So let's say you received an alert. As a result of that alert, you may want to create an automated ticket. Right. So for that playbook, you may want to have the first action be to look for an alert, right? [00:28:00] The second action will be to integrate with your case management platform,
let's say ServiceNow or any third-party ticketing platform that you are using. So within that playbook, you connect to ServiceNow through an API, authenticate to ServiceNow, and then create an action to create a ticket. Right? And then the third action will be to either automatically send an email or do certain actions depending upon that playbook scenario.
Ashish Rajan: Right? So all of those things are much easier right now. Like even in Azure Sentinel out of the box, you can do a lot of things. So those things are certainly available in
Sentinel. Right. So to come back to Vineet's question, and thank you for being patient as well. So what's the best resource to get hands-on experience in Azure Sentinel, like with playbooks and stuff?
So would you recommend using the inbuilt Azure ones, or would you recommend building your own? [00:29:00] Where do you stand on that, considering you're probably adding to the playbooks yourself?
Ashwin Patil: At Microsoft we have very recently started what's called Ninja trainings for each of the security products.
Right. So you will see, for each of the security products, not only for Azure Sentinel now, but Defender, MCAS and other products, we have something called Ninja training. So that's available for free. You can just search for Azure Sentinel Ninja training, or there's probably a link that you can
put in the show notes.
So that's a good starting place. It gives you pretty good training; the Azure Sentinel training came from a Microsoft spokesperson. In that training there's a specific chapter very focused on the playbooks. You'd get started with how you write your own playbook and what things you want to consider, and then if you want to extend
the knowledge that you gained from [00:30:00] the training, there are blogs that we regularly do. You can just do like ms/azuresentinel blog; people publish and blog about different sorts of playbooks very often. So you could check our GitHub, or you could just check the Azure Sentinel blog.
So those are a couple of places. Then I'll get to the last question about the trial version. So definitely Azure, each cloud provider gives you a trial or demo account with certain credits. Azure gives around $200. So you could definitely start with a new demo account that will give you $200.
Within that you can basically go and set up your Azure Sentinel infrastructure and then bring in certain logs. Azure Sentinel also has certain free data limits: the first five GB that you ingest are free. So there is no charge for that; up to five GB you will not [00:31:00] get charged.
And then on top of that, depending upon your credits, you can see the amount of data that you bring, and accordingly credits will decrease and all those things. So yeah, those are things that probably will help, I think.
Ashish Rajan: Would you say, with the 5 GB limit, that you can probably keep overriding the log if you want to as well?
Right. If your overall consumption is not that high, can you keep overriding? I'm just thinking about it from a startup perspective. Obviously they would be cash-limited; they have limited cash based on the venture capitalists funding them. So they can pretty much keep rotating that five GB, or keep, because Microsoft has startup programs as well.
Not that you and I are the right people to ask about Microsoft's startup funding, but yeah, I have heard that there are startup fundings as well. There is, I guess, some sort of funding that you can get from, like, Microsoft for free credits as well. If you're reaching out to them, that's probably a great one.
I've mentioned the Ninja link as well. But can you keep rotating that five GB? Or is that something that
Ashwin Patil: It's like the first time you set up [00:32:00] Azure Sentinel, the first five GB of data that you ingest will be free. So you, I mean, the meter, like, the meter does not reset after, ah,
Ashish Rajan: right, right.
Ashwin Patil: It continues after 5 GB. Right. So, but yeah, I mean, if you're just starting out and you just want to explore what Azure Sentinel looks like, and then just bring in, like, a very small dataset, that may be, like, a great starting place. But yeah, I mean, as you say, depending upon your, let's say if you have a startup, there may be specific programs that will probably offer them free credits and all those things.
Ashish Rajan: Thanks for going through the example as well. I guess one of the ideas behind this episode is also being able to give enough information to people that they're able to go and create their own threats. Outside of the whole ATT&CK matrix that exists for, I guess, cloud service providers, is there any other, I guess, resource that you refer to
when creating playbooks or looking at what other threats should be considered? There's always this threat of, [00:33:00] "I've got a zero day," but how often do you really see a zero day? Most likely, most of the scenarios that one may have to think about for their industry can usually be found in, I guess, one or two datasets around the world.
And I have heard you talk about this, and a lot of other people talk about the ATT&CK matrix. Outside of the ATT&CK matrix, maybe you can talk about the ATT&CK matrix first, and then we can talk about whether there's any other resource that you recommend people can go to for knowing what the threats are.
