Connect with us

Hi, what are you looking for?


Identity & Access

The Anatomy of a Hack: Perception vs. Reality

The number of data breaches has skyrocketed in recent years. Contrary to popular belief and Hollywood story lines, cyber-attacks are rarely carried out by legions of highly sophisticated coders gone rogue, deploying the most advanced techniques to penetrate organizations’ perimeter defenses.

The number of data breaches has skyrocketed in recent years. Contrary to popular belief and Hollywood story lines, cyber-attacks are rarely carried out by legions of highly sophisticated coders gone rogue, deploying the most advanced techniques to penetrate organizations’ perimeter defenses. Reality paints a very different picture: cyber adversaries are no longer hacking to carry out data breaches ― they’re simply logging in by exploiting weak, stolen, or otherwise compromised credentials. Implementing an effective enterprise security strategy requires an understanding of hackers’ tactics, techniques, and procedures ― often called TTPs.

For many years, the anatomy of a hack has been glorified and led to the common belief that data breaches typically exploit zero-day vulnerabilities and require a tremendous amount of code sophistication to “break” through the almost impenetrable perimeter defenses that organizations have put in place. However, post-mortem analysis has repeatedly found that the source of a hack is often compromised credentials. 

Data breaches at Marriott International, Dunkin’ Donuts, and Citrix are just a few examples that illustrate how cyber adversaries are exfiltrating data. According to a recent study by Centrify (PDF), 74 percent of respondents whose organizations have been breached acknowledge it involved access to a privileged account. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials.

When a privileged account gets compromised, it allows the cyber-attacker to impersonate a legit employee or system and carry out malicious activity without being detected as an intruder. Once hackers compromise a privileged account, they can typically roam at will across an IT environment to exfiltrate data and cause damage. 

Today’s Cyber-Attack Lifecycle

There are many different versions of the “cyber-attack lifecycle” or “kill chain”, but all of them basically contain three major phases, and are applicable for both external and insider threats:

Phase 1: Compromise

Most of today’s cyber-attacks are front-ended by credential harvesting campaigns. Common methods for harvesting credentials include the use of social engineering techniques, password sniffers, phishing campaigns, digital scanners, malware attacks, or any combination of these. Cyber criminals also take advantage of millions of stolen credentials being sold on the Dark Web. Once in possession of stolen, weak, or compromised credentials, the attackers are leveraging brute force, credential stuffing, or password spraying campaigns to gain access to their target environment.

Advertisement. Scroll to continue reading.

Since account compromise attacks can bypass the most hardened security perimeters, organizations need to change their mindset and apply a Zero Trust approach, which assumes that attackers are already inside the network. This will then influence an organization’s security architecture. 

Phase 2: Explore

Once inside the target environment, hackers perform reconnaissance to identify regular IT schedules, security measures, network traffic flows, and scan the entire IT environment to gain an accurate picture of the network resources, privileged accounts, and services. Domain controllers, Active Directory, and servers are prime reconnaissance targets to hunt for additional privileged credentials and privileged access. 

To dramatically limit a hacker’s ability to conduct reconnaissance and move laterally, organizations should consider the following Privileged Access Management (PAM) best practices:

• Apply Multi-Factor Authentication (MFA) Everywhere

• Enforce Just-Enough, Just-in-Time Privilege

• Establish Access Zones

• Leverage a Secure Admin Environment

Phase 3: Exfiltrate and Cover Up

Once an attacker has identified where valuable data resides, they typically look for ways to elevate access privileges in order to exfiltrate the data and conceal their activity to avoid detection. Often, they will attempt to create a back door for exfiltrating additional data later on using SSH keys. 

Several measures for preventing data exfiltration include: enforcing MFA, air-gapping admin accounts as recommended by Microsoft, using host-based auditing and monitoring, as well as taking advantage of machine learning algorithms to monitor privileged user behaviors, identify “anomalous” and high risk activity, and alert on them. 

Ultimately, understanding hackers’ TTPs provides a roadmap for aligning preventive measures with threats. In this context, organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks is no longer enough. Identity has become the new security perimeter and battleground for mitigating cyber-attacks that impersonate legitimate users. Enforcing least privilege based controls by verifying who is requesting access, the context of the request, and the risk of the access environment can prevent many account compromise attacks.

RelatedCompromised Credentials: The Primary Point of Attack for Data Breaches

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights