Features 30.05.2023
Anatomy of a Stealthy Cyber Attack: 10 Steps to Take in the Aftermath of a Data Breach
Attack prevention is a much-talked-about area of security, but what happens after a breach takes place?
Cyber attacks are going unnoticed, with firms failing to discover adversaries until after the damage has occurred. Take the example of media giant News Corp, which recently admitted that attackers had access to its systems for two years following a breach in 2020.
GoDaddy was another victim of cyber criminals hiding in systems, with the domain registration and web hosting firm confessing that an intruder had accessed sensitive data and installed malware over the course of three years.
Cyber criminals can cause much damage by lying in wait, spying on companies or slipping quietly (but potently) into the supply chain. The SolarWinds attackers managed to go undetected for months, penetrating major companies and governments by implanting code in a legitimate software update.
“Once attackers have established a presence in a target network, they can cover their tracks, gain additional footholds by creating backdoors and use legitimate credentials to hide in plain sight,” says Chuck Herrin, CTO at cybersecurity firm Wib.
“Depending on their motivations, they can begin exfiltrating sensitive data, spread [it] further laterally – including into partner networks – or deploy ransomware to gain leverage and monetise access.”
So how do attackers hide in systems, how can they be discovered, and what can be done to limit the damage after this type of breach has occurred?
Companies can’t always be blamed when breaches go unnoticed because attackers have increasing means of being stealthy. For example, the SolarWinds hack went unobserved for over a year by mimicking legitimate network traffic and circumventing threat detection techniques, says Aare Reintam, COO of cybersecurity company CybExer Technologies.
“By acting like a normal system update, the attacker can collect data to determine which processes are being used, by whom and at what times.”
In security terms, this type of stealthy method is called “living off the land”, says Paul Baird, chief technical security officer at cloud security firm Qualys. “This sees attackers using legitimate tools and software to hide their tracks or gain more access,” he explains.
Hidden adversaries can gain access to data such as usernames and passwords, achieve the highest levels of privileges and establish what the company’s most critical services are – allowing them to hit the ones that matter.
When such attacks are discovered, it’s often through security monitoring and analysis of system logs and other types of activity. Baird says typical early signs of a breach include unusual network traffic patterns. “Another signal is if company information is traded in criminal forums on the dark web.”
Yet, attacks are often reported (by security researchers or law enforcement) rather than discovered by the breached company. Breaches might also be found after the adversary has stolen the data and demands the company pay a ransom.
Mona Schroedel, information and data protection specialist at law firm Freeths, regularly deals with the aftermath of cyber attacks. As soon as a breach is discovered, a complex set of steps must be put in motion within set regulatory time frames, she says. “This doesn’t give organisations much time to ponder the circumstances, so we always recommend a breach response plan should be in place and regularly stress tested.”
When you discover a breach, it’s crucial not to alert the attacker. “Instead, you will have to carry out reconnaissance work to understand the details, including the how, what, why, and when, to build a clear picture of the successful attack,” Baird advises.
Once you understand the attack, you can initiate a process to remove the adversary “in one swift move”, according to Baird. “You don’t want to engage in a drawn-out cat-and-mouse game, as this is time-consuming and can lead to further damage.”
But at the same time, it’s essential to be prepared for the loss of services as the attacker is removed from the network. “Once adversaries realise they have been found, they can turn destructive, causing further damage as they no longer need to be stealthy,” warns Baird.
With stealthy cyber attacks such as these increasingly under the spotlight, cybersecurity goes far beyond breach prevention. But companies can protect themselves in several ways while adhering to limited budgets.
The most cost-effective approach is to simplify the operating environment as much as possible, ensuring a consistent focus on the basics of cybersecurity. “90% of success in cybersecurity comes from consistently doing the basics really well, such as patching and software lifecycle management,” says Herrin.
Another critical consideration is an incident response plan, including steps for identifying and containing potential threats, outlining procedures for notifying relevant stakeholders and communicating with the broader organisation, says Baird.
It’s a good idea to have specialist insurance in place to assist with the fallout of any breach, says Schroedel. “We see an increase in claims for damages in even small technical breaches, which can quickly become costly as fees are incurred by the claimant’s solicitors. If that happens, appropriate specialist insurance is invaluable.”
Often insurers will also make recommendations for improvements to security, which might reduce the risk of an incident and associated premiums, she adds.
Cyber breaches are often discovered by the people who accidentally provided access to the cyber attacker in the first place, making it more likely that the employee responsible could panic and try to hide the evidence. Because of this, it’s important to train staff to be open and transparent around data protection and information security, ensuring people understand they will not be penalised for speaking up, says Schroedel.
At the same time, stay up-to-date with the latest threats and attack techniques. “This can be done by monitoring security news and participating in industry forums and conferences,” says Baird. “You can learn a lot from your peers to help you stay ahead.”
Ten things the C-suite needs to do in the aftermath of a data breach