As cloud adoption surges, the need for scalable, cloud-native security is paramount. This blog explores whether Cloud Detection and Response (CDR) is merely Network Detection and Response (NDR) tailored for the cloud, highlighting the unique challenges and essential solutions SOC teams require to secure dynamic cloud environments effectively.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Adam Stevens
Director of Product, Cloud Security
Share
31
Jul 2024
The need for scalable cloud-native security
The cybersecurity landscape is undergoing a rapid transformation driven by the accelerated adoption of cloud computing, compelling organizations to reevaluate their security strategies. According to Forrester’s Infrastructure Cloud Survey, 2023, cloud decision-makers who are moving to a cloud computing infrastructure estimated they have already moved 39% of their application portfolio to the cloud and intend to move another 53% in the next two years [1].
This explosive growth underscores not only the increased dependency on cloud services, but also the evolving sophistication of cyber threats targeting these platforms, and the critical need for dedicated security measures tailored to cloud infrastructures — thereby making cloud security a pivotal focus for Security Operations Center (SOC) teams.
As organizations increasingly migrate to cloud environments and their reliance on cloud infrastructures deepens, they encounter new security challenges that require reevaluating their security strategies. Traditional measures like Network Detection and Response (NDR) are being reassessed in favor of more dynamic, scalable cloud-native solutions.
However, can we truly say that cloud detection and response (CDR) is fundamentally different? Or is it simply an evolution of NDR tailored for the cloud?
Cloud Detection and Response (CDR) vs Network Detection and Response (NDR)
Cloud Detection and Response (CDR) has emerged as a pivotal technology in the race against threat actors targeting cloud assets. CDR is typically centered around the same foundational principles as NDR. As such, NDR providers are well placed to provide these capabilities within dynamic cloud environments – particularly those providers that are built upon the foundation of understanding your business, its digital footprint, and leveraging that understanding to detect subtle deviations and highlighting anomalies as opposed to pre training or relying on rules and signatures.
However, there are unique challenges within cloud environments that require a wider, richer, context-aware approach.
Why SOC Teams Care
Widespread UseThe shift towards cloud services is no longer a trend but a standard practice across industries. Organizations increasingly rely on cloud infrastructures for essential operations across IaaS, PaaS, and SaaS platforms. According to Gartner, worldwide end-user spending on public cloud services is forecast to grow 20.4% tototal $678.8 billion in 2024, up from $563.6 billion in 2023 [2]. This widespread adoption necessitates a security approach that can operate seamlessly across varied cloud environments, addressing both the scalability and the agility that these platforms offer.
Sophisticated AttacksCyber threats have evolved in sophistication, specifically targeting cloud platforms due to their growing prevalence. Attackers exploit the dynamic nature of cloud services, where traditional security measures often fall short. The cloud has emerged as a major target for threat actors who want to control access to, manipulate, and steal that data. This makes cloud resources a bigger target than ever for attackers. According to the IBM Cost of a Data Breach 2023 report, 82% of breaches involved data stored in the cloud [3]. Examples include data breaches initiated through misconfigured storage instances or through the exploitation of incomplete data deletion processes, highlighting the need for cloud-specific security responses.
Dynamic EnvironmentsCloud environments are inherently dynamic, characterized by the rapid provisioning and de-provisioning of resources, this fluidity presents a significant challenge for maintaining continuous security oversight, organizations need to be able to see what individual assets in the cloud look like at any given moment, who or what can access those, but also to be able to detect and respond to changes in real time. Unlike traditional infrastructure, detection and response in the cloud is challenging because of the ephemeral nature of some cloud assets and the velocity and volume of new app deployment – traditional signature-based detections will often struggle to work with such data.
What SOC Teams Need
Centralized VisibilityEffective security management requires a comprehensive, unified view spanning all operational environments including multi-cloud platforms and on-premises datacenters. Furthermore, in today's complex IT landscape, where organizations operate across both on-premises and various cloud environments, the need for centralized visibility becomes paramount. This comprehensive oversight is crucial for detecting anomalies and potential threats in real time, allowing SOC teams to manage security from a single source of truth, despite the dispersed nature of cloud assets and the heterogeneity of on-premises resources. By integrating these views, organizations can ensure a seamless security posture that encompasses all operational environments, enhancing their ability to respond swiftly to incidents and reduce security gaps.