Ashwin Patil: Yeah. So, the MITRE ATT&CK framework.
If you are an analyst, I think, and you don't have a good idea about where you should start your detection research, or even if you have an idea about where you should start your detection research, I think knowing about what frameworks are already in place will be a good, I guess, starting point.
Right? So MITRE, which is, like, a non-profit organization, they have come up with, like, the ATT&CK framework, which is pretty much, like, a very comprehensive resource. And then it's globally accessible. It's also aligned to real-world attacks and all those [00:34:00] things. So that's a good starting point.
So you can start with the MITRE ATT&CK framework for the cloud. So for each cloud, they have, like, different ATT&CK matrices. So depending upon the ATT&CK matrices, you may want to think about, okay, so for these clouds, these are the different attacks that you have, and then these are certain techniques, right?
And then they also basically connect those attack techniques to attack tools, attack threat actors, and all those things. So there's a very good connected framework that already exists. So you may want to start with those things. Also, like, the cloud matrices are still, like, a work in progress, so they're not complete.
Right. So you will definitely find a lot more research that the various red teams or, like, orgs publish. So depending upon that exercise, you may want to think outside of the cloud ATT&CK matrices: these are certain new attack vectors that you have, and then depending upon those attack [00:35:00] vectors, you may want to set up new monitoring in place.
Ashish Rajan: Maybe let me add another layer to this as well. That was a good answer. Adding another layer, like, what do you normally use as threat hunting techniques in your playbook? I don't know if you can share them, but would you want to share some techniques that you use on, like, maybe on cloud datasets, that you can probably share as an example for people?
Ashwin Patil: Sure. So I would say, like, for most of the cloud data sources, I think JSON is probably a very good format that one should be aware of. Like, most of the Azure datasets, or like even the cloud datasets, even for AWS and Azure, some of the Azure activity logs, and even for, I guess, like, GCP Stackdriver and those things, they come in the JSON format.
Right. So when you go about threat hunting for those cloud datasets, knowing and manipulating that JSON format becomes, like, an essential skill, I would say, right? So the way that you can do it is, like, there will be a query language available, through which you can basically query those cloud datasets.
One of the talks that I gave was around KQL, which is, like, the Kusto Query Language. That's kind of available across different, again, Microsoft security products, like, not only for Azure Sentinel, for Azure Defender, there's M365 and all those products; they have kind of the same query engine.
So you can basically leverage the power of that in order to go and threat hunt in your environment. So coming back to the techniques again, depending upon your hypothesis, you may already know what data sources you want to target. And depending upon your hypothesis, you also have a certain idea about,
let's say you are investigating login-related attacks, right? So you will definitely look for, let's say, sign-in logs or logs, and then in CloudTrail logs, you want to [00:37:00] specifically look for the login events, right? You do not want to look at all events, right? So that is, like, kind of the first atomic indicator that you will basically be starting from in the primary dataset.
You will basically drill down to a certain type of event, right? And then once you have narrowed it down to those event types that you want to look for, you may want to apply certain, let's say, data analysis techniques, or, like, basic stats techniques that you can use. So in KQL, or like in Azure Sentinel, we have certain things, certain types of tables, right?
So you will have datasets stored in different tables, right? So you will basically join these tables and then try to find out if there is any information that you can enrich your existing dataset with, or within that same dataset that you may want to see. Let's say, like, if you are inspecting certain behavior of certain accounts, right?
So you may want to compare the current day's [00:38:00] log with the previous day's log and then try to see, like, how was the behavior different for that account the previous week? And then how do you compare that previous week with the current week? So that is kind of one of the techniques that will basically, again, drill down your results from, let's say, millions to probably thousands, right?
So because you start your threat hunting very broadly, like, your first threat hunting queries will give results of, let's say, millions or billions, right? So you may want to basically apply certain data analysis techniques to compress that data, and then try to find out some actionable information that analysts can act upon or investigate further.
Ashish Rajan: I love the answer about the atomic value as well. So you've kind of gone down to that exact scenario. I love the terminology. Awesome. I probably have one more question before we kind of wrap this up. Is threat hunting different between, say, Azure and AWS? Obviously we spoke about [00:39:00] Azure Sentinel quite a bit, but how is threat hunting different between, say, Azure and AWS, in terms of, like, datasets or techniques or experience, like, as a threat hunter?
What would you say? How would you compare the two?
