Executive Summary

• Cloud-based alerting systems often struggle to distinguish normal cloud activity from targeted malicious operations by known threat actors.
• The difficulty does not lie in an inability to correlate alerts across thousands of cloud resources, or in a failure to track identity resources. The problem is accurately detecting the techniques of known persistent threat actor groups specifically within cloud environments.
• In this research, we hypothesize that a new method of alert analysis could be used to improve detection.
• Specifically, we look at cloud-based alerting events and their mapping to the MITRE ATT&CK® tactics and techniques they represent.
• We believe we can show a correlation between threat actors and the types of techniques they use, which in turn trigger specific types of alerting events within victim environments.
• This distinct, detectable pattern could be used to identify when a known threat actor group compromises an organization.
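To make the hypothesis concrete, the following added example (constructed for this page, not Unit 42's code, data or mappings) shows the mechanics of the approach: each cloud alert type is mapped to an ATT&CK tactic and technique, the set of techniques observed in an environment is scored against per-actor technique profiles, and an actor is reported only when the overlap clears a threshold. The alert names, the alert-to-technique table, the actor profiles (placeholder names, not the groups studied in the research) and the sample alert stream are all assumptions made up for illustration; the technique IDs themselves are real ATT&CK identifiers.

```python
"""Constructed example: map cloud alert events to ATT&CK techniques and score
the observed technique set against known-actor technique profiles."""
from collections import Counter
from typing import Iterable, Optional

# Constructed alert-to-ATT&CK mapping. The technique IDs are real ATT&CK IDs
# (e.g. T1078 = Valid Accounts, T1562 = Impair Defenses); which alert name maps
# to which technique is an assumption for this example.
ALERT_TO_TECHNIQUE = {
    "ConsoleLoginWithoutMFA":     ("TA0001", "T1078"),  # Initial Access
    "NewAccessKeyCreated":        ("TA0003", "T1098"),  # Persistence
    "IAMPolicyAttachedAdmin":     ("TA0004", "T1098"),  # Privilege Escalation
    "SecurityGroupOpenedToWorld": ("TA0005", "T1562"),  # Defense Evasion
    "LoggingDisabled":            ("TA0005", "T1562"),  # Defense Evasion
    "BulkObjectDownload":         ("TA0009", "T1530"),  # Collection
    "SnapshotSharedExternally":   ("TA0010", "T1537"),  # Exfiltration
}

# Constructed actor profiles with placeholder names. A real profile would be
# built from the techniques an actor has been observed using in past intrusions.
ACTOR_PROFILES = {
    "ACTOR_A_PLACEHOLDER": {"T1078", "T1098", "T1530"},
    "ACTOR_B_PLACEHOLDER": {"T1078", "T1562", "T1537"},
}

# Constructed alert stream for one environment; one alert is deliberately
# unmapped to show that unknown alert types are ignored rather than crashing.
SAMPLE_ALERTS = [
    "ConsoleLoginWithoutMFA",
    "NewAccessKeyCreated",
    "IAMPolicyAttachedAdmin",
    "LoggingDisabled",
    "BulkObjectDownload",
    "BulkObjectDownload",
    "SomeUnmappedAlert",
]


def techniques_from_alerts(alerts: Iterable[str]) -> Counter:
    """Count how often each ATT&CK technique was triggered by the alert stream."""
    counts: Counter = Counter()
    for alert in alerts:
        mapped = ALERT_TO_TECHNIQUE.get(alert)
        if mapped is not None:
            counts[mapped[1]] += 1
    return counts


def tactics_from_alerts(alerts: Iterable[str]) -> list:
    """Sorted list of distinct tactics seen, useful for spotting kill-chain breadth."""
    return sorted({ALERT_TO_TECHNIQUE[a][0] for a in alerts if a in ALERT_TO_TECHNIQUE})


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; 0 when either set is empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score_actors(alerts: Iterable[str], profiles: dict = ACTOR_PROFILES) -> dict:
    """Similarity of the observed technique set to each actor profile."""
    observed = set(techniques_from_alerts(alerts))
    return {actor: jaccard(observed, techs) for actor, techs in profiles.items()}


def attribute(alerts: Iterable[str], threshold: float = 0.5,
              profiles: dict = ACTOR_PROFILES) -> tuple:
    """Return (actor, score) for the best match, or (None, score) below threshold."""
    scores = score_actors(alerts, profiles)
    actor, score = max(scores.items(), key=lambda kv: kv[1])
    return (actor if score >= threshold else None, score)


if __name__ == "__main__":
    print("techniques:", dict(techniques_from_alerts(SAMPLE_ALERTS)))
    print("tactics:   ", tactics_from_alerts(SAMPLE_ALERTS))
    print("scores:    ", score_actors(SAMPLE_ALERTS))
    print("attribution:", attribute(SAMPLE_ALERTS))
```

The threshold is the practical knob: a single generic technique such as Valid Accounts overlaps with almost every profile, so a low-overlap match should stay unattributed and be treated as ordinary triage rather than a named-actor incident.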
Article Summaries:
- Unit 42 has announced a new alert-analysis method that maps cloud-based security events to MITRE ATT&CK tactics and techniques, enabling the detection of known threat-actor groups. The research focused on the cybercrime group Muddled Libra and the nation-state group Silk Typhoon, analyzing alerts from 22 industries between June 2024 and June 2025. Results show distinct alert patterns for each group and a clear link between the actors' techniques and the industries they target. The findings suggest the feasibility of automated prevention in complex cloud environments, and Unit 42 offers a Cloud Security Assessment and incident-response support.