Cloud threat intelligence extends beyond IP and domain blocklists to include IAM event patterns, anomalous API calls, and cloud-specific IOCs. This article covers threat intelligence sources, IOC categories, and how to operationalise intelligence in AWS and Azure environments.
Sign in to mark this article as read and track your progress.
Threat intelligence is evidence-based knowledge — including context, mechanisms, indicators, implications, and actionable advice — about an existing or emerging threat. In cloud security, threat intelligence serves two functions:
Traditional IOCs (file hashes, IP addresses, domain names) remain relevant. Cloud adds a new category: behavioural IOCs — patterns of API calls that indicate malicious activity regardless of the IP or tool used.
| IOC Category | Traditional Example | Cloud Example |
|---|---|---|
| Network | C2 IP addresses | Outbound connections from Lambda to known C2 IPs |
| File-based | Malware SHA-256 hash | Malicious container image digest |
| Account behaviour | Login from new country | Console login from new region; API calls in 12 new regions |
| IAM | N/A | CreateUser → AttachUserPolicy sequence within seconds |
| Data access | Large file copy | S3 GetObject for 10,000+ objects in 1 hour from single principal |
| Configuration change | N/A | StopLogging on CloudTrail; DeleteFlowLogs on VPC |
| Source | Type | What It Provides |
|---|---|---|
| AWS GuardDuty | Automated detection | Machine learning + threat intel feed; CloudTrail + VPC Flow Log + DNS log analysis |
| Microsoft Defender for Cloud | Automated detection | Azure-native threat detection with MITRE ATT&CK mapping |
| MITRE ATT&CK for Cloud | Framework | Comprehensive TTP catalogue for IaaS, SaaS, Office 365, Google Workspace |
| CSA CISA Cloud Threat Reports | Strategic | Quarterly reports on cloud-specific threat trends |
| CERT-In Advisories | Operational | India-specific threat alerts and vulnerability advisories |
| Shodan / Censys | OSINT | Scan public internet for exposed cloud assets belonging to your organisation |
| GreyNoise | Operational | Identifies IPs that are scanning the internet at scale |
| AlienVault OTX | Community | Shared IOC feeds across multiple attack types |
AWS GuardDuty is a managed threat detection service that continuously analyses CloudTrail, VPC Flow Logs, DNS logs, and S3 access logs. It requires no agent installation and adds no performance overhead.
Key finding types and their significance:
| Finding | What It Means |
|---|---|
Recon:EC2/Portscan | An EC2 instance in your account is port-scanning other hosts |
UnauthorizedAccess:EC2/SSHBruteForce | SSH brute force attack detected against your EC2 instance |
CryptoCurrency:EC2/BitcoinTool.B!DNS | EC2 instance querying known cryptocurrency mining domains |
Trojan:EC2/BlackholeTraffic | EC2 instance communicating with a known C2 endpoint |
CredentialAccess:Kubernetes/AnomalousBehavior | Unusual API server calls in EKS cluster |
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS | Instance credentials used from outside AWS — SSRF indicator |
Impact:S3/AnomalousBehavior.Delete | Unusual S3 object deletion (ransomware indicator) |
External TI Feed (STIX/TAXII format)
↓
Import to AWS Security Hub Custom Findings
↓
Cross-reference against CloudTrail (Athena query or Security Lake)
↓
Match → GuardDuty Threat Intel Set (custom IP / domain list)
↓
GuardDuty generates finding on match
↓
Finding → EventBridge → Lambda → PagerDuty / SNS → SOC analyst
AWS Security Lake (launched 2023) aggregates security data from AWS services and third-party sources in Open Cybersecurity Schema Framework (OCSF) format, enabling Athena queries across CloudTrail, VPC Flow Logs, Security Hub findings, and external TI feeds in a single unified data store.
CERT-In (Indian Computer Emergency Response Team) issues:
Under CERT-In Directions 2022, organisations must report incidents to CERT-In within 6 hours. This reporting requirement creates a feedback loop: your incident data contributes to national threat intelligence, which is shared (in anonymised form) back to the community.
When an IOC is confirmed:
Threat intelligence value decays rapidly. An IP address used by an attacker this week is likely abandoned or rotated next week. React within hours, not days.