AutomationGiven the vast scale and complexity of cloud operations, automation in detection and response processes is indispensable. Automated security solutions can instantly respond to threats, or adjust permissions across the cloud, enhancing both the efficiency and effectiveness of security measures.
Containment and RemediationThe capability for swift containment and remediation of security incidents is vital to minimize their impact on business operations. Automated response mechanisms that can isolate affected systems, revoke access, or reroute traffic until the threat is neutralized are essential components of modern CDR solutions.
Unpacking the Essentials: What Sets CDR Apart from NDR
While CDR and NDR share similar goals of threat mitigation, the context within cloud environments brings additional complexities:
Who: The identification of user roles and access patterns in cloud environments is crucial for detecting insider threats or compromised accounts. For example, an account behaving irregularly or accessing unusual data points may indicate a security breach.
What: Understanding what resources are deployed in the cloud (such as VMs, containers, and serverless functions) and the types of data they handle helps prioritize security efforts. Protecting data with varying sensitivity levels requires different security protocols.
Where: The geographic distribution of cloud datacenters affects regulatory compliance and data sovereignty. Security measures must consider these factors to ensure that data storage and processing comply with local laws and regulations.
How: Monitoring the configuration and usage of cloud services helps in identifying misconfigurations and anomalous usage patterns, which are common vectors for attacks. Tools that can automatically scan and rectify configurations in real time are particularly valuable in maintaining cloud security.
Key takeaways and benefits of CDR
As cloud adoption continues to surge, the strategic importance of CDR becomes increasingly evident. However, NDR vendors are well-positioned to provide these capabilities, especially those who deeply understand customer environments by learning the pattern of life of resources rather than relying on static rules and signatures.
Cloud environments, at their core, are still comprised of networks for communication. Interactions between cloud resources need to be monitored in real time, and access to these resources needs to be tracked and managed. As the cloud changes dynamically, the understanding and visualization of what is deployed and where needs to be updated quickly. Above all effective and proportional cloud-native response needs to be provided to mitigate threats and avoid business disruption.
Moreover, the ideal solutions will not only monitor network interactions but also bring in cloud contextual awareness. By combining these insights, SOC teams can gain a deeper understanding of permissions, assess risk vulnerabilities, and integrate all these elements into a single, cohesive platform. Importantly, SOC teams need to go beyond detection and response to actively mitigate potential misconfigurations and stay preventative. After all, proactive security is much better than reactive. By leveraging such comprehensive solutions, SOC teams can better equip themselves to tackle the modern cybersecurity landscape, ensuring robust, responsive, and adaptable defenses.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Defending the Cloud: Stopping Cyber Threats in Azure and AWS with Darktrace
Real-world intrusions across Azure and AWS
As organizations pursue greater scalability and flexibility, cloud platforms like Microsoft Azure and Amazon Web Services (AWS) have become essential for enabling remote operations and digitalizing corporate environments. However, this shift introduces a new set of security risks, including expanding attack surfaces, misconfigurations, and compromised credentials frequently exploited by threat actors.
This blog dives into three instances of compromise within a Darktrace customer’s Azure and AWS environment which Darktrace.
The first incident took place in early 2024 and involved an attacker compromising a legitimate user account to gain unauthorized access to a customer’s Azure environment.
The other two incidents, taking place in February and March 2025, targeted AWS environments. In these cases, threat actors exfiltrated corporate data, and in one instance, was able to detonate ransomware in a customer’s environment.
Case 1 - Microsoft Azure
Figure 1: Simplified timeline of the attack on a customer’s Azure environment.
In early 2024, Darktrace identified a cloud compromise on the Azure cloud environment of a customer in the Europe, the Middle East and Africa (EMEA) region.
Initial access
In this case, a threat actor gained access to the customer’s cloud environment after stealing access tokens and creating a rogue virtual machine (VM). The malicious actor was found to have stolen access tokens belonging to a third-party external consultant’s account after downloading cracked software.
