Turn the Cyber Kill Chain against your attacker

As businesses move to the cloud, the rapid adoption of Infrastructure as a Service (IaaS) is no surprise. Unfortunately, securing the cloud and the data within it is no easy task. The speed and complexity of cloud computing requires a new, software-defined approach that differs from the strategies employed in a traditional, on-premise data center, leaving many wondering where to start.For all the benefits that the cloud has to offer, some of the biggest causes for concern are questions about security. How do you know if you were breached if the server no longer exists? How do you protect yourself from insider threats, external attacks, and data loss in this new, elastic, ever-changing infrastructure? How can you have confidence that your cloud service provider’s security capabilities are up to snuff, when you don’t have visibility into who is accessing your data?

Look no further than the headlines to know that efforts to protect the cloud from attacks often fail. After attackers compromised the company’s Amazon Web Services (AWS) account, Code Spaces, a cloud-based hosting platform that enabled development and collaboration for software teams, was forced out of business. Within 12 hours, the company’s Apache Subversion repositories and Elastic Block Store volumes and nearly all of its virtual machines were destroyed. By the time the company reclaimed its dashboard, the attackers had created alternative AWS logins, questioning the overall security of the system further. At that point, the company chose to shut down and help its customers migrate any recoverable data to other services.

With hindsight we can ask ourselves, what could Code Spaces have done to stop this type of attack? Were there steps it could have taken beforehand to prevent the breach? Were there ways Code Spaces could have slowed down the attack or stopped it in its tracks?

In an era when attacks are becoming more sophisticated and motivations are harder to pin down, organizations must employ strategies to protect against threats to their cloud infrastructure. One such strategy is to defend like an attacker. Created by Lockheed Martin, the “Cyber Kill Chain” model has traditionally been used to describe the evolving stages of a cyber attack. However, if this model is applied to internal security processes, it’s possible for an organization to identify a compromise and eliminate threats before they result in a security breach and data loss that could potentially bring down the entire business, as in the case of Code Spaces.

By approaching the security of your cloud with the mindset of an attacker, you will be able to uncover weak spots and employ more effective defense strategies. Let’s take a look at each step of the Cyber Kill Chain and get into the mindset of an attacker.

1. Reconnaissance
During the reconnaissance step, an attacker gathers information before starting the actual attack. This can be done by looking for publicly available information on the internet in order to find a target that has vulnerabilities that can be compromised or by seeing what vulnerabilities exist within the cloud infrastructure of a specific organization.

Thinking like an attacker, scan your cloud environment looking for openings within the network. Using common network mapping tools like NMap, check for live IP addresses and open ports. Don’t just check for ports that you expect to be open or the ones that have services you know to be listening. Look for non-standard open ports and check for servers listening on these ports. Thousands of TCP and UDP ports are potentially being used and must be checked. Identify your attack surface before the attackers do. Find those vulnerabilities that an attacker would find during their own reconnaissance. You can then come up with a strategy to minimize your attack surface, limiting the number of open doors into the server. In an AWS environment, check for wide open EC2 Security Groups.

And in an effort to catch any potential attackers who are beginning their attack journey at step one, implement continuous security monitoring to alert you to any scanning activity along with abnormal login attempts or failures. By catching an attacker that is trying to brute force their way into your network, you can take the necessary steps to stop the attack before much damage is done.

2. Weaponization
Now that you’ve done reconnaissance on your own network and have taken steps to minimize your attack surface, the next step when thinking like an attacker is to consider the types of exploits and malicious payloads that could be used. This takes us to step three.

3. Delivery
In this step of the Cyber Kill Chain, the attacker executes their attack, and if successful, delivers their payload. There are many ways for an attacker to send an exploit or malicious payload to the victim. Most common is by email though this doesn’t work in every scenario, as when targeting a server vulnerability. One way to detect an attack at this stage is to employ signature-based detection methods. But how can you uncover zero-day exploits?

This is where continuous security monitoring comes in once again. Knowing about a vulnerability before a signature is created for it is a huge advantage against attackers. By being alerted to abnormal behavior on your system, you can stop an attacker before they’re able to establish a foothold in your system.

4. Exploitation
During this stage, the actual execution of the attack, an attacker establishes the initial foothold. This comes by way of a vulnerability in a server service or through the use of compromised credentials. Now that they’ve established a foothold within the network, further access may be gained through the escalation of user privileges. This can often be accomplished via a local privilege escalation exploit.

To catch an attacker at this stage, you should investigate any suspicious activity like downloading of files using wget or scp, especially from untrusted GEOs, unauthorized installs, the addition of new users, suspicious commands, or changes to security groups. There’s still time to minimize the damage at this stage of the attack.

Execution of any of these things from a service account is a strong indicator of compromise.

5. Installation
During the installation step, it’s typical for an attacker to install a program or file in order to maintain the connection and control that allows them to operate their internal assets remotely (more on that below).

For example, after delivering an exploit, an attacker may then install a kernel module or rootkit, allowing them to have continuous access into the system without detection. Being able to identify and stop an attacker’s activities before they’re able to establish this foothold could halt what would have been a more persistent attack.

6. Command and Control
The connection from a compromised server or an outbound connection to an unusual IP address or host can be indicators that an attacker has gained a foothold and is using it to install a program to help them maintain connection and control.

Now that an attacker has created a command and control channel, allowing them to operate internal assets remotely, they may leverage that channel to stop certain services or processes, like antivirus or defensive tools, in order to hide their activity. Suspicious behavior such as this is an indicator that there is an attack underway.

7. Action on Objectives
In this final step of an attack, an attacker carries out their main objective – whether that be compromising the network or accessing valuable data like customer data, Intellectual Property, or healthcare data.

The most effective way to protect data in this final step is by implementing file integrity monitoring (FIM). Monitor who accesses certain files and when. And ensure there is no unauthorized copying of customer data, Intellectual Property, or internal configurations, passwords certs, or keys. Any variations from known processes and users should be an indicator of compromise.

It’s important to have a plan in place to protect against the most common threats to your cloud infrastructure. Understand your own vulnerabilities by thinking like an attacker and mapping your defenses to the Cyber Kill Chain. Taking preventive actions will give you an early warning against these most common threats and help you identify a potential security event before it compromises your data, network, or business.

This article originally appeared in Help Net Security.

See Threat Stack in Action

Get in touch for a demo of Threat Stack's comprehensive instrusion detection platform.

Book Your Demo