Anatomy of Your Breach

Today’s biggest heists might not look like the movies.

But rest assured, I’m just as destructive. I’m better organized and more sophisticated.
And there's more at stake than ever before: data, intellectual property, and financial gain. Before you can stop me, it'll take you days to even notice I'm there: 146 days on average (Anatomy of a Breach: How Hackers Break In, Microsoft, 2016).

In fact, I’m probably already there. Most breaches go fully undetected and completely unknown.
So, how do you plan on stopping me?

The cost is high. Cyber attacks cost organizations


In 2015, the average cost paid for each lost or stolen record containing sensitive or confidential information was $154 (2015 Cost of a Data Breach Study: Global Analysis, Ponemon Institute, 2015).

Can you catch your company’s potential threats before it’s too late?

The total cost of a data breach increased by 23% from 2013 to 2015.

Costs extend far beyond the direct financial loss: damage to brand image, customer loss, incident response and recovery, system upgrades and security fixes, legal fees, regulatory fines, PR and marketing response expenses, and lost revenue and income (2015 Cost of a Data Breach Study: Global Analysis, Ponemon Institute, 2015).


Phase 1: The Break-In


/* Fragment of the Linux kernel's groups_alloc() (kernel/groups.c), reproduced
 * as background art in the infographic; the function is cut off here. */
struct group_info *groups_alloc(int gidsetsize){
    struct group_info *group_info;
    int nblocks;
    int i;

    nblocks = (gidsetsize + NGROUPS_PER_BLOCK - 1) / NGROUPS_PER_BLOCK;
    /* Make sure we always allocate at least one indirect block pointer */
    nblocks = nblocks ? : 1;
    group_info = kmalloc(sizeof(*group_info) + nblocks*sizeof(gid_t *), GFP_USER);
    if (!group_info)
        return NULL;
    group_info->ngroups = gidsetsize;
    group_info->nblocks = nblocks;

Complex IT environments mean big hacking opportunities:

Phishing emails: phony websites or email messages that appear to come from a trusted contact (such as third-party vendors or other internal employees) and trick users into giving out personal, financial, or enterprise-specific information, which is then used to gain unauthorized access to internal infrastructure through malicious web links, documents, and other infection points.
Merging networks, infrastructure, and software
Password laziness
Malware: "malicious software" programs that steal information, lock your PC until you pay a ransom, or use it to send spam. Common malware types include viruses, worms, and Trojans.
Compromising the network
Ignored software update notifications
Server misconfigurations
Software holes
Watering holes: websites frequently visited by the intended targets. Malicious links to malware are placed on the site to try to infect the target.

What are your main BYOD security concerns?

Data leak/loss
User-downloaded unsafe apps or content
Unauthorized access to company data and systems
Malware

1 in 5 organizations suffers a mobile security breach, primarily driven by malware and malicious Wi-Fi (BYOD and Mobile Security: 2016 Spotlight Report, Crowd Research Partners, 2016).

WARNING STAT /

Employee training to avoid user error is a major security defense, yet barely half of the companies surveyed by CompTIA said they even offer some form of security training: just 54%.

Key access points:

Email attachments
Email links
Social media
Social engineering

Once I find the weakest point in your security, the rest is just a walk in the park.

DEFENSE STRATEGY /
Provide consistent notifications to update your software and networks, reduce privileges and the number of accounts with access, and train employees to be vigilant about phishing emails.
MICROSOFT SOLUTIONS /
Office 365 Anti-Spam / Anti-Malware

Detect and prevent the execution of malicious code sent to endpoints through email with Office 365 Anti-Spam/Anti-Malware.

Azure Multi-Factor Authentication

Authenticate and protect access to internal email and information from corporate or BYOD devices with Azure Multi-Factor Authentication.

Office 365 Message Encryption

Prevent attackers from sending legitimate-looking emails with Office 365 Message Encryption, Microsoft's confidentiality assurance.


Phase 2: The Inside Man



With a foot in the door, anyone at your company is now a target as I scan for new access points to greater payoff. (Network scan: cataloguing accessible systems, such as host machines, services, and active network resources, to create a target list to break into with newly acquired administrative credentials.)
Often the most common targets are:

Employees with higher access than needed
Users who continually ignore updates
Business managers who outsource their IT: a simple decision with potentially huge consequences

Often, the only way to take control of a system is to identify system managers and impersonate their ability to manage, update, and access system resources, since these functions are typically beyond a normal user’s capability.

On the lookout for higher access privileges, I start searching for my next mark:

User accounts with administrative access
Built-in and downloadable tools
Opportunities to consolidate local system control
Another system with even higher administrative privileges or greater access to valuable data
DEFENSE STRATEGY /
Develop a stronger security strategy to help prevent a devastating attack by implementing "least privilege" access, and reduce employee workload with a hosted solution.
MICROSOFT SOLUTIONS /
Device Guard

Allow only enterprise-approved applications to execute with Device Guard.

Windows Defender Advanced Threat Protection

Continuously detect and report any endpoint malicious activity through Windows Defender Advanced Threat Protection.

Microsoft Passport

Store two-factor authentication credentials where an attacker can't steal or abuse them with Microsoft Passport.

Phase 3: Spread Out



With none the wiser, I watch for further security weaknesses:

DEFENSE STRATEGY /
Quickly set up deployable software, keep deployment software in place, and upgrade or segregate your legacy systems.
MICROSOFT SOLUTIONS /
Credential Guard

Prevent account information theft from memory attacks that could be used to access other systems through Credential Guard.


Advanced Threat Analytics

Learn normal account usage and report anomalies with Advanced Threat Analytics.


Azure Rights Management

Control, monitor, and revoke access to critical data through Azure Rights Management.
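The "learn normal account usage and report anomalies" idea behind Advanced Threat Analytics, applied to the Phase 2 and Phase 3 pattern above (an intruder hunting for administrative accounts and then fanning out across systems), can be illustrated with a small per-account baseline detector. This is an added example and not Microsoft's code or the logic ATA uses; the logon records, host names and account names are constructed sample data, and the fan-out threshold is an assumption.

```python
"""Toy per-account logon baseline: learn which hosts each account normally
logs on from, then flag logons that break that baseline. Added example,
not Advanced Threat Analytics code; all records below are constructed."""
from collections import defaultdict

# Constructed learning-window events: "timestamp account host admin(0/1)".
BASELINE_LOGONS = [
    "2016-05-02T08:55 alice WS-ALICE 0",
    "2016-05-03T09:02 alice WS-ALICE 0",
    "2016-05-02T07:40 bob WS-BOB 0",
    "2016-05-03T07:45 bob WS-BOB 0",
    "2016-05-02T10:10 svc-backup FILESRV01 1",
    "2016-05-03T10:12 svc-backup FILESRV01 1",
    "2016-05-02T11:00 itadmin ADMIN-JUMP 1",
    "2016-05-03T14:30 itadmin ADMIN-JUMP 1",
]

# Constructed events from the day under review.
NEW_LOGONS = [
    "2016-05-04T08:58 alice WS-ALICE 0",        # matches baseline
    "2016-05-04T21:15 alice WS-BOB 0",          # alice from a colleague's workstation
    "2016-05-04T21:20 itadmin WS-BOB 1",        # admin account appears on a workstation
    "2016-05-04T21:25 itadmin FILESRV01 1",     # ... then on a file server
    "2016-05-04T21:31 itadmin DC01 1",          # ... then on a domain controller
    "2016-05-04T10:11 svc-backup FILESRV01 1",  # matches baseline
]

FAN_OUT_THRESHOLD = 3  # assumed: admin account on this many new hosts is critical


def parse_logon(line):
    """Split one space-separated record into a dict."""
    ts, account, host, admin = line.split()
    return {"ts": ts, "account": account, "host": host, "admin": admin == "1"}


def build_baseline(lines):
    """Per account: the set of hosts seen in the learning window and
    whether the account ever logged on with administrative rights."""
    hosts = defaultdict(set)
    admin = defaultdict(bool)
    for rec in map(parse_logon, lines):
        hosts[rec["account"]].add(rec["host"])
        admin[rec["account"]] |= rec["admin"]
    return {"hosts": dict(hosts), "admin": dict(admin)}


def detect_anomalies(baseline, lines, fan_out_threshold=FAN_OUT_THRESHOLD):
    """Return one alert per logon that breaks the baseline. Privileged
    accounts on new hosts are rated high; a privileged account reaching
    fan_out_threshold previously unseen hosts is rated critical once."""
    alerts = []
    new_hosts = defaultdict(set)
    for rec in map(parse_logon, lines):
        acct, host = rec["account"], rec["host"]
        known = baseline["hosts"].get(acct)
        base = {"ts": rec["ts"], "account": acct, "host": host}
        if known is None:
            alerts.append({**base, "reason": "unknown-account", "severity": "medium"})
            continue
        if host in known:
            continue  # normal usage, nothing to report
        is_admin = baseline["admin"].get(acct, False)
        new_hosts[acct].add(host)
        alerts.append({**base, "reason": "new-host",
                       "severity": "high" if is_admin else "low"})
        if is_admin and len(new_hosts[acct]) == fan_out_threshold:
            alerts.append({**base, "reason": "admin-fan-out", "severity": "critical"})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(BASELINE_LOGONS), NEW_LOGONS):
        print(alert)
```

The learning window and the review window are kept apart deliberately: a baseline that keeps learning from the events it is judging would absorb the intruder's new hosts as "normal" within a day. In practice the baseline would also track logon hours and source subnets, and the unknown-account case would be correlated with account-creation events.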

Phase 4: The Long Con


Thanks to deploying continuous, stealthy processes like remotely connecting to your network through a third party, my job only gets easier with time.

With a permanent backdoor or alternate mechanism installed for long-term access, I’m in your system for the long haul.

$1,570,000: total 2015 average cost in lost business, up from $1.33M in 2014 (2015 Cost of a Data Breach Study: Global Analysis, Ponemon Institute, 2015).

Lost business is an organization’s most potentially severe financial consequence.

Assume breach! The greatest nemesis of my strategy, this mindset shifts business leaders and CISOs from purely preventive security measures to detection, response, and recovery.

MICROSOFT SOLUTIONS /
Azure Security Center

Centrally monitor and offer remediation options to cloud assets through Microsoft’s Azure Security Center.


Operations Management Suite

Bring cloud monitoring to local datacenter assets through Microsoft’s Operations Management Suite.


Enterprise Mobility Suite

Manage devices, monitor device access, and protect corporate data through Microsoft's Enterprise Mobility Suite.


Cloud App Security

Identify and authorize data released to various cloud applications through Microsoft’s Cloud App Security.