Not all hacks are created equal, but many have familiar markings: Often, hacks start with a reconnaissance mission and end with stolen data, or malware that infiltrates company networks. Many cyberattacks can be broken down into seven steps or fewer, a model known as the Cyber Kill Chain.
The more your company knows about the ins and outs of a hacker’s objective, the easier it is to take cautionary measures. And while cleaning up after a hack can be complex and costly, many preventative solutions are simple. Here we break down the anatomy of breaches and hacks—and compare scenarios between (hypothetical) companies with and without security solutions in place. Plus, we shed light on major cyberattacks across industries, from healthcare to tech, proving that a cyberattack can happen to the best of us.
The anatomy of a cyberattack
When examining an attack, cybersecurity professionals often reference the seven-step Cyber Kill Chain, first introduced by Lockheed Martin Corp. Its seven steps are:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and control (C2)
- Actions on objectives
Not all attacks contain all seven steps. For example, they may not use an exploit (step 4) or malware (step 5).
A typical cyberattack scenario
Here’s a simplified example of one of the many potential scenarios in a multiphase attack that starts out with phishing. You’ll notice that it follows the general outline of the seven steps above, but not necessarily in the same order.
Infrastructure: Cybercriminals establish the infrastructure needed to carry out the attack. They may use a phishing kit that includes everything necessary for launch, from images and source code to a website. Some kits come complete with a massive set of email addresses, as well as an email template. In a targeted attack, the cybercriminals first conduct reconnaissance to probe systems for vulnerabilities, find high-value targets within the business, gather employee info from social networks, assess what tools the company uses, and so on. This enables them to zero in on the best targets when sending the phish.
Phishing emails: Impersonating a legitimate company, the attackers send phishing emails, attempting to lure the recipients into clicking on a link. The link redirects to a fake login page or a site that contains malware.
Logins: The site either captures the credentials when the user tries to authenticate or downloads malware to steal the credentials—for example, a username and password that’s stored in the web browser.
Additional payloads: With the credentials compromised, the attackers launch the next phase. This typically involves exploiting system vulnerabilities, creating backdoors, and deploying new malware payloads to escalate privileges and move laterally. Attackers continue to map the infrastructure and compromise more systems connected to the network.
Data exfiltration: If the attackers are successful in establishing a command-and-control channel to manipulate the IT systems remotely, they’ll move on to carry out their actual objective. If that objective is to steal information, they may use malware and a staging server to collect the data, then exfiltrate it off the network. At this point, the hack becomes a data breach.
A tale of two hacks
A simple security measure can keep your company protected during a cyberattack. Let’s look at this hypothetical example of cybercriminals targeting two fake companies: A Corp. and B, Inc.
Bad actors acquire a list of corporate email accounts from both companies on the dark web. After getting employee names off social media, the cybercriminals use each company’s email conventions to generate a long list of emails. Armed with a list of common passwords (e.g., qwerty, password, 123456), they launch a password spray attack—using one password at a time with each email to try to log into the targeted app or system, then waiting for 30 minutes to avoid triggering a red flag.
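The spray described above is designed to slip under per-account lockout thresholds: each account sees only one or two failures, and the 30-minute pause keeps any single burst short. The signal that survives is on the other axis: one source producing failed logins for many distinct accounts over a longer window. The following detector is an added example (not code from the original post or from any vendor); it runs over a constructed authentication log in a simplified format, and the thresholds, field names and IP addresses are assumptions chosen for illustration.

```python
"""Password-spray detection over a constructed authentication log.

A spray tries one password against many accounts, so the tell is
one source IP failing against many *distinct* accounts with only a
few attempts per account, inside a window long enough to cover the
pauses the attacker inserts between rounds.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). Format is assumed:
# <ISO timestamp> <OK|FAIL> user=<account> src=<source IP>.
# 203.0.113.7 sprays three accounts, waits 30 minutes, sprays two more,
# gets one success, then returns after another 30 minutes.
# 198.51.100.9 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2020-06-01T09:00:00 FAIL user=alice src=203.0.113.7
2020-06-01T09:00:02 FAIL user=bob src=203.0.113.7
2020-06-01T09:00:04 FAIL user=carol src=203.0.113.7
2020-06-01T09:05:00 FAIL user=alice src=198.51.100.9
2020-06-01T09:05:05 FAIL user=alice src=198.51.100.9
2020-06-01T09:05:10 FAIL user=alice src=198.51.100.9
2020-06-01T09:05:15 OK   user=alice src=198.51.100.9
2020-06-01T09:30:00 FAIL user=dave src=203.0.113.7
2020-06-01T09:30:02 FAIL user=erin src=203.0.113.7
2020-06-01T09:30:04 OK   user=frank src=203.0.113.7
2020-06-01T10:00:00 FAIL user=alice src=203.0.113.7
2020-06-01T10:00:02 FAIL user=bob src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, success, user, src) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result == "OK", user, src))
    return events


def detect_password_spray(events, window=timedelta(hours=1),
                          min_accounts=5, max_per_account=2):
    """Return {src: sorted accounts} for sources whose failures look like a spray.

    A source is flagged when, within any sliding `window` of its failed
    logins, at least `min_accounts` distinct accounts failed and no single
    account failed more than `max_per_account` times.
    """
    failures_by_src = defaultdict(list)
    for ts, ok, user, src in events:
        if not ok:
            failures_by_src[src].append((ts, user))

    alerts = {}
    for src, fails in failures_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = Counter(user for _, user in fails[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                alerts[src] = sorted(per_account)
                break
    return alerts


def successful_logins_from(events, src):
    """Accounts that authenticated successfully from `src`, in log order.

    For a flagged spraying source these are the accounts to treat as compromised.
    """
    return [user for _, ok, user, s in events if ok and s == src]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, accounts in detect_password_spray(evts).items():
        print(f"spray from {src}: {accounts}; "
              f"successes: {successful_logins_from(evts, src)}")
```

Run against the sample, the one-hour window flags 203.0.113.7 and points at the single account that succeeded from it, while 198.51.100.9 is not flagged because all of its failures land on one account. Shrinking the window to ten minutes produces no alert at all: each 30-minute-spaced round then looks like a few unrelated failures, which is exactly what the pause in the attack is meant to achieve. The defensive lesson is to count distinct accounts per source over a window longer than the attacker's pacing, not just failures per account.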
Cyberattack Scenario 1: A Corp.
After working at it for several hours, the attackers find a successful email and password combination. All they need is one.
The attackers use the compromised credentials to conduct network reconnaissance, elevate privileges, and eventually go for the win—stealing A Corp.’s customer data. By the time A Corp. discovers the data breach, the bad actors are long gone, and the company is looking at months of costly recovery.
Cyberattack Scenario 2: B, Inc.
The attackers targeting B, Inc. have exhausted their initial email list, with no success. They decide to change tactics, conducting more reconnaissance to identify high-value targets within B, Inc.
With a new list of select names, they proceed with a brute-force attack—using “dictionary” passwords or guessing passwords based on information from social media posts (e.g., favorite sports team or family pet’s name). Still, no success.
What the bad actors don’t know is that B, Inc. uses a password manager. Once a quarter, IT admins even consult their password health dashboard to see their overall company security score and work with employees who may need to update passwords that could compromise the company. And since the password manager makes it easy for employees to use strong passwords, they don’t have to resort to easily guessable ones, like the names of pets.
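The password health dashboard in the B, Inc. scenario is, at its core, a set of checks run over each stored credential: is the password on a common-password list, is it short, is it reused across sites, and does it contain something an attacker could lift from social media, such as a pet or team name. The audit below is an added example, not the code of any real password manager; the vault entries, the tiny common-password list and the "personal tokens" (the pet and team names) are all constructed for illustration, and the 12-character minimum and the scoring rule are assumptions.

```python
"""Password-health audit of the kind a password-manager dashboard reports.

Runs where plaintext is available (inside the manager, on the client);
the dashboard the admins see would show only the aggregate score and
which entries need attention, never the passwords themselves.
"""
from collections import Counter

# Constructed sample of a common-password list (real lists hold millions).
COMMON_PASSWORDS = frozenset({"qwerty", "password", "123456", "letmein", "welcome"})

# Constructed vault for one employee: (site, username, password).
VAULT = [
    ("mail.example.com", "erin", "qwerty"),              # on the common list
    ("crm.example.com", "erin", "Rex2019!"),             # pet name + year
    ("hr.example.com", "erin", "Rex2019!"),              # same password reused
    ("vpn.example.com", "erin", "x7#Lp9!vQ2mZ$e4Rt"),    # manager-generated
]

# Constructed: words an attacker could find on the employee's public profiles.
PERSONAL_TOKENS = frozenset({"rex", "tigers"})


def audit_entry(password, reuse_counts, common, personal_tokens, min_length=12):
    """Return the list of findings for one password (empty list means healthy)."""
    findings = []
    lowered = password.lower()
    if lowered in common:
        findings.append("common")
    if len(password) < min_length:
        findings.append("short")
    if reuse_counts[password] > 1:
        findings.append("reused")
    if any(token in lowered for token in personal_tokens):
        findings.append("personal")
    return findings


def audit_vault(entries, common=COMMON_PASSWORDS, personal_tokens=frozenset(), min_length=12):
    """Audit every entry; returns {(site, username): [findings]}."""
    reuse_counts = Counter(pw for _, _, pw in entries)
    return {
        (site, user): audit_entry(pw, reuse_counts, common, personal_tokens, min_length)
        for site, user, pw in entries
    }


def health_score(report):
    """Percentage of entries with no findings, rounded to a whole number."""
    if not report:
        return 100
    clean = sum(1 for findings in report.values() if not findings)
    return round(100 * clean / len(report))


if __name__ == "__main__":
    report = audit_vault(VAULT, personal_tokens=PERSONAL_TOKENS)
    for (site, user), findings in report.items():
        print(f"{user}@{site}: {findings or 'ok'}")
    print(f"health score: {health_score(report)}%")
```

On the sample vault only the generated VPN password passes; the other three entries are the ones an admin would follow up on, and the score of 25% is what the dashboard would surface. The "personal" check is deliberately crude (substring match against a short word list) because its purpose is to catch exactly the guess the B, Inc. attackers tried: a password built from a pet's name.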
Recent cyberattacks at Zoom, Nintendo & More
Currency exchange: Travelex
The London-based currency-exchange company’s online operations were crippled for several weeks in January 2020 after a ransomware attack. The attackers demanded a ransom of several million dollars and threatened to publish exfiltrated customer data if Travelex didn’t pay. The losses from the double extortion contributed to a financial crisis at the company, and Travelex entered into administration—the U.K.’s equivalent to bankruptcy—later in the year.
Healthcare: Universal Health Services
Universal Health Services (UHS), which serves 3.5 million patients at 400 U.S. and U.K. locations, suffered an estimated loss of $67 million in a ransomware attack in September 2020. Many UHS hospitals around the U.S. had to redirect patients elsewhere for treatment and cancel appointments. Staff also had to revert to all-paper methods. Restoration of the IT systems took close to a month.
Video conferencing: Zoom
A cybersecurity company discovered half a million Zoom accounts for sale on the dark web in April 2020, available at a bulk price of $0.002 per account. The compromised data included email addresses, passwords, and personal meeting URLs and host keys. Zoom itself wasn’t breached—the exposed accounts appeared to be a case of credential stuffing, with attackers using previously stolen credentials in a large-scale, automated attempt to gain access to Zoom accounts.
Public sector: Veterans Administration
The U.S. Veterans Administration (VA) suffered a data breach that exposed the sensitive data of 46,000 military veterans in September 2020. The attackers targeted a third-party vendor—a payment-processing system provider—with the goal of stealing money that VA sent to healthcare providers. The attackers used social engineering to compromise access authentication protocols.
Travel and hospitality: Marriott International
In March 2020, the global hotel company notified more than 5 million guests that their personal information was exposed due to a vulnerability in the company’s app. An unauthorized party accessed the data from mid-January through the end of February by using two employees’ login credentials, and the company disabled both accounts upon discovery of the incident.
Gaming: Nintendo
The Japanese gaming giant suffered a data breach that exposed the accounts of 300,000 customers in spring 2020. The cybercriminals then took over numerous accounts, and gamers reported financial losses. Exposed data included names, birth dates, emails, and countries of residence. Some security researchers believe the attackers used credential stuffing and compromised credentials from previous data breaches.
Information technology: SolarWinds
An unprecedented-scale attack on U.S. IT company SolarWinds, reported in December 2020, put numerous high-profile companies, government agencies, and other organizations at risk of hacking and data breaches. The attackers gained access to the SolarWinds software and added malicious code, which was then sent to customers during routine software updates. The hack wasn’t discovered for months. Reports later identified a weak password (solarwinds123) created by an intern as the catalyst for the attack.
Don’t wait for a cyberattack. Take action now.
Download our free ebook, A Business Guide to Data Breaches and Hacks, to get a 360° perspective that includes causes, consequences, and prevention techniques.