Читать книгу Cybersecurity and Third-Party Risk - Gregory C. Rasner - Страница 32

Now that we've covered all the types of cybercrimes, bad actors, and breach threats, let's discuss how a breach is typically carried out. It can be broken down into five main steps: research, intrusion, lateral movement, privilege escalation, and exfiltration. CEO John Chambers once said, “There are two types of companies: Those that have been hacked, and those who don't know yet that they have been hacked.”

Phase 1: Research This phase can begin months before detection. For most attackers, it begins by finding out as much as possible about their target. Searches on LinkedIn and company websites for possible phishing targets are common. Their reconnaissance may include researching who the third parties and affiliates are, locating buildings and Wi‐Fi networks, and discovering information on security systems and any entry points. Like any good attacker, knowing where the target stores its valuables and how they protect them are key components of planning a hack. Once all this intelligence is gathered, the type of tools and methodology can then be determined, and their intrusion can begin.

Phase 2: Intrusion As in the research phase, intrusion can take months before discovery. This phase involves the attacker being focused on breaking into the perimeter of the target, with a persistent foothold being their ultimate goal. Whether they used a phishing campaign to steal credentials or used hacking tools to crack into the network, attackers usually are able to do this and remain nearly invisible to the victim. Once they are inside the network, the attacker will work to ensure their access is long term in the anticipation of revisiting on a regular basis.

The five steps to a breach are shown in Figure 2.3 below.

FIGURE 2.3 The Five Steps to a Breach

Phase 3: Lateral Movement After the access becomes more persistent (the attacker has a solid foothold in the target network), the attacker's goal is to find and access more systems within the network. They will search files, databases, password files, sensitive data locations, and network mapping for this work. Most often, the attacker is impersonating an authorized user, so detection is difficult without robust countermeasures such as SIEM and IDS/IPS. This phase generally takes place months or weeks prior to detection.

Phase 4: Privilege Escalation The majority or totality of sensitive information in most company networks is (or should be) protected behind layers of defense that require special access rights. In cases where these user accounts have elevated access, such as in the case of administrators or data owners, this is called Privileged Access. This type of access allows the attacker to get at the data needed, so they must find a way to escalate their initial access. Once this access is obtained, then the attacker will go after their internal targets: sensitive company documents, PII, mail servers, document systems, and other areas.

Phase 5: Exfiltration In this final phase, the attacker is in the home stretch. They have attained the intel necessary, broken into the network, looked around for the stuff to steal, gained access to those systems, and are now ready to steal it. They steal the data, sometimes damaging critical systems used to track their movements and disrupt operations. Some destroy any evidence with a ransomware attack at this point. Some linger in the network, if they think they are not detected, waiting for new opportunities to exploit their access. Once they have reached this stage, it is very difficult to stop the attack and the cost to the company increases the longer it goes undetected.