We have been discussing the Cyber Kill Chain within an organization's own systems. In this post we take a look at the Cyber Kill Chain in the cloud. Cloud services can expand an organization's attack surface, and they can be abused at multiple phases of the Cyber Kill Chain. Below are the Cyber Kill Chain phases as they apply to cloud services.
1) Recon
In the Recon phase, the growing adoption of cloud services gives attackers extra advantages: they can research which cloud services the victim uses, or scan for misconfigured or publicly accessible cloud resources. Such findings can then be exploited to breach the targeted organization. Attackers can also take advantage of sensitive information exposed in cloud services.
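The misconfigured, publicly accessible resources mentioned above are exactly what a defender should find before an attacker does. The following is an added example, not code from the original post or from E-SPIN: it audits constructed storage-bucket configurations, modelled on the shape of AWS S3 bucket policies and ACL grants, and reports any statement or grant that opens the bucket to anonymous or any-authenticated users. The bucket names, account ID and policies are constructed sample data.

```python
"""Audit constructed cloud storage configurations for public exposure.

Added example, not code from the original post. It uses the shape of AWS S3
bucket-policy documents and ACL grants as an illustration; bucket names,
the account ID and the policies below are constructed sample data.
"""
import json

# Constructed sample: one policy grants anonymous reads, the other restricts
# access to a single (made-up) account.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-public-bucket/*",
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-private-bucket/*",
    }],
})

# ACL grantee group URIs that mean "anyone" or "any authenticated AWS user".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_anonymous(principal):
    """True when a policy statement's Principal matches everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_json):
    """Return Allow statements granted to an anonymous principal.

    A Condition block may narrow such a statement (for example to one source
    VPC), so conditioned statements are marked for manual review.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "actions": stmt.get("Action"),
            "resource": stmt.get("Resource"),
            "conditioned": "Condition" in stmt,
        })
    return findings


def public_acl_grants(grants):
    """Return ACL grants whose grantee is one of the public group URIs."""
    return [g for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS]


def audit_bucket(name, policy_json=None, acl_grants=()):
    """Summarise a bucket's exposure from its policy and ACL (constructed inputs)."""
    pol = public_statements(policy_json) if policy_json else []
    acl = public_acl_grants(list(acl_grants))
    return {
        "bucket": name,
        "public_policy_statements": pol,
        "public_acl_grants": acl,
        "exposed": bool(pol or acl),
    }


if __name__ == "__main__":
    grants = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
    for report in (audit_bucket("example-public-bucket", PUBLIC_POLICY),
                   audit_bucket("example-private-bucket", PRIVATE_POLICY),
                   audit_bucket("example-acl-bucket", None, grants)):
        print(json.dumps(report, indent=2))
```

In practice the policy and ACL documents would be pulled from the provider's API for every bucket in the account and the `exposed` flag fed into an inventory; the point of the example is the decision logic, which treats a wildcard principal and a public ACL group as equivalent findings.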
2) Weaponize and Exploit
In this phase the attacker sets up the basic infrastructure for the operation, such as phishing pages, malware distribution points, exploit kit landing pages or command and control domains. All of these can quickly be hosted on cloud services. Furthermore, traffic to cloud services is often not inspected, or is whitelisted entirely, by traditional security technologies, which cannot efficiently identify and analyze its context.
3) Delivery
Delivery of the attack from the cloud takes place once the malicious infrastructure has been built. In this phase, phishing pages and other malicious payloads can be served from the cloud. Serving phishing pages from the cloud is particularly effective because the fake login page carries a valid certificate and a URL that looks familiar to the user. Attackers can also create fake cloud application login pages to lure victims and phish for their valuable data and information.
4) Callback
After the malware has been installed, it needs to connect to its command and control infrastructure. In this phase attackers use that connection to explore the victim organization and move deeper into it. The cloud plays a crucial role here because attackers can use trusted cloud services such as AWS and Google Drive to conceal the communication channel.
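Because the callback channel hides inside traffic to a trusted cloud service, the destination alone gives a defender little to alert on; the timing of the requests often does. The following is an added example, not code from the original post or from E-SPIN: it runs over a constructed proxy log in a hypothetical `<ISO timestamp> <client IP> <host> <status>` format and flags client/host pairs whose request intervals are too regular to be a person browsing. The host name, client addresses and both thresholds are assumptions.

```python
"""Flag regular (beacon-like) request timing to cloud service hosts in proxy logs.

Added example, not from the original post. Log lines are constructed in a
hypothetical format: "<ISO timestamp> <client IP> <host> <status>". The
thresholds are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: client 10.0.0.5 contacts a storage host roughly every
# 60 s, while client 10.0.0.7 reaches the same host at irregular, human gaps.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 10.0.0.5 storage.example-cloud.test 200
2024-03-01T09:01:00Z 10.0.0.5 storage.example-cloud.test 200
2024-03-01T09:02:00Z 10.0.0.5 storage.example-cloud.test 200
2024-03-01T09:03:00Z 10.0.0.5 storage.example-cloud.test 200
2024-03-01T09:04:01Z 10.0.0.5 storage.example-cloud.test 200
2024-03-01T09:05:00Z 10.0.0.5 storage.example-cloud.test 200
2024-03-01T09:00:12Z 10.0.0.7 storage.example-cloud.test 200
2024-03-01T09:07:45Z 10.0.0.7 storage.example-cloud.test 200
2024-03-01T09:08:02Z 10.0.0.7 storage.example-cloud.test 200
2024-03-01T09:31:19Z 10.0.0.7 storage.example-cloud.test 200
2024-03-01T10:02:40Z 10.0.0.7 storage.example-cloud.test 200
2024-03-01T10:03:05Z 10.0.0.7 storage.example-cloud.test 200
"""

MIN_REQUESTS = 6    # assumption: fewer requests give no reliable timing statistic
MAX_JITTER = 0.10   # assumption: stdev/mean of the gaps below this looks machine-driven


def parse_log(text):
    """Return {(client, host): [datetime, ...]} from the constructed log format."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _status = line.split()
        series[(client, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return series


def interval_stats(timestamps):
    """Mean gap in seconds and jitter (stdev/mean) between consecutive requests."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg else float("inf")
    return avg, jitter


def find_beacons(text, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER):
    """Return [(client, host, mean_gap_seconds, jitter)] for beacon-like series."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        avg, jitter = interval_stats(stamps)
        if jitter <= max_jitter:
            hits.append((client, host, avg, jitter))
    return hits


if __name__ == "__main__":
    for client, host, avg, jitter in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {client} -> {host} every ~{avg:.0f}s (jitter {jitter:.2f})")
```

Scheduled legitimate clients (backup agents, sync tools) will also show low jitter, so a real deployment would baseline known agents by process or user agent and alert only on new regular series to storage or collaboration hosts; the value of the check is that it does not depend on the destination being untrusted.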
5) Persist
After attackers gain access to a cloud service, directly or through compromised endpoints, they can move and jump across cloud services. Once inside, they have full control of the environment, including stealing data, clearing up their traces, and spinning up new instances for malicious purposes such as cryptojacking.
Feel free to contact E-SPIN for your specific operation or project requirement, so we can assist you with the exact requirement in the packaged solutions you may require for your operation or project needs, whether from a red team or blue team context and perspective.