The Anatomy of a Cyber Attack:
A Walk-Through Detection Case Study

A cyber-attack happens, on average, every 39 seconds and, according to IBM Security’s Cost of a Data Breach Report for 2022, 83% of businesses have seen more than one breach. With 42 million records, including names, email addresses, passport details, and sensitive healthcare and financial information exposed between March 2021 and February 2022, the situation shows no signs of improvement. Alarmingly, the Cybersecurity and Infrastructure Security Agency (CISA) has reported a 300% increase in cyber-attacks since 2020 and it highlights the financial sector as a high-value target. According to The Boston Consulting Group around 63% of financial institutions have experienced an increase in cyber-attacks, painting a grim picture of the current threat landscape.


But what exactly happens during a cyber-attack, and how does our Cyberseer SOC team detect cyber-criminals intent on hacking their way into your organisation’s systems?

The details that follow are a hypothetical scenario that mirrors real-world situations closely. This example reflects the types of attacks that businesses face and why advanced threat detection is of paramount importance to your organisation.

Initial Alerts: Recognising the Red Flags

In this hypothetical scenario, our client is ‘FinCorp’, a financial services provider that has received alerts of unusual login attempts and suspicious email rule changes. These types of anomalies are often precursors to more significant breaches. The Verizon Data Breach Investigations Report has reported that 22% of breaches involved phishing, a common entry point for attackers.

Detection: The First Line of Defence

Once these anomalies have been detected by our SOC team, we use Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) systems to begin an in-depth investigation. These systems are central to our cyber defence operations and play a pivotal role in the early stages of attack identification. Integrated security technologies like SIEM and EDR systems can significantly enhance an organisation’s incident response capabilities. These technologies allow our security teams to identify and respond to incidents much more quickly than traditional methods.

Additionally, for scenarios involving Business Email Compromise (BEC), particularly in an Office 365 environment, we leverage the Unified Audit Log (UAL) to gain visibility and insights into user activities and potential threats, enhancing our ability to detect and mitigate such attacks effectively.

Analysis and Identification

Correlating data points and behavioural analytics allows us to establish that a potential Business Email Compromise (BEC) attack is taking place. This type of attack is particularly ominous: in 2020, £1.4 billion was lost due to this type of criminal activity.

In our hypothetical case study, spear-phishing emails have served as the entry point for credential theft, which mirrors tactics seen in 22% of cyber incidents. During a BEC scenario investigation, we meticulously examine login locations and IP addresses, session IDs, mailbox rules and forwarding settings, the registration of MFA devices or new device enrolments, data exfiltration activities, access to mail items, and files accessed. This thorough investigation process helps us identify and mitigate the attack effectively.
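The Unified Audit Log review described above (unusual login sources and mailbox rule changes) can be partly automated. The following is an added example, not Cyberseer’s tooling: it runs simple BEC triage logic over a constructed set of UAL-style records, flagging sign-ins from IP addresses not previously seen for the user and inbox rules that forward mail externally or hide it. The user names, IPs and timestamps are invented; the parameter names (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder) are the Exchange inbox-rule parameters that appear in real UAL records.

```python
# Constructed sample of Office 365 Unified Audit Log (UAL) records, modelled on
# the schema of real UAL exports (Operation, UserId, ClientIP, Parameters).
# Users, IPs and timestamps are invented for this example.
SAMPLE_UAL = [
    {"CreationTime": "2024-03-01T08:02:11", "Operation": "UserLoggedIn",
     "UserId": "j.doe@fincorp.example", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-03-01T08:40:05", "Operation": "UserLoggedIn",
     "UserId": "j.doe@fincorp.example", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2024-03-01T08:45:30", "Operation": "New-InboxRule",
     "UserId": "j.doe@fincorp.example", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-01T09:10:00", "Operation": "New-InboxRule",
     "UserId": "a.smith@fincorp.example", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Rule parameters that send mail out of the mailbox, and ones that hide it
# from the victim (a classic BEC pairing: forward externally, then delete).
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}
RULE_OPS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")

def rule_params(record):
    """Flatten a UAL Parameters array into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def triage(records, known_ips):
    """Return (user, reason) findings an analyst would follow up on.
    known_ips maps each user to the set of IPs already established as normal."""
    findings = []
    for r in records:
        user, ip = r["UserId"], r.get("ClientIP")
        if r["Operation"] == "UserLoggedIn" and ip not in known_ips.get(user, set()):
            findings.append((user, f"login from unrecognised IP {ip}"))
        if r["Operation"] in RULE_OPS:
            params = rule_params(r)
            exfil = EXFIL_PARAMS.intersection(params)
            if exfil:
                reason = f"mailbox rule forwards mail via {sorted(exfil)}"
                hidden = HIDE_PARAMS.intersection(params)
                if hidden:
                    reason += f" and hides it via {sorted(hidden)}"
                findings.append((user, reason))
    return findings

if __name__ == "__main__":
    known = {"j.doe@fincorp.example": {"203.0.113.10"},
             "a.smith@fincorp.example": {"203.0.113.10"}}
    for user, reason in triage(SAMPLE_UAL, known):
        print(user, "->", reason)
```

In practice the records come from a UAL export (each row’s AuditData JSON) and the known-IP baseline from the user’s prior sign-in history; the harmless "Newsletters" rule is deliberately not flagged, which is the distinction that keeps analyst time on real rule abuse.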

Response, Mitigation, and Recovery

Cyberseer’s Security Operations Centre (SOC) team quickly isolates the compromised identity to halt the attack’s progress. This includes forcing a sign-out, revoking refresh tokens, resetting passwords, and ensuring MFA requirements are met. Simultaneously, our team communicates with FinCorp’s IT team to coordinate the overall response effort. Urgent actions include disabling the affected accounts, a critical step given that 81% of hacking-related breaches leverage stolen or weak passwords, according to Verizon’s report. Following these immediate response measures, our team continues with the investigation workflow, meticulously examining login locations and IP addresses, session IDs, mailbox rules, new device enrolments, and data access patterns. This ensures the attack is fully disrupted while laying the groundwork for recovery, remediation, and a comprehensive resolution of the incident.

Recovery and Remediation

The recovery process we use for every client involves comprehensive remedial steps. Cyberseer’s SOC team oversees the resetting of passwords, revoking MFA tokens, disabling compromised accounts, and removing malicious mailbox rules. Additionally, we ensure that the latest security updates and patches are applied to prevent future vulnerabilities.

In a Business Email Compromise (BEC) scenario, recovery includes implementing phishing-resistant MFA, enforcing conditional access policies, maintaining strict password hygiene, and segregating administrative and high-privilege accounts. This approach not only addresses immediate threats but also strengthens overall security posture. While many organisations routinely scan for vulnerabilities, inadequate patch management persists, often due to concerns about disrupting business operations.

Worryingly, 25% of CIOs and CISOs report their organisations are unlikely to be compliant with data security legislation, highlighting the need for robust and proactive cybersecurity measures.

Prevention Methods and Strengthening Defences

During the post-incident analysis, our SOC team prepares recommendations for FinCorp. They emphasise the importance of regular security audits, phishing awareness training for employees, implementing conditional access policies, and enforcing Multi-Factor Authentication (MFA). The SANS Institute notes that such training can reduce phishing susceptibility by up to 40%. By incorporating these measures, FinCorp can significantly enhance its cybersecurity posture and reduce the risk of future incidents.

Lessons Learned

This hypothetical case study of a financial organisation underscores the vital need for proactive security protocols. With the average cost of a data breach in the financial sector at around £4.6 million, the investment in Cyberseer detection technologies isn’t just prudent, it’s an essential requirement for business continuity.

Cyberseer’s expertise in early threat detection, analysis and rapid response demonstrates the enormous value we offer to our clients. As cyber threats become increasingly sophisticated, we remain committed to safeguarding digital assets and being your trusted partner.

For more information on protecting your business with Cyberseer’s advanced threat detection solutions, please contact our team of experts. Together, we can provide a tailored security strategy that not only defends against today’s cyber threats but also anticipates the future and evolving world of cybercrime.

In the world of cybersecurity, vigilance and agility are crucial. With Cyberseer, you have a partner dedicated to both.


Sources:

Astra Security, cyber security statistics: https://www.getastra.com/blog/security-audit/cyber-security-statistics/

IBM Security, Cost of a Data Breach Report: https://www.ibm.com/downloads/cas/3R8N1DZJ

FBI Internet Crime Report 2020: https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
