Blog
/
/
May 21, 2020

Securing AWS Cloud Environments

Discover how self-learning AI in AWS environments detects and beats threats early with enterprise-wide analysis.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Andrew Tsonchev
VP, Security & AI Strategy, Field CISO
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
21
May 2020

Cloud platforms transform the way we build digital infrastructure, allowing us to create incredibly innovative environments for business – but often, it’s at the cost of visibility and control.

With complex hybrid and multi-cloud infrastructures becoming an essential part of increasingly diverse digital estates, the journey to the cloud has fundamentally reshaped the traditional paradigm of the network perimeter, while expanding the attack surface at an alarming rate. Meanwhile, traditional security controls still only offer point solutions that rely on retrospective rules and threat signatures and fail to stop novel and advanced attacks.

To shoulder the weight of shared responsibility for cloud security, organizations require the approach offered by Darktrace DETECT & RESPOND. With Self-Learning AI, DETECT continuously learns what normal ‘patterns of life’ look like for every user, device, virtual machine, and container across an organization. By actively developing a bespoke understanding of ‘self,’ the DETECT can identify the subtle anomalies that point to an advanced attack, without any pre-defined assumptions of ‘good’ or ‘bad' and RESPOND can autonomously interfere to stop emerging threats without disrupting business operations.

As more and more businesses turn to AWS to leverage the benefits of cloud infrastructure, gaining visibility and security for AWS-hosted data and applications is absolutely crucial. The advent of AWS VPC traffic mirroring has allowed Darktrace to shine a light on blind spots in our customers’ AWS environments, ensuring that our Cyber AI security platform can stop any type of threat that emerges. With the AI-powered security securing your AWS environment, you can embrace all the benefits of the cloud with confidence.

Self-learning Cyber AI with granular, real-time visibility

VPC traffic mirroring gives our Self-Learning AI access to granular packet data, allowing DETECT to extract hundreds of features from the raw data and build rich behavioral models for our customers’ AWS cloud environments. This real-time visibility to the underlying fabric of AWS environments provided by VPC traffic mirroring helps Darktrace Cyber AI learn ‘on the job,’ continuously adapting as your business evolves. Darktrace provides the only security solution that learns in real time, a critical feature given the speed and scale of development in the cloud.

Unified control: Correlating patterns across infrastructure

Taking a fundamentally unique approach, DETECT actively correlates activity across AWS and beyond – whether your digital ecosystem includes other cloud environments, SaaS applications, or any range of on- and off-premise infrastructure. From a threat detection perspective, this is crucial, as security events detected in one part of an organization are often part of a broader security incident. This ensures that threats in the cloud are not siloed from monitoring of the rest of the infrastructure, nor are the implications for cloud security ignored when intrusions occur elsewhere in the network.

Neutralizing sophisticated and novel attacks

Legacy security controls miss novel and advanced attacks targeting cloud infrastructure. With VPC traffic mirroring supporting Darktrace Cyber AI’s understanding of an organization’s AWS environment, any slight changes from normal behavior that may indicate a potential threat can be detected immediately. This allows the DETECT to catch the full range of cloud-based attacks, from zero-day malware, to stealthy insider threats.

“Darktrace represents a new frontier in AI-based cyber defense. Our team now has complete real-time coverage across our SaaS applications and cloud containers.”

— CIO, City of Las Vegas

How it works: Using VPC traffic mirroring to analyze AWS traffic

For customers leveraging AWS within an IaaS model, Darktrace uses VPC traffic mirroring to collect metadata from mirrored VPC packets in a Darktrace probe known as a ‘vSensor’. The vSensor captures real-time traffic and selectively forwards relevant metadata to a Darktrace cloud instance or on-premise probe. From here, DETECT correlates VPC traffic with cloud, email, network, and SaaS traffic across a customer’s hybrid and multi-cloud infrastructure for analysis.

