The Anatomy of a Hack: Perception vs. Reality

The number of data breaches has skyrocketed in recent years. Contrary to popular belief and Hollywood story lines, cyber-attacks are rarely carried out by legions of highly sophisticated coders gone rogue, deploying the most advanced techniques to penetrate organizations’ perimeter defenses. Reality paints a very different picture: cyber adversaries are no longer hacking to carry out data breaches ― they’re simply logging in by exploiting weak, stolen, or otherwise compromised credentials. Implementing an effective enterprise security strategy requires an understanding of hackers’ tactics, techniques, and procedures ― often called TTPs.

For many years, the anatomy of a hack has been glorified and led to the common belief that data breaches typically exploit zero-day vulnerabilities and require a tremendous amount of code sophistication to “break” through the almost impenetrable perimeter defenses that organizations have put in place. However, post-mortem analysis has repeatedly found that the source of a hack is often compromised credentials. 

Data breaches at Marriott International, Dunkin’ Donuts, and Citrix are just a few examples that illustrate how cyber adversaries are exfiltrating data. According to a recent study by Centrify (PDF), 74 percent of respondents whose organizations have been breached acknowledge it involved access to a privileged account. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials.

When a privileged account gets compromised, it allows the cyber-attacker to impersonate a legit employee or system and carry out malicious activity without being detected as an intruder. Once hackers compromise a privileged account, they can typically roam at will across an IT environment to exfiltrate data and cause damage. 

Today’s Cyber-Attack Lifecycle

There are many different versions of the “cyber-attack lifecycle” or “kill chain”, but all of them basically contain three major phases, and are applicable for both external and insider threats:

Phase 1: Compromise

Most of today’s cyber-attacks are front-ended by credential harvesting campaigns. Common methods for harvesting credentials include the use of social engineering techniques, password sniffers, phishing campaigns, digital scanners, malware attacks, or any combination of these. Cyber criminals also take advantage of millions of stolen credentials being sold on the Dark Web. Once in possession of stolen, weak, or compromised credentials, the attackers are leveraging brute force, credential stuffing, or password spraying campaigns to gain access to their target environment.

Since account compromise attacks can bypass the most hardened security perimeters, organizations need to change their mindset and apply a Zero Trust approach, which assumes that attackers are already inside the network. This will then influence an organization’s security architecture. 

Phase 2: Explore

Once inside the target environment, hackers perform reconnaissance to identify regular IT schedules, security measures, network traffic flows, and scan the entire IT environment to gain an accurate picture of the network resources, privileged accounts, and services. Domain controllers, Active Directory, and servers are prime reconnaissance targets to hunt for additional privileged credentials and privileged access. 

To dramatically limit a hacker’s ability to conduct reconnaissance and move laterally, organizations should consider the following Privileged Access Management (PAM) best practices:

• Apply Multi-Factor Authentication (MFA) Everywhere

• Enforce Just-Enough, Just-in-Time Privilege

• Establish Access Zones

• Leverage a Secure Admin Environment

Phase 3: Exfiltrate and Cover Up

Once an attacker has identified where valuable data resides, they typically look for ways to elevate access privileges in order to exfiltrate the data and conceal their activity to avoid detection. Often, they will attempt to create a back door for exfiltrating additional data later on using SSH keys. 

Several measures for preventing data exfiltration include: enforcing MFA, air-gapping admin accounts as recommended by Microsoft, using host-based auditing and monitoring, as well as taking advantage of machine learning algorithms to monitor privileged user behaviors, identify “anomalous” and high risk activity, and alert on them. 

Ultimately, understanding hackers’ TTPs provides a roadmap for aligning preventive measures with threats. In this context, organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks is no longer enough. Identity has become the new security perimeter and battleground for mitigating cyber-attacks that impersonate legitimate users. Enforcing least privilege based controls by verifying who is requesting access, the context of the request, and the risk of the access environment can prevent many account compromise attacks.

Related: Compromised Credentials: The Primary Point of Attack for Data Breaches