How Did This Happen?

It’s 6:03am and you receive an email, Teams message, and text message alerting you to an emergency meeting of all company leadership at 7:00am in the office. You arrive on time but remain caffeine deficient as your first cup of coffee has yet to be consumed. Once everyone is seated, looking far more disheveled than usual, the CEO shares that the business has suffered a massive data breach. And because this story is so common and unfolds in almost the exact same manner in every instance, the first question asked is, “HOW DID THIS HAPPEN?”

The answer: cybercrimes often begin with a breach of security measures that results from vulnerabilities in an organization’s systems, processes, or even its people. Because the nuances of a breach in a virtual environment can be hard to follow, we will tell the story of the virtual breach alongside the story of a physical break-in. Here’s how the story typically unfolds:

Chapter One: Identify Vulnerabilities

The process usually starts with attackers identifying vulnerabilities within the target organization’s infrastructure. These vulnerabilities could be weaknesses in software, outdated systems, misconfigured settings, or unpatched security flaws. Attackers may use automated scanning tools or conduct manual reconnaissance to identify these weaknesses.

In the case of a physical breach, such as the infiltration of an art gallery, an individual with criminal intent would first “case the joint.”

Chapter Two: Exploit Identified Vulnerabilities

Once vulnerabilities are identified, attackers exploit them to gain unauthorized access to the organization’s systems or networks. This could involve techniques such as exploiting software vulnerabilities (e.g., zero-day exploits), brute-forcing weak passwords, or leveraging misconfigured security settings to bypass authentication mechanisms.

Once weaknesses in the security of the art gallery are identified, the criminal exploits them to gain access to the building itself. In this story, the criminal identified a vulnerability in the security check process for deliveries arriving early on Tuesday mornings: the employee in charge simply waves all trucks through without looking up from their phone.

Chapter Three: Initial Access

With a foothold gained through the exploitation of vulnerabilities, attackers establish initial access to the organization’s environment. This could involve compromising a single user account, infiltrating a vulnerable server, or exploiting a misconfigured network device. Once inside, attackers can begin their reconnaissance and lateral movement within the network to escalate privileges and access sensitive data.

The criminal’s initial access is through the loading bay where they unload cleaning and art preservation supplies as a cover for their presence.

Chapter Four: Evasion and Persistence

To avoid detection and maintain access for an extended period, attackers employ evasion techniques and establish persistence mechanisms. This could involve using stealthy malware that evades detection by security tools, encrypting communication channels to hide their activities, or implanting backdoors to regain access even if discovered and removed.

Now that the criminal has successfully infiltrated the building, they begin additional reconnaissance and procure a security badge from the unlocked office of the HR Director. They also set up a small camera that lets them watch the art objects being unpacked. Knowing what has arrived will help the criminal decide when to carry out the robbery that has been the goal of all this work.

You now possess a rudimentary understanding of how a data breach begins, but the initial question, “How did this happen?”, cannot be fully answered without exploring the common entry points (that is, the vulnerabilities) that attackers leverage.

UP NEXT: Let Me Get the Door

Sources:

https://csrc.nist.gov/

https://its.ucsc.edu/security/breaches.html