By utilizing VPC traffic mirroring in this way, the Immune System can perform deep packet inspection on traffic in the customer’s AWS cloud environment, up to and including the application layer. Hundreds of features are extracted from the raw data, ranging from high-level metrics of data flow quantities, to peer relationship meta-data, to specific application layer events. These features allow Darktrace Cyber AI to build rich behavioral models that let it understand normal patterns of life for the organization and detect malicious activity. It is important that Darktrace is able to construct these metrics from the raw data rather than relying on flow logs alone, as flow logs don't provide the required level of granularity or real-time events within connections.

For non-Nitro AWS instances, we deploy lightweight agents known as ‘OS-Sensors’ that feed relevant traffic to a local vSensor and, in turn, to a Darktrace cloud instance or on-premise probe. Once configured, OS-Sensors can easily be scaled as new instances are spun up. Darktrace also offers a specialized OS-Sensor that provides coverage in containerized systems like Docker and Kubernetes.

Richer context with AWS CloudTrail logs

In addition to analyzing data with VPC traffic mirroring, the DETECT also monitors management and data events within AWS. It does so via HTTP requests for logfiles generated by AWS CloudTrail, which monitors events from all AWS services, including:

  • EC2
  • IAM
  • S3
  • VPC
  • Lambda

Different event types produced via CloudTrail are organized by Darktrace into categories based on the action type and the AWS services that generate it. These different categories show up as metrics in the DETECT user interface, the Threat Visualizer. This information is used to provide even richer context in connection with mirrored traffic in VPCs, as well as all cloud, network, email, and SaaS traffic across a customer’s entire digital environment.

Darktrace deployment scenarios for AWS customers

For IaaS environments, Darktrace deploys a vSensor in each cloud environment. Within AWS environments, the vSensor captures real-time traffic with AWS VPC traffic mirroring. The receiving vSensor processes the data and feeds it back to the cloud-based Darktrace instance. AWS customers additionally have the option of deploying a ‘Darktrace Security Module’ to monitor IaaS management and data events at the API level, such as logins, editing virtual servers, or creating new access credentials.

Figure 1: A cloud-only deployment scenario — Darktrace manages a master cloud probe which receives traffic from sensors and connectors in IaaS and/or SaaS environments.

For hybrid IaaS deployments, Darktrace will similarly deploy vSensors, and OS-Sensors as appropriate. Cloud traffic and event data from AWS and any other cloud environments is then fed to a Darktrace probe in the cloud or on-premise network. For the latter scenario, Darktrace will deploy a physical appliance that ingests real-time network traffic via a SPAN port or network tap, allowing it to correlate patterns across the entire digital ecosystem.

Figure 2: A hybrid cloud deployment scenario, with multi-cloud infrastructure across AWS, Azure and GCP

For hybrid SaaS deployments, Darktrace will deploy provider-specific Darktrace Security Modules on either a physical or cloud-based Darktrace probe, in addition to any other relevant vSensors and OS-Sensors in place. SaaS data is then analyzed and correlated with traffic and user behaviors across AWS, other cloud environments, and any on- and off- premise cyber-physical infrastructure.

Figure 3: A hybrid SaaS deployment scenario

Defense against the full range of threats in the cloud

With the deep insight and powerful reaction capabilities of Cyber AI, Darktrace DETECT & RESPOND are the only proven technologies to stop the full range of cyber-threats in the cloud, including:

  • Critical misconfigurations
  • Insider threat
  • Compromised credentials
  • Novel and advanced malware
  • Password brute-force attacks
  • Data exfiltration
  • Lateral movement
  • Man-in-the-middle attacks
  • Crypto-jacking
  • Violations of policy

Case Studies

Crypto mining malware inadvertently installed

Darktrace detected a mistake from a junior DevOps engineer in a multinational organization with workloads across AWS and Azure and leveraging containerized systems like Docker and Kubernetes. The engineer accidentally downloaded an update that included a crypto miner, which led to an infection across multiple cloud production systems.

After the initial infection, the malware started beaconing out to an external command and control server, which was immediately picked up by Darktrace. With the external connection established and the attack mission instructions delivered, the crypto malware infection was then able to rapidly spread across the organization’s expansive cloud infrastructure at machine speed, infecting 20 cloud servers in under 15 seconds.

