Ruslan Rakhmetov, Security Vision
In recent years, the media and the Internet have been increasingly filled with news about various cyber attacks: DDoS, data breaches, theft of confidential information, and cyber sabotage. The information in such news reports is often incomplete and vague; links to primary sources are either absent, or lead to detailed technical incident investigation reports that are hard for a general reader to follow. In some cases, what is published under the guise of ‘leaks’ is in fact a large data set collected by ‘scraping’ publicly accessible websites, including social media, i.e. by downloading and analysing large amounts of information from multiple web pages, which may include personal data or sensitive information. Although web administrators often set access rights to web pages incorrectly and misconfigure the robots.txt file (which instructs search engine bots which web pages to index), information collected in this way cannot be considered hacking or a leak in the conventional sense. There are also opposite cases, when a company that allowed its infrastructure to be compromised by hackers denies media reports about the incident in order to avoid fines and reputational consequences, claiming that the source of the leak is completely different or that the published data was obtained from publicly available sources. In this article, we will try to understand what hacks are in the context of cybersecurity, how they occur and how to protect against them.
So, to begin with, we need to understand some of the terms that are used when discussing cyber hacks:
1. In English-language literature, the term ‘data breach’ is often used to refer to any cyber incident in which an unauthorised person gained access to information, resulting in a breach of its confidentiality. Thus, ‘data breach’ covers not only data leakage, but any breach of data security, including unauthorised or unsanctioned access to data (i.e. access to data in violation of established IS rules and policies). Such unauthorised access may result not only from a targeted hacker attack (e.g. attackers steal personal data of a company's customers and make it publicly available), but also from a series of accidental events that make it impossible to control access to information (e.g. loss of an employee's hard copy personnel file or theft of a smartphone containing corporate information). Conversely, a DDoS attack or equipment failure would not constitute unauthorised access to data, as these types of incidents result in a breach of data availability or integrity, not confidentiality. Note, however, that a ransomware virus that encrypts information on a company's network drives for ransom but does not steal it should still be treated as unauthorised access to data, since it is physically impossible to encrypt the information without reading it.
2. The concept of information security threat (cyberthreat) is also frequently used, which is a set of conditions and factors that create a risk of breach of information security (its integrity, confidentiality, availability) and are a potential cause of a cyber incident.
3. A cyber incident (IS incident) is a sequence of events, including accidental events, which may lead or have already led to a successful cyberattack, disruption of an information asset, or damage to the company's interests.
4. Hacking is usually understood as a cyberattack, i.e. a targeted malicious impact on an information asset (data, IT systems, information processing processes) to realise a cyber threat.
5. Thus, the terms ‘cyberattack’ and ‘cyber incident’ should be distinguished: a cyberattack is a targeted malicious impact (e.g. a hacker attack, DDoS or data theft by an insider), while a cyber incident is a broader concept that, in addition to cyberattacks, includes the consequences of unintentional or accidental actions and events, e.g. when a system administrator accidentally deletes a database, when a data centre fire causes equipment to fail, or when an SMM manager accidentally publishes details of a yet-to-be-released product on a corporate social media page.
Of course, hacks would not be possible without the source of this malicious activity - the intruders causing the cyberattacks. Intruders can be external or internal: external intruders do not have legitimate access to protected information, while internal intruders (insiders) are company employees and persons legally connected to the company who have legitimate access to protected data. Examples of external intruders include casual website visitors, competitors, hackers (of varying degrees of professionalism), hacktivists, and cyber warriors. Examples of internal intruders: employees, administrators, managers, outsourcers, contractors, suppliers, customers of the company.
Both external and internal attackers are distinguished by their methods and motives and the level of capabilities to implement cyberattacks: physical or logical (including network) access, access with user or administrative rights, level of preparedness (knowledge and skills of attackers), resource support (financial, technical, personnel capabilities to implement a cyberattack). At the same time, insiders have knowledge of the company's operations and places where important information is stored, and can gain authorised access to it, including with administrative rights. Insiders can be divided into negligent (their unintentional actions may cause a cyber incident), sabotaging (may disrupt the company's work due to their disloyalty or in retaliation), resigning (may copy their work files for use in a new location), and targeted (may be recruited by attackers or infiltrated by competitors for business intelligence).
To carry out cyber intrusions, the perpetrators described above (the sources of cyber threats) try to find and exploit vulnerabilities, i.e. weaknesses, errors or flaws in the configuration of defences, information systems and business processes. Software vulnerabilities can be discovered as a result of purposeful searching by IS researchers or hackers, who also actively use illegal exploit marketplaces (an exploit being code that takes advantage of a new vulnerability). Vulnerabilities are characterised by their degree of danger, which combines the ease of exploiting the vulnerability and its impact on the confidentiality, integrity and availability of the protected asset. Once a vulnerability has been discovered, attackers must find a way to exploit it: they can use various methods to deliver and launch exploits (e.g. email phishing or attacking an internet-accessible web server), or exploit identified gaps and errors in a company's technical and organisational processes (e.g. failure to properly vet candidates before hiring them, allowing attackers to introduce an insider). Attackers' methods can be classified by the tactics, techniques and procedures they use (abbreviated as TTPs), a non-exhaustive list of which can be found on the website of the MITRE ATT&CK project.
Modern complex cyberattacks are carried out after thorough preparation and can be roughly divided into the following stages: reconnaissance; selection, creation or acquisition of tools (viruses, hacker utilities, infrastructure) for the attack; initial access (penetration into the infrastructure); execution of the chosen TTPs; establishing persistence in the attacked infrastructure; privilege escalation; concealment of malicious actions from defence solutions and IS specialists; access to credentials (logins, passwords); in-depth analysis of the attacked infrastructure; and lateral movement through the infrastructure.
Having understood what cyber hacks are and how they occur, let us look at some types of sophisticated cyberattacks typical of modern times:
1. Ransomware (encryption virus) attacks have become a huge problem for many companies around the world. The first widespread ransomware viruses 15-20 years ago merely blocked PCs (e.g., by disrupting the normal OS startup process); their creators then moved to encrypting data and demanding a ransom for decryption, but companies countered these threats effectively by using backups and by detecting mass file encryption (modification) operations on network drives, which allowed them to stop the attack in time. Next, attackers moved on to the tactic of first stealing confidential information and personal data and then encrypting or disabling the infrastructure. This made it difficult to investigate and recover from a cyberattack, and the attackers demanded a ransom not only for decryption, but also for non-disclosure of the stolen information. Then hackers went even further and switched to a triple extortion tactic: the stolen data was analysed and its owners (e.g. registered users of the compromised website or clients of the attacked law firm) were themselves presented with a ransom demand for its non-disclosure. This type of cyberattack has become a big problem in Western countries, where companies face both high fines for personal data breaches and a recent legislative ban on ransom payments to extortionists. In addition, recent investigations into cybercrime extortion groups have shown that, contrary to their promises, once ransoms are paid they do not delete the information stolen from victims and may use it in further attacks.
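The detection mentioned above, spotting a burst of file modifications on a network share before the whole share is encrypted, as an added example that is not from the article or from Security Vision's products. The audit-log line format, the thresholds and the sample lines are constructed assumptions for the example:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-server audit lines (not from the article):
# "<ISO timestamp> <user> <WRITE|RENAME> <path>[ -> <new path>]"
SAMPLE_LOG = """\
2024-03-01T10:00:00 alice WRITE /share/finance/budget.xlsx
2024-03-01T10:20:00 alice WRITE /share/finance/forecast.xlsx
2024-03-01T10:30:00 bob WRITE /share/hr/readme.txt
2024-03-01T11:00:00 bob RENAME /share/hr/contracts.docx -> /share/hr/contracts.docx.locked
2024-03-01T11:00:02 bob RENAME /share/hr/payroll.xlsx -> /share/hr/payroll.xlsx.locked
2024-03-01T11:00:04 bob RENAME /share/hr/policy.pdf -> /share/hr/policy.pdf.locked
2024-03-01T11:00:06 bob RENAME /share/hr/offer.docx -> /share/hr/offer.docx.locked
2024-03-01T11:00:08 bob RENAME /share/hr/notes.txt -> /share/hr/notes.txt.locked
"""

# Thresholds are assumptions for the example; tune them to the share's normal baseline.
WINDOW = timedelta(seconds=60)  # sliding window per user
MAX_FILES = 5                   # distinct files modified within the window before alerting
LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|RENAME) (\S+)(?: -> (\S+))?$")

def parse_line(line):
    """Parse one audit line into (ts, user, action, src, dst); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, src, dst = m.groups()
    return datetime.fromisoformat(ts), user, action, src, dst

def detect_mass_modification(log_text):
    """Return one alert per user: (user, burst start, distinct files, extension changes)."""
    events = defaultdict(deque)  # user -> recent (ts, path, changed_extension) events
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, action, src, dst = ev
        # A rename that changes the extension (e.g. ".docx" -> ".locked") is a classic ransomware trace
        ext_changed = action == "RENAME" and dst is not None \
            and src.rsplit(".", 1)[-1] != dst.rsplit(".", 1)[-1]
        q = events[user]
        q.append((ts, src, ext_changed))
        while q and ts - q[0][0] > WINDOW:  # drop events that fell out of the window
            q.popleft()
        touched = {p for _, p, _ in q}
        if len(touched) >= MAX_FILES and user not in alerted:
            alerts.append((user, q[0][0], len(touched), sum(1 for _, _, e in q if e)))
            alerted.add(user)
    return alerts
```

In the constructed sample, alice's two writes spread over 20 minutes never reach the threshold, while bob's five renames within eight seconds raise a single alert whose extension-change count shows they all produced a new suffix.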
2. Supply chain attacks are a difficult threat to detect and are particularly dangerous in Open Source solutions, which are characterised by multiple cross-dependencies and transitive dependencies between software components and modules. For example, a service utility developed by a single independent enthusiast can be used in fairly large Open Source products with multiple installations in corporate infrastructures. If its author makes unauthorised changes to the utility's source code that carry destructive functionality, these malicious changes will spread across multiple infrastructures as soon as the packages that depend on the utility are updated. If such a utility is developed by a team of independent developers, the attackers only need to compromise the account of one programmer with the rights to change the source code. In addition, attackers can offer the utility's authors their help, ostensibly to improve the programme, and once they have gained trust, commit changes with hidden malicious functionality. However, even the use of proprietary commercial software does not insure against supply chain attacks, as the software company's infrastructure can be compromised and malware injected into distributions or updates.
3. Attacks through trusted relationships with suppliers, contractors and partners are also quite difficult to detect, especially given the possible nuances of interaction between counterparties. In such attacks, attackers hack into small, poorly protected companies that interact with a wide range of large customers or partners, which are not only more interesting to hackers but also better protected from hacking. For example, instead of hacking a notional Apple company, hackers may try to attack one of its many suppliers (e.g., the Russian Monocrystal plant that supplies raw materials for iPhone displays and glass for the Apple Watch) that maintains an electronic document flow with the target company or uses customised remote connections to its infrastructure; these communication channels make it much easier for attackers to get to the ‘big fish’ they are interested in.
Finally, we should also discuss methods of defending and countering cyber intrusions. Of course, it would take hundreds of pages to describe all possible preventive, policy, proactive and compensatory measures, but let's try to focus on the most effective ones: according to the Pareto principle (the so-called ‘80/20 rule’), only 20 per cent of efforts produce 80 per cent of results.
1. Formation of a clear, mature, controlled cybersecurity management system, in accordance with which all IS processes, organisational and technical protection measures, and ways to prevent and respond to cyber incidents are built;
2. Availability of a vulnerability management procedure (OS, software and security software updates);
3. Availability of a backup procedure;
4. Use of multi-factor authentication;
5. Compliance with vendors' recommendations on the secure configuration of OS, software and protection systems;
6. Conducting employee training on cyber hygiene rules and the company's cyber security principles;
7. Developing ways to identify attacks that use social engineering methods.