Evolving the kill chain approach to protect cloud-based applications

(Image credit: Chaiyapop Bhumiwat / Shutterstock)

As an information security professional, you’re likely to have heard about the cyber kill chain framework being used for identification and prevention of cyber intrusions.

The model was established by Lockheed Martin, and follows the military approach of the same name: describing and tackling each stage of a threat. These stages are referred to as reconnaissance, weaponisation, delivery, exploitation, installation, command and control - and finally, actions on objectives. 

While the model fits both physical and cyber threats, it’s important to note that not all steps of the kill chain are used in every cyber attack. For example, the first and last stages ‘Recon’ and ‘Persist’ typically feature only in targeted attacks. The duration of an attack can also vary, depending on its nature. Opportunistic attacks must be executed quickly, and the end value to the malicious actor often hinges on the number of victims rather than their ‘quality’.

The kill chain terminology has had some criticism in cyber security use; some say that it reinforces traditional perimeter-based and malware-prevention based defensive strategies and doesn’t adequately protect against insider threats. However, the model has evolved significantly since its inception, and today it helps us to understand the modus operandi and to combat both targeted attacks carried out by APTs, and opportunistic threats like ransomware, phishing or cryptojacking.

But of course, cyber attacks are evolving as quickly as the technology they target and it’s understandable that infosec professionals are now calling for a greater understanding of the ways in which the kill chain has changed with the advent of cloud applications. If not properly secured, cloud services can increase the attack surface for an organisation - and at multiple phases of the kill chain.

So, let’s take a look at how organisations can use the kill chain approach to tackle this new breed of attacks on their critical cloud applications.

Exploiting cloud services within the kill chain

The best way for infosecurity professionals to address their cloud-based security concerns is to look closely at each stage of the kill chain, assessing where malicious campaigns use cloud to evade traditional security technologies.

The Recon phase is a good place to start. At this stage of the chain, malicious actors can use multiple methods to gather intelligence from a victim - and the growing adoption of cloud services simply gives attackers additional entry points. Attackers can research which cloud services are used by their victims (so they can build tailored phishing pages or malicious plugins for the apps used by the victim), or scan for misconfigured or publicly accessible cloud resources that can then be exploited to break into the targeted company. They can also take advantage of sensitive information inadvertently shared in apparently innocuous cloud services.

The Weaponise phase sees the malicious actor set up the necessary infrastructure for their work: from phishing pages and malware distribution points to command and control domains. Today, these resources can easily be hosted on cloud services and it is increasingly common to see malicious campaigns distributing their payload from cloud services, and even using cloud services as a safe haven for their command and control.

Importantly, cloud applications are often not inspected regularly enough, or are completely white-listed by traditional technologies which cannot effectively recognise and analyse context. It’s here that we see the role of cloud in the Exploit phase. A context-aware system would notice, for example, data being dropped into an AWS or Azure instance that is external to the organisation, but traditional security technologies cannot do this. So, cybercriminals use cloud services to evade detection and remain under the radar.

Once the malicious infrastructure has been constructed, the next logical step is the Delivery of the attack vector from the cloud. Phishing pages can now be served from the cloud, as can any other potentially malicious payloads. We have also identified campaigns abusing cloud services as redirectors to malware distribution sites used for targeted attacks.

Once the malware is installed, it needs to connect to its command and control infrastructure. Attackers can use this connection to leak information, enslave the compromised endpoint in a botnet to launch DDoS attacks or spam campaigns, or establish a foothold to move laterally and dig deeper into the victim organisation. Again, the cloud plays an important role in this phase, as the attacker can use trusted cloud services like AWS and Google Drive to hide the communication channel. The reason is always the same: evasion.

The characteristics of cloud play an important role in the Persist phase too. Once they access the cloud service - directly or via a compromised endpoint - attackers can move laterally and hop across cloud services. They can not only change the configuration of critical services hosted in the cloud, escalate privileges to gain increased access, steal data and clear up their traces, but also spin up new instances for malicious purposes like cryptojacking.

It is of course incredibly important that we do not ring-fence or separate cloud attack vectors and surfaces in our consideration of – and response to – the kill chain. An attack can use a combination of “traditional” attack vectors, such as web and email, as well as cloud services. We use the term “Hybrid Threats” to define attacks that leverage this mixed approach to remain under the radar of traditional security solutions.

How to overcome cloud-based challenges

By looking at each stage of the kill chain, we can see that infosec professionals are right to be cautious. Cloud adoption rates across a range of businesses and industries have reached 96 per cent, and, although on-premises resources are unlikely to disappear in the near future, the cloud now forms the foundation of most IT infrastructures and strategies.

We can see that cloud applications present significant and unique challenges to security, and perhaps the greatest challenge of all in the cloud native era results from the fact that cloud infrastructure and services are always evolving.

The only way to combat cloud-native threats is by using cloud-native security technology. It seems obvious, perhaps, that only a cloud-native technology can detect and mitigate cloud-native threats - and a threat-aware, instance-aware, unified platform like Netskope can assemble a more complete picture of your position, find hybrid threats and enforce usage policies.

Once that technology is in place, there are a number of discrete initiatives that can help to tackle cloud based security challenges.

These include performing a regular, continuous security assessment of all IaaS resources to prevent misconfigurations that can be exploited by malicious actors, and performing a regular DLP scan of any externally shared content in sanctioned cloud applications to prevent inadvertent leakage of information that can be exploited by malicious actors.

Organisations must prepare for both unsanctioned services and unsanctioned instances of sanctioned cloud services, as well as ensure that staff are effectively trained on using cloud services safely and securely. Many breaches come as a result of human error, so it’s important to warn users about the pitfalls of cloud applications, for example warning them to avoid executing unsigned macros and macros from an untrusted source, even if the source seems to be a legitimate cloud service. More fundamentally, organisations must warn users to avoid executing any file unless they are very sure that it is benign - and counsel against opening untrusted attachments, regardless of their extensions or filenames.

Sample policies to enforce include the need to scan all uploads from unmanaged devices to sanctioned cloud applications, looking for malware. A good option is to block unsanctioned instances of sanctioned / well-known cloud apps to prevent attackers from exploiting user trust in cloud, or prevent the transfer of data to S3 buckets external to the organisation. While this seems a little restrictive, it significantly reduces the risk of malware infiltration attempts via cloud.
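To make the instance-aware check described above concrete, the following added example (not code from the article or from any vendor) flags uploads in web proxy logs that go to S3 buckets outside an organisation-owned allowlist, even though every request targets the same trusted amazonaws.com domain. The bucket names, log format and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: buckets the organisation owns (hypothetical names).
ORG_BUCKETS = {"examplecorp-prod-data", "examplecorp-backups"}
UPLOAD_METHODS = {"PUT", "POST"}

# Virtual-hosted style: <bucket>.s3.<region>.amazonaws.com (region optional).
VHOST = re.compile(r"^(?P<bucket>.+)\.s3[.-](?:[a-z0-9-]+\.)*amazonaws\.com$")
# Path style: s3.<region>.amazonaws.com/<bucket>/<key> (region optional).
PATH_HOST = re.compile(r"^s3[.-](?:[a-z0-9-]+\.)*amazonaws\.com$")

# Constructed proxy log lines: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2024-01-01T10:00:00Z alice PUT https://examplecorp-prod-data.s3.amazonaws.com/q1.csv 52311
2024-01-01T10:02:10Z bob PUT https://drop-zone-91.s3.eu-west-1.amazonaws.com/q1.csv 52311
2024-01-01T10:03:00Z bob GET https://drop-zone-91.s3.eu-west-1.amazonaws.com/index.html 0
2024-01-01T10:05:42Z carol POST https://s3.amazonaws.com/other-bucket/upload 880112
2024-01-01T10:06:00Z dave POST https://example.com/form 120
""".splitlines()


def s3_bucket(url):
    """Return the bucket an S3 URL addresses, or None if the URL is not S3."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    match = VHOST.match(host)
    if match:
        return match.group("bucket")
    if PATH_HOST.match(host):
        # Path-style addressing: the bucket is the first path segment.
        return parts.path.lstrip("/").split("/", 1)[0] or None
    return None


def external_uploads(lines, org_buckets=ORG_BUCKETS):
    """Return (user, bucket, bytes_sent) for uploads to buckets the org does not own."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines rather than guess
        _ts, user, method, url, sent = fields
        bucket = s3_bucket(url)
        if method in UPLOAD_METHODS and bucket and bucket not in org_buckets:
            hits.append((user, bucket, int(sent)))
    return hits


if __name__ == "__main__":
    for hit in external_uploads(SAMPLE_LOG):
        print(hit)
```

A domain-level allowlist would pass all four S3 requests; only the per-bucket comparison separates the organisation's own instance from the external ones.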

It is clear that, just as the cloud has revolutionised the way data and applications are deployed over the past decade, it has also fundamentally changed IT security needs.

Indeed, although legacy security processes might still play some role in securing modern workloads, organisations that are fully committed to the security and compliance needs posed by the cloud today must overhaul their security strategies for the cloud native era.

Paolo Passeri, Cyber Intelligence Principal, Netskope