Editor's Note: This is Part 1 in a series covering tactics and techniques used by a threat actor. Check out Part 2 for a walk through "The Attacker's Playbook: Phishing" by Jeremy Johnson, Director of Offensive Security.
Our press and industry overuse the word “breach,” and it causes confusion. Not all security breaches are alike.
I remember the day I sat in front of a regulator and tried to explain the difference between a customer account take-over and a DDoS attack. It was like trying to explain the difference between a knife and a faucet. I nearly gave up.
The things we label as a “breach” can have remarkably different impacts. Some are annoying, some impact services, and others mean important data was stolen.
Our overuse of the word “breach” does us all a disservice. For those who aren’t information security specialists, I will mine into the mountain of things we call “breaches” here.
3 Crucial Components of InfoSec
Let’s first step back and talk about what matters. The triad of Confidentiality, Integrity, and Availability (CIA Triad) summarizes three crucial components of security:
- Confidentiality means that information is accessible only to people that are authorized to see it
- Integrity means that information remains as correct and consistent as when it was recorded
- Availability means that there is reliable access to the information
If C, I, or A is significantly compromised, you’ll likely see some press about a breach. Here are some things we often call “breaches”.
Theft of Data
Using a variety of techniques, nefarious actors steal protected data. This “breach of confidentiality” is what most of us think of when we hear the word “breach.” The stolen data may be useful in identity theft and future financial fraud: social security number, date of birth, name, driver’s license, or account numbers.
Personal data could also include medical records, which can be useful in medical and insurance fraud or advanced social engineering. On the other hand, the stolen data could be corporate secrets—detailed intellectual property, the plans to a stealth fighter, or the next episodes of your favorite television series. Stolen data could also include confidential, personal pictures which can be used for blackmail or ransom demands.
A future post by our Director of Offensive Security will cover some of the “Tactics, Techniques, and Procedures” that hackers use to steal data.
On a smaller scale, individual account takeovers are a “breach of confidentiality” that may be facilitated by widespread malware such as keylogging or successful phishing campaigns. Essentially, the nefarious actor compromises individual accounts by stealing individual account usernames and passwords.
The credentials could be for an individual financial account, such that the bad actor is able to steal assets and money. The account could be a high-visibility politician’s email account, allowing the release of embarrassing information or the theft of classified information. In some cases, an account takeover leads to more widespread data theft: if an administrator’s account is compromised, that can be the start of much worse things.
Multi-factor authentication is a key way to reduce the risk of account takeovers.
We often call ransomware infections “breaches,” and they are essentially a disruption of availability. Ransomware is bad software (see "What is Ransomware and how do I prevent it?") that sneaks into a computer through an email attachment, document macros, or other means. The software encrypts data that the computer can see, and charges a ransom if the user wants the password to decrypt their own data—hence the name. Sometimes the password works, and sometimes it doesn’t.
Good backups are an essential “must-have” to protect yourself from ransomware, as well as a host of other potentially ugly situations.
Some malware, or bad software, simply seeks to disrupt operations, purposely causing a “breach of availability.” This could be an old-school virus that corrupts data, makes a computer unusable, or presents an endless stream of unsightly images while blasting something you don’t want your office-mates to hear. It could disrupt the basic operations of shipping companies or voice dictation solutions. It could be a more sophisticated piece of software that spins centrifuges so fast they break apart. It could shut down electrical grids. This malware is a superset that includes ransomware, as ransomware has the effect of disrupting operations.
With some generic malware, the impact is broad and untargeted. In other cases, the impact is the result of targeted injection by nefarious actors or nation states—although even in targeted cases, the malware can “get into the wild” and affect a broader set of parties.
Availability outages may be caused by “Denial of Service” (DoS) attacks. This is a situation in which some—and often a large number of—compromised devices “attack” an organization by sending an immense number of network requests. The DoS saturates the network and overwhelms the devices that try to respond to the requests. The result is that an organization or a website will be unavailable until the DoS subsides, or until the organization finds a way to redirect or filter out the DoS traffic.
In some cases, a DoS may be used as a distraction while some other breach is attempted, but generally, a DoS attack does not involve theft of data.
We don’t usually call “disinformation” a breach, but this article would be incomplete without discussing the power of big-data-powered digitally-accelerated propaganda that can be used to influence individual opinion and impact public stability, policy, politics, and elections. Disinformation could be considered a “breach of integrity,” as it can lead people to rely on falsified information.
Cyber Espionage and Warfare
The line between the “breaches” above and actual cyber warfare isn’t clear. Suffice it to say, nation states can, and do, facilitate all of the “breaches” described above, with the goal of spying on or attacking other nations. Similarly, cyber terrorism attacks people and nations with the goal of disrupting life and inciting terror.
Clearly, breaches can be very different in nature, with quite different consequences. While all of the consequences can be extremely negative, it’s time we quit reacting to the generic word “breach” and focus on what really happened, and what impacts occurred.
Tell me more…
If you’re interested in technical detail on the Tactics, Techniques, and Procedures that lead to breaches, as well as insights into the motivations behind bad actors, keep an eye out for our follow-on piece by our own Director of Offensive Security Services.