CLOUDBURST: Cloud-Layer Observations Using Beacons for Unified Real-time Surveillance and Threat Attribution

Abstract

Modern cloud-native environments present a fundamentally different exfiltration threat surface than traditional file-based scenarios. Attackers targeting AWS, GCP, Azure, and OCI steal S3 presigned URLs, container images, Kubernetes secrets, Terraform state modules, and IAM role tokens -- artefacts that existing honeytoken and beacon frameworks do not address. We present CLOUDBURST, the first formal taxonomy and measurement framework for cloud-native passive beacons, comprising six vector classes across four major cloud providers. We introduce the Cloud Attribution Score (CAS), a four-component metric that explicitly models ephemeral infrastructure penalty (Ep), IAM coverage depth (Ic), and multi-cloud correlation bonus (Mb) -- dimensions absent from all prior attribution quality metrics. Experiments across 21 deployed beacons, 205 simulated callbacks, and three attacker sophistication levels yield four principal findings. First, IAM Canary Roles achieve the highest CAS (mean 0.450) and Detection Resistance (DR = 0.873), making them the most deployable vector. Second, S3 Presigned URLs achieve the highest detection resistance (DR = 0.890), surviving all three cloud-native scanner models (AWS Macie, Checkov/tfsec, Prisma Cloud/Wiz). Third, ephemeral infrastructure churn degrades CAS from ≈ 0.79 at deployment to ≈ 0.18--0.22 at 48 hours for all vectors (p < 0.001), establishing the first quantitative model of attribution decay in containerised environments. Fourth, Serverless Function Triggers exhibit the worst detection resistance (DR = 0.611) due to their explicit outbound HTTP callback pattern, motivating covert callback channel design as future work. No significant CAS difference is observed across cloud providers (H = 1.99, p = 0.57), confirming that CLOUDBURST is provider-agnostic in its effectiveness.
