In Part 1 of this story, we used a bank robbery as a metaphor for a cyberattack. At the end of Part 1, the robbers had made it to the vault. In Part 2 we will consider how they break in and how they get the goods back out.
Step 4: Breaking into the Vault and Finding the Data
Getting into the vault follows the same pattern used to get to the vault. The robbers search for keys left lying around that would unlock it, they recruit an employee to let them in, or they plant a bug that will blow open the entrance. Once they get into the vault, they have to get into the safe deposit boxes that hold the data (the loot).
There are three general access methods.
They may gain low-level access to the storage holding your data and be able to read raw data blocks. If you have encrypted your data-at-rest, then they have achieved nothing as they will not be able to read the data. Otherwise, they can start looking for valuable data.
There is one exception to this last paragraph. If the bad guys get low-level access to your storage, they can encrypt it themselves and then you cannot access it. They might then make you pay for the key to decrypt your data or leave you data-less. This is a ransomware attack.
They can also gain access by tapping into your internal network. (This assumes that you already encrypt external network traffic; if you do not, there is another avenue of attack that does not require a break-in to your bank at all.) If you encrypt data in transit, then bad actors cannot read the data they capture.
If the bad guys access your data through a user ID and password with READ access to the data via a routine that decrypts the information, then they are in. Stopping this attack goes back to the discussions about protecting passwords.
Note that all of this requires constant communication in and out. Note further that it can take days, weeks or months to move around, find keys and send data out for evaluation. If you are monitoring communication, you have the opportunity to detect these communications and stop them.
Step 5: Finding the Loot
Once in and with data in hand, the bad guys still have to find the valuable data. This is like getting into the vault and having to look through every safe deposit box for goods you can sell. For every safe deposit box with jewelry, money, gold or certificates, there will be several with lockets of your great grandmother’s hair and your high school graduation tassel. So the bad guys have to search around.
Searching through a standard READ routine may expose an unusual access pattern that can be detected if you look through your database log files. Usually, a READ is part of a regular transaction that follows the same steps: READ A, READ B, READ C, WRITE A. If you see an odd pattern you can investigate.
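The following script is an added example, not code from the original article or its author. It shows the kind of pattern check described above over a few constructed database audit log lines: each session's sequence of READ and WRITE operations is compared with the expected transaction shape (READ A, READ B, READ C, WRITE A), and sessions that only read, touch tables outside the routine, or pull unusually large row counts are reported. The log format, the table names and the expected sequence are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit log (hypothetical format). Sessions s1 and s2 are
# routine transactions; s9 walks several tables read-only with large row counts.
SAMPLE_LOG = """\
2024-03-01T09:00:01 session=s1 user=app op=READ table=accounts rows=1
2024-03-01T09:00:01 session=s1 user=app op=READ table=ledger rows=3
2024-03-01T09:00:02 session=s1 user=app op=READ table=limits rows=1
2024-03-01T09:00:02 session=s1 user=app op=WRITE table=accounts rows=1
2024-03-01T09:05:10 session=s2 user=app op=READ table=accounts rows=1
2024-03-01T09:05:10 session=s2 user=app op=READ table=ledger rows=2
2024-03-01T09:05:11 session=s2 user=app op=READ table=limits rows=1
2024-03-01T09:05:11 session=s2 user=app op=WRITE table=accounts rows=1
2024-03-01T23:41:00 session=s9 user=app op=READ table=accounts rows=50000
2024-03-01T23:41:30 session=s9 user=app op=READ table=customers rows=50000
2024-03-01T23:42:00 session=s9 user=app op=READ table=ledger rows=250000
2024-03-01T23:42:30 session=s9 user=app op=READ table=cards rows=12000
2024-03-01T23:43:00 session=s9 user=app op=READ table=limits rows=50000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>READ|WRITE) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# The routine transaction shape: READ A, READ B, READ C, WRITE A (assumed).
EXPECTED = ("READ:accounts", "READ:ledger", "READ:limits", "WRITE:accounts")


def parse_log(text):
    """Group parsed log events by session id, in log order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        event = m.groupdict()
        event["rows"] = int(event["rows"])
        sessions[event["session"]].append(event)
    return sessions


def find_unusual_sessions(text, expected=EXPECTED, row_threshold=10000):
    """Return {session_id: [reasons]} for sessions that deviate from the routine."""
    expected_tables = {step.split(":")[1] for step in expected}
    findings = {}
    for sid, events in parse_log(text).items():
        shape = tuple(f"{e['op']}:{e['table']}" for e in events)
        reasons = []
        if shape != expected:
            reasons.append(f"sequence {' -> '.join(shape)} differs from routine")
        if not any(e["op"] == "WRITE" for e in events):
            reasons.append("no WRITE in session (read-only walk)")
        extra = {e["table"] for e in events} - expected_tables
        if extra:
            reasons.append(f"tables outside routine: {sorted(extra)}")
        big = [e for e in events if e["rows"] > row_threshold]
        if big:
            reasons.append(f"{len(big)} read(s) above {row_threshold} rows")
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in find_unusual_sessions(SAMPLE_LOG).items():
        print(sid)
        for r in reasons:
            print("  -", r)
```

Running this against real audit logs means replacing the regular expression and the expected sequence with your own; the value of the check is that routine application traffic is repetitive, so a session that does not fit the template stands out.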
Step 6: Getting It Out
Once the robbers find the loot, they have to bag it up and find a way to get it back out of the doors they came through. It could be that the doors are too small to handle the loot so they may have to find a new set of keys, maybe to the loading dock, so that they can exfiltrate the volumes of data. These steps to get out provide another opportunity to detect suspicious behavior and sound an alarm.
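As an added example (not from the original article), the script below applies the "loading dock" idea to outbound traffic: it builds a per-host baseline of daily egress from a few days of constructed flow records, then flags any host whose volume on the day under review jumps well above its baseline or that starts talking to a destination never seen before. The record format, the hosts, destinations and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow summaries: (day, source host, destination, bytes out).
# Hypothetical data; 203.0.113.7 is a documentation-range address.
FLOWS = [
    ("d1", "db01", "backup.internal", 5_000_000),
    ("d2", "db01", "backup.internal", 5_200_000),
    ("d3", "db01", "backup.internal", 4_900_000),
    ("d4", "db01", "backup.internal", 5_100_000),
    ("d5", "db01", "backup.internal", 5_000_000),
    ("d5", "db01", "203.0.113.7", 80_000_000),  # large transfer to a new destination
    ("d1", "web01", "cdn.example", 1_000_000),
    ("d2", "web01", "cdn.example", 1_100_000),
    ("d3", "web01", "cdn.example", 950_000),
    ("d4", "web01", "cdn.example", 1_000_000),
    ("d5", "web01", "cdn.example", 1_050_000),
]


def summarize(flows):
    """Return per-host daily byte totals and per-host daily destination sets."""
    totals = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dests = defaultdict(lambda: defaultdict(set))    # host -> day -> destinations
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        dests[host][day].add(dst)
    return totals, dests


def detect_exfil(flows, baseline_days, check_day, spike_factor=5.0, min_bytes=1_000_000):
    """Return {host: [reasons]} for hosts whose egress on check_day looks unusual."""
    totals, dests = summarize(flows)
    findings = {}
    for host in list(totals):
        base = [totals[host].get(d, 0) for d in baseline_days]
        base_median = median(base) if base else 0
        today = totals[host].get(check_day, 0)
        reasons = []
        # Volume spike: well above the host's own typical daily egress.
        if today > max(spike_factor * base_median, min_bytes):
            reasons.append(
                f"egress {today} bytes on {check_day} vs baseline median {int(base_median)}"
            )
        # Novel destination: a path out that the baseline never used.
        known = set().union(*(dests[host].get(d, set()) for d in baseline_days))
        novel = dests[host].get(check_day, set()) - known
        if novel:
            reasons.append(f"new destination(s): {sorted(novel)}")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in detect_exfil(FLOWS, ["d1", "d2", "d3", "d4"], "d5").items():
        print(host)
        for r in reasons:
            print("  -", r)
```

A per-host baseline matters more than a global threshold: a database server that normally ships a few megabytes of backups a day looks very different from a web server, and a spike is only meaningful relative to what that host usually does.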
Step 7: Covering Their Tracks
Once the cybercriminals get the loot out, their job is not done. They would like to cover their tracks so that there is no evidence of the robbery. The bad guys hide their tracks by erasing the system logs that recorded their activities.
Your job is not done either. You want to detect the theft as soon as possible to reduce the impact, so you continue to monitor your logs. Further, when you get a new technology designed to look for evidence of an attack, you should train that new capability by looking at your log history. You may find that the bad guys left six months ago. That is better than never knowing you were hacked.
You might also detect the theft by monitoring the Dark Web. Observing the Dark Web is the crime novel equivalent of watching the network of fences who might sell the loot on the black market.
The point of this story was to convey a conceptual understanding of the makeup of a cyberattack. If you are a CISO, this is remedial. If you are a CIO or CEO, hopefully, these concepts help you to understand why your CISO wants more log data, better tools to scan log data, tools to discover patterns in log data, password management tools or any of the long list of products designed to thwart cyber-bank robbers. The story may help you to understand why your CISO wants a new System and Organization Control (SOC) center.
Cybersecurity is very hard. Hacking is not so hard. Criminals can easily build servers to scan for vulnerabilities in hundreds to thousands of sites per second.
The common cybercriminal only has the tools to break into enterprises with weak defenses. The bad guys break into the small banks with the least protection. Cynical as it sounds, having good defenses sends the bad guys to your weaker compatriots.
The expert cybercriminals and the state-sponsored cyberspies look for easy marks, too. They can scan tens of thousands of sites for vulnerabilities per second. They are looking for keys to help them get into a bigger target. If you are a big target, then you have to use every possible technique to stop entry, stop communications, detect movement and thwart exfiltration.
Vigilance is a fundamental requirement.
Rob Klopp is part of the GovLoop Featured Contributor program, where we feature articles by government voices from all across the country (and world!).