Ashwin Patil: Yes. So, again, like, the underlying cloud technologies are pretty much the same, right? So you have resources, services, right? So you will have probably different names for the same type of service. Right? If we say from a basic level, each cloud has, like, compute, storage, and different, let's say,
secret store sorts of services, right? So first and foremost, like, if you want to track changes to your resources, right, that threat hunting may sound similar in both cloud vendors. So let's say you will have those logs coming into play. Let's say, in the case of AWS, all of those logs are getting dumped into CloudTrail. In the case of Azure, depending upon your [00:40:00] resources, it will go either to the Azure Activity
logs or other tables. Like, depending upon that, let's say if it's Azure AD, it will also go to the sign-in logs and other things. Right. So that's the first layer. Then the second difference, probably, again, is basically depending upon how the cloud has implemented certain technologies, let's say, like, identity.
If we take the example of identity, in the world of AWS, you have, let's say, a policy, like a JSON policy, that technically defines certain privileges that you can associate with the identities. Right. And then you will have those identities in place with certain privileges allocated, right?
So that's basically the type of identity that AWS has, right? Coming back to Azure, Azure has a different way, like role-based access control and all those things. So now you will have, like, different implementations of [00:41:00] different, or, like, let's say the same identity technology. Right? So now if you want to hunt for identity-based attacks in Azure, you have to think about different ways, right?
Because, I will say, the same attack vectors may not be present in both clouds. Right? So in AWS, you may have seen, like, Rhino Security Labs, they have released, like, 20 different ways through which you can basically escalate your AWS IAM identities, right? So all of those 20 ways are very different,
very pertinent to AWS. Right. So in that scenario, your threat hunting becomes very different for AWS versus in Azure. Like, in Azure, you will have different ways that you can escalate your Azure accounts and all those things. So yeah, so it really depends upon what type of resource you are monitoring and then how the cloud vendor has basically implemented that.
Ashish Rajan: It's interesting and well said as well, [00:42:00] because I think it kind of goes back to what you were saying about the atomic value and how you can take it in whichever direction you want, but it may also depend on the threats that you have to face as an industry, because you technically could have both Azure and AWS, and maybe even GCP as well.
It may just come down to, hey, what is the threat, and how does it apply to all three cloud providers, or multiple cloud providers? That's a great answer, man. Well, dude, I always appreciate you doing this. And I just wanted to say thank you once again. This is kind of like the end of the show as well. Where can people find you if they have more questions about threat detection and building threat detection practices, or getting some datasets and Ninja training, as you were talking about?
So where can people find you?
Ashwin Patil: Yeah. So I'm pretty active on social media, at least on Twitter and LinkedIn. So you can find me on Twitter by searching my first name, last name, Ashwin Patil. My DMs are open, so even if you are not following me, you can still DM me, or LinkedIn is also another way that you can reach out to me.
Drop me a message. I'll definitely [00:43:00] get back to you whenever I see it and I have something to add to your questions. So yeah, those are a couple of places. I guess that's probably the most suitable, apart from email, and I guess that's not easy for anybody.
Ashish Rajan: I don’t think anyone uses email these days.
But anyway, I feel like Twitter and LinkedIn are definitely becoming a lot more popular a medium than email. I'm going to stop myself before I go into that rabbit hole of what the future of email is. But I always appreciate you coming on the show as well. I'm sure everyone else does as well.
So thank you for coming on the show. I really appreciate that. And I'm looking forward to bringing you back again, maybe for some more threat hunting we can talk about, from purple teaming and KQL as well. For everyone else who's joining in, I also wanted to say thank you to them as well, because this is the first time we've done
live streaming on the Cloud Security Podcast. And I think we crossed over the 50 mark, which is pretty good. We had 50 live people. So that's pretty awesome. And thank you everyone for the questions as well. And if you like episodes like this, feel free to subscribe, and definitely follow [00:44:00] Ashwin on Twitter and connect with him on LinkedIn,
because I think he's been dropping a lot of gems as well, so I definitely believe there's a lot more to unpack and explore here. So I hope people reach out to you, man, but thank you so much for coming on the show.
Ashwin Patil: Hey. Yeah. Yeah. Thank you. Thank you for having me. I really like the format, like, much more interactive, and streaming, so yeah, it's great to be here.
Ashish Rajan: Awesome. All right. Well, I look forward to bringing you back again for more streaming, but for the moment we will take leave from everyone over here in the audience. I'll see everyone else next week, but I will talk to you soon. Ashwin, thanks so much for coming in.