With these stolen tokens, the attacker was able to authenticate to the customer’s Azure environment and successfully modified a security rule to allow inbound SSH traffic from a specific IP range (i.e., securityRules/AllowCidrBlockSSHInbound). This was likely performed to ensure persistent access to internal cloud resources.
Detection and investigation of the threat
Darktrace / IDENTITY recognized that this activity was highly unusual, triggering the “Repeated Unusual SaaS Resource Creation” alert.
Cyber AI Analyst launched an autonomous investigation into additional suspicious cloud activities occurring around the same time from the same unusual location, correlating the individual events into a broader account hijack incident.
Figure 2: Cyber AI Analyst’s investigation into unusual cloud activity performed by the compromised account.
Figure 3: Surrounding resource creation events highlighted by Cyber AI Analyst.
Figure 4: Surrounding resource creation events highlighted by Cyber AI Analyst.
“Create resource service limit” events typically indicate the creation or modification of service limits (i.e., quotas) for a specific Azure resource type within a region. Meanwhile, “Registers the Capacity Resource Provider” events refer to the registration of the Microsoft Capacity resource provider within an Azure subscription, responsible for managing capacity-related resources, particularly those related to reservations and service limits. These events suggest that the threat actor was looking to create new cloud resources within the environment.
Around ten minutes later, Darktrace detected the threat actor creating or modifying an Azure disk associated with a virtual machine (VM), suggesting an attempt to create a rogue VM within the environment.
Threat actors can leverage such rogue VMs to hijack computing resources (e.g., by running cryptomining malware), maintain persistent access, move laterally within the cloud environment, communicate with command-and-control (C2) infrastructure, and stealthily deliver and deploy malware.
Persistence
Several weeks later, the compromised account was observed sending an invitation to collaborate to an external free mail (Google Mail) address.
Darktrace deemed this activity as highly anomalous, triggering a compliance alert for the customer to review and investigate further.
The next day, the threat actor further registered new multi-factor authentication (MFA) information. These actions were likely intended to maintain access to the compromised user account. The customer later confirmed this activity by reviewing the corresponding event logs within Darktrace.
Case 2 – Amazon Web Services
Figure 5: Simplified timeline of the attack on a customer’s AWS environment
In February 2025, another cloud-based compromised was observed on a UK-based customer subscribed to Darktrace’s Managed Detection and Response (MDR) service.
How the attacker gained access
The threat actor was observed leveraging likely previously compromised credential to access several AWS instances within customer’s Private Cloud environment and collecting and exfiltrating data, likely with the intention of deploying ransomware and holding the data for ransom.
Darktrace alerting to malicious activity
This observed activity triggered a number of alerts in Darktrace, including several high-priority Enhanced Monitoring alerts, which were promptly investigated by Darktrace’s Security Operations Centre (SOC) and raised to the customer’s security team.
The earliest signs of attack observed by Darktrace involved the use of two likely compromised credentials to connect to the customer’s Virtual Private Network (VPN) environment.
Internal reconnaissance
Once inside, the threat actor performed internal reconnaissance activities and staged the Rclone tool “ProgramData\rclone-v1.69.0-windows-amd64.zip”, a command-line program to sync files and directories to and from different cloud storage providers, to an AWS instance whose hostname is associated with a public key infrastructure (PKI) service.
The threat actor was further observed accessing and downloading multiple files hosted on an AWS file server instance, notably finance and investment-related files. This likely represented data gathering prior to exfiltration.
Shortly after, the PKI-related EC2 instance started making SSH connections with the Rclone SSH client “SSH-2.0-rclone/v1.69.0” to a RockHoster Virtual Private Server (VPS) endpoint (193.242.184[.]178), suggesting the threat actor was exfiltrating the gathered data using the Rclone utility they had previously installed. The PKI instance continued to make repeated SSH connections attempts to transfer data to this external destination.
Darktrace’s Autonomous Response
In response to this activity, Darktrace’s Autonomous Response capability intervened, blocking unusual external connectivity to the C2 server via SSH, effectively stopping the exfiltration of data.
This activity was further investigated by Darktrace’s SOC analysts as part of the MDR service. The team elected to extend the autonomously applied actions to ensure the compromise remained contained until the customer could fully remediate the incident.
