Post banner
Threat Stack 5 Min Read

Anatomy of an Attack: How the Cloud Gets Hacked

The cloud is very different from on-premise infrastructure in several key ways. Some of these differences become apparent when it comes to external attacks.  To get to the core of how these attacks can unfold differently in the cloud (and how they are the same), Threat Stack recently hosted a webinar in which I interviewed security engineer Anthony Alves about the anatomy of a cloud attack.

If you’ve spent much time with cloud infrastructure, you know about many of the differences that make it so advantageous for businesses, but you may not be as familiar with how attacks unfold in the cloud and how we can fight back most effectively.

Our “Anatomy of an Attack” webinar provides deep insights into the process in order to better prepare you  to defend your organization.


In addition to the webinar recording above, we have put together the following written overview of how the Cyber Kill Chain (how an attack happens) works differently in the cloud.

With on-premise infrastructure, security must be built in layers, starting with a firewall.  A major challenge is maintaining performance by minimizing bottlenecks caused by security technologies that are designed for on-premise infrastructures. While these solutions are often effective, the computing power required to implement and scale them in the cloud will usually outstrip any benefits they provide.

First, you need to understand the differences between cloud and on-premise attack vectors.

Types of Attacks You Will Face

Whether the environment is cloud, on-premise, or hybrid, there are two major types of attacks: targeted and opportunistic. Targeted attacks take place when the attacker knows exactly who they are going after and what they want to achieve. Opportunistic attacks, on the other hand, are about casting a wide net and seeing what comes up. Often this involves scanning for well-known vulnerabilities.

Of course, you want to be protected against both types of attacks, but it’s helpful to understand how they are different since this impacts your security and response techniques. That’s where the next section comes in.

Locking Down Cloud Access

The most important thing you can do is make sure you lock down cloud access as much as you possibly can. This means using multi-factor authentication, monitoring traffic, and requiring employees to use a virtual private network (VPN) to connect to your cloud infrastructure (including remotely). In the cloud, every time you expose systems to the internet so employees can do their jobs, you are also exposing them to attackers. This is why you want to close every possible gap and monitor activity at all times.

The Cyber Kill Chain and the Cloud

You’ve probably heard of the Cyber Kill Chain, which is a way to model the lifecycle of an online attack. Below, we take a look at each stage of the Kill Chain and explain how it differs in the cloud.

Stage One: Reconnaissance

Goal: Find and Identify a Target

In this stage, attackers are trying to find a target. If this is a targeted attack, then they will be looking for a specific company or system they want to go after to accomplish a specific  goal. Before companies moved to the cloud, these attacks were hard to do, so most often attackers would go after a company’s website. In the cloud, however, reconnaissance is easier because attackers can find out what cloud provider you are using and go after you based on this. Additionally, with the advent of the cloud, attackers have the advantage of being able to hide behind dynamic IP addresses, making it harder to pinpoint and neutralize them. They too can build their infrastructure in the cloud and thus launch attacks from anywhere in the world.

Stage Two: Weaponization

Goal: Create an Attack

This stage is not too different from on-premise to the cloud. Simply put, attackers are looking for vulnerabilities to exploit. As soon as a new one hits the media, attackers start weaponizing exploits to go after those vulnerabilities. Whether you are in the cloud or not, your goal here is to patch any vulnerabilities as quickly as you can.

Stage Three: Delivery

Goal: Get the Attack to the Target

In the cloud, delivery is different because the same security layers that we see with traditional infrastructure (like firewalls and other appliances) do not exist. In fact, in many cases, security groups, which most closely resemble a very basic firewall in that ports are open or closed, and routes are configurable but do not have the large feature set of a nextgen modern firewall such as stateful packet inspection, etc., are the only bar to entry at this stage. All the more reason why you should make sure that your security team has the tools they need to keep your systems protected in the cloud.

Stage Four: Exploitation

Goal: Run the Exploit Code

An exploit is an exploit is an exploit. It may begin with “brute force” — the attacker attempting to crack a login and password or somehow getting access to the keys. Or the attacker might be scanning for a known port that has access to an exploitable service to be open due to a recently publicized vulnerability (or, if they’re lucky, a zero-day threat that no one has noticed yet).

Regardless, once an exploit is successfully delivered, this stage is quite similar in the cloud to traditional computing, because it’s all about injecting code that will give the bad guys access to and control over the targeted server.

Stage Five: Installation

Goal: Installation of Persistent Payload

In Stage Five, the goal is to download a payload using file transfer. One advantage that attackers have in the cloud is that DevOps tools have privileged access to just about everything. So getting one’s hands on the keys to the kingdom can be much simpler in the cloud. This means that, as a defender, you need to make sure your systems are as tied down as possible from an access perspective.

As long as access to DevOps tools is tightly controlled, it will be quite difficult for attackers to succeed with this phase.

Stage Six: Command and Control

Goal: Establish Communications

In the cloud, there has historically been a lack of good tools to monitor connections. While network tools like Wireshark do packet capture or network intrusion detection, these can drive your costs way up and decrease system performance. In fact, this can potentially defeat the benefit of working in the cloud in the first place. The bottom line from a defense perspective is that you don’t want attacks to make it to this stage. You want to catch attackers as early as possible in the Kill Chain.

Stage Seven: Action on Objectives

Question: What is the Goal of the Payload?

Finally, attackers want to act on whatever their original objectives may be. An opportunistic attack might look to use server space you are paying for to do Bitcoin mining, for example. In more targeted attacks, the goal may be to steal specific sets of data to use for nefarious purposes. The method in which this is done depends on the objective, but especially with targeted attacks, once the bad guys have succeeded with command and control, it may only take a few hours to accomplish their objectives.

How to Use this Framework

The framework outlined above should help you understand how cloud-based attacks occur and get you thinking about ways you can better defend your network so you can reap the full benefits of the cloud without succumbing to its unique vulnerabilities. (That’s not to say on-premise technology doesn’t have vulnerabilities, but that is a topic for another day.)

In the webinar, we also take a look at a specific attack step-by-step, in order to  help you visualize what the above means for your own organization. We also explain how Threat Stack’s approach to cloud security maps directly to the Cyber Kill Chain and how we can provide you with early warning about attacks, uncover zero-day exploits, recognize unauthorized actions, catch inappropriate installations, and verify that your data is safe at any given point in time.