We are migrating our core infrastructure to a multi-cloud setup and I'm worried about APT groups like APT28 or Mustang Panda. Since they often target cloud-native services, what specific Indicators of Compromise (IoC) should we look for in AWS CloudTrail or Azure Activity logs? Are there particular API calls or credential patterns that typically signal a long-term persistent threat?
3 answers
Look for "impossible travel" alerts. If a user logs in from New York and then London an hour later, it's a clear sign of compromised credentials.
In cloud environments, APTs shift from malware to identity-based persistence. Look for the "Golden Ticket" equivalent in the cloud: unauthorized creation of new IAM roles or unexpected modifications to Trust Relationships. In AWS, monitor for ConsoleLogin events without MFA from unusual geographic regions. Another huge red flag is a sudden spike in Describe or List API calls from a single identity, which suggests they are mapping your environment. Also, watch for the creation of snapshot copies or S3 bucket policy changes, as these are common precursors to large-scale data exfiltration.
Do you have a process in place to regularly rotate your long-lived access keys, or are you moving toward short-lived credentials via IAM Roles?
Justin, we are moving toward IAM Roles for EC2, but we still have some legacy keys floating around. Heather, that tip about monitoring 'List' API calls is gold. We actually caught a misconfigured script doing exactly that, which was a great test of our monitoring. We've now set up a Lambda function to auto-quarantine any IAM user that triggers more than a specific threshold of 'Describe' calls in a ten-minute window, effectively cutting off automated reconnaissance.
Riley is right. This is one of the easiest high-confidence alerts you can set up in Azure AD or Okta to catch initial account takeovers by APT actors.