5 Hunting in clouds
This chapter covers
- Delivering cloud-native applications
- Ensuring the security of cloud-native applications deployed using Kubernetes
- Hunting in container-based environments
- Collecting information from private/public clouds
- Conducting a threat-hunting expedition in a public cloud Kubernetes infrastructure
- Working with cloud-native data sets
As cloud-native applications become more commonplace, it is increasingly likely that you’ll have to threat-hunt in the cloud. In this chapter, we practice threat hunting by conducting an expedition in a public cloud infrastructure hosting a cloud-native application. The chapter describes Kubernetes, identifies the critical data sources in a Kubernetes infrastructure, and shows how to collect and use various cloud infrastructure events for threat hunting, highlighting the differences between virtual machines and containers. Finally, the chapter documents the threat-hunting play and walks through the steps of the threat-hunting process.
Understanding the underlying infrastructure and data sources is critical for a successful threat-hunting play and expedition. Although I describe the cloud infrastructure components involved in this threat-hunting expedition, I encourage you to access the external links in this chapter to learn more about public cloud infrastructure and Kubernetes-related concepts.