It’s important to understand how criminals gain access to systems in order to better manage your organization’s network data loss prevention. While the playbook for network penetrations varies from attacker to attacker, there are some consistent patterns that emerge from each enterprise-level incident. Network penetrations can be broken down into three steps, each with distinct signatures.
1. On-Ramp to the Network. Attackers have to get a foothold in the network, and this is most often done by social engineering targets to download malware or submit credentials to a phishing site. Additional on-ramps include watering holes, compromised logins, third-party hacks, and exploiting vulnerable third-party apps, particularly content management systems.
2. Navigating the Network. Once inside, attackers use internal documentation to further their attack, pivoting from one corporate user to the next via successive compromises until they reach the documents and databases they are after.
3. Exfiltration. Data exits the system in surprisingly simple fashion. Sometimes it is hidden in ordinary traffic, but more often than not it is zipped or encrypted and moved off the network to a drop site before detection systems can raise an alert and the loss can be stopped.
Human Error in Network Data Loss Prevention
Nearly all network attacks involve the following failures, oversights, or policy breakdowns:
- Human error is almost always involved. Whether attackers enter through the front door or move laterally through the network, the attackers need employees to take some sort of action, whether it is entering credentials into a phishing site or opening a malicious attachment.
- Employees use corporate email addresses to register for third-party sites that are later breached and, even worse, reuse the same passwords.
- Lack of two-factor authentication for access to VPNs, databases, and file shares contributes to many of the breaches and magnifies the password reuse problem.
- WordPress plugins are exploited to obtain credentials, gain access to servers, or create phishing pages. In general, servers running CMS applications are hackers’ on-ramp of choice.
- Once inside the network, reconnaissance is performed through corporate directories, wikis, and share sites. Attackers find targets with the desired access and move laterally using malware or phishing sites sent from internal email.
- Network traffic monitors fail or are evaded during exfiltration.
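The exfiltration step above (archived or encrypted data pushed to an external drop site) and the last bullet (egress monitoring that fails or is evaded) suggest what a minimal egress check has to look for. The following is an added example, not code from the original article: it scans constructed proxy log lines for internal hosts uploading archive-type payloads to unsanctioned external hosts, or exceeding an outbound byte budget. The log format, address ranges, allowlist, and thresholds are all assumptions for the illustration.

```python
# Added example: simple egress monitor over constructed proxy log lines.
# Flags internal hosts that upload archive/encrypted payloads to external
# destinations that are not on the allowlist, or that exceed an outbound
# byte budget. All ranges, hosts and thresholds below are assumptions.
from collections import defaultdict

INTERNAL_NETS = ("10.", "192.168.")            # constructed: corporate ranges
ARCHIVE_TYPES = {"application/zip", "application/x-7z-compressed",
                 "application/x-rar-compressed", "application/octet-stream"}
ALLOWED_HOSTS = {"backup.example.com"}          # constructed: sanctioned upload targets
BYTES_BUDGET = 50 * 1024 * 1024                 # 50 MiB outbound per host per window

# Constructed sample lines: timestamp src_ip dst_host method bytes_out content_type
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.1.2.3 backup.example.com PUT 80000000 application/zip
2024-05-01T10:05:17 10.1.2.7 unknown-host.invalid POST 52428800 application/zip
2024-05-01T10:06:40 10.1.2.7 unknown-host.invalid POST 4096 application/octet-stream
2024-05-01T10:07:02 10.1.2.9 www.example.org GET 512 text/html
2024-05-01T10:09:55 10.1.2.11 files.partner.invalid POST 30000000 text/csv
2024-05-01T10:12:30 10.1.2.11 files.partner.invalid POST 30000000 text/csv
"""


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the (constructed) corporate ranges."""
    return ip.startswith(INTERNAL_NETS)


def detect_exfil(log_text: str):
    """Return a sorted list of (src_ip, reason) alerts derived from the log text."""
    out_bytes = defaultdict(int)   # running outbound total per internal host
    alerts = set()                 # set so a repeated condition alerts only once
    for line in log_text.splitlines():
        _ts, src, dst, method, nbytes, ctype = line.split()
        # Only outbound writes from internal hosts to unsanctioned hosts matter.
        if not is_internal(src) or dst in ALLOWED_HOSTS or method not in ("POST", "PUT"):
            continue
        if ctype in ARCHIVE_TYPES:
            alerts.add((src, f"archive upload to {dst}"))
        out_bytes[src] += int(nbytes)
        if out_bytes[src] >= BYTES_BUDGET:
            alerts.add((src, "outbound volume over budget"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, reason in detect_exfil(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

The sanctioned backup host and the plain GET traffic produce nothing; the two hosts pushing archives or large volumes to unlisted destinations are the ones that surface.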
This article was excerpted from “Basic Training in Network Security.” Read the full article to learn best practices in data loss prevention and discover which components of a corporate network are most vulnerable.