Illumio Products

How to Stop a Cloud Attack Chain With Illumio CloudSecure

More companies are using cloud services than ever, and it’s expanding the attack surface at an alarming rate. There are many more opportunities for attackers to break into networks and move around until they reach your critical assets or install ransomware.

But cloud intrusions can be difficult to detect. Since modern cybercrime methods don’t deploy malware, there’s no abnormal behavior to call attention to them. They usually use legitimate ports to move through the network to the target.

That’s why it’s so important to build Zero Trust in the cloud. It moves the trust boundary as close to critical resources as possible. In this blog post, we walk through a real cloud attack chain and show how Zero Trust Segmentation with Illumio CloudSecure can help you stop attack chains in the cloud.

Real-life example: A successful cloud attack chain

Most application security platforms protect the cloud by finding and responding to threats. But this method isn’t enough — many cloud security breaches in recent years weren’t discovered for a long time. In fact, 47% of all data breaches in the last year originated in the cloud, according to research by Vanson Bourne.  

It's just as important to survive undetected threats as it is to protect against the ones we know about. Both known and unknown threats need to be stopped.

The cloud attack chain’s flow of events, from initial entry to successful data exfiltration. Attackers bypassed security tools, taking advantage of the network’s weakest link: easy lateral movement.
What happened? The attack chain

Attackers used stolen high-level credentials to breach the network. The organization had multiple security solutions in place, but attackers created backdoors into the network to successfully steal data. They avoided detection tools and didn’t deploy malware, leaving the breach undetected for months.  

The organization’s security tools were only looking for known threats and suspicious behavior. Since the attackers used legitimate means to access the network, they were able to move easily across the environment (lateral movement) to access applications.

The network layer had some level of segmentation in place using security groups, but they were broad segments. Once the attackers had accessed the initial application, it was easy for them to move to other applications.  

What could’ve been done? Stopping lateral movement  

It would’ve been far more difficult for the attackers to reach resources if they couldn’t move between applications. Limiting lateral movement would’ve protected the cloud environment from not only known breaches but also undetected, unknown ones.

A successful security architecture needs to protect against both the known and unknown threats without adding operational complexity.  

In the example above, only security groups at the cloud network boundaries were restricting lateral movement. The problem with security groups in virtual private clouds (VPCs) or virtual networks (VNETs) is that they’re network-centric solutions. With many app owners not fully understanding traffic dependencies between their applications, security groups are all too often added to the network very broadly – or not at all. This allows a wide range of traffic to pass through, creating wide-open doors that attackers can easily move through.  

Relying on traditional network security tools doesn’t work in modern hybrid cloud architectures. This is because resources constantly spin up and down and can be moved around between hosts for optimal performance. Traditional network addressing is no longer a reliable way to identify an application in the cloud.  

How Zero Trust Segmentation tackles cloud attack chains

It’s time to separate cloud workload and application security from network-centric security. They have very different priorities.  

Zero Trust Segmentation (ZTS) acts as the backstop to cloud attack chains. It uses segmentation controls at the application level without relying on traditional network-centric segmentation.

Most modern operating systems ship with services listening on open ports by default, such as Linux Secure Shell (SSH) and Windows Remote Desktop Protocol (RDP). If attackers compromise a workload, they can use either of these ports to connect to a neighboring host, and from there gain access to critical resources or deliver malicious payloads.

From the perspective of threat actors, these open ports are unlocked doors that are easy to pass through as they move around the network, hunting for the desired target. ZTS stops this unnecessary lateral access between applications, so attackers are contained to their original entry point and can't spread further into the network.

How Illumio CloudSecure extends ZTS to the hybrid multi-cloud

With Illumio CloudSecure, you can build application-centric ZTS at scale. By focusing on the unique security needs of each application, CloudSecure reduces your attack surface and stops lateral movement.  

Here are the three steps CloudSecure takes to stop a cloud attack chain before it spreads across your applications.  

1. See all cloud traffic and application dependencies

You can’t enforce what you can’t see. That's why it's crucial to get end-to-end visibility into all application traffic across your entire hybrid, multi-cloud environment.  

As part of the Illumio ZTS Platform, CloudSecure will show all traffic between all workloads for any application in your cloud environment:
Illumio CloudSecure helps you see all application traffic between all cloud resources.
2. Define least-privilege access between applications

CloudSecure uses a label-based policy model that maps existing cloud tags to Illumio’s multi-dimensional labels. It identifies workloads along boundaries that make sense to business owners and application owners, instead of by network-centric addressing. Policies are then written in terms of these labels and apply to the hosts that belong to each application.

3. Automatically implement cloud security policies

CloudSecure will then implement these policies using cloud-native security tools, such as security groups and network security groups (NSGs).  

Security teams don’t need to use IP addresses and ports to write policy. CloudSecure translates the application-centric policy into the syntax that cloud-native controls understand, then discovers the cloud-native controls on which that policy needs to be deployed.

Illumio CloudSecure defines policy using labels, not specific network addressing or ports.

Using a label-based policy model means that every cloud resource associated with an application will have the right label.  
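To make the three steps concrete, here is an added example that is not Illumio’s code and does not use CloudSecure’s real policy syntax or API. It is a toy label-based policy compiler in Python: a constructed inventory of cloud resources with provider tags, an assumed tag-to-label mapping (TAG_TO_LABEL), a least-privilege policy written only in labels, and a compile_rules function that expands that policy into the concrete (source, destination, port) allow rules a security group or NSG could consume. It also models the broad-security-group situation from the attack chain and the default-open SSH/RDP ports from the ZTS section, so the same constructed flows can be checked against both. All instance ids, tags, ports and function names are constructed for illustration.

```python
# Added example (not Illumio's code, and not CloudSecure's real policy or API):
# a toy label-based policy compiler. Cloud resources carry provider tags, tags
# are mapped to labels, policy is written against labels, and the compiler
# expands it into the concrete (source, destination, port) allow rules that a
# security group or NSG can consume. Anything not expanded is denied.
from dataclasses import dataclass

# Constructed sample inventory: instance id -> cloud tags.
RESOURCES = {
    "i-web-1":   {"Application": "shop", "Tier": "web", "Env": "prod"},
    "i-app-1":   {"Application": "shop", "Tier": "app", "Env": "prod"},
    "i-db-1":    {"Application": "shop", "Tier": "db",  "Env": "prod"},
    "i-hr-1":    {"Application": "hr",   "Tier": "app", "Env": "prod"},
    "i-bastion": {"Role": "bastion", "Env": "prod"},
    "i-orphan":  {"Name": "untagged-test-box"},  # no usable tags at all
}

# Assumed tag-key -> label-dimension mapping (hypothetical; yours will differ).
TAG_TO_LABEL = {"Application": "app", "Tier": "role", "Role": "role", "Env": "env"}


def labels_for(tags):
    """Translate a resource's cloud tags into label dimensions."""
    return {TAG_TO_LABEL[k]: v for k, v in tags.items() if k in TAG_TO_LABEL}


@dataclass
class Rule:
    consumer: dict   # label selector for the side that opens the connection
    provider: dict   # label selector for the side that listens
    ports: tuple     # TCP ports the provider may expose to the consumer


# Least-privilege policy between applications, written only in labels.
POLICY = [
    Rule({"app": "shop", "role": "web"}, {"app": "shop", "role": "app"}, (8080,)),
    Rule({"app": "shop", "role": "app"}, {"app": "shop", "role": "db"}, (5432,)),
    Rule({"role": "bastion"}, {"env": "prod"}, (22,)),  # only the bastion may SSH
]


def matches(selector, labels):
    """A selector matches when every dimension it names has that value."""
    return all(labels.get(k) == v for k, v in selector.items())


def compile_rules(resources, policy):
    """Expand label policy into concrete (src, dst, port) allows."""
    inventory = {rid: labels_for(tags) for rid, tags in resources.items()}
    allowed = set()
    for rule in policy:
        for src, src_labels in inventory.items():
            if not matches(rule.consumer, src_labels):
                continue
            for dst, dst_labels in inventory.items():
                if src == dst or not matches(rule.provider, dst_labels):
                    continue
                for port in rule.ports:
                    allowed.add((src, dst, port))
    return allowed


def is_allowed(allowed, src, dst, port):
    """Default deny: a flow is allowed only if the compiler emitted it."""
    return (src, dst, port) in allowed


# The broad security group from the attack chain: every host can reach every
# other host on the usual management and service ports (SSH, RDP, app, db).
BROAD_SG_PORTS = (22, 3389, 8080, 5432)


def broad_allows(src, dst, port):
    return src != dst and port in BROAD_SG_PORTS


def broad_rule_count(resources):
    """Number of host-to-host-port paths the broad group leaves open."""
    n = len(resources)
    return n * (n - 1) * len(BROAD_SG_PORTS)


# Constructed flows, including the cross-application hops the attack chain
# relied on.
SAMPLE_FLOWS = [
    ("i-web-1", "i-app-1", 8080),   # legitimate dependency
    ("i-app-1", "i-db-1", 5432),    # legitimate dependency
    ("i-web-1", "i-db-1", 5432),    # tier hop that skips the app tier
    ("i-web-1", "i-hr-1", 22),      # SSH into a different application
    ("i-web-1", "i-orphan", 3389),  # RDP to an untagged host
    ("i-bastion", "i-db-1", 22),    # sanctioned admin path
]


def evaluate(flows, allowed):
    """Map each flow to (allowed by broad SG, allowed by label policy)."""
    return {f: (broad_allows(*f), is_allowed(allowed, *f)) for f in flows}


if __name__ == "__main__":
    allowed = compile_rules(RESOURCES, POLICY)
    print(f"broad SG paths: {broad_rule_count(RESOURCES)}, label rules: {len(allowed)}")
    for flow, (broad, strict) in evaluate(SAMPLE_FLOWS, allowed).items():
        print(f"{flow}: broad={broad} label_policy={strict}")
```

Two things the run shows that the prose only states. First, the six resources and four ports of the broad group leave 120 host-to-host-port paths open, while the label policy compiles to six; every cross-application hop in SAMPLE_FLOWS passes the broad group and fails the label policy. Second, the untagged host i-orphan has no labels, so no rule names it in either direction and it is unreachable by policy; that is the defensive side of “every cloud resource associated with an application will have the right label”, and in practice a resource with missing or unmapped tags should be surfaced as a finding rather than silently left out.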

In the cloud attack example above, if the environment had been divided into segments, it would have been much harder for the attackers to move from one application to another. The attack would have been contained to a small group of resources instead of spreading quickly to all of them before being detected.

Start your free trial of Illumio CloudSecure today. Contact us to learn more about stopping breaches across your hybrid multi-cloud with the Illumio ZTS Platform.
