More than 3 in 5 attacker movements in cloud environments involve lateral movement attempts, according to Google Cloud’s Threat Horizons Report.

Attackers don’t think in silos — and neither should your defenses.

Today’s threats don’t stop at the perimeter. They infiltrate, escalate, and move laterally across the cloud, exploiting weak paths between workloads, regions, and accounts. If you only protect the front door, you're ignoring every hallway inside.

That’s why Aviatrix secures the network from the inside out, following the attacker’s playbook step-by-step and shutting down movement at every stage of the Unified Kill Chain (UKC).

What is the Unified Kill Chain?

The Unified Kill Chain, developed by Paul Pols, expands on traditional frameworks like Lockheed Martin’s Cyber Kill Chain and MITRE ATT&CK. It better reflects modern adversary behavior, especially in multicloud and hybrid environments.

By breaking down the process of a cyberattack into In, Through, and Out, the UKC helps organizations increase their cyber resilience by stopping hacking attempts at multiple stages of an attack.

[Image: Unified Kill Chain diagram, developed by Paul Pols]

The UKC models how attackers infiltrate a network and then operate inside it:

  • Exploit misconfigurations and credentials

  • Establish outbound command-and-control

  • Move laterally between cloud assets

  • Exfiltrate data over encrypted channels

  • Persist using stealthy, cloud-native techniques

It provides a structure that networking and security teams can use to build layered defenses that reduce dwell time, blast radius, and breach impact.

Understanding the UKC in a Cloud Context

Think of the kill chain like a network of doors inside your enterprise: not just the front entrance, but the internal rooms attackers quietly move through.

In the cloud, that progression often looks like:

  • Reconnaissance – Scanning public IPs, ports, metadata

  • Exploitation – Gaining access via credentials, misconfigurations, or zero-days

  • Command & Control (C2) – Establishing outbound communication via DNS or HTTPS

  • Lateral Movement – Traversing VPCs, regions, or clouds to escalate

  • Exfiltration – Stealing sensitive data through encrypted tunnels

  • Persistence – Maintaining long-term access using misused credentials, cloud-native services, or hidden connectivity paths

Each step is a pressure point. Each one also gives you a chance to break the chain if your defenses are built in the right place.

Aviatrix: Embedded Defense, Not Bolted-On

Legacy tools try to bolt security onto the edge of the cloud. Aviatrix builds it into the network fabric itself, giving you distributed enforcement, dynamic policy, and visibility across cloud and hybrid paths.

Here’s how Aviatrix maps to Unified Kill Chain concepts to protect networks:

Reconnaissance
  • Aviatrix capabilities: FlowIQ traffic analytics to detect internal or external scan behavior; segmentation to reduce unnecessary exposure
  • Security outcomes: Identifies early-stage recon attempts; blocks attacker visibility into cloud resources
  • Business outcomes: Shrinks attack surface and improves audit readiness

Exploitation
  • Aviatrix capabilities: Microsegmentation by tag, app, or role; FlowIQ anomaly detection for east-west access patterns
  • Security outcomes: Limits attacker movement post-initial access; detects unusual communication paths
  • Business outcomes: Reduces risk of breach escalation and minimizes attacker dwell time

Command & Control
  • Aviatrix capabilities: Egress control (default deny, DNS/FQDN filtering); encrypted north-south flows for all cloud exits
  • Security outcomes: Disrupts outbound connections to malicious domains; prevents use of DNS/HTTPS-based C2 channels
  • Business outcomes: Prevents data theft and command signal transmission; enables regulatory compliance

Lateral Movement
  • Aviatrix capabilities: SmartGroup-driven segmentation between workloads, regions, and clouds; encrypted east-west transit
  • Security outcomes: Blocks unauthorized lateral access paths; stops attacker pivoting between cloud environments
  • Business outcomes: Contains blast radius and reduces breach impact on critical applications

Exfiltration
  • Aviatrix capabilities: Policy-based egress enforcement; high-performance encryption over hybrid and cloud-native paths
  • Security outcomes: Prevents unauthorized data exfiltration; enforces encryption standards across cloud and hybrid paths
  • Business outcomes: Stops regulatory data loss and reduces legal, financial, and brand exposure risks

Persistence
  • Aviatrix capabilities: FlowIQ traffic analytics to uncover long-lived or stealthy access patterns; SmartGroup and Terraform-based enforcement automation; CoPilot-driven route and topology visibility to identify unauthorized connectivity paths
  • Security outcomes: Detects indicators of long-term persistence; maintains enforcement consistency over time and at scale
  • Business outcomes: Ensures sustained zero trust posture; limits time-to-remediate and supports operational resilience
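The two controls the table leans on most, tag-based segmentation (deny east-west traffic unless a rule between tag groups allows it) and default-deny egress with an FQDN allow list, are easy to reason about with a small policy engine. The following is an added example written for this page; it is not Aviatrix code and does not model the SmartGroup, FlowIQ or CoPilot APIs. The workload inventory, rules, FQDNs and flow records are all constructed, and the scan heuristic (a source that trips several distinct denies is flagged as reconnaissance) is a simplified stand-in for flow analytics. Each blocked flow is labelled with the kill chain stage it would belong to if it were hostile, so the output reads as a per-stage break of the chain.

```python
"""Tag-based segmentation plus default-deny egress, evaluated over flow records.

Hypothetical illustration (not Aviatrix code or an Aviatrix API): workloads are
grouped by tags rather than IPs, east-west traffic is denied unless a rule between
tag groups allows it, and outbound traffic is denied unless the destination FQDN
is on an allow list. Denied flows are mapped to the kill chain stage they resemble.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed inventory: workload name -> tag set (no IPs involved in policy).
WORKLOADS = {
    "web-1": {"app": "shop", "tier": "web"},
    "app-1": {"app": "shop", "tier": "app"},
    "db-1": {"app": "shop", "tier": "db"},
    "hr-db-1": {"app": "hr", "tier": "db"},
}

# East-west rules: (source tag selector, destination tag selector, allowed ports).
# Anything not matched by a rule is denied: default deny between workloads.
EAST_WEST_RULES = [
    ({"tier": "web"}, {"tier": "app"}, {8443}),
    ({"tier": "app"}, {"tier": "db"}, {5432}),
]

# Egress allow list keyed by FQDN (constructed); every other outbound flow is denied.
EGRESS_ALLOW = {"updates.example.com": {443}}

SCAN_THRESHOLD = 3  # distinct denied (destination, port) pairs from one source


@dataclass(frozen=True)
class Flow:
    src: str   # workload name
    dst: str   # workload name (east-west) or external FQDN (north-south)
    port: int


@dataclass(frozen=True)
class Verdict:
    flow: Flow
    allowed: bool
    stage: str    # kill chain stage a denied flow would belong to ("-" if allowed)
    reason: str


def _matches(tags: dict, selector: dict) -> bool:
    """True when every key/value in the selector is present in the workload's tags."""
    return all(tags.get(k) == v for k, v in selector.items())


def evaluate(flow: Flow) -> Verdict:
    """Apply segmentation to east-west flows and the egress allow list to the rest."""
    src_tags = WORKLOADS.get(flow.src)
    if src_tags is None:
        return Verdict(flow, False, "Exploitation", "unknown source workload")
    if flow.dst in WORKLOADS:
        dst_tags = WORKLOADS[flow.dst]
        for s_sel, d_sel, ports in EAST_WEST_RULES:
            if _matches(src_tags, s_sel) and _matches(dst_tags, d_sel) and flow.port in ports:
                return Verdict(flow, True, "-", "east-west rule match")
        return Verdict(flow, False, "Lateral Movement", "no rule between these tag groups")
    if flow.port in EGRESS_ALLOW.get(flow.dst, set()):
        return Verdict(flow, True, "-", "egress allow-list match")
    return Verdict(flow, False, "Command & Control / Exfiltration", "FQDN not on egress allow list")


def evaluate_all(flows):
    """Return verdicts plus the sources whose distinct denies look like scanning."""
    verdicts = [evaluate(f) for f in flows]
    denied = defaultdict(set)
    for v in verdicts:
        if not v.allowed:
            denied[v.flow.src].add((v.flow.dst, v.flow.port))
    scanners = sorted(src for src, hits in denied.items() if len(hits) >= SCAN_THRESHOLD)
    return verdicts, scanners


def blocked_by_stage(verdicts) -> Counter:
    """Count denied flows per kill chain stage."""
    return Counter(v.stage for v in verdicts if not v.allowed)


# Constructed flow records: two legitimate tier hops, a burst of cross-tier probes
# from the web tier, one permitted update fetch and one outbound flow to an FQDN
# that is not on the allow list.
SAMPLE_FLOWS = [
    Flow("web-1", "app-1", 8443),
    Flow("app-1", "db-1", 5432),
    Flow("web-1", "db-1", 5432),
    Flow("web-1", "hr-db-1", 5432),
    Flow("web-1", "hr-db-1", 22),
    Flow("web-1", "app-1", 22),
    Flow("app-1", "updates.example.com", 443),
    Flow("app-1", "unlisted.example.net", 443),
]

if __name__ == "__main__":
    verdicts, scanners = evaluate_all(SAMPLE_FLOWS)
    for v in verdicts:
        state = "ALLOW" if v.allowed else f"DENY  [{v.stage}]"
        print(f"{v.flow.src:>7} -> {v.flow.dst:<22}:{v.flow.port:<5} {state} ({v.reason})")
    print("denied by stage:", dict(blocked_by_stage(verdicts)))
    print("scan-like sources (Reconnaissance):", scanners)
```

Run on the constructed flows, the web tier's four denied probes exceed the threshold and are flagged as reconnaissance, the cross-tier and cross-application attempts are denied as lateral movement, and the unlisted FQDN is denied at the egress point regardless of port. The point to carry over to a real deployment is that neither control references an IP address: moving or re-addressing a workload changes nothing as long as its tags are correct, which is what makes the policy hold across regions and clouds.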

Real-World Attacks Where Aviatrix Would Have Broken the Kill Chain

These weren’t zero-day-only events. They succeeded because the network didn’t enforce zero trust.

MOVEit / Clop
  • UKC stages impacted: Recon → Exploit → Exfiltration
  • What native tools missed: No outbound domain/IP filtering
  • Aviatrix defenses applied: Egress, Encryption, Visibility
  • When blocked: Prevented regulated data loss

Medusa Ransomware
  • UKC stages impacted: Exploit → C2 → Lateral → Exfiltration
  • What native tools missed: DNS-based C2 allowed; east-west unsegmented
  • Aviatrix defenses applied: Segmentation, Egress, Encryption
  • When blocked: Contained ransomware, avoided downtime

SolarWinds / UNC2452
  • UKC stages impacted: Recon → Exploit → C2 → Lateral
  • What native tools missed: DNS/TLS traffic not inspected; no segmentation
  • Aviatrix defenses applied: Segmentation, Egress, DNS FlowIQ
  • When blocked: Stopped privilege escalation, lateral movement

APT28 (Fancy Bear)
  • UKC stages impacted: Recon → Exploit → C2 → Exfiltration
  • What native tools missed: No egress filtering; encrypted C2 allowed
  • Aviatrix defenses applied: Egress, Encryption, Flow Analytics
  • When blocked: Blocked espionage via cloud-native paths

APT41 (Double Dragon)
  • UKC stages impacted: Exploit → C2 → Lateral → Exfiltration
  • What native tools missed: Flat networks; no microsegmentation
  • Aviatrix defenses applied: Segmentation, Egress, Encryption
  • When blocked: Isolated cloud workloads from adversary spread

WannaCry
  • UKC stages impacted: Exploit → Lateral Movement
  • What native tools missed: Flat networks enabled worm propagation
  • Aviatrix defenses applied: Segmentation, Encryption
  • When blocked: Prevented lateral ransomware blast radius

Volt Typhoon
  • UKC stages impacted: Recon → Exploit → C2 → Persistence
  • What native tools missed: No TLS/DNS inspection; no anomaly detection
  • Aviatrix defenses applied: DNS Egress Control, FlowIQ, Segmentation
  • When blocked: Disrupted stealthy APT persistence

The Breach Is the Result, not the Beginning

Breaches happen when detection comes too late and enforcement is too shallow.

Most native tools log symptoms after the fact. Aviatrix builds policy into the network itself by stopping traffic where it shouldn’t exist, segmenting what shouldn’t connect, and encrypting what attackers want to steal.

Aviatrix offers both visibility and active defense across every route.

The Takeaway

Attackers don't break in. They log in, blend in, and move in silence.

Aviatrix breaks the chain by embedding network policy exactly where attackers operate:

  • Blocks C2 and data theft with policy-based egress

  • Encrypts routes across clouds, apps, and sites

  • Segments environments dynamically by tag, not IP

  • Detects attacker movement across east-west flows

Using these embedded network policies and visibility, Aviatrix helps limit breaches, streamline audits, and decrease operational drag.

When security is built into the network, the attacker’s plan fails before it starts.

References

  1. Unified Kill Chain Whitepaper
  2. MITRE ATT&CK Framework
  3. CISA Zero Trust Maturity Model v2.0
  4. SolarWinds Breach – CISA Advisory
  5. Volt Typhoon – Microsoft Security Blog
  6. MOVEit / Clop Ransomware – Bleeping Computer
  7. HIPAA Security Rule – U.S. Department of Health & Human Services
  8. PCI DSS v4.0 – PCI Security Standards Council
  9. GDPR Article 32 – Security of Processing
  10. CrowdStrike 2024 Global Threat Report
  11. CISA Cybersecurity Advisory – Stop Medusa
  12. National Cyber Security Centre – Indicators of compromise by malware used by APT28
  13. Google Cloud – APT41: A Dual Espionage and Cyber Crime Operation
  14. National Cybersecurity and Communications Integration Center – WannaCry

Benson George

Sr. Principal Product Marketing Manager

Benson brings deep experience across the security stack—from securing connected devices and embedded systems to quantifying and reducing cloud attack surfaces and enforcing encryption standards. He brings a threat-informed perspective to cloud architecture—helping enterprises defend against today’s advanced attack techniques and tomorrow’s unknown risks.
