The cyber kill chain is used to model a cyber intrusion, identifying the different stages involved in a cyber-attack. The model is well established, but recently I have been asked multiple times to help information security teams understand the ways in which the kill chain has changed with the advent of cloud applications. In this blog post, I will summarize how I normally answer this question, showing some examples of malicious campaigns that have made use of the cloud to evade traditional security technologies.
There are multiple ways to represent the cyber kill chain, but in its simplest form it involves seven stages.
- Recon: typically used in targeted attacks, in this phase the attackers gather intelligence about their victims.
- Weaponize: in this phase, malicious actors prepare their attack vectors (for example, develop the payloads used for the attack or set up the infrastructure).
- Delivery: this phase is where the malicious payload is delivered to the designated victim (for example via a spear-phishing email or a drive-by campaign).
- Exploit: if a vulnerability is exploited to execute code on the victim’s system, it will occur in this phase.
- Install: the malware is installed on the compromised system.
- Callback: once the malware is successfully installed, it will check in to the attacker’s command and control infrastructure (from where the attackers can control the a