This article discusses the importance of Indicators of Compromise (IOCs) in cloud security, emphasizing the unique challenges posed by cloud environments. It highlights various types of atomic IOCs, their relevance to threat detection, and the need for effective monitoring and response strategies. #CloudSecurity #IndicatorsOfCompromise #ThreatDetection
Keypoints :
- IOCs are critical for detecting and responding to security breaches.
- Cloud environments introduce unique IOCs that differ from traditional IT environments.
- Atomic IOCs include container/VM image metadata, cloud subscription IDs, and user metadata.
- Behavioral IOCs are necessary for complex detections in cloud security.
- Effective monitoring and automation are essential for leveraging IOCs in threat detection.
MITRE Techniques :
- T1610 – Container/VM Image Metadata: Threat actors use custom Docker images with pre-installed malware.
- T1098 – Cloud Subscription: Threat actors hijack or create AWS accounts for malicious activities.
- T1578 – Infrastructure-as-Code: Attackers manipulate IaC scripts to gain access or escalate privileges.
- T1136 – Create Account: Attackers create new user accounts with administrative privileges for persistence.
- T1021.004 – Remote Services: Threat actors upload SSH keys to maintain access to compromised instances.
Indicator of Compromise :
- [IP Address] 134.209.127[.]249
- [Cloud Subscription] 671050157472
- [Cloud Subscription] 265857590823
- [IAM User] ses_xcatze
- [IAM User] AdminsDDefault
- Check the article for all found IoCs.
Full Research: https://www.wiz.io/blog/mastering-cloud-specific-indicators-of-compromise-iocs