Extensive visibility into the organization’s AWS environment via VPC traffic mirroring was a key factor allowing Darktrace Cyber AI to identify the scale of the attack. With the dynamic and unified view across the company’s sprawling hybrid and multi-cloud infrastructure provided by Darktrace, the company’s security team was able to contain the attack within minutes, rather than hours or days. Even though the attack moved at machine speed, by leveraging solutions like VPC traffic mirroring to continuously analyze behavior in the cloud, Darktrace caught the threat at an early enough stage – well before the costs could start to mount.

Developer misuse of AWS cloud infrastructure

At an insurance group, a DevOps Engineer was attempting to build a parallel back-up infrastructure within AWS to replicate the organization’s data center production systems. The technical implementation was perfect, and the back-up systems were created – however, the cost of running the system would have been several million dollars per year.

The DevOps Engineer was unaware of the costs associated with the project and kept management in the dark. The cloud infrastructure was launched, and the costs started rising. Yet with real-time access to the company’s AWS environment provided by VPC traffic mirroring, Darktrace’s Cyber AI was immediately alerted to this unusual behavior, allowing the security team to take preventative action immediately.

With Darktrace Cyber AI, embrace the benefits of AWS

As organizations increasingly turn to the cloud and the threat surface continues to expand, security teams need self-learning AI on their side to gain the strongest insights, illuminate every blind spot, and stop all attacks.

By providing an enterprise-wide Cyber AI platform, Darktrace helps teams overcome the traditional security challenge of manually piecing together incidents across disparate corners of an organization. The unified visibility and control offered by Darktrace PREVENT, DETECTRESPOND, & HEAL reduces the complexity and dashboard fatigue that many teams continue to struggle with, while the system’s multi-dimensional insight enhances its decision-making and threat confidence. Darktrace further augments this process with the Immune System’s AI Analyst capability, which takes the additional step of automatically investigating threats detected by Darktrace and producing concise, AI-generated reports that communicate the full scope of an incident.

With the granular, real-time visibility of VPC traffic mirroring Darktrace, you can be certain your AWS cloud environments are always protected.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Andrew Tsonchev
VP, Security & AI Strategy, Field CISO

More in this series

No items found.

Blog

/

/

May 8, 2025

Anomaly-based threat hunting: Darktrace's approach in action

person working on laptopDefault blog imageDefault blog image

What is threat hunting?

Threat hunting in cybersecurity involves proactively and iteratively searching through networks and datasets to detect threats that evade existing automated security solutions. It is an important component of a strong cybersecurity posture.

There are several frameworks that Darktrace analysts use to guide how threat hunting is carried out, some of which are:

  • MITRE Attack
  • Tactics, Techniques, Procedures (TTPs)
  • Diamond Model for Intrusion Analysis
  • Adversary, Infrastructure, Victims, Capabilities
  • Threat Hunt Model – Six Steps
  • Purpose, Scope, Equip, Plan, Execute, Feedback
  • Pyramid of Pain

These frameworks are important in baselining how to run a threat hunt. There are also a combination of different methods that allow defenders diversity– regardless of whether it is a proactive or reactive threat hunt. Some of these are:

  • Hypothesis-based threat hunting
  • Analytics-driven threat hunting
  • Automated/machine learning hunting
  • Indicator of Compromise (IoC) hunting
  • Victim-based threat hunting

Threat hunting with Darktrace

At its core, Darktrace relies on anomaly-based detection methods. It combines various machine learning types that allows it to characterize what constitutes ‘normal’, based on the analysis of many different measures of a device or actor’s behavior. Those types of learning are then curated into what are called models.

Darktrace models leverage anomaly detection and integrate outputs from Darktrace Deep Packet Inspection, telemetry inputs, and additional modules, creating tailored activity detection.

This dynamic understanding allows Darktrace to identify, with a high degree of precision, events or behaviors that are both anomalous and unlikely to be benign.  On top of machine learning models for detection, there is also the ability to change and create models showcasing the tool’s diversity. The Model Editor allows security teams to specify values, priorities, thresholds, and actions they want to detect. That means a team can create custom detection models based on specific use cases or business requirements. Teams can also increase the priority of existing detections based on their own risk assessments to their environment.

