The Anatomy of a Hack: Perception vs. Reality

The number of data breaches has skyrocketed in recent years. Contrary to popular belief and Hollywood story lines, cyber-attacks are rarely carried out by legions of highly sophisticated coders gone rogue, deploying the most advanced techniques to penetrate organizations’ perimeter defenses. Reality paints a very different picture: cyber adversaries are no longer hacking to carry out data breaches ― they’re simply logging in by exploiting weak, stolen, or otherwise compromised credentials. Implementing an effective enterprise security strategy requires an understanding of hackers’ tactics, techniques, and procedures ― often called TTPs.

For many years, the anatomy of a hack has been glorified, leading to the common belief that data breaches typically exploit zero-day vulnerabilities and require a tremendous amount of code sophistication to “break” through the almost impenetrable perimeter defenses that organizations have put in place. However, post-mortem analysis has repeatedly found that the source of a hack is often compromised credentials.

Data breaches at Marriott International, Dunkin’ Donuts, and Citrix are just a few examples that illustrate how cyber adversaries are exfiltrating data. According to a recent study by Centrify (PDF), 74 percent of respondents whose organizations have been breached acknowledge it involved access to a privileged account. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials.

When a privileged account gets compromised, it allows the cyber-attacker to impersonate a legitimate employee or system and carry out malicious activity without being detected as an intruder. Once hackers compromise a privileged account, they can typically roam at will across an IT environment to exfiltrate data and cause damage.

Today’s Cyber-Attack Lifecycle

There are many different versions of the “cyber-attack lifecycle” or “kill chain”, but all of them contain three major phases, and they apply to both external and insider threats:

Phase 1: Compromise


Most of today’s cyber-attacks are front-ended by credential harvesting campaigns. Common methods for harvesting credentials include the use of social engineering techniques, password sniffers, phishing campaigns, digital scanners, malware attacks, or any combination of these. Cyber criminals also take advantage of millions of stolen credentials being sold on the Dark Web. Once in possession of stolen, weak, or compromised credentials, attackers leverage brute force, credential stuffing, or password spraying campaigns to gain access to their target environment.
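The three access techniques named above leave different footprints in authentication logs, and that difference is what a defender keys on: brute force is depth (many failures against one account), while password spraying and credential stuffing are breadth (one or two failures each across many accounts from the same source). The following is an added example written for this article, not code from the author or from any vendor mentioned; the sshd-style log lines are constructed, the addresses are documentation ranges, and the thresholds are illustrative assumptions to tune per environment.

```python
"""Classify failed-login patterns per source address as spray/stuffing
(breadth) or brute force (depth), and note whether the same source later
obtained an accepted login, which is the compromise signal worth paging on."""
import re
from collections import defaultdict

# Constructed sample sshd log lines (hosts, users and addresses are made up).
SAMPLE_LOG = """\
Mar  3 09:00:01 bastion sshd[1201]: Failed password for alice from 203.0.113.7 port 51002 ssh2
Mar  3 09:00:02 bastion sshd[1203]: Failed password for bob from 203.0.113.7 port 51003 ssh2
Mar  3 09:00:03 bastion sshd[1205]: Failed password for carol from 203.0.113.7 port 51004 ssh2
Mar  3 09:00:04 bastion sshd[1207]: Failed password for dave from 203.0.113.7 port 51005 ssh2
Mar  3 09:00:05 bastion sshd[1209]: Failed password for erin from 203.0.113.7 port 51006 ssh2
Mar  3 09:00:06 bastion sshd[1211]: Failed password for frank from 203.0.113.7 port 51007 ssh2
Mar  3 09:00:07 bastion sshd[1213]: Accepted password for frank from 203.0.113.7 port 51008 ssh2
Mar  3 09:01:00 bastion sshd[1215]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar  3 09:01:01 bastion sshd[1216]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Mar  3 09:01:02 bastion sshd[1217]: Failed password for invalid user admin from 198.51.100.9 port 40003 ssh2
Mar  3 09:01:03 bastion sshd[1218]: Failed password for invalid user admin from 198.51.100.9 port 40004 ssh2
Mar  3 09:01:04 bastion sshd[1219]: Failed password for invalid user admin from 198.51.100.9 port 40005 ssh2
Mar  3 09:05:00 bastion sshd[1221]: Failed password for alice from 192.0.2.44 port 60001 ssh2
Mar  3 09:05:30 bastion sshd[1223]: Accepted publickey for alice from 192.0.2.44 port 60002 ssh2
"""

# Matches the common OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" shape.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse(log_text):
    """Turn raw lines into dicts with result, method, user and src; skips non-auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, spray_users=5, brute_attempts=5):
    """Per source IP, label the failure pattern and record any accepted logins.

    spray: failures spread over >= spray_users distinct accounts, at most two
           guesses per account (password spraying and credential stuffing both
           look like this in aggregate).
    brute_force: >= brute_attempts failures against a single account.
    Thresholds are assumed values for illustration.
    """
    failed_users = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    accepted = defaultdict(set)                           # src -> users accepted
    for e in events:
        if e["result"] == "Failed":
            failed_users[e["src"]][e["user"]] += 1
        else:
            accepted[e["src"]].add(e["user"])

    findings = {}
    for src, per_user in failed_users.items():
        distinct = len(per_user)
        max_per_user = max(per_user.values())
        if distinct >= spray_users and max_per_user <= 2:
            kind = "spray"
        elif max_per_user >= brute_attempts:
            kind = "brute_force"
        else:
            continue  # ordinary typos: one user, a handful of failures
        findings[src] = {
            "kind": kind,
            "distinct_users": distinct,
            "failures": sum(per_user.values()),
            # An accepted login from a source that was just guessing is the
            # "they logged in" moment; it should raise the alert severity.
            "accepted_after": sorted(accepted.get(src, set())),
        }
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

On the constructed sample, 203.0.113.7 is flagged as a spray that ended in an accepted password login for one account, 198.51.100.9 as brute force against a non-existent "admin" user, and the lone failed attempt from 192.0.2.44 followed by a key-based login is left alone. The same breadth-versus-depth split applies to web login, VPN and IdP logs once the parser is swapped for the relevant format.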

Since account compromise attacks can bypass the most hardened security perimeters, organizations need to change their mindset and apply a Zero Trust approach, which assumes that attackers are already inside the network. This will then influence an organization’s security architecture. 

Phase 2: Explore

Once inside the target environment, hackers perform reconnaissance to identify regular IT schedules, security measures, network traffic flows, and scan the entire IT environment to gain an accurate picture of the network resources, privileged accounts, and services. Domain controllers, Active Directory, and servers are prime reconnaissance targets to hunt for additional privileged credentials and privileged access. 

To dramatically limit a hacker’s ability to conduct reconnaissance and move laterally, organizations should consider the following Privileged Access Management (PAM) best practices:

• Apply Multi-Factor Authentication (MFA) Everywhere

• Enforce Just-Enough, Just-in-Time Privilege

• Establish Access Zones

• Leverage a Secure Admin Environment

Phase 3: Exfiltrate and Cover Up

Once an attacker has identified where valuable data resides, they typically look for ways to elevate access privileges in order to exfiltrate the data and conceal their activity to avoid detection. Often, they will attempt to create a back door for exfiltrating additional data later on using SSH keys. 

Measures for preventing data exfiltration include enforcing MFA, air-gapping admin accounts as recommended by Microsoft, using host-based auditing and monitoring, and taking advantage of machine learning algorithms to monitor privileged user behaviors, identify “anomalous” and high-risk activity, and alert on it.
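Monitoring privileged user behavior for anomalies, as the paragraph above recommends, starts from a baseline: which hosts, source addresses and hours each privileged account normally uses, so that reconnaissance against a domain controller at 3 a.m. from an account that only ever touches database servers stands out. The following is an added example for this article, not code from the author or any product; the historical and new events are constructed, the rule weights and alert threshold are illustrative assumptions, and the simple scoring rules stand in for the machine learning models the article refers to.

```python
"""Baseline-based anomaly scoring for privileged account activity."""
from collections import defaultdict
from datetime import datetime

# Constructed historical activity for two privileged accounts (the baseline).
BASELINE_EVENTS = [
    {"user": "dbadmin", "host": "db01", "src": "10.0.5.20", "ts": "2024-03-01T10:15:00"},
    {"user": "dbadmin", "host": "db02", "src": "10.0.5.20", "ts": "2024-03-01T14:40:00"},
    {"user": "dbadmin", "host": "db01", "src": "10.0.5.21", "ts": "2024-03-02T09:05:00"},
    {"user": "svc-backup", "host": "backup01", "src": "10.0.9.2", "ts": "2024-03-01T02:00:00"},
    {"user": "svc-backup", "host": "backup01", "src": "10.0.9.2", "ts": "2024-03-02T02:00:00"},
]

# Constructed new events to triage against that baseline.
NEW_EVENTS = [
    {"user": "dbadmin", "host": "db02", "src": "10.0.5.21", "ts": "2024-03-03T11:00:00"},
    {"user": "dbadmin", "host": "dc01", "src": "10.0.5.20", "ts": "2024-03-03T03:12:00"},
    {"user": "svc-backup", "host": "fileshare01", "src": "203.0.113.5", "ts": "2024-03-03T13:30:00"},
]

# Assumed weights: a never-before-seen target host and a domain controller weigh
# most, a new source address next, an unusual hour least. Tune per environment.
WEIGHTS = {
    "new_host": 3,
    "new_src": 2,
    "unusual_hour": 1,
    "domain_controller": 3,
    "unknown_account": 5,
}
ALERT_THRESHOLD = 4


def build_baseline(events):
    """Per account: the sets of hosts, source addresses and hours seen so far."""
    profile = defaultdict(lambda: {"hosts": set(), "srcs": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["srcs"].add(e["src"])
        p["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return profile


def score_event(event, profile):
    """Return (reasons, score) for one event against the per-account profile."""
    p = profile.get(event["user"])
    if p is None:
        # A privileged login from an account with no history at all.
        return ["unknown_account"], WEIGHTS["unknown_account"]
    reasons = []
    if event["host"] not in p["hosts"]:
        reasons.append("new_host")
    if event["src"] not in p["srcs"]:
        reasons.append("new_src")
    if datetime.fromisoformat(event["ts"]).hour not in p["hours"]:
        reasons.append("unusual_hour")
    # Domain controllers are the prime reconnaissance target for harvesting more
    # privileged credentials, so any access to one is weighted up (naming is assumed).
    if event["host"].startswith("dc"):
        reasons.append("domain_controller")
    return reasons, sum(WEIGHTS[r] for r in reasons)


def triage(new_events, baseline_events, threshold=ALERT_THRESHOLD):
    """Score every new event and return those at or above the alert threshold."""
    profile = build_baseline(baseline_events)
    alerts = []
    for e in new_events:
        reasons, score = score_event(e, profile)
        if score >= threshold:
            alerts.append({"user": e["user"], "host": e["host"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(NEW_EVENTS, BASELINE_EVENTS):
        print(alert)
```

With the constructed data, the routine database login at an unseen hour scores 1 and is not raised, while the dbadmin access to dc01 at night and the backup service account reaching a file share from an external address both cross the threshold. In practice the baseline is rebuilt on a rolling window so that legitimately changing duties do not stay "anomalous" forever, and the per-reason breakdown is kept in the alert so an analyst can see why it fired.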

Ultimately, understanding hackers’ TTPs provides a roadmap for aligning preventive measures with threats. In this context, organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks, is no longer enough. Identity has become the new security perimeter and battleground for mitigating cyber-attacks that impersonate legitimate users. Enforcing least-privilege-based controls by verifying who is requesting access, the context of the request, and the risk of the access environment can prevent many account compromise attacks.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
