The Evolving Kill Chain (On-Premise vs. SaaS)

Software as a Service (SaaS) has revolutionized business operations, offering convenience and efficiency. However, with this convenience come new cybersecurity challenges. Hackers continuously evolve their tactics, creating sophisticated attack methods for SaaS applications that differ from those targeting on-premise applications. For instance, on-premise attacks often focus on endpoint exploitation, while cloud attacks may target Identity Providers, bypassing the need to exploit endpoints. This article will explore these differences and help you defend your data and business. We will review the attacker’s kill chain and discuss how to stop it with various defensive measures. To understand this better, let’s start with a review of the seven links in the attacker’s kill chain.

The Kill Chain we need to pay attention to in order to prevent breaches of our company.

What you begin to see when comparing the SaaS kill chain with the on-premise kill chain is that there are new and difficult areas to focus on. Let’s look more closely at the differences in these kill chains.

What is the Difference between On-Premise and SaaS Kill Chains?

The SaaS kill chain is a series of steps that cybercriminals follow to exploit SaaS platforms. These steps involve researching a cloud application and the target company, gathering information on users, and eventually compromising sensitive data. The process can be broken down into the following stages:

  • Reconnaissance: Hackers research and identify potential SaaS targets. They scan SaaS applications for vulnerabilities, buy exposed passwords on the dark web, and search for outdated software or hardware. On-premise applications are largely invisible to such digging outside of buying exposed accounts.

  • Weaponization and Delivery: Attackers gain access to the SaaS system through phishing emails, exploiting vulnerabilities, or using stolen credentials from other breaches via the dark web. On-premise applications require hackers to breach an endpoint or the company VPN first.

  • Exploitation: In SaaS, hackers create secondary accounts or update recovery methods to ensure continued access. In on-premise attacks, hackers install malware to gain and maintain such access.

  • Installation and Command & Control: In SaaS systems, attackers often already have broad access, leading to data exfiltration and ransom demands. On-premise attackers escalate privileges to move freely and access sensitive data.

  • Actions on Objective – Data Exfiltration: In SaaS, hackers use automated scripts to quickly and silently exfiltrate valuable data. In on-premise attacks, hackers map the network, identify valuable data, and exfiltrate it, often after deleting backups. In SaaS, deleting data is sometimes skipped because it triggers a red alert to cloud providers that something is very wrong.

  • Actions on Objective – Encryption Event: Finally, hackers encrypt all valuable data and issue ransom demands. They may also threaten to release data publicly or report breaches to regulators, adding layers of extortion.

Real-World Example

In 2023, Okta, a major identity management company, experienced a significant breach. Attackers used stolen credentials to access Okta’s support case management system, which contained session cookies. These cookies were then used to impersonate real user accounts and bypass multi-factor authentication. As a result, several Okta customers, including Cloudflare and 1Password, were targeted, leading to unauthorized access to sensitive data such as Jira tickets and source code. This incident underscores the critical importance of robust access management and vigilance against social engineering attacks in securing SaaS applications (Valence SaaS Security – 5 Lessons from the Okta Breach).

How to Protect Your Business

Defending against the SaaS kill chain requires a multi-layered approach. Here are practical steps your business can take:

  • Employee Training: Regularly educate employees about phishing attacks and social engineering tactics. This helps staff recognize and avoid potential threats against both on-premise and SaaS applications.

  • Strong Authentication: Implement multi-factor authentication (MFA) to add an extra layer of security. MFA makes it harder for attackers to gain access, even with a valid password. However, be aware of recent evil-proxy malware that bypasses both of these protective measures.

  • Regular Updates: Keep all software, including SaaS applications, up to date with the latest security patches. Hold vendors accountable (see vendor management below). 

  • Monitor and Respond: Continuously monitor your networks and cloud applications for unusual activity. Use advanced threat detection tools and a SIEM to quickly identify and respond to potential breaches.

  • Data Encryption: Encrypt sensitive data both at rest and in transit. This ensures that even if data is stolen, it remains unreadable to unauthorized users.

  • Access Controls: Limit access to sensitive data based on the principle of least privilege. Only necessary access should be granted.

  • Backup and Recovery: Regularly back up data and ensure a robust disaster recovery plan is in place. This helps recover from ransomware attacks and data loss incidents.

  • Vendor Risk Management: Assess and manage the security practices of third-party vendors. Ensure they adhere to your security standards to avoid supply chain attacks. A SOC 2 Type II third-party assessment is ideal for vendor management checks.

  • Secure Configuration: Ensure SaaS applications are configured securely. Disable unnecessary features and enforce strong passwords and Multi-Factor Authentication (MFA) in all cases.

  • Incident Response Plan: Develop and regularly update an incident response plan. This prepares your team to act quickly and efficiently in case of a breach.
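The "Monitor and Respond" step can be made concrete with detection rules for the SaaS-specific stages described earlier: a session token reused from a new address (as with the stolen session cookies in the Okta example), recovery-method changes or secondary-account creation, and scripted bulk export. The following is an added example, not code from the original article; the log schema, action names and threshold are assumptions, and the events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample events in a hypothetical audit-log schema (not any vendor's format).
SAMPLE_LOG = """\
{"ts": 100, "user": "alice", "session": "s1", "ip": "198.51.100.7", "action": "login"}
{"ts": 160, "user": "alice", "session": "s1", "ip": "198.51.100.7", "action": "download", "count": 3}
{"ts": 200, "user": "bob", "session": "s2", "ip": "198.51.100.9", "action": "login"}
{"ts": 900, "user": "bob", "session": "s2", "ip": "203.0.113.50", "action": "update_recovery_email"}
{"ts": 930, "user": "bob", "session": "s2", "ip": "203.0.113.50", "action": "create_user", "target": "svc-backup"}
{"ts": 960, "user": "bob", "session": "s2", "ip": "203.0.113.50", "action": "download", "count": 450}
{"ts": 990, "user": "bob", "session": "s2", "ip": "203.0.113.50", "action": "download", "count": 700}
"""

PERSISTENCE_ACTIONS = {"update_recovery_email", "create_user"}  # assumed action names
EXPORT_THRESHOLD = 1000  # assumed: objects downloaded per session before alerting

def detect(log_text, export_threshold=EXPORT_THRESHOLD):
    """Return a list of (rule, user, session, ts) alerts for one audit log."""
    alerts = []
    session_ip = {}              # session id -> IP address seen at login
    moved = set()                # sessions later presented from a different IP
    exported = defaultdict(int)  # session id -> cumulative download count
    for line in filter(str.strip, log_text.splitlines()):
        e = json.loads(line)
        sid, ip, act = e["session"], e["ip"], e["action"]
        if act == "login":
            session_ip[sid] = ip
            continue
        # Rule 1: session token used from an IP other than the one that logged in.
        if sid in session_ip and ip != session_ip[sid] and sid not in moved:
            moved.add(sid)
            alerts.append(("session_ip_change", e["user"], sid, e["ts"]))
        # Rule 2: persistence step; escalated when the session has already moved.
        if act in PERSISTENCE_ACTIONS:
            rule = "persistence_after_ip_change" if sid in moved else "persistence_change"
            alerts.append((rule, e["user"], sid, e["ts"]))
        # Rule 3: bulk export; alert once, when the session crosses the threshold.
        if act == "download":
            before = exported[sid]
            exported[sid] += e.get("count", 1)
            if before < export_threshold <= exported[sid]:
                alerts.append(("bulk_export", e["user"], sid, e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

An IP change on its own also occurs with mobile networks and VPNs, so the first rule is best treated as context that raises the severity of the other two rather than as a standalone alert.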

The Human Element

While technology and tools are essential in defending against cyber threats, the human element remains crucial. Encouraging a culture of security awareness within your organization makes a significant difference. Employees should feel empowered to report suspicious activities and understand their role in protecting company data. Remember, once-a-year training is no better than an annual trip to the gym. Your employees need to build muscle memory with regular training and phishing simulations. Check out CyberHoot’s cybersecurity training and testing here!


The evolving kill chain (on-premise vs. SaaS) represents an evolutionary threat to businesses. Understanding the attack stages and implementing robust security measures at each stage of the attacker kill chain can help mitigate these risks. By staying informed and proactive, you can protect your valuable data and maintain the trust of your customers in an increasingly digital world.

Cybersecurity is not a one-time effort but an ongoing process that requires you to stay alert, to provide your employees with continuous education, and to adopt new strategies to thwart these evolving kill chain threats.