This level of dexterity is particularly useful when conducting a threat hunt. As described above, and in previous ‘Inside the SOC’ blogs such a threat hunt can be on a specific threat actor, specific sector, or a  hypothesis-based threat hunt combined with ‘experimenting’ with some of Darktrace’s models.

Conducting a threat hunt in the energy sector with experimental models

In Darktrace’s recent Threat Research report “AI & Cybersecurity: The state of cyber in UK and US energy sectors” Darktrace’s Threat Research team crafted hypothesis-driven threat hunts, building experimental models and investigating existing models to test them and detect malicious activity across Darktrace customers in the energy sector.

For one of the hunts, which hypothesised utilization of PerfectData software and multi-factor authentication (MFA) bypass to compromise user accounts and destruct data, an experimental model was created to detect a Software-as-a-Service (SaaS) user performing activity relating to 'PerfectData Software’, known to allow a threat actor to exfiltrate whole mailboxes as a PST file. Experimental model alerts caused by this anomalous activity were analyzed, in conjunction with existing SaaS and email-related models that would indicate a multi-stage attack in line with the hypothesis.

Whilst hunting, Darktrace researchers found multiple model alerts for this experimental model associated with PerfectData software usage, within energy sector customers, including an oil and gas investment company, as well as other sectors. Upon further investigation, it was also found that in June 2024, a malicious actor had targeted a renewable energy infrastructure provider via a PerfectData Software attack and demonstrated intent to conduct an Operational Technology (OT) attack.

The actor logged into Azure AD from a rare US IP address. They then granted Consent to ‘eM Client’ from the same IP. Shortly after, the actor granted ‘AddServicePrincipal’ via Azure to PerfectData Software. Two days later, the actor created a  new email rule from a London IP to move emails to an RSS Feed Folder, stop processing rules, and mark emails as read. They then accessed mail items in the “\Sent” folder from a malicious IP belonging to anonymization network,  Private Internet Access Virtual Private Network (PIA VPN) [1]. The actor then conducted mass email deletions, deleting multiple instances of emails with subject “[Name] shared "[Company Name] Proposal" With You” from the  “\Sent folder”. The emails’ subject suggests the email likely contains a link to file storage for phishing purposes. The mass deletion likely represented an attempt to obfuscate a potential outbound phishing email campaign.

The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.
Figure 1: The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.

A month later, the same user was observed downloading mass mLog CSV files related to proprietary and Operational Technology information. In September, three months after the initial attack, another mass download of operational files occurred by this actor, pertaining to operating instructions and measurements, The observed patience and specific file downloads seemingly demonstrated an intent to conduct or research possible OT attack vectors. An attack on OT could have significant impacts including operational downtime, reputational damage, and harm to everyday operations. Darktrace alerted the impacted customer once findings were verified, and subsequent actions were taken by the internal security team to prevent further malicious activity.

Conclusion

Harnessing the power of different tools in a security stack is a key element to cyber defense. The above hypothesis-based threat hunt and custom demonstrated intent to conduct an experimental model creation demonstrates different threat hunting approaches, how Darktrace’s approach can be operationalized, and that proactive threat hunting can be a valuable complement to traditional security controls and is essential for organizations facing increasingly complex threat landscapes.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO at Darktrace) and Zoe Tilsiter (EMEA Consultancy Lead)

References

  1. https://spur.us/context/191.96.106.219

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

/

May 6, 2025

Combatting the Top Three Sources of Risk in the Cloud

woman working on laptopDefault blog imageDefault blog image

With cloud computing, organizations are storing data like intellectual property, trade secrets, Personally Identifiable Information (PII), proprietary code and statistics, and other sensitive information in the cloud. If this data were to be accessed by malicious actors, it could incur financial loss, reputational damage, legal liabilities, and business disruption.

Last year data breaches in solely public cloud deployments were the most expensive type of data breach, with an average of $5.17 million USD, a 13.1% increase from the year before.

