IaaS Detection

Also known as:

  • Cloud Detection and Response (CDR)

What problem does it target?

Attackers exploit Cloud (Infrastructure as a Service - AWS, Azure, GCP, etc) workloads mainly using the following methods:

  1. Abusing resources via the data plane - e.g. exploiting a vulnerability over an internet-facing port, then accessing internal data and services.
  2. Abusing resources via control-plane APIs - e.g. create user, grant permissions, access data, delete data. These typically require valid credentials.

Organizations needed a way to detect those malicious activities.

What does this solution do?

Cloud detection solutions aim to reduce the costs and increase the effectiveness compared to the development of manual detection logic. Automated response is rarely used because containment of production workloads can cause expensive downtime.

CDR tools:

  • Continuously monitor cloud-native telemetry (e.g., CloudTrail, GCP Audit Logs, Azure Activity Logs)
  • Use behavioral analytics, rules, and ML to detect suspicious activity (e.g., unusual role assumptions, new regions, exfil attempts)
  • Trigger alerts or automated responses (e.g., isolate instance, revoke token)
  • Some platforms integrate identity, vulnerability, and exposure data to contextualize detections

Advanced CDR may include:

  • Agentless runtime detection across workloads
  • Identity behavior modeling
  • Integration into SOAR or SIEM platforms

Limitations and Evolving Landscape

  • CDR tools may lack deep application context, making it difficult to detect attacks that originate at the application layer and move laterally.
  • Modern attacks (such as the MoveIT exploit) often span multiple layers: application, workload, and cloud. Complete visibility and response require correlating events across all these layers.
  • Cloud Application Detection & Response (CADR/ADR) is a new and distinct category focused on deep, runtime application-layer detection and response in cloud environments. For more, see Cloud Application Detection and Response (CADR/ADR).

Who is this for?

  • Organizations running critical workloads in AWS, Azure, GCP
  • Security teams needing visibility into the cloud control plane
  • Companies that want to detect active threats without installing agents on every asset

Who might not benefit from this?

  • Organizations without cloud workloads
  • Environments where native CSP alerts (e.g., AWS Config rules, Azure Defender) are deemed sufficient
  • Teams that already rely on full CNAPP platforms with detection baked in

Pitfalls and remedies

Pitfall Remedy
Too many low-value alerts (noise) Customize detection rules to your environment; suppress expected behavior
Blind spots in telemetry Ensure all regions, accounts, and services are properly integrated (especially in multi-account setups)
Slow response to detections Integrate with SOAR or automate responses (e.g., quarantine IAM user, disable keys)
Lack of visibility into container or workload layer Consider integrating with CWPP or CNAPP platforms to expand detection beyond control plane

Sample products

  • AWS GuardDuty  One of the first Cloud detection tools. Native to AWS. Lightweight and effective.
  • Wiz Defend  part of Wiz CNAPP platform, integrates identity, posture, and workload signals
  • Palo Alto Prisma Cloud (Defend)  detection across cloud and container environments
  • Lacework  anomaly detection using behavior modeling and telemetry analysis
  • Microsoft Defender for Cloud  unified alerts across Azure and multi-cloud

All trademarks are property of their respective owners.
Copyright © 2025 Deepblue Consulting – All rights reserved.