Lifecycle of a Hack: The 5 Stages of a Data Breach

If your organization discovers a data breach, it’s likely been weeks or months since the initial attack, according to a 2019 Verizon report.

Data breach prevention is the ideal solution. But when prevention fails, discovering a breach as early as possible makes a big difference in your ability to mitigate the fallout.

Social networks, the dark web, and unindexed sites like Pastebin contain a plethora of public data that can reveal the first signs of a breach. Data discovery tools that aggregate and search these sources for breach identifiers are valuable assets to cybersecurity and response teams.

What does this data access look like in the context of a breach? Here’s how a data breach happens in five steps, and how data from these sources helps organizations learn how to prevent a data breach or contain it at each stage.

1. The Attacker Discovers a Vulnerability

An attacker’s first step is to find the best point of entry for their target. This can be achieved by discovering vulnerabilities in the target’s code or security systems (e.g. Equifax data breach, Capital One breach). Or, attackers can attempt “hard-hacking” their way in with a brute force method.

However, the most common vulnerability attackers exploit is human error. For example:

  • Sending phishing emails to personnel under the guise of a trusted entity. These often ask the recipient to provide login credentials, make financial transactions, or click links that lead to a malware download.
  • Practising social engineering over the phone to gather information, such as login credentials, that helps the attacker gain system access.
  • Finding public information about a target that gives the attacker account access. For example, if an employee publicly posts about their family or pets on social media, attackers could leverage that information to guess passwords or security questions.

A successful attack with these methods relies heavily on sounding legitimate, so the first step is often research.

Who’s in charge at this organization? Is there an assistant who likely manages executive emails? Are employees active on social media? What are they posting about? Who are the company’s partner organizations? What software, tools, or services does the organization use? This information is often publicly available and helps attackers shape their strategy.

New employee posting ID badge publicly on Twitter (cross-posted from Instagram)—discovered using Echosec

Data discovery tools allow security teams to locate any exploitable information on social media and other public sites. For example, a proud new employee posts a picture of their ID badge, including their full name and employee number, to Twitter on their first day. This information could hold value for attackers developing a social engineering strategy. Data discovery tools can alert the company’s security team to the image so they can request post removal.

2. The Attacker Develops a Strategy and Tools

The goal of any attack strategy (and there are many) is largely the same: gain system access. At this stage, the attacker is usually aiming to acquire someone’s login credentials to the target system, or infect it with malware. 

The tools and techniques an attacker uses depend largely on the information they were able to gather in step one. Let’s explore an example.

Let’s say the attacker discovers that the target company has an executive who, according to LinkedIn, is traveling in the UK for business. They also discovered a press release announcing the company’s integration of a new cloud service. By looking at the company’s employee page, the attacker also found the executive assistant’s name and email address.

This information could be used to create a fake webpage imitating the cloud service’s login screen (a “scampage”). The attacker establishes a convincing narrative (e.g. “I’m at ___ in the UK, and I can’t seem to access our cloud service. Can you login below and let me know if it works for you?”), and sends the scampage link to the assistant from an email address closely resembling the executive’s. Alternatively, the link could infect the assistant’s computer with malware.

Adversaries use anonymized networks, like deep and dark web forums, to discuss attack strategies like this and sell current malware versions. This content informs organizations, straight from the source, about current attack strategies in their industry or targeting them directly. 

Social engineering how-to discussion on Dread, the dark web’s equivalent of Reddit—discovered using Beacon

Security teams can use this information to better defend against specific attacks. They can also use up-to-date information to educate customers, employees, and stakeholders on how to identify risks and avoid them.
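One defensive check against the look-alike sender address in the example above, written as an added illustration rather than code from the original article or from any product it mentions. The domain example.com, the executive name, and the function names are assumptions made for the sketch.

```python
from email.utils import parseaddr

ORG_DOMAIN = "example.com"      # assumed organization domain
EXECUTIVES = {"dana reyes"}     # constructed executive name, lower-cased

# Characters often swapped in so a domain looks right at a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain):
    """Fold look-alike characters and treat 'rn' as 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def classify_sender(from_header):
    """Return (verdict, reason) for a raw From: header value."""
    display, addr = parseaddr(from_header)
    _, at, domain = addr.lower().rpartition("@")
    if not at or not domain:
        return "suspicious", "no parsable sender address"
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        # String match only; SPF/DKIM/DMARC must still authenticate the mail.
        return "internal", "sender domain matches the organization"
    if normalize(domain) == normalize(ORG_DOMAIN):
        return "suspicious", "homoglyph of the organization domain"
    if edit_distance(domain, ORG_DOMAIN) <= 2:
        return "suspicious", "near-miss of the organization domain"
    if " ".join(display.lower().split()) in EXECUTIVES:
        return "suspicious", "executive display name on an external address"
    return "external", "unrelated domain"

if __name__ == "__main__":
    for header in ("Dana Reyes <dana.reyes@examp1e.com>",   # constructed samples
                   "Dana Reyes <dreyes@mailbox.test>",
                   "Newsletter <news@vendor.test>"):
        print(header, "->", classify_sender(header))
```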

3. The Attacker Launches Tools to Gain Data and System Control

Whether it’s a malware link, login scampage, or another attack vector, successful deployment means the attacker has an entry point into the target’s system. Now they have a clearer window into its infrastructure so they can dive deeper or cause disruptions (such as a distributed denial-of-service, or DDoS, attack).

At this point, an attacker can gather the data they’re looking for and call it a day—but often, the goal at this stage is to gain system control for as long as possible. This can be achieved by altering the system’s security features, launching remote access tools (RATs), or creating system accounts. 

Adversaries are increasingly developing command-and-control (C2) tools at this stage of the attack, which are used to maintain system control after gaining entry. The go-to C2 tool, Empire, was discontinued in July 2019. This prompted the development of multiple C2 tools for use by both ethical and malicious hackers.

Living off the Land (“LOLBAS” or “LOLBins”) strategies are also becoming more popular at this stage. These use a target’s existing system functions to maintain control, giving security analysts the illusion that their network is running business as usual.

Again, accessing current hacking discussions and marketplaces on the deep and dark web keeps security teams up-to-date on nefarious control techniques and software. 

Users discussing post-exploitation techniques on a criminal dark web hacking forum—discovered using Beacon

At this stage, social media is also a valuable source of attack alerts. Customers and employees often turn to social networks to report phishing emails, suspicious phone calls, or site disruptions that could signal a DDoS attack. 

4. The Attacker Achieves Their End-Goal

Not all attackers have an end-goal—but if they’ve gone this far, the aim is usually to monetize the attack or take down the target’s network (or both). 

Attackers often sell stolen copyrighted, classified, personal, or financial data on the dark web. This leaked data often ends up published on paste sites where it’s publicly accessible. 

Customer account breach on Pastebin, including the company’s app login and financial data, as shown in Beacon. This was discovered by searching for the company’s domain.

Another goal is to launch a DDoS attack and take down the network. This is often done to acquire a ransom, or as a form of hacktivism. The international group Anonymous is well-known for these kinds of politically-motivated attacks.

Breached data on a dark web marketplace or paste site is often one of the first signs of an attack available to security teams. Searching these sites for organization-specific data, such as an email domain, helps them catch a breach early on so they have a better chance of containing it. 
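The domain search described above can be sketched as follows. This is an added example, not code from the original article or from the tools it names; the domain example.com, the paste text, and the function names are constructed for illustration. It matches the organization's domain and its subdomains exactly, so a look-alike such as notexample.com is not counted, and it records where credentials appear without keeping the leaked secret.

```python
import re

ORG_DOMAIN = "example.com"  # assumed organization domain

# Constructed paste content; none of these accounts or passwords are real.
SAMPLE_PASTE = """\
### combo list ###
alice@example.com:Summer2019!
bob@mail.example.com;hunter2
carol@example.org:notours
contact dave@example.com for access
eve@notexample.com:xyz
ALICE@EXAMPLE.COM:Summer2019!
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
SEPARATORS = (":", ";", "|")  # delimiters commonly seen between address and secret

def in_scope(domain, org=ORG_DOMAIN):
    """True for the org domain and its subdomains, not for 'notexample.com'."""
    domain = domain.lower()
    return domain == org or domain.endswith("." + org)

def scan_paste(text, org=ORG_DOMAIN):
    """Group in-scope addresses by kind; the leaked secret itself is never stored."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in EMAIL_RE.finditer(line):
            if not in_scope(m.group(1), org):
                continue
            rest = line[m.end():]
            has_secret = rest[:1] in SEPARATORS and rest[1:].strip() != ""
            kind = "credential" if has_secret else "mention"
            findings.setdefault((m.group(0).lower(), kind), []).append(lineno)
    return [{"email": e, "kind": k, "lines": ls} for (e, k), ls in findings.items()]

if __name__ == "__main__":
    for finding in scan_paste(SAMPLE_PASTE):
        print(finding)
```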

5. The Target Discovers the Breach and Manages Any Damages

The longer an attack goes undetected, the more time bad actors have to damage systems and exploit data. This has major costs and can inflict long-term damage to the organization’s reputation. Data breach costs in the US average a whopping USD $8.19 million per incident.

Discovering evidence of a breach across social networks on the surface, deep and dark web, as we’ve seen throughout this article, is an effective way to stay informed at all stages of an attack. This allows organizations to both prevent and mitigate data breaches as early as possible.

Accessing public data also supports organizations who have already suffered a breach and are actively managing a response strategy. Many organizations’ reputations have suffered not solely for being breached, but for how they responded to those affected. As media, stakeholders, and the public react to the event on social networks, organizations can aggregate and analyze this information to better inform an effective PR strategy. 

Social media and news aggregation sample following the Capital One breach in July 2019—discovered using Echosec

Breach Detection, Containment, and Response Tools Crucial for Security Teams

Breaches and other cyberattacks are now understood as an inevitable threat for most industries. Many regions around the world are establishing data breach laws to ensure that organizations optimally secure their networks and respond appropriately to breach incidents. 

For example, the GDPR fines organizations for failing to protect personal data or report breaches within 72 hours of discovery. The consequences and global shifts associated with breached data point to a cross-industry need to prevent and contain attacks as early as possible in their lifecycle. 

Social media and hidden deep and dark web networks contain critical data for detecting and contextualizing breaches. Organizations invested in protecting their data must also invest in tools that make these sources easily accessible at every stage of an attack.