

Tim MalcomVetter
Co-Founder / CEO
The 5 Ways Breaches Happen
This is a reboot of an article I wrote years ago, back when I was running the Red Team program at the world’s largest company. I kept hearing the same recurring comment when discussing tradecraft and how adversaries can breach well-defended target organizations:
Of course you were able to do that, you’re { magic, ninja, super-intelligent } hackers.
Compliments are nice, but I knew something they didn’t: cybersecurity is actually simpler than most people make it out to be. After explaining this over and over again, I knew I needed to condense this knowledge into a shareable format, so I wrote this post explaining there were only 5 … JUST FIVE … ways a Red Team or real adversary could get in:
- Vulnerable Public Facing Software (T1190)
- Abusing Internet Facing Authentication (T1133, T1078)
- Phishing for Malware Execution (T1192, T1193, T1194)
- Gaining Physical Access (T1200, T1091)
- Supply Chain Attacks (T1195, T1199)
Notice the MITRE ATT&CK TTP (Tactics, Techniques, and Procedures) IDs in parentheses. MITRE had a chance to make this simple for everyone to understand, but, like most cybersecurity technologists, they got sucked into the details and made it more complicated than it had to be, just like NIST did in their cybersecurity framework (should have just been “Prevent, Detect, Respond,” but that’s a topic for another day, if we ever get that bored!). That’s why there are multiple MITRE IDs for 4 of the 5 methods of breaching an organization’s environment.
All Security Operations programs, whether in super-large enterprise or all the way down to the SMB/Startup segment, need to understand and have strategies in place for these 5. So let’s briefly look at how to approach each one. Nobody is exempt based on size, scale, or maturity.
#1. Vulnerable Internet Facing Software
This is a very well-understood (yet somehow still difficult) problem. If you expose something to the Internet, at some point, a vulnerability may be discovered in it. Keep in mind that, as I write this, history suggests all of us have deeply hidden security defects in our public-facing infrastructure and applications; they just haven’t been found yet.
However, organizations often spend too much time patching theoretical vulnerabilities that never come to fruition. Trying to understand what is important and what isn’t is a challenging problem, hence the debate over CVSS vs EPSS, as well as several governments and cyberinsurance companies maintaining KEV (Known Exploited Vulnerability) lists. Not all vulnerabilities will be exploited. The current trend with external penetration testers and red teamers is that it is getting harder to find a common vulnerability with enough public exploit details to be useful–a very good thing to be sure!
To summarize: patch too little, get breached. Patch too much, waste time and resources. Hence, as an industry, we tend to tell everyone to patch everything, even if that’s not what we should do. More on that another time.
Even with patching, though, if the system that needs patching runs a common operating system, you should have Endpoint Detection & Response (EDR) controls running on it. If it’s a cloud workload, it should be covered by a Cloud Detection & Response (CDR) tool. Any exploited vulnerability will require an adversary to escalate privileges and likely move laterally toward another system or resource, so have plans to detect that.
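The CVSS-vs-EPSS-vs-KEV tradeoff above is easiest to see with a small triage routine. This is an added example, not code from the author or from Wirespeed; the findings, EPSS scores, KEV membership and the `CVE-0000-*` identifiers are all constructed placeholders, and the bucket thresholds are assumptions you would tune to your own risk appetite.

```python
"""Prioritise a vulnerability backlog by exploitation likelihood, not CVSS alone.

Added example (not the author's code). All findings, scores and CVE-style IDs
below are constructed; real EPSS scores come from FIRST's EPSS feed and KEV
membership from a Known Exploited Vulnerabilities list such as CISA's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str               # placeholder identifier, not a real CVE
    cvss: float            # CVSS base score, 0-10 (severity if exploited)
    epss: float            # EPSS probability of exploitation in 30 days, 0-1
    internet_facing: bool  # is the asset reachable from the Internet?


# Constructed sample backlog: note the internal "critical" with a tiny EPSS.
FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, 0.020, True),
    Finding("web-02", "CVE-0000-0002", 7.5, 0.850, True),
    Finding("db-01", "CVE-0000-0003", 9.9, 0.010, False),
    Finding("vpn-01", "CVE-0000-0004", 8.1, 0.620, True),
    Finding("jump-01", "CVE-0000-0005", 6.5, 0.150, False),
    Finding("app-03", "CVE-0000-0006", 9.1, 0.003, False),
]

# Constructed KEV membership for the sample.
KEV = {"CVE-0000-0002"}

# Assumed thresholds: tune to your environment.
EPSS_NOW = 0.50    # likely to be exploited soon
EPSS_SOON = 0.10   # non-trivial exploitation probability
CVSS_HIGH = 9.0    # severe enough to matter on exposed assets regardless of EPSS


def priority(f: Finding, kev: set) -> str:
    """Return 'now', 'soon' or 'scheduled' for one finding."""
    exploited_or_likely = f.cve in kev or f.epss >= EPSS_NOW
    if f.internet_facing and exploited_or_likely:
        return "now"           # reachable and actively/likely exploited
    if exploited_or_likely or f.epss >= EPSS_SOON:
        return "soon"          # internal but exploited, or meaningful EPSS
    if f.internet_facing and f.cvss >= CVSS_HIGH:
        return "soon"          # exposed and severe, even if EPSS is quiet today
    return "scheduled"         # the "theoretical" bucket: regular patch cadence


def triage(findings, kev):
    """Group findings into buckets, most likely-to-be-exploited first."""
    buckets = {"now": [], "soon": [], "scheduled": []}
    for f in sorted(findings, key=lambda x: (-x.epss, -x.cvss)):
        buckets[priority(f, kev)].append(f"{f.cve}@{f.host}")
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(FINDINGS, KEV).items():
        print(bucket, items)
```

The point of the ordering is that an internal host with a 9.9 CVSS score but negligible EPSS and no KEV entry lands in the scheduled bucket, while a 7.5 on an Internet-facing host that is on the KEV list is patched first.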
#2. Abusing Internet Facing Authentication
In 2024, as I type this, it’s absolutely appalling if your organization still allows external access to anything of value with a single factor credential. Multi-factor authentication systems should be standard and FIDO U2F / PassKeys are state of the art. That said, don’t count on ANY control. They all fail at some point. So monitor for signs of abuse using a purpose-built Identity Threat Detection & Response (ITDR) tool that can see all of your authentication activity.
Also, don’t ignore all of the alerts that suggest a user account may be performing impossible travel, logging in from a new or unusual location, or from an unexpected time of day or device. As endpoints become harder targets to attack, adversaries will move towards abusing Identities and pivoting into SaaS and cloud applications. Each of those alerts should be triaged to a full verdict (and Wirespeed can help!).
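The three alert types named above (impossible travel, a new or unusual location or device, an unexpected time of day) can be expressed as a small rule set over an identity provider's sign-in log. This is an added example, not Wirespeed's or the author's code; the sign-in events, the 900 km/h plausibility ceiling and the "expected hours" window are constructed assumptions, and a real ITDR tool would learn per-user baselines rather than use fixed constants.

```python
"""Flag suspicious sign-ins: impossible travel, new device, unusual hour.

Added example, not the author's or Wirespeed's code. EVENTS is a constructed
sample; a real pipeline would read the identity provider's sign-in log.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
EXPECTED_HOURS = range(6, 22)  # assumed "normal" UTC hours for this sample
EARTH_RADIUS_KM = 6371.0

# Constructed events: (user, UTC timestamp, latitude, longitude, device id)
EVENTS = [
    ("alice", "2024-05-01T08:05:00Z", 41.88, -87.63, "laptop-A"),   # Chicago
    ("alice", "2024-05-01T09:10:00Z", 51.51, -0.13, "laptop-A"),    # London, 65 min later
    ("bob", "2024-05-01T03:00:00Z", 40.71, -74.01, "phone-B"),      # New York at 03:00 UTC
    ("bob", "2024-05-01T12:00:00Z", 40.71, -74.01, "unknown-9f"),   # never-seen device
    ("carol", "2024-05-01T14:00:00Z", 37.77, -122.42, "laptop-C"),  # San Francisco
    ("carol", "2024-05-01T18:00:00Z", 34.05, -118.24, "laptop-C"),  # Los Angeles, 4 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return (user, timestamp, reason) tuples for every rule that fires."""
    alerts = []
    last_seen = {}      # user -> (timestamp, lat, lon) of the previous sign-in
    devices = {}        # user -> set of device ids already observed
    for user, ts_s, lat, lon, dev in sorted(events, key=lambda e: (e[0], e[1])):
        ts = parse_ts(ts_s)

        if ts.hour not in EXPECTED_HOURS:
            alerts.append((user, ts_s, "unusual_hour"))

        known = devices.setdefault(user, set())
        if known and dev not in known:      # first device ever seen is the baseline
            alerts.append((user, ts_s, "new_device"))
        known.add(dev)

        if user in last_seen:
            prev_ts, prev_lat, prev_lon = last_seen[user]
            hours = (ts - prev_ts).total_seconds() / 3600.0
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            # Two sign-ins far apart in space but close in time: nobody moved that fast.
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((user, ts_s, "impossible_travel"))
        last_seen[user] = (ts, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Each tuple this returns is one alert that should be triaged to a verdict: Alice's Chicago-to-London sign-in an hour apart fires impossible travel, Bob fires once for the 03:00 sign-in and once for the unrecognised device, and Carol's four-hour San Francisco-to-Los Angeles hop is plausible and stays silent.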
#3. Phishing for Malware Execution
This is different from phishing a person to trick them into revealing credentials. That sort of phishing is really just the category above: abusing internet facing authentication mechanisms.
Phishing for malware execution can happen in more channels than just email. Monitor for and block malware in ALL inbound communication channels, which could also mean instant messaging, customer-facing chat systems (including LLM chat bots!), forums, etc. Any input vector may be an attack vector. Security awareness training will not move the needle enough to warrant its expense; humans will click on stupid content. Shoot, I will click the right lures if they’re handcrafted for me and timed perfectly.
Endpoint devices are the prevention and detection surfaces for malware. In 2024, iOS and Android are virtually malware free (it’s super rare and big news when something slips through the app stores). ChromeOS is very well locked down, yet functional for web based SaaS apps, and I know enterprises that rely on it well for their security. MacOS has some malware, but its sandboxing and gatekeeping keep it to very low numbers. Windows, on the other hand, continues to be a sieve for malware, and not just because Windows dominates too much of the enterprise endpoint space–many enterprises run large quantities of Macs and we have yet to read about a ransomware outbreak starting on Macs. (I suspect we are not far from cyberinsurance companies charging higher premiums to companies who continue to run Windows endpoints.)
#4. Gaining Physical Access
It is super rare for a financially motivated attacker to go into a building and risk showing a face on CCTV, especially when they can remotely take control of endpoints, drop ransomware, and make money from a different continent. That said, this category also includes rogue contractors who you may let come right in your door.
Do not rely on physical security controls/policies alone. Implement controls to prevent and detect rogue devices. By the way, a malicious insider on your network has already bypassed your physical security perimeter, so monitor for that as well.
The best way to address this in 2024 is to have your local network be meaningless: run everything in the cloud or as SaaS (Zero Trust), and your local network is only as valuable as a Wi-Fi hotspot at a hotel or conference center–it’s just access to the internet and nothing else.
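One cheap rogue-device detection is to reconcile what the DHCP server hands out against the asset inventory you already keep. This is an added example, not the author's or Wirespeed's code; the inventory and the log lines are constructed, and the lease-line format (modelled on the DHCPACK lines an ISC-style dhcpd writes to syslog) is an assumption you would adapt to your own server's output.

```python
"""Detect rogue devices by reconciling DHCP leases against an asset inventory.

Added example, not the author's code. INVENTORY and LEASE_LOG are constructed;
the lease-line format is an assumption about the DHCP server's log output.
"""
import re

# Constructed asset inventory: MAC address -> asset tag / owner.
INVENTORY = {
    "aa:bb:cc:00:00:01": "laptop-0421 (alice)",
    "aa:bb:cc:00:00:02": "printer-floor2",
    "aa:bb:cc:00:00:03": "laptop-0877 (bob)",
}

# Constructed DHCP server log (format assumed: DHCPACK on <ip> to <mac> [(<host>)] via <if>).
LEASE_LOG = """\
May  1 08:00:01 dhcp dhcpd[812]: DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:01 (alice-laptop) via eth0
May  1 08:02:17 dhcp dhcpd[812]: DHCPACK on 10.0.5.22 to aa:bb:cc:00:00:02 (printer) via eth0
May  1 08:15:44 dhcp dhcpd[812]: DHCPACK on 10.0.5.90 to 00:11:22:33:44:55 (raspberrypi) via eth0
May  1 08:16:02 dhcp dhcpd[812]: DHCPACK on 10.0.5.91 to 00:11:22:33:44:56 via eth0
May  1 09:30:00 dhcp dhcpd[812]: DHCPACK on 10.0.5.23 to aa:bb:cc:00:00:03 (bob-laptop) via eth0
"""

# Hostname is optional: some clients send none, and a rogue device may send anything.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<host>[^)]*)\))?"
)


def parse_leases(log):
    """Extract (ip, mac, hostname) from every DHCPACK line; MACs are normalised to lowercase."""
    leases = []
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append((m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def find_rogue_devices(leases, inventory):
    """Every lease whose MAC is not in the inventory is a candidate rogue device."""
    return [(ip, mac, host) for ip, mac, host in leases if mac not in inventory]


if __name__ == "__main__":
    for ip, mac, host in find_rogue_devices(parse_leases(LEASE_LOG), INVENTORY):
        print(f"unknown device {mac} ({host or 'no hostname'}) got {ip}")
```

A MAC address can be forged, so treat a hit as a trigger to go look (switch port, physical location, who plugged it in), not as proof; the value of the check is that an unexpected device shows up in minutes instead of being discovered during an incident.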
#5. Supply Chain Attacks
Supply Chain Attacks are where an attacker gets access to the software deployment pipeline of a vendor product or open source tool to introduce backdoor functionality into all consumers of that product.
These are rare, compared to the other vectors, and as of 2024 these look to be most commonly targeted by Nation State level attackers who have time, resources, skill, and patience enough to execute these over months or even years.
The best way to prepare for this is to have everything in your environment instrumented with purpose built detection and response products so that if a supply chain is exploited, and malicious software is quietly planted and dormant for months to years, when it goes hot with a live attacker on the other end, there will be alarm bells ringing in the other categories above.
#Summary
Yes, breaches can be simply and succinctly understood and planned against. Prevention controls will fail, so having defense in depth with Detection controls is paramount. After that, make sure you have excellent Response controls with a partner like Wirespeed in your corner, moving faster than the adversary to disrupt and contain the threat.
Want to see what Wirespeed is all about? Follow us on LinkedIn / X or join our mailing list.