Hunt cloud adversaries with cloud-native intelligence.
Cloud adversaries operate across four planes — identity, control, container, data — and they cross between them constantly. Generic threat intelligence misses the cloud-specific tradecraft. This page is about the intelligence cloud SOCs actually need, and how the HACKFORLAB platform delivers it.
Your raw cloud telemetry never leaves your account. Only hunt definitions and hit metadata flow.
A SIEM full of IP-based IOCs is not cloud threat intelligence.
Cloud adversaries do not deploy persistent payloads to be hashed. They live inside legitimate cloud APIs, federated identities, and ephemeral containers. The intelligence required is structurally different — and most threat-intel programs have not adapted.
Endpoint-era intelligence assumes persistent artefacts. A binary on disk. A registry key. A scheduled task. The threat-intel pipeline that grew up around endpoint defence catalogues these artefacts as hashes, file paths, mutex names. None of those concepts survive intact when the workload is a serverless function that lives for 200 milliseconds.
Cloud-era adversaries operate as legitimate-looking identities. The kill chain often involves zero malicious binaries. Stolen IAM credentials get used to call standard AWS APIs in unusual combinations. AssumeRole chains traverse permission boundaries. SSM Session Manager sessions land inside instances without ever touching SSH. CloudTrail is the primary source of truth — and threat intelligence needs to express patterns against CloudTrail, not against /tmp filenames.
Cross-plane fusion is mandatory. A cloud attack typically starts in the identity plane, modifies infrastructure in the control plane, lands inside containers, and exfiltrates from the data plane. Intelligence that covers only one plane catches one phase of the chain. Multi-plane intelligence catches the chain.
What “cloud-native threat intelligence” actually catalogues.
Generic IOC feeds are insufficient. Cloud TI needs to cover cloud-API patterns, identity-attack TTPs, container runtime signals, and Living-off-the-Cloud playbooks. HACKFORLAB catalogues all six.
CloudTrail attack patterns
Suspicious AssumeRole chains, role-trust modifications, console-via-CLI pivots, snapshot-share-to-external-account, IAM enumeration sequences. Not single events — sequences of events that constitute the adversary tradecraft.
IAM identity attack TTPs
Persistent backdoor user creation, MFA bypass attempts, federated identity abuse, dormant access-key reuse, cross-account access patterns. Maps directly to MITRE T1078 (Valid Accounts) and its sub-techniques.
Kubernetes audit signatures
Pod-to-pod abuse patterns, service-account token theft, namespace traversal, privileged container creation, secret exfiltration sequences. Tied to K8s API server audit log structure.
Container runtime IOCs
Cryptojacking process hashes (when payloads do exist), mining-pool C2 domains, compromised base image indicators, container escape signatures.
Cloud-native C2
Serverless C2 endpoints (Lambda, Cloud Functions), abuse of cloud messaging APIs (SNS, SQS, Pub/Sub) as C2 channels, DNS-over-HTTPS to attacker-controlled resolvers, S3 bucket-as-dead-drop patterns.
Living-off-the-Cloud TTPs
Legitimate AWS API usage abused for adversary objectives. Cross-region snapshot copying for exfiltration. EC2 metadata service abuse. SSM Session Manager for persistence. Mapped to community playbooks like Stratus Red Team.
Cloud TI catalogued against the matrix adversaries actually use.
Every cloud indicator carries a MITRE Cloud Matrix tag. The kill-chain visualisation below shows seven canonical stages with the technique IDs each maps to — and the kind of intelligence the catalogue holds for each.
The hardest cloud tradecraft to detect — and why TI matters most here.
“Living-off-the-Cloud” (LotC) is the cloud equivalent of LotL. Adversaries use legitimate cloud APIs and built-in cloud services to achieve persistence, lateral movement, and exfiltration without deploying any custom payload. No hashes to detect. No malware signatures. No standout binaries on disk. The detection problem is essentially behavioural.
Behavioural detection requires behavioural intelligence. A single AssumeRole call is normal. A sequence of AssumeRole calls that walks from one tenant to a higher-privilege role across an unusual cross-account trust, in a fifteen-minute window, while CloudTrail log retention is being modified, is highly abnormal. That sequence is what the threat intelligence has to express — not just the individual API calls.
The catalogue captures the sequences. Cloud TI in the platform isn\’t a list of suspicious API calls. It is a catalogue of suspicious patterns: ordered sequences of API events that constitute known adversary tradecraft. Hunt playbooks query for the patterns. Matches produce attribution to known operator clusters.
Stratus Red Team and equivalent emulation tooling drive the catalogue. The platform catalogues adversary patterns observed both in real engagements and in open-source emulation frameworks. When a new LotC technique is published, it becomes a hunt pattern within the same week.
How the platform connects to your cloud telemetry.
S3-stored CloudTrail + VPC Flow
Attach an S3 bucket holding CloudTrail and VPC Flow Logs. Athena query plane runs in your AWS account — your raw telemetry stays on your side. Only hunt definitions and hit metadata leave.
AWS Bedrock telemetry
CloudTrail analysis of LLM-platform abuse: prompt-injection signals, model-output exfiltration patterns, anomalous invocation volumes.
Kubernetes audit logs
Attach EKS audit logs alongside VPC Flow. Cross-source pivots from a pod-API event to the network behaviour that follows.
Equivalent connectors
GCP Audit Logs, Azure Activity Logs, equivalent K8s audit feeds. Same Athena-style query model — your telemetry, your account.
An end-to-end Living-off-the-Cloud walkthrough.
09:14 — Anomalous AssumeRole. The platform\’s catalogue surfaces an AssumeRole call that traverses an unusual cross-account trust path. The pattern matches a known operator cluster\’s preferred initial-access tradecraft.
09:18 — CloudTrail visibility check. A second matching pattern: CloudTrail log retention has been modified in the past hour. This is on the operator\’s standard defence-evasion playbook — they shorten retention to reduce forensic evidence.
09:21 — SSM Session activity. Within minutes of the trust traversal, a Session Manager session is opened into an EC2 instance in a different VPC. No interactive SSH, no key exchange, no perimeter alert.
09:34 — VPC Flow anomaly. The same EC2 instance begins outbound traffic to an internal-looking RDS endpoint. The VPC Flow Log hunt platform flags this as anomalous east-west traffic with a tight beacon period.
09:48 — Snapshot creation. CloudTrail records a CreateSnapshot call on an EBS volume attached to the RDS instance. Within seconds, ModifySnapshotAttribute shares the snapshot to an external AWS account.
09:51 — Detection fires. The “Living-off-the-Cloud Attack-Chain Detection” hunt — already running continuously — fires on the complete sequence. The incident is now in the analyst queue with the full kill chain visible, every stage attributed, every IOC catalogued.
What just happened. Seven minutes from initial trust traversal to exfiltration. No malware. No payload. No signature would have caught it. Cross-plane behavioural intelligence — the kind catalogued by the platform — caught the chain.
