Man‐in‐the‐middle (MitM) attack: Otherwise known as eavesdropping attacks, MitM attacks occur when an attacker is able to insert themselves into a two‐way conversation. When successful, the attacker is then able to filter and steal data from the connection. The most common attack type is via an unsecure, or weakly secured, Wi‐Fi access point; or by installing malware to redirect traffic to a bad actor.
Denial‐of‐service (DoS) or distributed denial‐of‐service (DDoS): A DoS attack overwhelms or floods a system or network to the point that it makes it unavailable. A DDoS is a case where multiple attackers are performing a DoS. One of the biggest examples of DDoS attack occurred in February 2020 when Amazon Web Services mitigated the biggest such attack recorded to date.
Brute‐force: When an attacker systematically submits numerous passwords or passphrases until the correct one is found. In 2016, Alibaba was the victim of a successful brute‐force attack that resulted in the loss of 21 million account data records.
Malware: A term used to describe malicious software and includes worms, ransomware, viruses, spyware/adware, and trojans:Worm: A standalone program that replicates itself to spread to other computers. The most famous worm is the Morris Worm (see Chapter 1).Ransomware: A type of malware that uses encryption to remove a data owner's access so that the attacker can hold the data hostage until the data's owner pays the ransom. There has been a large growth of ransomware, and most cyber intelligence sources anticipate this growth to continue as a threat in 2021 and beyond. WannaCry was the biggest ransomware event so far, with over 250,000 systems affected, in 150 countries, with an average of $300,000 paid per system, and over 176 types of encryption used.Virus: A type of malicious code (or program) written to alter the way a computer operates, and designed to spread from one computer to another. The Mydoom virus is the biggest known virus to date, with an estimated $38 billion damages in 2014.Spyware/adware: These include the annoying pop‐up advertisements on search engines, which redirect your search. Some arrive as browser add‐ons purporting to help save money or time. Other instances include being placed as malware on a system or as spyware performing key logging (i.e., the action of recording the keys struck on a keyboard). CoolWebSearch is a browser add‐on that took advantage of security vulnerabilities in Internet Explorer to hijack it, change settings, and send the browsing history to the software publishers.Trojan: The most common type of cyberattack, it typically arrives in the form of a legitimate‐looking email asking the reader to perform an update or click a link for something. The malware is then unknowingly downloaded into the target's computer; hence, the name Trojan. Storm Worm, in 2007, is a well‐known type of trojan horse attack. It tricked victims into clicking an email link to an article that downloaded trojan malware. It affected over 1.5 million systems, and is estimated to have cost $10 billion in damages.
Analysis of a Breach
Now that we've covered all the types of cybercrimes, bad actors, and breach threats, let's discuss how a breach is typically carried out. It can be broken down into five main steps: research, intrusion, lateral movement, privilege escalation, and exfiltration. CEO John Chambers once said, “There are two types of companies: Those that have been hacked, and those who don't know yet that they have been hacked.”
Phase 1: Research This phase can begin months before detection. For most attackers, it begins by finding out as much as possible about their target. Searches on LinkedIn and company websites for possible phishing targets are common. Their reconnaissance may include researching who the third parties and affiliates are, locating buildings and Wi‐Fi networks, and discovering information on security systems and any entry points. Like any good attacker, knowing where the target stores its valuables and how they protect them are key components of planning a hack. Once all this intelligence is gathered, the type of tools and methodology can then be determined, and their intrusion can begin.
Phase 2: Intrusion As in the research phase, intrusion can take months before discovery. This phase involves the attacker being focused on breaking into the perimeter of the target, with a persistent foothold being their ultimate goal. Whether they used a phishing campaign to steal credentials or used hacking tools to crack into the network, attackers usually are able to do this and remain nearly invisible to the victim. Once they are inside the network, the attacker will work to ensure their access is long term in the anticipation of revisiting on a regular basis.
The five steps to a breach are shown in Figure 2.3 below.
FIGURE 2.3 The Five Steps to a Breach
Phase 3: Lateral Movement After the access becomes more persistent (the attacker has a solid foothold in the target network), the attacker's goal is to find and access more systems within the network. They will search files, databases, password files, sensitive data locations, and network mapping for this work. Most often, the attacker is impersonating an authorized user, so detection is difficult without robust countermeasures such as SIEM and IDS/IPS. This phase generally takes place months or weeks prior to detection.
Phase 4: Privilege Escalation The majority or totality of sensitive information in most company networks is (or should be) protected behind layers of defense that require special access rights. In cases where these user accounts have elevated access, such as in the case of administrators or data owners, this is called Privileged Access. This type of access allows the attacker to get at the data needed, so they must find a way to escalate their initial access. Once this access is obtained, then the attacker will go after their internal targets: sensitive company documents, PII, mail servers, document systems, and other areas.
Phase 5: Exfiltration In this final phase, the attacker is in the home stretch. They have attained the intel necessary, broken into the network, looked around for the stuff to steal, gained access to those systems, and are now ready to steal it. They steal the data, sometimes damaging critical systems used to track their movements and disrupt operations. Some destroy any evidence with a ransomware attack at this point. Some linger in the network, if they think they are not detected, waiting for new opportunities to exploit their access. Once they have reached this stage, it is very difficult to stop the attack and the cost to the company increases the longer it goes undetected.
The Third‐Party Breach Timeline: Target
The discussion of the five phases for a breach can be best demonstrated by using Target as an actual example. In December 2013, it was announced that around 70 million payment card data records for Target's shoppers had been stolen through the point‐of‐sale (POS) system. In addition, over 11 GB of data was exfiltrated. The anatomy of how it occurred illustrates both the vulnerability of third parties and how an attacker goes through the five phases.
Research: HVAC vendors were likely targeted as this third party is used as a backdoor to gain access. An internet search could have produced information about how Target works with its vendors and likely would've shown vendor portals. Also easily found is the Microsoft study done on how Target uses its virtualization software, the MS Domain Name Server (DNS), its software for managing system configurations (Systems Center Configuration Manager [SCCM]), and other important intel about internal systems.
Analysis then shows a phishing email was sent to Target's HVAC vendor, Fazio Mechanical, with malware that was a password‐stealing bot. It is suspected that this software sent stolen credentials to the attackers.
Intrusion: Using the stolen credentials from Fazio Mechanical, attackers