Anatomy of a Security Breach

We live and work in an increasingly connected world, with the digital revolution changing the way we do business forever. While the benefits of the Internet are many and obvious, there are also negatives to this connected world, with security threats and cyberattacks targeting companies and consumers daily.

“Security threats are relentless. A cyberattack can cause millions of dollars in damage—to both your company’s bottom line and its reputation,” writes Microsoft in its “Anatomy of a Breach” white paper.

Cost of a Data Breach Report 2020

The threat to companies from cyberattacks is spelled out in the “Cost of a Data Breach Report 2020” released by the Ponemon Institute and published by IBM.

The report, now in its 15th year, says that the average cost of a security breach is $3.86 million, with the United States the most targeted country in the world and healthcare the most targeted industry.

Among other findings from the eye-opening report:

  • Average time to identify and contain a cyberattack is 280 days.
  • 52 percent of security breaches are caused by malicious attacks.
  • 80 percent of security breaches involve customer personally identifiable information (PII).
  • 19 percent of malicious breaches involved compromised credentials.
  • Misconfigured cloud servers also accounted for 19 percent of malicious attacks.

Lost business continues to be one of the biggest hits for companies involved in a security breach, increasing from $1.42 million in 2019 to $1.52 million per attack in 2020.

According to the report, the lost business costs include:

  • Customer turnover
  • Lost revenue due to system downtime
  • Increasing cost of acquiring new business due to diminished reputation

The Four Stages of a Security Breach

Unless you understand the methods and tactics that bad actors use to launch cyberattacks and security breaches it is hard to defend against them. The Microsoft white paper breaks security breaches into four stages.

Stage 1: Getting the Initial Foothold

If there were only one or two ways for attackers to get their foot in the door, stopping them would be much easier, but malicious actors take advantage of a variety of tactics that constantly change as criminals come up with new methods to break into systems.

Microsoft identifies these common techniques and terms that are used:

  • Exploit: Malicious programs or code that take advantage of software vulnerabilities, especially in productivity applications, to access information on servers or install malware.
  • Malware: Mal is the Latin prefix denoting bad, evil or wrong, and companies would agree. This malicious software is versatile and can spam you, steal your information or even lock your device until you pay a ransom. Malware types include adware, fileless/memory-resident malware, ransomware, spyware, Trojans, viruses, and worms.
  • Password Spraying: A newer tactic in which attackers try common passwords (think ABC123) hoping to gain entry. Rather than hammering one account, the attackers indiscriminately spray their attempts across thousands of accounts and multiple companies looking for a weakness.
  • Phishing: Attackers target employees or consumers with emails containing malicious links that appear to come from a trusted internal source or third-party vendor. The targeted person is then asked to enter personal, financial or company-specific information such as usernames, passwords and account numbers, which allows the attackers to unleash serious breaches.
  • Ransomware: An increasingly popular method in which attackers lock users out of their computers or network. Entire companies can be held hostage by this type of attack. One type of ransomware simply locks out the user, while a more advanced type encrypts all files, folders, and hard drives. Attackers promise to provide a decryption key if paid, usually in Bitcoin, and in most cases they do release the data once paid.
  • Supply Chain Vulnerabilities: The 2020 hack of network management vendor SolarWinds was an example of a supply chain vulnerability, where attackers gain entry via a trusted vendor’s product or software.
  • Watering Hole: Attackers guess which websites employees of a certain company visit often and then place malware on those sites in an attempt to infect the employees’ devices when they visit.
  • Zero Day: Also known as a 0-day, an attack in which a software security weakness not yet identified by the vendor or developer is exploited.
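The password-spraying entry above describes the attacker's pattern (a few common passwords, many accounts); the defender's corresponding signal is one source failing across an unusually wide set of accounts while no single account exceeds its lockout threshold. The following is an added example, not from the Microsoft white paper or this post, that flags that pattern in a constructed, hypothetical key=value authentication log and deliberately ignores a classic brute force against one account:

```python
"""Flag password-spraying sources in authentication logs (added example).
A spray inverts brute force: one or two common passwords tried against many
accounts, so no account trips its lockout threshold; the signal is one source
failing across an unusually wide set of accounts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "key=value" log format.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T10:00:05Z src=203.0.113.7 user=erin result=SUCCESS
2024-03-01T10:01:00Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:01:01Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:01:02Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:01:03Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T10:30:00Z src=192.0.2.44 user=bob result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse(log_text):
    """Yield (timestamp, src, user, result); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result

def find_sprays(log_text, window=timedelta(minutes=10), min_accounts=4, max_per_account=2):
    """Return {src: sorted users} for sources whose failures within any `window`
    touch >= min_accounts users with <= max_per_account each (brute force: no match)."""
    fails = defaultdict(list)                       # src -> [(ts, user)], failures only
    for ts, src, user, result in parse(log_text):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):    # slide the window over each start
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)
                break
    return hits
```

The spraying source is reported even though its last attempt succeeded (the success line is exactly the event worth escalating), while the source with four failures against a single account is left to the normal lockout rule.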

Stage 2: Gaining Elevated Control

Getting into your system is only the first step; attackers next look for access to the accounts and users responsible for managing the system. If they can impersonate these users, they can then manage, update and access resources across the network.

Microsoft identifies these common techniques and terms that are used:

  • Keyloggers: Also called keystroke logging, attackers use malware to record keys that a user presses. Keyloggers can be used to collect passwords, usernames and other valuable information.
  • Network Scanning: Sometimes hackers do not have an obvious target in mind, but once they gain access to a system they browse and lurk looking for resources and vulnerable assets they can attack.
  • Pass the Hash (PtH): Once in a system, attackers may not even need a user’s actual password to log in as them if they can use the underlying NTLM or LanMan hash of the user’s password to authenticate to a remote server or service.

Stage 3: Expanding to the Network

Once attackers have gotten into the system and had their look around, they are ready to do some real damage, and that requires installing a permanent backdoor or other mechanism for long-term access to the network.

Microsoft identifies these common techniques and terms that are used:

  • Botnet: Much like a zombie army, hackers can gain control of infected, private computers and use them for large-scale attacks.
  • Command and Control (C&C): Once hackers have created a botnet, they can control it with centralized commands from servers. These hackers are often called botmasters.
  • Implant: Attackers use malware to place a small, hidden program on devices that allows them long-term access as needed.
  • Living off the Land: When attackers are able to create fake accounts, they can gain access to the network by essentially hiding in plain sight rather than using an implant.

Stage 4: Staying for the Short or Long Term

Hackers have gotten their foot in the door, identified their targets and created their access. Now they must decide if they want to hit-and-run or make this a long-term relationship.

Odds are, the longer the attackers stay in your network, the more damage they can wreak.

Microsoft identifies these common techniques and terms that are used:

  • Advanced Persistent Threat (APT): Hackers in it for the long term, who try to avoid detection and steal data over an extended time frame.
  • Assume Breach Mindset: A strategic outlook that puts emphasis on ongoing detection, response, and recovery rather than purely preventative security measures.
  • Backdoor: An entry point into a network that allows access until it is detected.
  • Smash-and-Grab: The name says it all – attackers steal data as quickly as possible and then exit.

Microsoft concludes the white paper by saying: “Understand how targeted attacks typically succeed. Recognize that it’s not a matter of if—but when—you’ll be attacked.”


PS LIGHTWAVE provides high-speed, fiber Internet for public and private commercial entities in the Greater Houston and surrounding areas.

Through our high-quality infrastructure, innovative technology and expert, locally based support, we deliver not only the best in connectivity and reliability but also in scalability and redundancy. We invite you to learn more about our services, our history and our dedicated team.