Exfiltration and access
The average dwell time — the amount of time where an attack goes undetected — is between three and nine months. Historically, the longer the dwell time, the more negatively impacted the target becomes, often due to the number of systems impacted and the amount of data exfiltration. For more sophisticated compromises, typically involving nation-states, the threat actor can often be in the environment for a year. The following types of data and access are vulnerable:
- Credit card information (payment card industry-regulated data)
- Consumer and customer information (personally identifiable information or PII)
- Employee information (including PHI and PII)
- User credentials and domain controller access
- Business email access
- Automated clearinghouse and wire fraud
- Intellectual property
Third-party hop
Threat actors typically find the weakest link with third-party vendors, contractors, and connections.
- Threat actors use third-party relationships to attack by leveraging the vulnerabilities of their technology or engineering to gain access to other organizations
- Another common exploit path is the use of shared local or domain administrator credentials across domain-joined devices and, in many cases within the same organization, nondomain devices
Impersonation
From phishing and business email hijacking to stolen credentials and social engineering, impersonation is a classic way to gain access, get information, or have someone take action on behalf of the threat actor.
Weaponized IPS
While not as common in the headlines, denial of service and distributed denial of service continue to be major issues for many businesses, especially those where online availability ties directly to revenue such as gaming, entertainment, and hospitality services. Compromise of a large number of systems is needed and often executed with significant dwell time before system owners, individuals, or businesses become aware.
Ransomware
Ransomware attacks make up 46.4% of the total number of data breach threats reported by healthcare organizations.1 Unlike other compromises, a ransomware compromise may require a direct cost if the ransom is paid plus the cost for incremental cleanup, follow-up, and regulatory fines. Unlike other breaches, ransomware carries the heavy business decision burden of whether to pay or not pay.
Medical devices and applications
Advances in medical devices play an important role in modern healthcare. Globally, 60% of healthcare providers use Internet of Things (IoT) devices in their facilities. These IoT devices have operating systems that connect to the internet and are vulnerable to compromise. These high-risk vulnerabilities could allow attackers to perform malicious activities such as stealing PHI, causing devices to malfunction, and accessing a facility’s network. Research shows that IoT incidents could account for 25% of all healthcare cyberattacks.1
Ownership of your domain controller
The sensitivity and totality of the domain controller is not novel regarding breach or systemic exploitation. In fact, gaining domain administrator or enterprise administrator privileges is often the proverbial crown jewel of the most basic penetration test. Once a threat actor gains credentials with expansive local administrator privileges, the actor can run through a number of exploits that allow data exfiltration, extended reconnaissance, and outright theft in addition to executing a ransomware payload.
In almost all enterprise, big-impact, large-scale breaches, a compromised domain controller practically guarantees success. In fact, the actor can also weaken or entirely disable other controls with domain administrator privileges, which makes a defense-in-depth strategy so critical. If your organization places sole reliance on, for instance, an endpoint detection and response (EDR) platform to prevent a ransomware payload and the actor has gained access to the domain controller, you may be severely disappointed with the result.
A defense-in-depth strategy contemplates ample prevention with dynamic detection controls to provide the most favorable outcomes. A key component of the preventive strategy should address technical and process controls related to your domain controller.
There are many ways for a breach to occur. We’ve covered the nature of a broad ransomware infection distributed across the enterprise, but systems can be affected in much smaller numbers with stolen credentials, through email, via unpatched systems, using open ports, and more. In this case, the outcome is usually limited to a single or few systems. The impact of an event like this is relative.