The kill chain is originally a military model, designed to delineate the lifecycle of an attack. For some time now it has been used by security professionals to map out cyber threats, allowing methodical planning and assessment in an effort to avoid, mitigate and shut down cyber attacks.
The kill chain model is pretty simple and easy to remember, but the methods and tactics chosen by both attackers and defenders inevitably evolve over time to reflect new technologies available to both parties. Right now, it is cloud technology that is driving changes at every stage of the cyber kill chain.
Recon (naissance)
This first phase of the kill chain is seen in targeted, rather than opportunistic attacks and involves research on the part of the malicious actor to determine which weaknesses within your organisation’s systems could be compromised in an attack.
The growing adoption of cloud services gives attackers a new area of investigation when looking for systematic weaknesses. Malicious actors can research which cloud services you are using to create fake login pages delivered via spear phishing with the intent of phishing your users or even worse steal their OAUTH token (something successfully engineered in both opportunistic and targeted attacks in the past).
They can also scan for misconfigured or publicly accessible cloud resources that can be exploited to break into your organisation. They can also take advantage of sensitive information inadvertently shared in apparently innocuous cloud services. In March it was reported that searching just 13% of all GitHub public repositories over a period of six months revealed more than 100,000 repos leaking API tokens and cryptographic keys.
Weaponize
The weaponize phase sees the malicious actor build the necessary infrastructure to mount their attack on you. These may be phishing pages, malware distribution points, exploit kit landing pages, or command and control domains and today; these resources are increasingly likely to be hosted on cloud services. It is becoming more and more common to see malicious campaigns using cloud services as a safe haven for their command and control. The reasons for this are the same ones that drove your own organisation to use cloud; cloud services offer unmatched resiliency and availability, scalability at a manageable cost, and allow the creation of resources with a single click.
Delivery
As well as choosing cloud services to host the operational infrastructure of an attack, we also see a huge growth in cloud services as the delivery method of attack vectors. Serving phishing pages from the cloud is particularly effective since the fake login page presents a legitimate certificate and a URL that sounds familiar to the user and ultimately breaches the ‘human firewall’. A malicious payload delivered from a known cloud service has a higher probability of being executed as the user implicitly trusts the source, despite any possible pop-up warning. Campaigns abusing cloud services as redirectors to malware distribution sites used for targeted attacks have also been identified.
Exploit / Install
Cloud services are all-too-often not inspected or are completely whitelisted by traditional technologies which cannot effectively recognise and analyse context. Here we see the role of cloud in the exploit phase of the Cyber Kill Chain. A context-aware system would notice data that is being dropped into an AWS or Azure instance external to the organisation, but traditional security technologies cannot do this. So, cyber criminals exploit this weakness and use cloud services to evade detection and remain under the radar of your traditional security solutions.
Callback
Once the malware is installed, it needs to connect to its command and control infrastructure (Callback). Attackers can use this connection to leak information, enslave the compromised endpoint in a botnet to launch DDoS attacks or spam campaigns, or establish a foothold to move laterally and dig deeper into the organisation. And again, the cloud plays an important role in this phase, as attackers can use trusted cloud services like AWS and Google Drive, as well as popular applications like Twitter or Slack, to hide the communication channel. The reason is always the same: evasion.
As explained in the exploit phase, if your organisation has already sanctioned the use of AWS or Google Drive, this traffic will usually be allowed as legacy technologies don’t have instance-awareness and therefore cannot recognise whether the connection is directed to the organisation’s own instance of AWS / Drive or an instance of AWS / Drive employed by a malicious third party. In many cases, the traffic to sanctioned cloud services will not even be inspected for malware or anomalous patterns since SSL inspection is a resource-intensive task for legacy on-premise technologies and introduces latency at levels that unacceptably impact the user experience.
Persist
The characteristics of cloud play an important role in the persist phase of the kill chain. Once they access the cloud service, directly or via a compromised endpoint, attackers can move laterally and hop across cloud services. They can not only change the configuration of your critical services hosted in the cloud, escalate privileges to gain increased access, steal your data and clear up their traces, but they can also spin up new instances of cloud services for malicious purposes like cryptojacking. Stolen credentials, leaked accounts, or misconfiguration of cloud services are typical ways used by attackers to break into cloud services and move laterally.
It is of course incredibly important that we do not ring fence or separate cloud attack vectors and surfaces in our consideration of - and response to - the kill chain. An attack can use a combination of ‘traditional’ attack vectors, such as web and email, as well as cloud services. Hybrid threats are attacks that leverage this mixed approach to remain under the radar of traditional security solutions.