So, as cloud usage continues to grow, the teams in charge of protecting these deployments must understand the associated cybersecurity risks.

What are cloud risks?

Cloud threats come in many forms, with one of the key types consisting of cloud risks. These arise from challenges in implementing and maintaining cloud infrastructure, which can expose the organization to potential damage, loss, and attacks.

There are three major types of cloud risks:

1. Misconfigurations

As organizations struggle with complex cloud environments, misconfiguration is one of the leading causes of cloud security incidents. These risks occur when cloud settings leave gaps between cloud security solutions and expose data and services to unauthorized access. If discovered by a threat actor, a misconfiguration can be exploited to allow infiltration, lateral movement, escalation, and damage.

With the scale and dynamism of cloud infrastructure and the complexity of hybrid and multi-cloud deployments, security teams face a major challenge in exerting the required visibility and control to identify misconfigurations before they are exploited.

Common causes of misconfiguration come from skill shortages, outdated practices, and manual workflows. For example, potential misconfigurations can occur around firewall zones, isolated file systems, and mount systems, which all require specialized skill to set up and diligent monitoring to maintain

2. Identity and Access Management (IAM) failures

IAM has only increased in importance with the rise of cloud computing and remote working. It allows security teams to control which users can and cannot access sensitive data, applications, and other resources.

Cybersecurity professionals ranked IAM skills as the second most important security skill to have, just behind general cloud and application security.

There are four parts to IAM: authentication, authorization, administration, and auditing and reporting. Within these, there are a lot of subcomponents as well, including but not limited to Single Sign-On (SSO), Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC).

Security teams are faced with the challenge of allowing enough access for employees, contractors, vendors, and partners to complete their jobs while restricting enough to maintain security. They may struggle to track what users are doing across the cloud, apps, and on-premises servers.

When IAM is misconfigured, it increases the attack surface and can leave accounts with access to resources they do not need to perform their intended roles. This type of risk creates the possibility for threat actors or compromised accounts to gain access to sensitive company data and escalate privileges in cloud environments. It can also allow malicious insiders and users who accidentally violate data protection regulations to cause greater damage.

3. Cross-domain threats

The complexity of hybrid and cloud environments can be exploited by attacks that cross multiple domains, such as traditional network environments, identity systems, SaaS platforms, and cloud environments. These attacks are difficult to detect and mitigate, especially when a security posture is siloed or fragmented.  

Some attack types inherently involve multiple domains, like lateral movement and supply chain attacks, which target both on-premises and cloud networks.  

Challenges in securing against cross-domain threats often come from a lack of unified visibility. If a security team does not have unified visibility across the organization’s domains, gaps between various infrastructures and the teams that manage them can leave organizations vulnerable.

Adopting AI cybersecurity tools to reduce cloud risk

For security teams to defend against misconfigurations, IAM failures, and insecure APIs, they require a combination of enhanced visibility into cloud assets and architectures, better automation, and more advanced analytics. These capabilities can be achieved with AI-powered cybersecurity tools.

Such tools use AI and automation to help teams maintain a clear view of all their assets and activities and consistently enforce security policies.

Darktrace / CLOUD is a Cloud Detection and Response (CDR) solution that makes cloud security accessible to all security teams and SOCs by using AI to identify and correct misconfigurations and other cloud risks in public, hybrid, and multi-cloud environments.

It provides real-time, dynamic architectural modeling, which gives SecOps and DevOps teams a unified view of cloud infrastructures to enhance collaboration and reveal possible misconfigurations and other cloud risks. It continuously evaluates architecture changes and monitors real-time activity, providing audit-ready traceability and proactive risk management.

Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.
Figure 1: Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.

Darktrace / CLOUD also offers attack path modeling for the cloud. It can identify exposed assets and highlight internal attack paths to get a dynamic view of the riskiest paths across cloud environments, network environments, and between – enabling security teams to prioritize based on unique business risk and address gaps to prevent future attacks.  

Darktrace’s Self-Learning AI ensures continuous cloud resilience, helping teams move from reactive to proactive defense.

[related-resource]

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Your data. Our AI.
Elevate your network security with Darktrace AI