
More than 3 in 5 attacker movements in cloud environments involve lateral movement attempts, according to Google Cloud’s Threat Horizons Report.
Attackers don’t think in silos — and neither should your defenses.
Today’s threats don’t stop at the perimeter. They infiltrate, escalate, and move laterally across the cloud, exploiting weak paths between workloads, regions, and accounts. If you only protect the front door, you’re ignoring every hallway inside.
That’s why Aviatrix secures the network from the inside out, following the attacker’s playbook step-by-step and shutting down movement at every stage of the Unified Kill Chain (UKC).
What is the Unified Kill Chain?
The Unified Kill Chain, developed by Paul Pols, expands on traditional frameworks like Lockheed Martin’s Cyber Kill Chain and MITRE ATT&CK. It better reflects modern adversary behavior, especially in multicloud and hybrid environments.
By breaking down the process of a cyberattack into In, Through, and Out, the UKC helps organizations increase their cyber resilience by stopping hacking attempts at multiple stages of an attack.

Unified Kill Chain — developed by Paul Pols
The UKC models how attackers infiltrate a network:
- Exploit misconfigurations and credentials
- Establish outbound command-and-control
- Move laterally between cloud assets
- Exfiltrate data over encrypted channels
- Persist using stealthy, cloud-native techniques
It provides a structure that networking and security teams can use to build layered defenses that reduce dwell time, blast radius, and breach impact.
Understanding the UKC in a Cloud Context
Think of the kill chain like a network of doors inside your enterprise: not just the front entrance, but the internal rooms attackers quietly move through.
In the cloud, that progression often looks like:
- Reconnaissance – Scanning public IPs, ports, metadata
- Exploitation – Gaining access via credentials, misconfigurations, or zero-days
- Command & Control (C2) – Establishing outbound communication via DNS or HTTPS
- Lateral Movement – Traversing VPCs, regions, or clouds to escalate
- Exfiltration – Stealing sensitive data through encrypted tunnels
- Persistence – Maintaining long-term access using misused credentials, cloud-native services, or hidden connectivity paths
Each step is a pressure point. Each one also gives you a chance to break the chain if your defenses are built in the right place.
Aviatrix: Embedded Defense, Not Bolted-On
Legacy tools try to bolt security onto the edge of the cloud. Aviatrix builds it into the network fabric itself, giving you distributed enforcement, dynamic policy, and visibility across cloud and hybrid paths.
Here’s how Aviatrix maps to Unified Kill Chain concepts to protect networks:
UKC Stage | Aviatrix Capabilities | Security Outcomes | Business Outcomes |
---|---|---|---|
Reconnaissance | | Identifies early-stage recon attempts; blocks attacker visibility into cloud resources | Shrinks attack surface and improves audit readiness |
Exploitation | | Limits attacker movement post-initial access; detects unusual communication paths | Reduces risk of breach escalation and minimizes attacker dwell time |
Command & Control | | Disrupts outbound connections to malicious domains; prevents use of DNS/HTTPS-based C2 channels | Prevents data theft and command signal transmission; enables regulatory compliance |
Lateral Movement | | Blocks unauthorized lateral access paths; stops attacker pivoting between cloud environments | Contains blast radius and reduces breach impact on critical applications |
Exfiltration | | Prevents unauthorized data exfiltration; enforces encryption standards across cloud and hybrid paths | Stops regulatory data loss and reduces legal, financial, and brand exposure risks |
Persistence | | Detects indicators of long-term persistence; maintains enforcement consistency over time and at scale | Ensures sustained zero trust posture; limits time-to-remediate and supports operational resilience |
Real-World Attacks Where Aviatrix Would Have Broken the Kill Chain
These weren’t zero-day-only events. They succeeded because the network didn’t enforce zero trust.
Attack / Group | UKC Stages Impacted | What Native Tools Missed | Aviatrix Defenses Applied | When Blocked… |
---|---|---|---|---|
MOVEit / Clop | Recon → Exploit → Exfiltration | No outbound domain/IP filtering | Egress, Encryption, Visibility | Prevented regulated data loss |
Medusa Ransomware | Exploit → C2 → Lateral → Exfiltration | DNS-based C2 allowed; east-west unsegmented | Segmentation, Egress, Encryption | Contained ransomware, avoided downtime |
SolarWinds / UNC2452 | Recon → Exploit → C2 → Lateral | DNS/TLS traffic not inspected; no segmentation | Segmentation, Egress, DNS FlowIQ | Stopped privilege escalation, lateral movement |
APT28 (Fancy Bear) | Recon → Exploit → C2 → Exfiltration | No egress filtering; encrypted C2 allowed | Egress, Encryption, Flow Analytics | Blocked espionage via cloud-native paths |
APT41 (Double Dragon) | Exploit → C2 → Lateral → Exfiltration | Flat networks; no microsegmentation | Segmentation, Egress, Encryption | Isolated cloud workloads from adversary spread |
WannaCry | Exploit → Lateral Movement | Flat networks enabled worm propagation | Segmentation, Encryption | Prevented lateral ransomware blast radius |
Volt Typhoon | Recon → Exploit → C2 → Persistence | No TLS/DNS inspection; no anomaly detection | DNS Egress Control, FlowIQ, Segmentation | Disrupted stealthy APT persistence |
The Breach Is the Result, Not the Beginning
Breaches happen when detection comes too late and enforcement is too shallow.
Most native tools log symptoms after the fact. Aviatrix builds policy into the network itself by stopping traffic where it shouldn’t exist, segmenting what shouldn’t connect, and encrypting what attackers want to steal.
- Distributed Firewall — Policy enforcement across clouds, regions, and workloads
- DNS, FQDN Egress Filtering — Stops C2 and data exfiltration early
- FlowIQ Traffic Analytics — Uncovers attacker movement and policy violations
- Terraform & SmartGroups — Enforce policy-as-code and scale securely with app growth
- High-Performance Encryption — Secure hybrid paths up to 100 Gbps
Aviatrix offers both visibility and active defense across every route.
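The cloud kill-chain stages listed earlier and the capabilities above (tag-based segmentation, FQDN egress filtering, flow analytics) can be expressed as policy-as-code and checked against flow records. The following is an added illustration, not Aviatrix code or its API: a hypothetical policy model evaluated over constructed flow records, with each violation mapped to the UKC stage it most likely represents. Tag names, FQDNs, the byte threshold and the record format are all assumptions.

```python
"""Policy-as-code sketch: tag-based segmentation plus FQDN egress allowlisting,
evaluated over constructed flow records and mapped to Unified Kill Chain stages.
Hypothetical model for illustration only; not Aviatrix's API or data format."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_tag: str             # workload tag of the source (e.g. "web", "app", "db")
    dst_tag: Optional[str]   # tag of an in-cloud destination, or None if Internet-bound
    dst_fqdn: Optional[str]  # resolved FQDN for Internet-bound flows
    dst_port: int
    proto: str               # "tcp", "udp" or "dns"
    bytes_out: int

# East-west policy keyed by tags, not IPs: only these (src, dst, port) tuples may talk.
SEGMENTATION_ALLOW = {("web", "app", 8443), ("app", "db", 5432)}
# Per-tag FQDN egress allowlist; tags absent here get no Internet egress at all.
EGRESS_ALLOW = {"app": {"api.payments.example", "updates.example"}}
EXFIL_BYTES = 10_000_000  # constructed threshold separating beaconing from bulk transfer

def classify(flow: Flow) -> Optional[tuple[str, str]]:
    """Return None if the flow is permitted, else (UKC stage, reason)."""
    if flow.dst_tag is None:  # north-south: apply the FQDN egress allowlist
        if flow.dst_fqdn in EGRESS_ALLOW.get(flow.src_tag, set()):
            return None
        reason = f"{flow.src_tag} -> {flow.dst_fqdn}:{flow.dst_port}/{flow.proto} not on egress allowlist"
        if flow.bytes_out >= EXFIL_BYTES:
            return ("Exfiltration", reason)
        return ("Command & Control", reason)
    if (flow.src_tag, flow.dst_tag, flow.dst_port) in SEGMENTATION_ALLOW:  # east-west
        return None
    return ("Lateral Movement", f"{flow.src_tag} -> {flow.dst_tag}:{flow.dst_port} violates segmentation")

def evaluate(flows):
    """Return (index, stage, reason) for every flow that violates policy."""
    findings = []
    for i, f in enumerate(flows):
        verdict = classify(f)
        if verdict:
            findings.append((i, *verdict))
    return findings

# Constructed sample flows standing in for exported flow-analytics records.
SAMPLE_FLOWS = [
    Flow("web", "app", None, 8443, "tcp", 12_000),                  # allowed tier hop
    Flow("app", "db", None, 5432, "tcp", 4_000),                    # allowed tier hop
    Flow("web", "db", None, 5432, "tcp", 900),                      # web tier reaching db directly
    Flow("app", None, "api.payments.example", 443, "tcp", 20_000),  # approved egress
    Flow("app", None, "beacon.invalid", 53, "dns", 300),            # DNS to unapproved domain
    Flow("db", None, "drop.invalid", 443, "tcp", 50_000_000),       # bulk transfer from db tier
]

if __name__ == "__main__":
    for idx, stage, reason in evaluate(SAMPLE_FLOWS):
        print(f"flow {idx}: {stage}: {reason}")
```

Running it flags flows 2, 4 and 5 as Lateral Movement, Command & Control and Exfiltration respectively, while the two permitted tier hops and the allowlisted egress pass silently.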
The Takeaway
Attackers don’t break in. They log in, blend in, and move in silence.
Aviatrix breaks the chain by embedding network policy exactly where attackers operate:
- Blocks C2 and data theft with policy-based egress
- Encrypts routes across clouds, apps, and sites
- Segments environments dynamically by tag, not IP
- Detects attacker movement across east-west flows
Using these embedded network policies and visibility, Aviatrix helps limit breaches, streamline audits, and decrease operational drag.
When security is built into the network, the attacker’s plan fails before it starts.
- Take a free security assessment to learn how your network defenses can be stronger.
- Explore how the Aviatrix Secure High-Performance Datacenter Edge solution provides essential encryption and reliable connectivity.
References
- Unified Kill Chain Whitepaper
- MITRE ATT&CK Framework
- CISA Zero Trust Maturity Model v2.0
- SolarWinds Breach – CISA Advisory
- Volt Typhoon – Microsoft Security Blog
- MOVEit / Clop Ransomware – Bleeping Computer
- HIPAA Security Rule – U.S. Department of Health & Human Services
- PCI DSS v4.0 – PCI Security Standards Council
- GDPR Article 32 – Security of Processing
- CrowdStrike 2024 Global Threat Report
- CISA Cybersecurity Advisory – Stop Medusa
- National Cyber Security Centre – Indicators of compromise by malware used by APT28
- Google Cloud – APT41: A Dual Espionage and Cyber Crime Operation
- National Cybersecurity and Communications Integration Center – WannaCry