
ChaosSearch Blog

14 MIN READ

How to Discover Advanced Persistent Threats in AWS


When it comes to managing AWS cloud security, a growing concern for security operations (SecOps teams) is the increasing sophistication of digital threats.

While conventional cyber threats deploy widely known tools and techniques in crude, all-or-nothing attempts to breach enterprise security controls, sophisticated attacks known as Advanced Persistent Threats (APTs) employ more advanced technologies and methods to gain and maintain access to secure systems for long periods of time.

In 2024, it took organizations an average of 258 days to identify and contain a security breach - that’s nearly 9 months. By evading detection for these long periods, attackers can use strategies like lateral movement and privilege escalation to gain deeper access over time, often pursuing high-value targets like sensitive personal information or protected intellectual property (IP) for a data exfiltration attack.

And the stakes have never been higher: according to IBM, the average cost of a data breach in 2024 was a staggering $4.88 million USD - a 10% increase from 2023, with nearly half (46%) of data breaches involving sensitive customer data.

The good news is that organizations can enhance their ability to detect APTs by continuously monitoring networks and infrastructure while implementing a proactive approach to advanced persistent threat hunting. In this blog, we’re taking a closer look at the dangers posed to organizations from advanced persistent threats, the importance of proactive threat hunting in AWS to identify and curtail long-term threats, and how to discover advanced persistent threats in AWS.

 

Find Advanced Persistent Threats in AWS

 

What is an Advanced Persistent Threat?

An APT is a sophisticated, long-term cyber attack deployed by a digital threat actor against a target organization, usually with the objective of stealing high-value data over a long period of time.

An APT is normally executed in five operational stages:

  1. Reconnaissance - An APT attack begins with a digital threat actor selecting a target, usually based on a belief that the target holds valuable data. The reconnaissance process involves gathering information about the target’s infrastructure, employees, security protocols, etc., and creating a plan to infiltrate the target organization’s IT infrastructure.
  2. Network Infiltration - A sophisticated digital threat actor uses advanced tools and methods (e.g. zero-day exploits, custom malware, rogue Wi-Fi, DNS tunneling, spear-phishing, etc.) to gain initial access to the target network or cloud environment.
  3. Establishing a Foothold - The attacker installs one or more backdoors inside the network, allowing them to bypass security measures and easily regain access if/when detected by the target organization. Attackers may also encrypt traffic or rewrite code to hide their activities from security defenses and remain undetected.
  4. Lateral Movement and Privilege Escalation - Next, the attacker will attempt to move laterally inside the network, discover more sensitive data and resources, and obtain administrative privileges that grant access to secure areas of the network where sensitive or high-value data may be stored.
  5. Data Exfiltration - Once the threat actor has gained access to high-value data, the final stage in a successful APT attack is to exfiltrate that data to their own servers. Threat actors are often able to exfiltrate data from target networks without being detected, and can even preserve their unauthorized network access to enable future attacks.

APTs have many different motives. Some threat actors are part of a nation-state threat network, or cybercriminals acting on behalf of a nation to steal intellectual property or national security information. Others are out for financial gain or outright disruption, from economic and supply chain disruption to social disruption intended to make a political point. Threat actors executing sophisticated APTs are typically well-funded and extensively knowledgeable about how to exploit a network, and often go undetected for months or even years.

 

Difference Between Cyber Threats and Advanced Persistent Threats APT

Key differences between APTs and conventional cyber threats against enterprise targets.

 

What is Advanced Persistent Threat Hunting in AWS?

APT hunting is the ongoing process of proactively analyzing all types of security data from various sources at scale to detect and identify advanced persistent threats inside an AWS cloud environment. For enterprise SecOps teams, hunting for advanced persistent threats involves methods like:

  • Anomaly Detection - Analyzing user behavior logs to detect suspicious or anomalous behavior that might indicate a compromised account.
  • Threat Intelligence Gathering - Gathering information about known APT groups and their tactics, techniques, and procedures (TTPs) from frameworks like MITRE ATT&CK and external threat feeds, so that hunts can be focused on the behaviors those groups actually use and false positives reduced.
  • Endpoint Monitoring - Deploying Endpoint Detection and Response (EDR) tools to monitor endpoint activities for signs of compromise and discover advanced persistent threats.
  • Hunting for Persistence Mechanisms - Searching the AWS cloud environment for rogue IAM users and access keys, altered role trust policies, unexpected Lambda functions or scheduled jobs, and malicious scripts that attackers install to establish a foothold and maintain ongoing access as part of an AWS APT.
  • File Integrity Analysis - Detecting unauthorized changes to files that could indicate an attempt to escalate privileges or degrade cloud security controls.
  • Network Traffic Monitoring - Analyzing network traffic to detect data exfiltration events or suspicious connections that could indicate malicious activity.
  • Privileged Account Monitoring - Tracking the activity of privileged user accounts to identify suspicious actions, access patterns, or privilege escalations that could indicate an APT or a malicious insider threat.
  • Managed Detection and Response - Purchasing Managed Detection and Response (MDR) services from external MSPs that deliver security monitoring and proactive threat hunting capabilities.

The most important goal of APT hunting is to detect and remove APTs before they can exfiltrate valuable data, obtain administrative credentials, or even establish a strong foothold inside the network or cloud environment.

 


 

Six Cloud Services to Help You Discover APTs in AWS

There are several AWS services you can leverage as part of your effort to continuously monitor your cloud environment and discover advanced persistent threats. Below, we highlight six AWS services that can help you monitor for malicious activity and implement proactive threat hunting in AWS:

 

1. Amazon GuardDuty

Amazon GuardDuty continuously analyzes AWS CloudTrail management events, VPC Flow Logs and DNS query logs (plus optional protection plans for S3 data events, EKS audit logs, EC2/ECS/EKS runtime activity, RDS login activity, Lambda network activity and malware scanning) to detect threats against your accounts, workloads and data. It combines anomaly detection, machine learning (ML), behavioral modeling and threat intelligence feeds, and every finding carries a finding type, a numeric severity and the affected resource. GuardDuty itself only produces findings; to stop a threat actor in their tracks you route those findings through Amazon EventBridge to an automated response, for example a Lambda function that disables a compromised access key or isolates an EC2 instance.
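The finding-to-response routing described above, as an added example that is not ChaosSearch or AWS code. It assumes the standard EventBridge envelope for GuardDuty findings (source "aws.guardduty", detail-type "GuardDuty Finding", the finding document under "detail"); the severity threshold, the finding-type-to-response mapping and the sample event are constructed for this example and would be tuned per environment.

```python
"""Triage Amazon GuardDuty findings delivered through Amazon EventBridge.

Added example, not ChaosSearch or AWS code.  It assumes the standard
EventBridge envelope for GuardDuty findings (source "aws.guardduty",
detail-type "GuardDuty Finding", the finding document under "detail").
The severity threshold, the finding-type-to-response mapping and the
sample event below are this example's own constructed choices.
"""

SEVERITY_THRESHOLD = 7.0  # GuardDuty labels 7.0 to 8.9 as "High"

# Event pattern for an EventBridge rule that forwards only High findings.
# "numeric" is EventBridge's content-filter syntax for numeric comparison.
HIGH_SEVERITY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", SEVERITY_THRESHOLD]}]},
}

# Hypothetical playbook keyed by finding-type prefix (ThreatPurpose:Resource/).
# Types not listed go to a human: a wrong auto-response is its own outage.
PLAYBOOK = {
    "UnauthorizedAccess:IAMUser/": "disable_access_key",
    "CredentialAccess:IAMUser/": "disable_access_key",
    "Persistence:IAMUser/": "disable_access_key",
    "PrivilegeEscalation:IAMUser/": "disable_access_key",
    "Backdoor:EC2/": "quarantine_instance",
    "Trojan:EC2/": "quarantine_instance",
    "CryptoCurrency:EC2/": "quarantine_instance",
    "Exfiltration:S3/": "block_bucket",
}


def matches_rule(event: dict) -> bool:
    """Offline mirror of HIGH_SEVERITY_RULE_PATTERN so the filter is testable."""
    detail = event.get("detail", {})
    return (
        event.get("source") == "aws.guardduty"
        and event.get("detail-type") == "GuardDuty Finding"
        and float(detail.get("severity", 0)) >= SEVERITY_THRESHOLD
    )


def affected_resource(finding: dict):
    """Return (identifier to act on, principal name) from the finding's resource block."""
    res = finding.get("resource", {})
    rtype = res.get("resourceType")
    if rtype == "AccessKey":
        d = res.get("accessKeyDetails", {})
        return d.get("accessKeyId"), d.get("userName")
    if rtype == "Instance":
        return res.get("instanceDetails", {}).get("instanceId"), None
    if rtype == "S3Bucket":
        buckets = res.get("s3BucketDetails", [])
        return (buckets[0].get("name") if buckets else None), None
    return None, None


def triage(event: dict) -> dict:
    """Decide the response for one finding event."""
    finding = event["detail"]
    ftype = finding["type"]
    target, principal = affected_resource(finding)
    if not matches_rule(event):
        action = "ticket"        # below threshold: record it, do not act
    else:
        action = "investigate"   # High but no playbook entry: page a human
        for prefix, playbook_action in PLAYBOOK.items():
            if ftype.startswith(prefix):
                action = playbook_action
                break
    return {"action": action, "finding_type": ftype, "severity": finding["severity"],
            "target": target, "principal": principal}


# Constructed sample: EC2 instance-role credentials used from outside AWS,
# which GuardDuty reports as a High-severity finding on the access key.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "severity": 8.0,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"accessKeyId": "ASIAEXAMPLE000000001",
                                 "userName": "i-0abc123def4567890",
                                 "userType": "AssumedRole"},
        },
    },
}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

In production the `triage` logic would sit in the Lambda target of an EventBridge rule built from `HIGH_SEVERITY_RULE_PATTERN`; keeping the rule pattern and its offline mirror side by side lets you unit-test the routing before an attacker tests it for you.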

 

2. AWS Security Hub

AWS Security Hub serves as a centralized hub for security alerting and Cloud Security Posture Management (CSPM). It aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager and supported third-party products into one normalized schema (the AWS Security Finding Format, ASFF), and runs its own controls against standards such as the AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark to flag drift from secure configuration. Findings and custom actions are published to EventBridge, so the same automated-response pattern used for GuardDuty applies here, which helps drive down mean time to respond (MTTR).

 

3. AWS CloudTrail

AWS CloudTrail records API calls and console sign-ins across your AWS accounts as JSON events: who made the call (userIdentity), from where (sourceIPAddress, userAgent), what was called (eventSource, eventName, requestParameters) and whether it succeeded (errorCode). Management events are recorded by default; data events such as S3 object reads and Lambda invocations must be enabled explicitly, and an exfiltration hunt that depends on S3 object-level activity has a blind spot without them. SecOps teams query this data, whether in CloudTrail Lake, Athena or a security data lake, to identify suspicious or anomalous activity such as privilege escalations, security policy changes, logging being switched off, and other possible malicious behavior. Because CloudTrail retains a full history of account activity, it also lets SecOps teams trace an actor's actions backwards from a suspicious event to the initial access and correlate behavior across the life of a session or credential.
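An added example, not ChaosSearch code, that covers both the hunt for persistence mechanisms listed earlier (rogue access keys, altered trust policies, unexpected Lambda code) and the privilege escalation and policy-change queries described in this section: a small rule set run over constructed CloudTrail records and grouped by the principal that performed them. The record layout follows CloudTrail's documented fields; the rule names and the sample records are assumptions of this example.

```python
"""Hunt CloudTrail records for persistence, privilege escalation and logging
tampering, grouped by the principal that performed them.

Added example, not ChaosSearch code.  It relies on the documented CloudTrail
record layout (userIdentity, eventSource, eventName, requestParameters,
sourceIPAddress, errorCode); the rule names and the sample records are
constructed for this example.
"""
import json
from collections import defaultdict

# Management-plane calls that blind or disable logging and detection.
LOGGING_TAMPER = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector", "DisassociateFromMasterAccount"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
}
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"


def actor(record: dict) -> str:
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def inline_policy_grants_all(doc) -> bool:
    """True if a policy document (CloudTrail logs it as a JSON string) allows Action "*" on Resource "*"."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        resources = s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def evaluate(record: dict) -> list:
    """Return (rule, detail) hits for one record."""
    hits = []
    if record.get("errorCode"):
        return hits  # denied calls changed nothing (enumeration hunting is a separate rule)
    src, name = record.get("eventSource"), record.get("eventName", "")
    params = record.get("requestParameters") or {}
    caller = record.get("userIdentity", {}).get("userName")

    if src == "iam.amazonaws.com":
        # Persistence: credentials or trust created for something other than the caller.
        if name == "CreateAccessKey" and params.get("userName") not in (None, caller):
            hits.append(("persistence.access_key_for_other_user", params["userName"]))
        if name == "CreateLoginProfile":
            hits.append(("persistence.console_password_set", params.get("userName")))
        if name == "UpdateAssumeRolePolicy":
            hits.append(("persistence.trust_policy_changed", params.get("roleName")))
        # Privilege escalation: AdministratorAccess attached, or an allow-all inline policy.
        if name in {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"} \
                and str(params.get("policyArn", "")).endswith(ADMIN_POLICY_SUFFIX):
            hits.append(("privesc.admin_policy_attached", params.get("policyArn")))
        if name in {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"} \
                and inline_policy_grants_all(params.get("policyDocument", "{}")):
            hits.append(("privesc.inline_policy_allows_all", params.get("policyName")))
    elif src == "lambda.amazonaws.com" and name.startswith(("CreateFunction", "UpdateFunctionCode")):
        # CloudTrail logs Lambda calls with an API-version suffix, e.g. CreateFunction20150331.
        hits.append(("persistence.lambda_code_changed", params.get("functionName")))

    if name in LOGGING_TAMPER.get(src, ()):
        hits.append(("defense_evasion.logging_tampered", name))
    return hits


def hunt(records) -> dict:
    """Group hits by actor so the analyst sees a chain rather than isolated alerts."""
    by_actor = defaultdict(list)
    for r in records:
        for rule, detail in evaluate(r):
            by_actor[actor(r)].append({"time": r.get("eventTime"), "ip": r.get("sourceIPAddress"),
                                       "event": r.get("eventName"), "rule": rule, "detail": detail})
    return dict(by_actor)


def _record(name, src="iam.amazonaws.com", user="ci-deploy", params=None, **extra):
    # Build a constructed CloudTrail record; only the fields the rules read are filled in.
    base = {"eventTime": "2024-05-01T02:14:09Z", "eventSource": src, "eventName": name,
            "sourceIPAddress": "198.51.100.23", "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "arn": f"arn:aws:iam::123456789012:user/{user}"}}
    base.update(extra)
    return base


SAMPLE_RECORDS = [
    _record("CreateAccessKey", params={"userName": "backup-admin"}),          # key for another user
    _record("AttachUserPolicy", params={"userName": "backup-admin",
            "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),   # admin attached
    _record("PutRolePolicy", params={"roleName": "lambda-exec", "policyName": "tmp",
            "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'}),
    _record("StopLogging", src="cloudtrail.amazonaws.com", params={"name": "org-trail"}),
    _record("DeleteTrail", src="cloudtrail.amazonaws.com", params={"name": "org-trail"},
            errorCode="AccessDenied"),                                       # denied: ignored
    _record("CreateAccessKey", user="alice", params=None),                  # self-rotation: benign
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_RECORDS), indent=2))
```

Grouping by actor is the point: each of the four hits on `ci-deploy` is a low-confidence alert on its own, but a CI credential that mints a key for a new user, grants it AdministratorAccess, plants an allow-all inline policy and then stops the trail within a few minutes is the foothold-to-evasion chain from the APT stages above. The same rules translate directly into CloudTrail Lake or Athena SQL over the raw records.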

 

4. Amazon Detective

Amazon Detective is a security analytics and visualization tool that supports security investigation and threat hunting use cases. Detective automatically ingests AWS CloudTrail management events, Amazon VPC Flow Logs and Amazon EKS audit logs, together with findings from Amazon GuardDuty, and links them into a behavior graph of your accounts, principals, IP addresses and resources.

 

Amazon Detective for Amazon APTs


Amazon Detective supports security investigation and root cause analysis, helping SecOps teams identify anomalous activity and trace APTs back to the attacker’s initial access point.

 

From there, Detective uses ML algorithms to build a unified view of AWS resource behaviors and interactions that can support threat hunting in AWS. Amazon Detective helps SecOps teams discover advanced persistent threats in AWS by highlighting anomalous activity and suspicious patterns that would have otherwise been missed.

 

5. AWS Identity and Access Management (IAM) Access Analyzer

AWS IAM Access Analyzer works on policies rather than on live activity. It analyzes resource-based and identity-based policies to report which resources (S3 buckets, IAM roles, KMS keys, Lambda functions and others) are reachable from outside your account or organization, flags unused roles, access keys, passwords and permissions, validates policies against IAM grammar and best practices, and can generate a least-privilege policy from the actions a principal actually used according to CloudTrail. For APT hunting its value lies in shrinking the privilege surface an attacker can escalate through and in surfacing the trust relationships and external-access paths a backdoor would rely on: a role or bucket that became externally accessible and that nobody provisioned deserves an immediate look. Detecting a privilege escalation as it happens is a job for CloudTrail and GuardDuty, not Access Analyzer.

 

6. Amazon CloudWatch

Amazon CloudWatch collects metrics, logs and events from AWS services and applications. Application and OS logs shipped by the CloudWatch agent, VPC Flow Logs and Route 53 Resolver query logs can all be delivered to CloudWatch Logs, where metric filters, alarms and CloudWatch Logs Insights queries let SecOps teams zero in on suspicious application behaviors, unexpected resource usage (for example a sustained CPU spike from cryptomining on an idle instance) and anomalous network flows that could indicate an APT.

Even with all of these services in place, an effective detection and response strategy for APTs still depends on how you collect, retain and analyze the log data they produce, which is what threat hunting is built on.

 

Leveraging Log Data for Advanced Persistent Threat Detection

Threat hunting is a critical part of achieving a proactive security posture. There are many threat hunting frameworks and methodologies that provide a well-defined, research-based structure to the approach. Threat hunters operate on the assumption that the cloud environment has already been compromised and the threat already exists.

Effective threat hunting requires access to massive datasets, often involving long-term historical log data. The greater the quantity and quality of IT telemetry data, the more effective the hunts can be. And, the longer that logs are retained, the more historical context can be incorporated into each hunt.

Security log data can come from a variety of sources (including but not limited to):

  • Proxies
  • DNS queries
  • Firewalls
  • NetFlow records (network traffic)
  • SSL/TLS and other certificate repositories
  • Access logs from cloud services
  • System event logs from endpoints
  • Windows Event logs
  • Windows Registry keys
  • Endpoint detection and response (EDR) tools
  • Application server logs
  • Email transaction logs
  • System audit records

Security teams can also take advantage of the logs from network performance monitoring solutions and other tools that are already being used for IT operations. Host-level data is most useful for detecting early-stage attacks on a single system, while network data such as VPC Flow Logs reveals the lateral movement and bulk data transfer that are typical of the later APT stages.
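The network-traffic side of this, as an added example that is not ChaosSearch code: two hunts run over constructed VPC Flow Log records, one for bulk egress from an internal host to a single external peer (exfiltration) and one for a host sweeping internal neighbours on administrative ports (lateral movement). It assumes the default version-2 flow log field order and that the VPC uses RFC 1918 address space; the thresholds and sample lines are this example's own choices and would be tuned per environment.

```python
"""Hunt VPC Flow Log records for bulk egress and internal host/port sweeps.

Added example, not ChaosSearch code.  It assumes the default (version 2)
VPC Flow Log field order and RFC 1918 address space inside the VPC; the
thresholds and the sample records are constructed for this example.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024  # from one host to one external peer
SWEEP_HOST_THRESHOLD = 5                    # distinct internal targets from one source
SWEEP_PORT_THRESHOLD = 15                   # distinct internal ports from one source


def parse_line(line: str) -> dict:
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    # NODATA/SKIPDATA records carry "-" in the numeric fields.
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k]) if rec[k] != "-" else 0
    return rec


def is_internal(addr: str) -> bool:
    # Explicit RFC 1918 check: ipaddress.is_private also matches documentation
    # ranges such as 203.0.113.0/24, which would hide the sample external peer.
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyze(lines) -> list:
    egress = defaultdict(int)     # (internal src, external dst) -> accepted bytes
    east_west = defaultdict(set)  # internal src -> {(internal dst, dstport)}, rejects included
    for line in lines:
        rec = parse_line(line)
        if rec["log_status"] != "OK":
            continue
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if not is_internal(src):
            continue  # inbound flows are outside the scope of these two rules
        if is_internal(dst):
            # Rejected attempts count: a sweep shows up mostly as REJECT records.
            east_west[src].add((dst, rec["dstport"]))
        elif rec["action"] == "ACCEPT":
            egress[(src, dst)] += rec["bytes"]

    findings = []
    for (src, dst), total in egress.items():
        if total >= EGRESS_BYTES_THRESHOLD:
            findings.append({"rule": "exfiltration.bulk_egress", "src": src,
                             "dst": dst, "bytes": total})
    for src, targets in east_west.items():
        hosts = {h for h, _ in targets}
        ports = {p for _, p in targets}
        if len(hosts) >= SWEEP_HOST_THRESHOLD or len(ports) >= SWEEP_PORT_THRESHOLD:
            findings.append({"rule": "lateral_movement.internal_sweep", "src": src,
                             "hosts": len(hosts), "ports": len(ports)})
    return findings


def _flow(src, dst, sport, dport, nbytes, action, t):
    # Build one constructed version-2 record line (protocol 6 = TCP).
    return (f"2 123456789012 eni-0a1b2c3d4e5f6a7b8 {src} {dst} {sport} {dport} 6 "
            f"{max(1, nbytes // 1400)} {nbytes} {t} {t + 60} {action} OK")


SAMPLE_LINES = [
    # Three accepted 200 MB flows from one instance to one external host on 443.
    _flow("10.0.1.25", "203.0.113.7", 49152 + i, 443, 200_000_000, "ACCEPT", 1700000000 + 60 * i)
    for i in range(3)
] + [
    # Rejected probes from the same instance to five internal hosts on admin ports.
    _flow("10.0.1.25", f"10.0.2.{h}", 51000 + h, p, 60, "REJECT", 1700000300)
    for h in range(10, 15) for p in (22, 445, 3389, 5985)
] + [
    # Ordinary traffic that must not trigger either rule.
    _flow("10.0.1.30", "198.51.100.9", 50001, 443, 48_000, "ACCEPT", 1700000000),
    _flow("10.0.1.30", "10.0.2.10", 50002, 443, 12_000, "ACCEPT", 1700000000),
    # A NODATA record: no traffic in the window, "-" in the numeric fields.
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

Two caveats worth keeping in mind when running this over real flow logs: records are per network interface, so a flow appears once from each side and the source/destination filter above is what keeps it from being double counted, and a custom flow log format changes the field order, so `FIELDS` must match the format string used when the flow log was created.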

 


 

Activating a Security Data Lake in AWS

Because log data is produced by so many sources and aggregated by so many tools in different places, it is important to have a single source of truth that gives comprehensive visibility across the whole surface an APT can move through. However, many Security Information and Event Management (SIEM) systems and traditional log management solutions are not optimized for scale. They are well suited to real-time alerting on recent data, but the deeper, longer-horizon threat hunting that APTs require calls for a different approach.

In many cases, augmenting a SIEM like Splunk with a security data lake can provide deeper coverage, while reducing the cost of SIEMs for long-term log data retention. Security teams can aggregate all of their log data into low-cost cloud object storage like Amazon S3, relying on it as a single system of record for security threat hunting, root cause analysis, and compliance reporting.

Read: Understanding Security Log Analytics vs. SIEM for Midsized Companies Targeted by Cybercriminals.

From there, a security data lake solution like ChaosSearch can seamlessly ingest log data, automatically detecting and dynamically mapping schema and handling nested JSON structures.

 

APT Forensics for SecOps Teams

ChaosSearch empowers SecOps teams with unlimited data retention and an integrated source of truth for security data, enabling use cases like APT forensic investigation.

 

The ingested data is then compressed, indexed, and made available for full-text search, SQL, and Gen-AI querying, empowering security teams to conduct log analysis across all of their log data at scale. This includes:

  • Monitoring all IPs, ports, and endpoints that access your organization's systems
  • Analyzing flow logs (e.g. VPC Flow Logs)
  • Monitoring inbound traffic sources and patterns
  • Achieving better CloudWatch log insights

Maintaining a proactive security posture starts with having the right tools in place to effectively discover advanced persistent threats on AWS. With a combination of AWS services, a SIEM and a security data lake solution with built-in data lake observability, threat hunters can more accurately identify APTs, shortening the duration of attacks and potentially saving millions of dollars.

 

Ready to learn more?

Download our free white paper Save Your Sanity: Achieving the Security Data Lake to learn more about how establishing a security data lake on AWS can support use cases from APT detection to security investigation and root cause analysis.

About the Author, David Bunting

David Bunting is the Director of Demand Generation at ChaosSearch, the cloud data platform simplifying log analysis, cloud-native security, and application insights. Since 2019 David has worked tirelessly to bring ChaosSearch’s revolutionary technology to engineering teams, garnering the company such accolades as the Data Breakthrough Award and Cybersecurity Excellence Award. A veteran of LogMeIn and OutSystems, David has spent 20 years creating revenue growth and developing teams for SaaS and PaaS solutions. More posts by David Bunting