EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securitythreat-intelligenceIOCGuardDuty

Cloud Threat Intelligence & Indicators of Compromise

Cloud threat intelligence extends beyond IP and domain blocklists to include IAM event patterns, anomalous API calls, and cloud-specific IOCs. This article covers threat intelligence sources, IOC categories, and how to operationalise intelligence in AWS and Azure environments.

Ashish Revar3 July 202618 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

AWS GuardDuty Finding Types Reference

Complete reference for all AWS GuardDuty finding types with severity and description.

CERT-In Security Advisories Portal

CERT-In official portal for vulnerability advisories and security alerts for Indian organisations.

MITRE ATT&CK Navigator for Cloud

Interactive ATT&CK Navigator for mapping detection coverage against cloud techniques.

AWS Security Lake Documentation

AWS Security Lake for centralised OCSF-formatted security data across accounts and sources.

More articlesTest your knowledge

What Is Threat Intelligence?

Threat intelligence is evidence-based knowledge — including context, mechanisms, indicators, implications, and actionable advice — about an existing or emerging threat. In cloud security, threat intelligence serves two functions:

  1. Strategic: Understanding which threat actors target your industry, what their objectives are, and what tools they use
  2. Operational/Tactical: Feeding specific indicators (IP addresses, domain names, API event patterns) into detection systems to identify active threats

Cloud-Specific Indicators of Compromise

Traditional IOCs (file hashes, IP addresses, domain names) remain relevant. Cloud adds a new category: behavioural IOCs — patterns of API calls that indicate malicious activity regardless of the IP or tool used.

IOC CategoryTraditional ExampleCloud Example
NetworkC2 IP addressesOutbound connections from Lambda to known C2 IPs
File-basedMalware SHA-256 hashMalicious container image digest
Account behaviourLogin from new countryConsole login from new region; API calls in 12 new regions
IAMN/ACreateUser → AttachUserPolicy sequence within seconds
Data accessLarge file copyS3 GetObject for 10,000+ objects in 1 hour from single principal
Configuration changeN/AStopLogging on CloudTrail; DeleteFlowLogs on VPC

Key Threat Intelligence Sources for Cloud

SourceTypeWhat It Provides
AWS GuardDutyAutomated detectionMachine learning + threat intel feed; CloudTrail + VPC Flow Log + DNS log analysis
Microsoft Defender for CloudAutomated detectionAzure-native threat detection with MITRE ATT&CK mapping
MITRE ATT&CK for CloudFrameworkComprehensive TTP catalogue for IaaS, SaaS, Office 365, Google Workspace
CSA CISA Cloud Threat ReportsStrategicQuarterly reports on cloud-specific threat trends
CERT-In AdvisoriesOperationalIndia-specific threat alerts and vulnerability advisories
Shodan / CensysOSINTScan public internet for exposed cloud assets belonging to your organisation
GreyNoiseOperationalIdentifies IPs that are scanning the internet at scale
AlienVault OTXCommunityShared IOC feeds across multiple attack types

GuardDuty: Cloud-Native Threat Detection

AWS GuardDuty is a managed threat detection service that continuously analyses CloudTrail, VPC Flow Logs, DNS logs, and S3 access logs. It requires no agent installation and adds no performance overhead.

Key finding types and their significance:

FindingWhat It Means
Recon:EC2/PortscanAn EC2 instance in your account is port-scanning other hosts
UnauthorizedAccess:EC2/SSHBruteForceSSH brute force attack detected against your EC2 instance
CryptoCurrency:EC2/BitcoinTool.B!DNSEC2 instance querying known cryptocurrency mining domains
Trojan:EC2/BlackholeTrafficEC2 instance communicating with a known C2 endpoint
CredentialAccess:Kubernetes/AnomalousBehaviorUnusual API server calls in EKS cluster
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWSInstance credentials used from outside AWS — SSRF indicator
Impact:S3/AnomalousBehavior.DeleteUnusual S3 object deletion (ransomware indicator)

Threat Intelligence Integration: Practical Workflow

External TI Feed (STIX/TAXII format)
       ↓
Import to AWS Security Hub Custom Findings
       ↓
Cross-reference against CloudTrail (Athena query or Security Lake)
       ↓
Match → GuardDuty Threat Intel Set (custom IP / domain list)
       ↓
GuardDuty generates finding on match
       ↓
Finding → EventBridge → Lambda → PagerDuty / SNS → SOC analyst

AWS Security Lake (launched 2023) aggregates security data from AWS services and third-party sources in Open Cybersecurity Schema Framework (OCSF) format, enabling Athena queries across CloudTrail, VPC Flow Logs, Security Hub findings, and external TI feeds in a single unified data store.

CERT-In Threat Intelligence for Indian Organisations

CERT-In (Indian Computer Emergency Response Team) issues:

  • Security Advisories: Vulnerability alerts with CVSS scores and mitigation guidance
  • Alerts: Active exploitation notices for Indian organisations
  • Guidelines: Sector-specific security guidance (banking, telecom, healthcare)

Under CERT-In Directions 2022, organisations must report incidents to CERT-In within 6 hours. This reporting requirement creates a feedback loop: your incident data contributes to national threat intelligence, which is shared (in anonymised form) back to the community.

Practical IOC Response: The 3-Step Rule

When an IOC is confirmed:

  1. Contain: Block the IP/domain at the WAF/NACL level; revoke the compromised credential immediately
  2. Collect: Export relevant CloudTrail/VPC Flow Log data to immutable storage before it rolls off the retention window
  3. Notify: Report to CERT-In (if mandatory), notify legal/DPO (DPDP Act 2023 breach reporting), and document in your incident log

Threat intelligence value decays rapidly. An IP address used by an attacker this week is likely abandoned or rotated next week. React within hours, not days.