00:08
Adam Stofsky
Hello, everyone. I'm here with Joe Santiesteban from ORIC. We're going to talk about the lifecycle.
00:13
Joe Santiesteban
Or the attack path of a data breach.
00:16
Adam Stofsky
So, Joe, before we kick off and talk about how data breaches kind of play out, can you tell us why it's important for people to know this? Obviously, if you're a security engineer, you need to know about this, but for everyone else, why is this important?
00:28
Joe Santiesteban
So there are really two reasons. One, a lot of data breaches begin with human error, and that's human error across the company. Lots of people within the business have different responsibilities with respect to data or key systems. And understanding how these events occur can help you kind of be thoughtful and critical on the front end. The other side is you may be called upon one day to support in an incident response regardless of your position in the business. And again, in those situations, it's helpful to understand the framework.
00:58
Joe Santiesteban
What is the lifecycle of a breach? I think I've heard you call it the attack path.
01:03
Adam Stofsky
How do these things play out?
01:05
Joe Santiesteban
I think the easiest way to break this down is into three phases. So the first phase is where the threat actor gains initial access to a system. This can happen in a variety of ways. That access can be helpful to a threat actor, but usually what they're trying to do is get access to more sensitive systems and more sensitive data. So the second phase of the process is really focused around the threat actor's activity in an environment, where they seek to execute on getting access to more sensitive systems and data. The third phase is really where they kind of execute on their mission, if you will, where the threat actor usually engages in some kind of behavior that is either destructive or theft.
01:49
Adam Stofsky
So it's the initial compromise or the initial access, then the expanding of the access and then the executing of their mission. Those are the three stages. All right, so talk to us about the initial compromise. How does this tend to happen?
02:02
Joe Santiesteban
It can happen in a variety of ways. A couple of the most common ways that we see threat actors gain access to a system are, one, phishing. And so phishing can involve instances where threat actors try to dupe individuals into turning over their credentials, so pretending to be a reputable party and convincing an individual to insert their username and password somewhere. The other way that we see phishing kind of play out is where an email will go into a business or get sent to an individual, and that email has a malicious file attached to it. So it may have some malware that if you download it, you enable the threat actor to get access to it. So phishing is really a big one in those two forms.
02:48
Adam Stofsky
We've all seen both of these. These are very common, aren't they? Yes.
02:51
Joe Santiesteban
Phishing is probably the most common way that threat actors use to try to get access to a system. The other is probably system vulnerabilities. So threat actors seek to identify misconfigurations and vulnerabilities in systems and then exploit them. And businesses are constantly in a position of trying to fix things faster than bad guys can get in. And bad guys often use that delta in the time it takes to do that work to get access to the system.
03:23
Adam Stofsky
So once they're in, this means they've logged in somewhere and they're sitting on the company's network, right? How do they expand their access?
03:31
Joe Santiesteban
So there are a couple of different ways. So you could imagine a user on a laptop like any of us; for some of us who work in business, our permissions on our computer are restricted. And so the first thing the threat actor is trying to do is get access to accounts that have more permissions within an environment, usually some kind of an administrator account. And they have various kinds of malware that they can deploy to try to scrape these credentials from systems within an environment. It may also be that there are kind of maybe sloppy password practices within a business, where they're using the same passwords across systems or they're easily guessable. But really it's this process where the threat actor takes a new credential, a new username and password, that they're able to get.
04:19
Joe Santiesteban
Find a system that's more important, look for more important credentials. And they keep going until they get to systems within the organization that kind of control authentication generally and enable the threat actor to essentially execute on their mission throughout the...
04:38
Adam Stofsky
...process. Do whatever they want at that point, essentially, when they have that high-level access.
04:42
Joe Santiesteban
Yes. The idea being to get as high a level of access as possible, or as high a level of access as you need to do the action that you're there to do, whether that's destroy or steal something.
04:53
Adam Stofsky
How long does this take? Is this, like, happening over a couple of days? Or can they just sit there for years slowly doing this? What's the time frame like?
05:01
Joe Santiesteban
It could really be either. So we've seen this executed in hours and we've seen it executed over years. And it really depends on what the threat actor is there to do. So sometimes, in particular with sophisticated nation-state actors, their goal is to sit in the network and collect intelligence and never be caught. And for those threat actors, that engagement can go on for years before someone catches it.
05:29
Adam Stofsky
Okay, let's go to the last stage then, where this threat actor actually executes their mission. What does that mean?
05:35
Joe Santiesteban
Completing the mission usually involves one of two things: destruction or data theft. And there's a bunch of gray in between, and sometimes it's both. So with respect to destruction, the most common activity that we see is malware called ransomware. And so what ransomware does is it encrypts files on a drive, and the goal is to then extort the business for a key that will help them unencrypt the files. And so the most destructive forms of this will seek to encrypt all files within a computer network, including ones that may be used to back up main files that are in use every day. And so the idea is to extort a large ransomware payment. The other side that we see, on the data theft side, is more along the lines of espionage or kind of intellectual property theft.
06:27
Joe Santiesteban
So you have threat actors that are looking to kind of sit in an environment and not necessarily just grab everything they can, but to focus on getting intellectual property that will help them competitively.
06:40
Adam Stofsky
At each stage of this kind of breach process, a company has legal obligations, right? Certainly stages one and three. But can you just quickly walk through, in broad strokes, what those are?
06:52
Joe Santiesteban
So a lawyer is involved in a data breach response because a business has lots of potential legal obligations, and then legal risks that flow from that. So you may need to notify individuals or regulators. You may need to engage with law enforcement, your insurer, your customers. And then on the flip side, there's the potential for litigation or enforcement from these various stakeholders that may be affected by your breach.
07:16
Adam Stofsky
Great. Thank you, Joe. Really appreciate it. Super interesting. Thanks a lot.