Threat hunting in the cloud
2019-05-16, 16:45–17:45, Conf 2

Cloud services offer only limited built-in capabilities for detecting attacks and post-exploitation activity. This talk will cover methods of identifying threat actors via cloud and endpoint signals.
An endpoint security strategy can incorporate many layers of technology and security controls. Solution components such as endpoint protection platforms (EPP), endpoint detection and response (EDR), application whitelisting, and more are used to provide protection against, and response to, specific threats that affect endpoints. When dealing with endpoints that reside in cloud infrastructure, new risks are introduced that cannot be adequately monitored with traditional endpoint solutions alone.

This presentation will go over general best practices for securing a cloud environment (AWS/Azure), including the use of EDR on instances, as well as methods that can be employed to conduct threat hunting exercises against the collected data. We will also discuss what additional investigative details and context can be gained by correlating endpoint and cloud events.