Continued reconissance
Around the same time, the threat actor continued to conduct network scans using the Nmap tool, operating from both a separate AWS domain controller instance and a newly joined device on the network. These actions were accompanied by further internal data gathering activities, with around 5 GB of data downloaded from an AWS file server.
The two devices involved in reconnaissance activities were investigated and actioned by Darktrace SOC analysts after additional Enhanced Monitoring alerts had triggered.
Lateral movement attempts via RDP connections
Unusual internal RDP connections to a likely AWS printer instance indicated that the threat actor was looking to strengthen their foothold within the environment and/or attempting to pivot to other devices, likely in response to being hindered by Autonomous Response actions.
This triggered multiple scanning, internal data transfer and unusual RDP alerts in Darktrace, as well as additional Autonomous Response actions to block the suspicious activity.
Suspicious outbound SSH communication to known threat infrastructure
Darktrace subsequently observed the AWS printer instance initiating SSH communication with a rare external endpoint associated with the web hosting and VPS provider Host Department (67.217.57[.]252), suggesting that the threat actor was attempting to exfiltrate data to an alternative endpoint after connections to the original destination had been blocked.
Further investigation using open-source intelligence (OSINT) revealed that this IP address had previously been observed in connection with SSH-based data exfiltration activity during an Akira ransomware intrusion [1].
Once again, connections to this IP were blocked by Darktrace’s Autonomous Response and subsequently these blocks were extended by Darktrace’s SOC team.
The above behavior generated multiple Enhanced Monitoring alerts that were investigated by Darktrace SOC analysts as part of the Managed Threat Detection service.
Figure 5: Enhanced Monitoring alerts investigated by SOC analysts as part of the Managed Detection and Response service.
Final containment and collaborative response
Upon investigating the unusual scanning activity, outbound SSH connections, and internal data transfers, Darktrace analysts extended the Autonomous Response actions previously triggered on the compromised devices.
As the threat actor was leveraging these systems for data exfiltration, all outgoing traffic from the affected devices was blocked for an additional 24 hours to provide the customer’s security team with time to investigate and remediate the compromise.
Additional investigative support was provided by Darktrace analysts through the Security Operations Service, after the customer's opened of a ticket related to the unfolding incident.
Figure 8: Simplified timeline of the attack
Around the same time of the compromise in Case 2, Darktrace observed a similar incident on the cloud environment of a different customer.
Initial access
On this occasion, the threat actor appeared to have gained entry into the AWS-based Virtual Private Cloud (VPC) networkvia a SonicWall SMA 500v EC2 instance allowing inbound traffic on any port.
The instance received HTTPS connections from three rare Vultr VPS endpoints (i.e., 45.32.205[.]52, 207.246.74[.]166, 45.32.90[.]176).
Lateral movement and exfiltration
Around the same time, the EC2 instance started scanning the environment and attempted to pivot to other internal systems via RDP, notably a DC EC2 instance, which also started scanning the network, and another EC2 instance.
The latter then proceeded to transfer more than 230 GB of data to the rare external GTHost VPS endpoint 23.150.248[.]189, while downloading hundreds of GBs of data over SMB from another EC2 instance.
Figure 7: Cyber AI Analyst incident generated following the unusual scanning and RDP connections from the initial compromised device.
The same behavior was replicated across multiple EC2 instances, whereby compromised instances uploaded data over internal RDP connections to other instances, which then started transferring data to the same GTHost VPS endpoint over port 5000, which is typically used for Universal Plug and Play (UPnP).
What Darktrace detected
Darktrace observed the threat actor uploading a total of 718 GB to the external endpoint, after which they detonated ransomware within the compromised VPC networks.
This activity generated nine Enhanced Monitoring alerts in Darktrace, focusing on the scanning and external data activity, with the earliest of those alerts triggering around one hour after the initial intrusion.
Darktrace’s Autonomous Response capability was not configured to act on these devices. Therefore, the malicious activity was not autonomously blocked and escalated to the point of ransomware detonation.
Conclusion
This blog examined three real-world compromises in customer cloud environments each illustrating different stages in the attack lifecycle.
