How long have you got? The lifecycle of a breach

Data breaches can be crippling, punishing victims with not just data loss but also system downtime, reputational damage and costly ransomware demands.
The breach’s life cycle – the time between the initial incident and its containment – can vary hugely based on the type of attack, your network environment and your cybersecurity.

Many breaches go undetected for months, during which attackers may be gathering more data and gaining ever-greater control of your systems. But breaches are not always random or opportunistic attacks. Serious hackers play the long game, following a pattern of events which can give us insight into how to defend against them.

What does the lifecycle of a data breach look like?

Hackers can move fast: the Australian Cyber Security Centre (ACSC) notes that cyberattackers move to exploit software vulnerabilities “at times within hours of public disclosure”. The good guys don’t always move so fast. According to Ponemon research, the average global data breach lifecycle in 2021 was 287 days – that’s a week longer than the previous year – with 212 days between the breach and its detection, and 75 between detection and containment. In Australia, the figures were even longer, with an average lifecycle of 311 days (219 to detect, 92 to contain).

And not all attack vectors are created equal. Compromised credentials, Business Email Compromise (BEC) and malicious insider incidents took the longest to identify and contain, with third-party software vulnerabilities, accidental data or device loss and technical misconfigurations being resolved more rapidly.

With email-borne attacks and insider threats on the increase, according to a Mimecast survey of Australian organisations, longer-tail attacks are an increasing threat. The rise of remote work is offering further opportunities for cybercriminals, with organisations that have over 50% remote workers taking around eight weeks longer to resolve breaches.

Understanding the way hackers think will give you a far better chance of recognising threats before they become major incidents. An attack’s lifecycle is typically broken into around five stages, including target selection and research; attack planning; attack delivery; exploit and lateral movement; and the end game, in which attackers use their control to export or disrupt assets.

Stage 01: Target research and reconnaissance

Some attacks (such as bulk BEC campaigns) work by indiscriminate bombardment, and may not even target a particular company. But the most damaging attacks begin with painstaking reconnaissance and research. Attackers will scan social media feeds for information about a specific company’s personnel and projects as they decide which employees to target and build up the details that can make a social engineering attack believable. Attackers may scan for software or hardware vulnerabilities that can be exploited: anything that will open up a weak point to leverage.

To defend against this, include the dangers of oversharing in awareness training and social media guidelines, use data discovery tools to identify risky posts, ensure your software and hardware are patched, and consider using threat intelligence to identify risks.

Stage 02: Choosing the mode of attack

Hackers use the data they’ve gathered to select the tools they’ll use and shape their attacks. They’re looking to gain system access, which might come via spear-phishing emails (targeting specific individuals) or fake web pages requesting personal information. Strategies may be discussed and malware bought or sold on dark web forums.

Stage 03: Attack commences

After they’ve secured the resources they need and have a strategy mapped out, the hackers will strike. And then, often, nothing happens. At least, on the surface. Your organisation may notice a few malicious links or messages that get ignored or quarantined by email protection. But behind the scenes, attackers are gauging your defences and are waiting for the one mistake that lets them in. And if they’re patient enough, they will find that one momentary slip-up that will let them penetrate your defences.

To defend against this, train your staff to recognise common scams and encourage reporting, ensure your firewalls and other defences are best-in-class, and use DMARC to prevent spoofing.

Stage 04: Exploitation

Like any parasite, once cyberattackers have an entry point, they seek to spread. Stolen credentials and malware may allow further access as attackers explore systems, assess traffic and plan further exploits. The threat may spread rapidly at this stage, as internal access policies are generally set up for collaboration rather than security.

But many hackers are just as prepared to play the quieter, and potentially much more damaging, long game. Command-and-control tools may be used to tap into communication and system management. Security features may be altered, administrator accounts created and remote desktop access activated. System functions may be maintained for months to convince analysts that nothing is amiss.

To defend against this, use network segmentation or zero-trust measures to make lateral movement harder. Detect and respond to suspicious actions and behaviour, listen for reports of scams and disruptions internally and on social media, and keep an eye on hacking forums (which may contain organisation-specific details) on the deep and dark web.

Stage 05: Exporting or disrupting assets

By this stage, attackers may be able to lock users out of critical functions, impersonate users and steal or encrypt confidential data. Files may be removed by FTP or email, or the network taken down by a Distributed Denial of Surface Attack (DDoS). Product orders can be deleted, partner organisations attacked or industrial equipment shut down. This may be the first time a cybersecurity team will become aware of an attack, but it may have been brewing for weeks, months or even years – and the results can be disastrous.

Defensive measures should include incident response tools and a dedicated incident and response team that can rapidly mount effective countermeasures. An effective, up-to-date incident response plan and recent backups will also mitigate the damage caused by a breach – note that your organisation may also have a duty to report it promptly.

The right policy can speed detection and keep criminals at bay

The right defensive measures will make it harder for hackers to find a vulnerability, exploit it and escalate their attack. It’s worth noting that research suggests that companies with security automation or a mature stage of cloud migration detected and contained breaches faster than average.

Identifying and mitigating an individual threat early is an obvious win, but the goal should be overall cyber resilience. A strong cybersecurity posture will make each step harder for attackers, increasing the time and money criminals need to spend in search of a breach, giving you more chance to spot them, and them more incentive to take their schemes elsewhere. You also don’t have to do it all in-house; there are a lot of options for Managed Service Providers and cybersecurity partners in the market that can support your cybersecurity strategy.

Studying the lifecycle of a breach can help you thwart attackers

As we’ve seen, breaches take time. Cyberattackers may spend weeks on planning and reconnaissance before they even start to probe your defences. There may be months between them gaining a foothold and developing enough control to achieve their aims. That period is a window of opportunity for you as well as the criminals: the right measures can help you detect, respond and make yourself a harder target throughout the breach lifecycle.