Defense in depth with Calico Cloud

Last month, we announced the launch of our active cloud-native application runtime security. Calico Cloud’s active runtime security helps security teams secure their containerized workloads with a holistic approach to threat detection, prevention, and mitigation.

As security teams look to secure these workloads, it’s also critical that they employ a defense-in-depth strategy. Calico Cloud’s active runtime security can detect, prevent, and mitigate threats across the entire cyber kill chain for containerized workloads.

What is the cyber kill chain?

The cyber kill chain is a framework used to track the steps a threat actor might take as they attempt to execute a cyber attack on your organization. The cyber kill chain was originally developed by Lockheed Martin to adapt the military concept that details the structure of an attack for cybersecurity threats. Today, this framework is used by security teams from a wide range of organizations to understand and respond to cybersecurity threats.

The Lockheed Martin cyber kill chain consists of seven stages:

  • Reconnaissance: An attacker assesses potential targets and tactics for an attack
  • Weaponization: An attacker prepares the attack by obtaining or setting up the appropriate infrastructure
  • Delivery: An attacker launches their attack
  • Exploitation: An attacker gains access to their target by exploiting a vulnerability
  • Installation: An attacker establishes a persistent foothold in the target’s environment
  • Command & Control: An attacker is able to remotely control and communicate with compromised machines in the target’s environment
  • Actions on objectives: An attacker achieves their goal, such as disrupting business operations, stealing sensitive information, or hijacking infrastructure

The idea behind a defense-in-depth strategy is that you have threat detection and prevention measures across the cyber kill chain. This way, even if an attacker has gotten past initial defenses, you can quickly detect and mitigate an attack to limit its impact on your organization.

Let’s take a look at how Calico Cloud’s runtime threat defense features can help you stop attacks across the cyber kill chain.


Reconnaissance is the first stage of an attack: an attacker is attempting to identify potential targets and tactics for an attack. In particular, an attacker will be scanning internet-facing assets to identify potential vulnerabilities to exploit.

Public cloud instances are particularly popular targets for attackers looking for susceptible targets. It’s quite common for attackers to scan the IP ranges of public cloud providers to find potential targets that have easily exploitable misconfigurations and software vulnerabilities.

With Calico Cloud’s anomaly detection capabilities, you can quickly detect and respond to reconnaissance activity detected in your Kubernetes cluster. Calico Cloud’s anomaly detection feature analyzes network activity and identifies anomalous and suspicious behavior detected in your cluster. This includes common network reconnaissance techniques, such as port scans or IP sweeps.

Once you install anomaly detection, you can review detected suspicious behavior on the Alerts page of the Calico Cloud UI, and drill down into specific alerts using the Service and Threat Graph feature. Here’s an example alert of a port scan that has been detected on the Service and Threat Graph:

From the Calico Cloud UI, you can also quickly mitigate this type of attack activity by creating a network policy. You might want to create an ingress policy to limit what IPs can communicate with your endpoints, as well as limit on which ports and protocols network traffic is allowed.

Delivery and exploitation

Once an attacker has identified a target and set up any required infrastructure to execute the attack, they will begin their attack operations. For containerized environments, this is often in the form of delivering a malicious payload to take advantage of the vulnerabilities or misconfigurations detected during reconnaissance.

Using Calico Cloud’s deep packet inspection (DPI) features, you can easily monitor your Kubernetes cluster’s traffic for suspicious payloads. Calico Cloud makes it really easy to deploy DPI as a Kubernetes custom resource. For each DPI resource, Calico Cloud creates a live network monitor that inspects the header and payload information. Inspected traffic is compared against Snort community rules, and alerts are generated when Snort rules are matched.

Once you configure DPI, you can review alerts generated by DPI in the Calico Cloud Alerts page. Should you believe a pod has been compromised, you can quickly quarantine the pod by applying network policies, thereby mitigating the threat.


Once an attacker has successfully gained access to your environment, they will need to establish a continued foothold in your environment. An attacker will often install a backdoor in order to maintain access.

With Calico Cloud’s malware protection, it can detect the presence of malicious files in your environment. Calico Cloud maintains a threat intelligence database, which includes file hashes of known malicious files. It monitors all files being executed and compares the file hashes to its library of hashes. If a malicious file is detected, an alert is generated, which can be reviewed on the Calico Cloud Alerts page:

Calico Cloud’s malware alerts provide you with rich context (e.g. the full path of the malicious file, and process arguments with which the process was started) in addition to the pod name, namespace, container name, and details of the observed file. This allows you to quickly triage the issue and apply security controls to limit the impact of an attack.

Command and control

In order to remotely control the compromised machines in your environment, an attacker must set up a communication channel between their command and control (C2) infrastructure and the compromised pods. It’s very common for attackers to abuse the DNS protocol for the purposes of C2.

There are many ways that Calico Cloud can detect and prevent C2 activity: anomaly detection, GlobalThreatFeeds, and HoneyPods are all threat defense capabilities that can detect potential C2 communications using different detection techniques. Let’s take a closer look at how you can use GlobalThreatFeeds to prevent C2 communications.

GlobalThreatFeeds allows you to add threat intelligence feeds to Calico Cloud. When used as part of network policies, you can block ingress and egress traffic from network indicators of compromise (IOCs), such as IP addresses and hostnames, from these feeds.

In order to prevent C2 communications, you can create a GlobalThreatFeed resource for a feed of hostnames for C2 servers. You can then create a GlobalNetworkPolicy to block any egress traffic to any hostnames on this feed. You can also configure GlobalAlerts so that you can receive an alert when a DNS query is attempted to one of these hostnames, and take further action to quarantine the workload should the pod be compromised.

Next steps

As detailed above, Calico Cloud provides robust runtime security for containerized workloads across the cyber kill chain. Its threat detection features are easy to deploy and can help advance your organization’s defenses. Moreover, with our active cloud-native security, you can quickly respond to and mitigate detected threats in your environment.

You can get started today on securing your Kubernetes containers with Calico Cloud by signing up for a free Calico Cloud trial.

Join our mailing list

Get updates on blog posts, new releases and more!