What does a breach look like?

Understand what a real hacking attack looks like to the attacker and defenders

The IT security world is rocked by news of breach after breach, including the shocking disclosure of the SolarWinds attack. Data is stolen, deleted or corrupted and… well you know. It’s a total mess. Journalists focus on basic outcomes, while technical blogs look at esoteric technical details. We’ve explained, in laymen’s terms, what a breach looks like from an attacker’s point of view. And from the position of the defenders.

Movies vs. reality

In the public imagination an attacker will work to break into a system, tirelessly or casually. The end result will be a successful ‘hack’. This will likely look like some green text (flashing is optional) on a black background saying “ACCESS GRANTED” or similar.

At that stage the game is up and New York’s traffic lights, bank vaults and half the oil tankers in the world will be under the evil genius’ control. If the defenders are lucky a ‘firewall’ will detect the attempt. A red flashing light will then announce a “BREACH” or “INTRUSION”. Remediating this usually requires some rapid typing on one or more keyboards, or pulling some plugs (sparks are optional).

This is not what a breach looks like.

In reality, that initial access of a system is the beginning of an attacker’s journey. It is just one of many opportunities for defenders to detect and repel the breach. In fact, a ‘breach’ is a successful attack that achieves an attacker’s goals of data theft or destruction. Gaining access, if only impotently, might not count, even though it’s not ideal…

What a breach looks like through an attacker’s eyes

Before we explore what a breach looks like to a defender, let’s briefly take a look from the attacker’s side. The first stages of a breach are likely to be an unauthorised login using credentials like usernames and passwords, or a more technical attack using exploits that provide the attacker with a level of access. Attackers like to use known, stolen credentials because doing so is less likely to trigger alerts from intrusion detection measures.

After the very initial stages of the breach an attacker will then interact with the compromised target either manually or using automated tools. This interaction may include installing malware, running commands built into the compromised system (such as PowerShell) or using the system as a hop-off point to log into other systems. Running malware creates a higher risk of detection, but there are many ways to evade detection.

Usernames and passwords FTW

Credentials are generally valuable so, unless the attacker is being very focussed and already has access to what they need, it is likely that they will harvest usernames and passwords from one or more systems on the network. This activity will often involve running tools to either extract the passwords directly or enough information to allow offline cracking.

At this stage the attacker can take steps to ensure they retain access to the network; steal files immediately; install software that continues to steal information; damage data; and misconfigure systems on the network, such as production machinery or other security systems like firewalls. They might also hide malware on systems, ready for use later.

What the defence sees

Endpoint Detection and Response products vary in their design, but their general purpose is to track incoming threats and to allow defence teams to fix issues as and when they occur. The act of looking through logs and other data to find successful attacks is called ‘threat hunting’. This gives one view on what a breach looks like.

Detect it? Fix it!

Ideally this would be an easy task, with only the most important details and clear calls to action being available to busy IT staff. The truth is far from this and security companies are racing to produce good ways to triage cyber attacks. Threat hunters may start their work with an EDR dashboard but usually have to use additional detective work to get enough information together to execute an effective mitigation.

For now, threat hunters generally have access to a dashboard that gives an overview of incidents on the network. The dashboard will often list each suspicious activity individually. Sometimes one attack can generate multiple detections of the same or similar action. For example, installing ransomware should be one line in a list of detections, but in reality it can be detected multiple times.

EDR products can differ in a number of ways. They might be more or less capable of detecting threats. They might present that information in more or less useful ways. And they might provide varying levels of useful actions, possibly including the ability to ‘freeze’ affected systems, placing them into a sort of virtual quarantine. A good EDR solution makes detecting and remediating a breach easy. A poor one will not provide enough information, or be misleading.

So many alerts…

There is also the issue of ‘alert fatigue’, where multiple alerts represent a single attack. Administrators of the dashboard struggle to collate all of the alerts for one attack, while trying to ensure that they don’t miss anything else important that can hide in plain sight in the general noise generated by the detection tools. Sometimes what looks like an alert is just a record of valid system behaviour. And sometimes an EDR dash will get things completely wrong.

Conclusion

Ultimately a breach is a misuse of a computer system and its data. Spotting this misuse is easier when the attacker is using known malware than when they use stolen login details and legitimate commands to control the system. Alerts can be focussed or too wide-ranging. But they are rarely as simple as a red flashing light and a siren.

If you want to know more about how different security products handle breaches check out our public breach response reports.