Illusive Blog November 30, 2015

How Do Data Breaches Happen? | The Full Anatomy In 6 Steps

By The Illusive Networks team


Cyber criminals do plenty of research on your company, so isn’t it time you return the favor, and find out what makes them tick before a data breach occurs?

In an ancient Chinese text, Sun Tzu wrote, “If you know yourself and not the enemy, for every victory gained you will also suffer a defeat.”

In the world of cyber security, a single defeat can be extremely costly. Before you create a plan, it’s vital to learn about the anatomy of a data breach – and understand who your attackers are.

In a standard data breach, the type that occurs between 80 and 90 million times per year, there are roughly six essential steps, each of which is outlined below. It’s time for a quick anatomy lesson to strengthen your cyber security program:

Step 1: Active/Passive External Reconnaissance

You’re trying to learn about cyber criminals – and they’re trying to learn about you. There are a number of tools they use to learn about your network before ever launching a threat.

During a passive recon exercise, cyber criminals use tools such as Netcraft to learn about a site’s web server, its IP addresses and, most importantly, the date it was last changed – crucial information that the criminal relies on once an attack is underway.

Active recon is riskier, because it requires a direct connection between the attacker and the target. However, tools like Nmap let attackers enumerate your site’s open ports and fingerprint the specific details of your operating system. The more information attackers can gather, the quicker they can infiltrate your network.

Step 2: Social Engineering and Phishing — Gaining Access

Research shows that 52% of cyber attacks occur because of human error. Remember what Elliot from Mr. Robot said? “I never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign screwed into their heads.”

Cyber criminals exploit these weaknesses using social engineering to trick people into breaking standard security protocols. One common social engineering attack is phishing.

In a phishing scheme, cyber criminals set up legitimate-looking emails or websites that trick users into clicking on malicious links. These links can trigger automatic downloads that deliver malware, creating a door for attackers to walk through when infiltrating your network.

Step 3: Internal Reconnaissance—Always Learning More

When attackers have gained access to a user’s workspace, they immediately start studying the surrounding environment. The most valuable data isn’t usually on a user endpoint—attackers must dig deeper to find what they’re looking for.

Step 4: Moving Laterally — Getting Closer to the Goal

This step is repeated until the criminal reaches his/her end-goal. After studying surrounding workstations, attackers move laterally throughout the network.

Lateral movement requires attackers to compromise more user domains and escalate privileges as the target server comes into view. Administrator privileges aren’t necessary; lateral movement can get attackers where they need to be without total control.

Step 5: Hitting the Jackpot

Lateral movement continues until attackers reach the server with sensitive data they’ve been searching for – health records, credit card information, employee data, product designs, marketing plans or anything else attackers see as valuable.

Many companies leave their core servers less protected, believing that their perimeter measures will keep criminals out; don’t make this mistake.

Step 6: Exfiltration — Getting Out Alive

This is where attackers resemble Indiana Jones in the opening scene of Raiders of the Lost Ark – outrunning a number of booby traps after taking the idol. They’ve reached their goal and suddenly they’re on a time clock (one that’s getting shorter now as the white hats get smarter).

The longer they spend in the network, the greater the risk of detection. They must copy the sensitive data and send it off to an external command and control server as quickly and as unobtrusively as possible.

Preventing the Next Data Breach: Get Out Ahead of Your Enemy

Even though security professionals understand these steps on a theoretical level, cyber criminals still find a way to get through. If you want to defeat the enemy, you need to understand their attack vectors.

By implementing deception technology and understanding the steps leading up to a data breach, you can be proactive in your cyber security measures. Keep an eye on your attackers and stop them in their tracks before they can get out of your network.