Cyber Security

What are the most common Indicators of Compromise for nation-state APTs in cloud environments?

MO Asked by Morgan Taylor · 22-06-2024
0 upvotes 11,109 views 0 comments
The question

We are migrating our core infrastructure to a multi-cloud setup and I'm worried about APT groups like APT28 or Mustang Panda. Since they often target cloud-native services, what specific Indicators of Compromise (IoC) should we look for in AWS CloudTrail or Azure Activity logs? Are there particular API calls or credential patterns that typically signal a long-term persistent threat?

3 answers

0
RI
Answered on 23-06-2024

Look for "impossible travel" alerts. If a user logs in from New York and then London an hour later, it's a clear sign of compromised credentials.

MO 25-06-2024

Riley is right. This is one of the easiest high-confidence alerts you can set up in Azure AD or Okta to catch initial account takeovers by APT actors.

0
HE
Answered on 24-06-2024

In cloud environments, APTs shift from malware to identity-based persistence. Look for the "Golden Ticket" equivalent in the cloud: unauthorized creation of new IAM roles or unexpected modifications to Trust Relationships. In AWS, monitor for ConsoleLogin events without MFA from unusual geographic regions. Another huge red flag is a sudden spike in Describe or List API calls from a single identity, which suggests they are mapping your environment. Also, watch for the creation of snapshot copies or S3 bucket policy changes, as these are common precursors to large-scale data exfiltration.

0
JU
Answered on 26-06-2024

Do you have a process in place to regularly rotate your long-lived access keys, or are you moving toward short-lived credentials via IAM Roles?

MO 28-06-2024

Justin, we are moving toward IAM Roles for EC2, but we still have some legacy keys floating around. Heather, that tip about monitoring 'List' API calls is gold. We actually caught a misconfigured script doing exactly that, which was a great test of our monitoring. We've now set up a Lambda function to auto-quarantine any IAM user that triggers more than a specific threshold of 'Describe' calls in a ten-minute window, effectively cutting off automated reconnaissance.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session