Attack Detail & Analysis
Below we’ll explain the types of attacks used in the comics, provide statistics about their prevalence, and discuss possible defensive measures. This attack and successful breach required a combination of several steps. That’s how all breaches are. While it may not be possible to stop all of the steps, you should try to stop several; you only need to succeed in preventing one.
BEC & Pretext Attacks
Pretexting is similar to phishing, but a lot more effective. Pretext attacks usually impersonate someone to establish trust and have a high success rate in manipulating individuals.
According to the Verizon DBIR, pretexting was the most prevalent social engineering attack in use in 2023. Business Email Compromise (BEC) increases attack effectiveness further and has also increased significantly since last year.
Social engineering attacks are becoming more and more sophisticated and effective. It is a battle we must fight, but one we cannot win. It is extremely likely attacks of this nature will penetrate most perimeters.
Stolen Credentials
86% of initial access in 2023 was using stolen credentials (Verizon DBIR). It is one of the most common and highly effective means to gain access to the organization and is becoming harder and harder to stop with employees working remotely.
MFA is one way to help defend against stolen credentials, but it has multiple limitations as demonstrated by the high success rate of stolen credentials.
Root Passwords
All administrators have a file with credentials to the different systems they administer. It is the only way to “remember” dozens of strong passwords.
If an attacker reaches an administrator’s desktop or this file, they will be able to get anywhere the administrator can.
Password vaults have limited effectiveness in protecting these credentials for multiple reasons, including that access to the administrator desktop will compromise any system they connect to.
Overlapping Controls
With an administrator password to the server or the database, there’s only one thing that could stop this attack – database security.
Since this organization didn’t have effective database security, security personnel were unaware of the attack and didn’t stop it.
Data-centric defenses and, in particular, database defenses, can be highly effective.
In this case, the attacker stole the data and encrypted it for ransomware. That means the organization will discover it’s been breached. If the attacker chose to only steal the data, the organization would be unaware of the attack. It may only learn about it when a 3rd party discovers the data and cross-references it to conclude its origin.
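As an added example (not code from the page or its author), here is a minimal database-layer detection of the kind the section argues for: even with a valid administrator password, a sensitive-table read from an unexpected client host or far above the account’s normal row volume stands out in the database audit log. The log format, table names, host names and policy thresholds are all constructed assumptions.

```python
import re

# Constructed audit log lines (sample data, not from the page). Format assumed:
# <timestamp> <db_user> <client_host> <rows_returned> <statement>
AUDIT_LOG = """\
2024-05-01T09:02:11Z dbadmin ops-ws-07 1 SELECT name FROM customers WHERE id=4411
2024-05-01T09:05:40Z app_svc app-srv-02 25 SELECT id,name FROM customers WHERE region='EU' LIMIT 25
2024-05-01T21:47:03Z dbadmin finance-pc-19 250000 SELECT * FROM customers
2024-05-01T21:49:12Z dbadmin finance-pc-19 180000 SELECT * FROM payment_cards
2024-05-02T08:15:00Z dbadmin ops-ws-07 3 SELECT count(*) FROM customers
"""

SENSITIVE_TABLES = {"customers", "payment_cards"}
# Hypothetical per-account policy: workstations the account is expected to
# connect from, and the largest single-statement result it normally returns.
POLICY = {
    "dbadmin": {"hosts": {"ops-ws-07"}, "max_rows": 1000},
    "app_svc": {"hosts": {"app-srv-02"}, "max_rows": 5000},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.+)$")
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

def parse_line(line):
    """Parse one audit line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, host, rows, stmt = m.groups()
    tables = {t.lower() for t in TABLE_RE.findall(stmt)}
    return {"ts": ts, "user": user, "host": host, "rows": int(rows), "stmt": stmt, "tables": tables}

def find_alerts(log_text, policy=POLICY, sensitive=SENSITIVE_TABLES):
    """Return (ts, user, host, rows, reasons) for sensitive reads that break policy."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not (ev["tables"] & sensitive):
            continue  # malformed line, or no sensitive table touched
        rules = policy.get(ev["user"])
        reasons = []
        if rules is None:
            reasons.append("unknown account")
        else:
            if ev["host"] not in rules["hosts"]:
                reasons.append("unexpected client host")
            if ev["rows"] > rules["max_rows"]:
                reasons.append("bulk read")
        if reasons:
            alerts.append((ev["ts"], ev["user"], ev["host"], ev["rows"], reasons))
    return alerts
```

The two evening reads from finance-pc-19 are flagged on both host and volume, while the administrator’s routine single-row queries from the expected workstation pass silently.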
Final Thoughts
This attack uses the most common and most effective means for a data breach. It doesn’t use zero-day vulnerabilities, unique knowledge, or exceptional talent. This is a highly realistic scenario for an attack you may encounter and that will probably succeed and go undetected.
While it’s possible to further improve perimeter defenses, it’s likely effective attacks such as these will penetrate. That is the reason these types of attacks are the most common – they work.
Without effective data-centric defenses to protect the data, this type of scenario is likely to end up in a successful breach. The perimeter can be easily penetrated and only effective internal defenses on the application and database can stop these common attacks.