It’s 2am. I’ve just answered a frantic call from the CEO of a large local corporation. He has just received a ransomware demand for the equivalent of R50 million in cryptocurrency, failing which all the personal data of the company’s clients will be released on the dark web.
He informs me that his IT team have already identified the breach and deleted it, but he still needs assistance with the ransomware demand.
As a digital forensics expert, I immediately know three things.
- The IT team, who do not deal with hacks and breaches on a daily basis and who are not digital forensics experts, have done the exact opposite of what they should have done. In our experience, most IT teams are inexperienced in identifying the Point of Compromise (POC) when a breach occurs; it is not within the realm of daily IT expertise. The result is that the hackers are often left with an open backdoor, or some breadcrumbs, that will let them back into the network.
- The second is that without digitally tracing the POC, it is difficult to audit the system and find all of its remaining vulnerabilities, so the system stays exposed.
- And the third is that unless the entire environment is forensically investigated, it is impossible to report to the regulator what happened, how the hackers gained access and what was taken.
A deep dive forensics audit is critical in today’s regulatory landscape. Consumers have the right to initiate a data subject request, which means that if a hack occurred, a company needs to be able to confirm whether or not a customer’s data was breached, and to what extent.
In one of the major local and publicly announced incidents in 2022, hackers gained access to first names, surnames, email addresses and cellphone numbers belonging to a few million people. The breach was through a third-party service provider, but the company is ultimately responsible and liable.
It’s these realities that lead to early-hour phone calls for me and my team. Time is of the essence, and the digital forensics element is crucial. Yes, we assist with ransomware demands and know how to negotiate with hackers, but our most important role is tracking, tracing and preserving evidence. If a business cannot confirm exactly what was breached, how it happened, and what steps were taken to protect the system and recover stolen data, it can be subject to repeat attacks, criminal charges, hefty fines and enormous reputational damage.
Five steps to a successful hack
With that in mind, we thought it might be worthwhile to spend not only a day in the life of a company that has been hacked, but also to look at what was happening in the nine months before the hack, because that is often how long a business has been targeted.
Step 1: Reconnaissance
Industry research has shown that, on average, advanced attacks nest inside organisations for 200 days before discovery. That’s a long time for an attacker to stealthily gather private data, monitor communications and map the network.
Here’s what the hacker is doing:
- Identifying a vulnerable target and exploring the best ways to exploit it
- Mapping the organisational structure and identifying the weakest link – employees (targeted phishing emails are often used to identify who will take the bait later during the actual attack)
- Who is more vulnerable – the company or one of its third-party providers?
- If an email address can be breached – just one – the hacker can get into the system and quietly siphon out data. We have seen this on numerous occasions and even though it looks like only two email addresses out of 700 have been compromised, that’s all a hacker needs
- Captured credentials can then be cracked offline, outside the organisation, until the hacker is ready to attack.
Step 2: Access and escalation
Once weaknesses in the target network have been identified, the cyber attackers plan how they will gain access and then escalate that access so they can move through the network undetected.
Here’s what the hacker is doing:
- Having gained privileged access through months of quietly capturing and cracking passwords, the attacker moves stealthily through the system, looking like they belong there
- Often, privileges are escalated to admin accounts so that they can gain even greater network access.
Step 3: Exfiltration
Exfiltration comes in many forms. Is the hacker stealing data? Are they changing the banking details of suppliers so that they receive payments instead?
Here’s what the hacker is doing:
- Moving freely around the network, hackers can steal, erase or change data
- This data can be held for ransom (either because it is blocked or there is a threat it will be released)
- Or any data can be altered within the organisation for the hackers to exploit in another way.
With the freedom to move around the network, the attackers can now access systems with an organisation’s most sensitive data – and extract it at will. But stealing private data is not the only action intruders can take at this time. They can also change or erase files on compromised systems.
Step 4: Sustainment
Assume that any hacker will want to leave a backdoor. This is known as ‘sustainment’: ensuring that they can quietly stay within a network.
Here’s what the hacker is doing:
- Secretly installing malicious programs that allow them to return as frequently as they want
- Thanks to the elevated privileges acquired earlier, the attackers no longer depend on a single access point
- The attackers can come and go as they please.
Step 5: Hiding their tracks
Usually, the attackers want to hide their tracks. While this is not universally the case, it is most likely that some measures have been taken to confuse, disorientate or divert a digital forensic audit. If an IT team is inexperienced in containing and tracing digital attacks, the hackers will be even more successful in hiding any breadcrumbs (and it will be easier for them to gain access again later).
Here’s what the hacker is doing:
- Removing their digital footprints, either stealthily or by executing ransomware to destroy all traces
- Making it difficult to identify what data was stolen, what has been altered and where the point of compromise is.
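Steps 2, 4 and 5 each leave traces in the event logs of the affected hosts before the attacker gets around to clearing them, and those traces are exactly what an IT team destroys when it "deletes the breach" instead of preserving it. The following detection routine is an added example, not code from the article or from Cyanre: it reads a constructed, pipe-delimited export of Windows event records (the format is an assumption made for the example; the event IDs 4728, 4732, 4698, 7045 and 1102 are real Windows identifiers), maps each matching record to the lifecycle stage described above, and raises the severity for privileged-group changes, for log clearing, and for changes outside an assumed business-hours window. The hostnames and account names in the sample are invented.

```python
"""Map Windows event records to the attack-lifecycle stages from the article.

Added example (not the article's or Cyanre's code). The event IDs are real
Windows identifiers; the log format, hostnames and accounts are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Real Windows event IDs, mapped to the lifecycle stages the article describes.
STAGE_RULES = {
    4728: ("access and escalation", "member added to a security-enabled global group"),
    4732: ("access and escalation", "member added to a security-enabled local group"),
    4698: ("sustainment", "scheduled task created"),
    7045: ("sustainment", "new service installed"),
    1102: ("hiding tracks", "audit log cleared"),
}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
# Assumed business hours; administrative changes outside them deserve a closer look.
BUSINESS_HOURS = range(7, 19)

# Constructed sample export: timestamp|host|event_id|subject|detail (invented data).
SAMPLE_LOG = """
2023-03-01T22:14:00|FS01|4624|CORP\\jsmith|type=3 src=10.0.5.23
2023-03-01T22:17:30|FS01|4732|CORP\\jsmith|group=Administrators member=CORP\\svc_backup
2023-03-01T22:31:05|FS01|7045|CORP\\svc_backup|service=WinUpdateHelper path=C:\\ProgramData\\wuh.exe
2023-03-02T01:05:12|FS01|1102|CORP\\svc_backup|log=Security
2023-03-02T09:00:00|FS01|4624|CORP\\amolefe|type=2 src=console
2023-03-02T10:15:44|FS01|4698|CORP\\amolefe|task=\\Backup\\Nightly
"""


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    subject: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one record of the assumed format: timestamp|host|event_id|subject|detail."""
    ts, host, event_id, subject, detail = line.strip().split("|", 4)
    return Event(datetime.fromisoformat(ts), host, int(event_id), subject, detail)


def fields(detail: str) -> dict:
    """Turn 'key=value key=value' detail text into a dict."""
    return dict(part.split("=", 1) for part in detail.split() if "=" in part)


def detect(lines) -> list:
    """Return one alert per record that matches a lifecycle-stage rule, in time order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for ev in events:
        rule = STAGE_RULES.get(ev.event_id)
        if rule is None:
            continue
        stage, reason = rule
        severity = "medium"
        f = fields(ev.detail)
        if ev.event_id in (4728, 4732) and f.get("group") in PRIVILEGED_GROUPS:
            severity = "high"
            reason += f" ({f['group']})"
        if ev.event_id == 1102:
            # Local history before this point is gone; only a forwarded copy can fill the gap.
            severity = "high"
            reason += "; compare with the central log collector for the period before this event"
        if ev.ts.hour not in BUSINESS_HOURS:
            reason += "; outside business hours"
        alerts.append({"ts": ev.ts.isoformat(), "host": ev.host, "stage": stage,
                       "severity": severity, "subject": ev.subject, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the routine flags the Administrators group change, the new service, the cleared audit log and the scheduled task, and ignores the ordinary logons. The 1102 alert is the one to act on first: everything it reports after that point is whatever the attacker left behind, so the pre-clearing history exists only if the host was forwarding its logs to a collector the attacker could not reach.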
How Cyanre helps
We’ve seen what the hacker’s life looks like, but what about a day in the life of a business that has been hacked?
- The initial breach is detected
- IT immediately jumps into action, closes the breach, but leaves the business open to additional attacks and regulatory issues because there is no clear digital forensics trail
- It is unclear what data has been stolen – or how it could be used
- It is unclear if any data has been changed or manipulated
- It is unclear where the Point of Compromise was and where the system is therefore vulnerable.
As digital forensics experts, we receive the late-night calls because of our ability to:
- Contain attacks while simultaneously ensuring that a full digital forensic investigation is done, one that is defensible, can be used in court, and will satisfy insurance companies and any third parties
- Ensure that all traces of the hackers are removed from a system, identifying and plugging any vulnerabilities
- Assist with rebuilding the environment.
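Preserving evidence (the point made earlier about tracking, tracing and preserving, and the defensible investigation listed above) starts with proving that the artifacts collected on the night of the incident are the same ones produced later to a regulator, insurer or court. The routine below is an added example, not Cyanre's tooling or a procedure from the article: it hashes every collected file into a manifest that records the collector, the time and the hash of the manifest itself, and then re-verifies the collection so that a deleted or overwritten artifact is reported rather than silently accepted. The evidence files, case identifier and collector name are constructed placeholders created in a temporary directory so the example runs offline.

```python
"""Build and verify an integrity manifest for a collection of evidence files.

Added example (not Cyanre's tooling). Standard library only; the evidence
files, case id and collector name are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images are never read into memory whole


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_digest(manifest: dict) -> str:
    """Hash of the manifest body, excluding its own recorded digest."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence_dir: str, collector: str, case_id: str) -> dict:
    """Hash every file under evidence_dir and record who collected it and when."""
    items = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.stat(path)
            items.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    # This digest is what goes into the chain-of-custody record.
    manifest["manifest_sha256"] = manifest_digest(manifest)
    return manifest


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Return a sorted list of problems; an empty list means the evidence is unchanged."""
    problems = []
    if manifest_digest(manifest) != manifest.get("manifest_sha256"):
        problems.append("manifest digest mismatch")
    recorded = {item["path"]: item for item in manifest["items"]}
    present = set()
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            present.add(rel)
            if rel not in recorded:
                problems.append(f"unexpected file: {rel}")
            elif sha256_file(os.path.join(evidence_dir, rel)) != recorded[rel]["sha256"]:
                problems.append(f"hash mismatch: {rel}")
    for rel in recorded:
        if rel not in present:
            problems.append(f"missing file: {rel}")
    return sorted(problems)


def demo() -> tuple:
    """Create constructed evidence files, build a manifest, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "logs"))
        with open(os.path.join(d, "logs", "security_export.txt"), "w") as fh:
            fh.write("constructed sample export of a security log\n")
        with open(os.path.join(d, "mailbox_export.txt"), "w") as fh:
            fh.write("constructed sample mailbox export\n")
        manifest = build_manifest(d, collector="analyst placeholder", case_id="CASE-PLACEHOLDER")
        clean = verify_manifest(d, manifest)
        # Simulate well-meant clean-up: one artifact removed, another overwritten.
        os.remove(os.path.join(d, "mailbox_export.txt"))
        with open(os.path.join(d, "logs", "security_export.txt"), "a") as fh:
            fh.write("cleaned up\n")
        tampered = verify_manifest(d, manifest)
        return len(manifest["items"]), clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is written before anyone touches the environment, and the manifest's own digest is recorded out of band (in the case notes, signed if possible), so later verification shows both whether the files changed and whether the manifest was edited to hide that.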
Hacking is becoming more and more sophisticated. Cyanre’s cyber forensics expertise is cutting edge, built to meet and exceed this need.