Threat Hunting in the Cloud Solutions Forum 2023

The cloud is considered the new frontier of technology, but it is no longer novel. The COVID-19 pandemic drove companies to the cloud at a breakneck pace, and during the same period many organizations evolved from single-cloud to multi-cloud operations. The various cloud providers offer a wide variety of services that fit organizations' needs on a case-by-case basis. The multi-cloud environment introduces a new problem for threat hunters who have grown their skill sets within on-premises and single-cloud environments: noisy data. For every additional cloud environment an organization operates, there is more threat intelligence to collect, more logs to ingest, and more attack surface to cover.

It is more important than ever that organizations take advantage of automation and machine learning to advance and accelerate their existing threat-hunting programs. Operating without a Security Information and Event Management (SIEM) system is no longer feasible. The SIEMs that the cloud providers offer are expensive, and not all organizations have the skill sets to build and maintain custom solutions that address the needs a SIEM covers.

Security practitioners widely acknowledge that threat hunting programs are essential. The problem is that security alerts and data noise are increasing exponentially in multi-cloud environments, which hinders the establishment of a multi-cloud threat hunting program.

Getting a handle on the volume of data generated by threat intelligence feeds, inventory data, and log sources is critical to an effective multi-cloud threat hunting program. Join us for the Threat Hunting in the Cloud Forum 2023 and hear talks on:

- Understanding your cloud environments and services in use

- Essential cloud log sources

- Normalizing and enriching data based on threat intelligence

- Automating threat hunting tasks with cloud-based solutions

- Building systematic Threat Models

Join in on the action! Connect with fellow attendees and our event chairs in the SANS Solutions Forum Interactive Slack Workspace. Sign in once and you'll be all set for the rest of our 2023 Solutions Forums. We'll see you there!

Thank You to Our Sponsors

Anomali, Cado Security, Cisco Umbrella, Cyborg Security, Panther, Sysdig, VMRay

Agenda | August 25, 2023 | 10:30AM - 1:30PM EDT

Timeline (EDT)

Session Details

10:30 AM

Welcome & Opening Remarks

Terrence Williams, Certified Instructor, SANS Institute

10:45 AM

Unmasking Linux Malware in the Cloud: A Journey from Theory to Practice

Join us as we address the challenges and opportunities of threat hunting in Linux-based cloud environments. 96.3% of the top one million web servers globally run Linux, which makes Linux malware sandboxing an essential tool for identifying and understanding threats specific to the cloud environment. This helps hunt potential threats preemptively and minimize the risks associated with cloud services.

This webinar will delve into Linux-specific threats such as IoT botnets, crypto-mining, and ransomware, highlighting how cloud environments alter our perspective of the threat landscape. You'll also gain insights from a typical cloud threat-hunting scenario, where in-depth threat analysis is a crucial capability in the threat hunter's arsenal. The session will conclude with an in-depth look at a Linux malware analysis, providing a clear view for threat hunters in the cloud.

Fatih Akar, Security Product Manager, VMRay

Ertugrul Kara, Sr. Product Marketing Manager, VMRay

11:20 AM

The Threat Hunter's Playbook: Mastering Cyber Defense Strategies

Greetings, Cyber Defenders and Security Champions! Are you prepared to defend your cyber turf against the threats lurking in every corner? In this session, our threat researchers will explore the world of weaponized cloud automation and other cunning tactics used by attackers. Learn how automation empowers attackers in lightning-fast cyber-attacks and discover the importance of reconnaissance alerts as your first line of defense. Unveil the secrets of cloud complexity and intercept hacker strategies with an aggressive defense. Equip yourself with Threat Hunter skills, navigate the cloud-native landscape, and bolster your organization's cyber defense.

Ready to level up your cyber defense game? Don't miss this opportunity to stay one step ahead of the ever-evolving threat landscape. Remember, the Threat Hunter's Playbook awaits you!

Michael Clark, Director of Threat Research, Sysdig

Crystal Morin, Cybersecurity Strategist, Sysdig

11:55 AM


12:05 PM

Demystifying Cloud Forensics: Investigating Virtual Machines, Containers, and Serverless Resources

Cloud computing has become increasingly popular in recent years, and with it, the need for cloud forensics. But what is cloud forensics? There is a widespread perception that it's just log analysis - the cloud sure does have a lot of logs! While logs are important, they aren't everything when it comes to performing forensics in the cloud. Further, there are key differences to consider when responding in cloud, container, and serverless environments versus on premises. In this session, Chris Doman, CTO & Co-Founder of Cado Security, will dig into the ins and outs of cloud forensics and how security teams can leverage the scale and speed of the cloud to expedite incident response without compromising on critical context.

Chris Doman, CTO & Co-Founder, Cado Security

12:40 PM

Panel: Navigating Cloud Complexity: Modern Threat Hunting in AWS, Azure, and Google Cloud

The ever-evolving landscapes of AWS, Azure, and Google Cloud continually redefine the challenges faced by threat hunters. With rapid service introductions and deprecations, along with varied logging levels under the Shared Responsibility Model, the journey of a threat hunter is intricate and demanding. This panel delves into these complexities, exploring critical decisions on data ingestion across multi-cloud environments, especially for businesses that aren't cloud-native. With adversaries constantly lurking, how do you strike a balance between automating mundane tasks and focusing on sophisticated threats? Uncover the vital log sources across different providers and the building blocks to craft an effective multi-cloud threat hunting program.

Terrence Williams, Certified Instructor, SANS Institute

Michael Clark, Director of Threat Research, Sysdig

Kenneth Westin, Field CISO, Panther

Chris Doman, CTO & Co-Founder, Cado Security

1:25 PM

Terrence Williams, Certified Instructor, SANS Institute