In the ongoing debate surrounding the most effective ways to monitor, detect, classify and tackle malicious threats, the kill chain framework is a well-established model, writes Paolo Passeri, Cyber Intelligence Principal at Netskope, a cloud security product company.
This military-inspired methodology for defeating adversaries relies on constructing a model for the stages of an attack, so that defenders have the opportunity to detect and stop the attacker at each stage.
For proponents of the kill chain, the watch-word is early intervention; the closer to the beginning of the kill chain an attack can be stopped, the better, and the quicker an attack can be stopped, the lower the potential impact and damage for the target.
However, as with many security approaches, the kill chain terminology has its critics. Some argue that the first phases of the chain happen outside the defended network, making it difficult to identify or defend against actions in these areas. For some, the methodology is said to reinforce traditional perimeter-based and malware-prevention-based defensive strategies, whilst others have noted that the traditional cyber kill chain isn’t suitable for modelling the insider threat.
Since its inception, the model has evolved significantly and today, it helps us to combat opportunistic attacks as well as targeted attacks carried out by advanced persistent threats (APTs).
Cyber criminals are evolving as quickly as the technology they target; an exponential increase in the number of breaches, combined with the shift to the cloud, has meant the attack surfaces and vectors have concurrently expanded to the point of near uncontrollability.
In the wake of this increasing threat level, it’s perhaps no surprise that information security teams are calling for a greater understanding of the ways in which the kill chain has changed with the advent of cloud applications.
Securing the cloud
The advent of cloud services has had a major impact on cyber security. On one hand, malicious campaigns can use the cloud to evade traditional security technologies. In fact, cloud environments are implicitly trusted, making it easier for traffic to bypass traditional perimeter defences that are not context and instance aware. On the other hand, cloud applications augment the attack surface, since malicious actors have new ways to break into an organisation, exploiting misconfigurations or poorly secured data shared through the internet. All these aspects pose significant threats to systems and data.
In order to tackle those threats, cloud-enabled businesses need to fully understand what the stages of the intrusion kill chain look like, and how the cloud affects them.
At the recon stage of the chain, the growing adoption of cloud services gives attackers additional entry points as they seek to gather intelligence about a victim. Attackers can research which cloud services are used by their victims, (so they can build tailored phishing pages or malicious plugins for the apps used by the victim), or scan for misconfigured or publicly accessible cloud resources that can then be exploited to break into the targeted company.
The weaponize phase sees the malicious actor set up the necessary infrastructure for their work: from phishing pages and malware distribution points to command and control domains. These resources can easily be hosted on cloud services, and it’s increasingly common to see malicious campaigns distributing their payload from cloud services. The reason, as mentioned before, is that cloud services are implicitly trusted and too often bypassed by legacy on-premise security solutions, and hence it is easier for an attacker to deliver the malicious payload.
In fact, once the malicious infrastructure has been constructed, the next step in the chain is the delivery of the attack vector. Phishing pages can now be served from the cloud (and evade the existing security solutions), as can any other potentially malicious payloads.
Once the malware is installed, it needs to connect to its command and control infrastructure. Again, the cloud plays an important role in this phase of the kill chain, as the attacker can use trusted cloud services like AWS and Google Drive to hide the communication from security technology which lacks the needed visibility and context into cloud services.
The characteristics of the cloud play an important role in the persist phase of the kill chain too. Once they access the cloud service, directly or via a compromised endpoint, attackers can move laterally and hop across cloud services. They can not only change the configuration of critical services hosted in the cloud, escalate privileges to gain increased access, steal data and clear up their traces, but also spin up new instances for malicious purposes like cryptojacking.
Your cloud, your policy
By looking at each stage of the kill chain, we can see that infosec professionals are right to be concerned. The only way to effectively combat cloud-native threats is by using cloud-native security technology. Once that technology is in place, the first step to tackling cloud-based security challenges is in a policy audit, and potentially an overhaul.
Ensuring policies are stringent and well communicated, and that users are educated accordingly, is vital. Many breaches come as a result of human error, and delegating this policy-building process to a third party such as your cloud service provider is simply not good enough, since cloud security is a shared responsibility model. Your cloud security policy, like your broader data security policy, must be your responsibility – and it must adapt and flex as new services and new threats are born.
Simple measures boost protection: for example, granular adaptive access control and multi-factor authentication. Continuous security assessment helps to ensure that no misconfigurations in IaaS services can be exploited by attackers, whilst data leakage prevention in the cloud can prevent sensitive information from being shared outside the organisation via a cloud service, whether the sharing is the consequence of a mistake or the action of a malicious insider.
Organisations must prepare for both unsanctioned services and unsanctioned instances of sanctioned cloud services, as well as ensuring that staff are effectively trained on using cloud services safely and securely. It sounds simple, but warning users to avoid executing unsigned macros and macros from an untrusted source, even if the source seems to be a legitimate cloud service, is important.
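As an added illustration, not code from the article or from Netskope, the distinction between an unsanctioned app and an unsanctioned instance of a sanctioned app, applied to constructed proxy-style log records; the app names, corporate tenant and AWS account ids are hypothetical:

```python
from collections import defaultdict

# Constructed policy (hypothetical values): sanctioned apps, and the corporate
# instance (tenant / account id) of each one. Anything else is "not ours".
SANCTIONED_INSTANCES = {
    "google_drive": {"corp.example.com"},
    "aws_s3": {"123456789012"},
}

# Constructed proxy records: user,app,instance,action,bytes
SAMPLE_LOG = """\
alice,google_drive,corp.example.com,upload,524288
alice,google_drive,gmail.com,upload,7340032
bob,aws_s3,123456789012,download,1048576
bob,aws_s3,999999999999,upload,15728640
carol,wetransfer,-,upload,2097152
dave,google_drive,gmail.com,download,4096
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, app, instance, action, nbytes = line.split(",")
        events.append({"user": user, "app": app, "instance": instance,
                       "action": action, "bytes": int(nbytes)})
    return events

def classify(event):
    """'sanctioned': approved app AND corporate instance;
    'unsanctioned_instance': approved app, someone else's tenant/account;
    'unsanctioned_app': app not on the list at all."""
    allowed = SANCTIONED_INSTANCES.get(event["app"])
    if allowed is None:
        return "unsanctioned_app"
    if event["instance"] not in allowed:
        return "unsanctioned_instance"
    return "sanctioned"

def upload_alerts(events, threshold_bytes=1024 * 1024):
    """Uploads above the threshold to anything but a corporate instance.
    An app-only allow-list would wave the 'unsanctioned_instance' ones through."""
    return [(ev["user"], ev["app"], ev["instance"], classify(ev), ev["bytes"])
            for ev in events
            if ev["action"] == "upload" and classify(ev) != "sanctioned"
            and ev["bytes"] >= threshold_bytes]

def upload_bytes_by_verdict(events):
    totals = defaultdict(int)
    for ev in events:
        if ev["action"] == "upload":
            totals[classify(ev)] += ev["bytes"]
    return dict(totals)
```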
So, whilst the benefits of cloud services are clear, so too is the growing use of the cloud by attackers themselves. The security tools and processes that once sufficed simply cannot be adapted to secure cloud-based workloads effectively. Businesses must evolve their approach to keeping applications secure, harnessing cloud-native technology and working to secure processes and services at every stage of the chain.