The first case showcased a notable progression from a SaaS compromise to a full cloud intrusion, emphasizing the critical role of anomaly detection when legitimate credentials are abused.
The latter two incidents demonstrated that while early detection is vital, the ability to autonomously block malicious activity at machine speed is often the most effective way to contain threats before they escalate.
Together, these incidents underscore the need for continuous visibility, behavioral analysis, and machine-speed intervention across hybrid environments. Darktrace's AI-driven detection and Autonomous Response capabilities, combined with expert oversight from its Security Operations Center, give defenders the speed and clarity they need to contain threats and reduce operational disruption, before the situation spirals.
Credit to Alexandra Sentenac (Senior Cyber Analyst) and Dylan Evans (Security Research Lead)
Top Eight Threats to SaaS Security and How to Combat Them
The latest on the identity security landscape
Following the mass adoption of remote and hybrid working patterns, more critical data than ever resides in cloud applications – from Salesforce and Google Workspace, to Box, Dropbox, and Microsoft 365.
As SaaS applications look set to remain an integral part of the digital estate, organizations are being forced to rethink how they protect their users and data in this area.
What is SaaS security?
SaaS security is the protection of cloud applications. It includes securing the apps themselves as well as the user identities that engage with them.
Below are the top eight threats that target SaaS security and user identities.
1. Account Takeover (ATO)
Attackers gain unauthorized access to a user’s SaaS or cloud account by stealing credentials through phishing, brute-force attacks, or credential stuffing. Once inside, they can exfiltrate data, send malicious emails, or escalate privileges to maintain persistent access.
2. Privilege escalation
Cybercriminals exploit misconfigurations, weak access controls, or vulnerabilities to increase their access privileges within a SaaS or cloud environment. Gaining admin or superuser rights allows attackers to disable security settings, create new accounts, or move laterally across the organization.
3. Lateral movement
Once inside a network or SaaS platform, attackers move between accounts, applications, and cloud workloads to expand their foot- hold. Compromised OAuth tokens, session hijacking, or exploited API connections can enable adversaries to escalate access and exfiltrate sensitive data.
4. Multi-Factor Authentication (MFA) bypass and session hijacking
Threat actors bypass MFA through SIM swapping, push bombing, or exploiting session cookies. By stealing an active authentication session, they can access SaaS environments without needing the original credentials or MFA approval.
5. OAuth token abuse
Attackers exploit OAuth authentication mechanisms by stealing or abusing tokens that grant persistent access to SaaS applications. This allows them to maintain access even if the original user resets their password, making detection and mitigation difficult.
6. Insider threats
Malicious or negligent insiders misuse their legitimate access to SaaS applications or cloud platforms to leak data, alter configurations, or assist external attackers. Over-provisioned accounts and poor access control policies make it easier for insiders to exploit SaaS environments.
SaaS applications rely on APIs for integration and automation, but attackers exploit insecure endpoints, excessive permissions, and unmonitored API calls to gain unauthorized access. API abuse can lead to data exfiltration, privilege escalation, and service disruption.
8. Business Email Compromise (BEC) via SaaS
Adversaries compromise SaaS-based email platforms (e.g., Microsoft 365 and Google Workspace) to send phishing emails, conduct invoice fraud, or steal sensitive communications. BEC attacks often involve financial fraud or data theft by impersonating executives or suppliers.
BEC heavily uses social engineering techniques, tailoring messages for a specific audience and context. And with the growing use of generative AI by threat actors, BEC is becoming even harder to detect. By adding ingenuity and machine speed, generative AI tools give threat actors the ability to create more personalized, targeted, and convincing attacks at scale.
Protecting against these SaaS threats
Traditionally, security leaders relied on tools that were focused on the attack, reliant on threat intelligence, and confined to a single area of the digital estate.
However, these tools have limitations, and often prove inadequate for contemporary situations, environments, and threats. For example, they may lack advanced threat detection, have limited visibility and scope, and struggle to integrate with other tools and infrastructure, especially cloud platforms.
AI-powered SaaS security stays ahead of the threat landscape
New, more effective approaches involve AI-powered defense solutions that understand the digital business, reveal subtle deviations that indicate cyber-threats, and action autonomous, targeted responses.
