What does the payoff in the Finale look like?
The seventh stage is the crowning glory of the attack kill chain, and depending on the motive, the attacker is usually keen to get to the data theft stage. In general, the previous stages help the attacker reach this objective. Attackers are known to go to great lengths to cover their tracks in order to reach this stage. In some cases, attackers have been known to lurk in the network for months or years before exfiltrating large quantities of data. Attackers are definitely getting craftier and more sophisticated. Also, when it comes to insider threats, the first six stages of the attack kill chain can be optional, because a privileged malicious insider already has some level of access to the environment.
Data theft can be for purposes of blackmail, espionage, economic gain, and more. The data that is stolen can be financial data (such as credit card numbers, bank account credentials), personal data that can further be used for profit (SSN, DOB, etc.), credentials, private keys and passwords, medical records, intellectual property (source code, trade secrets, etc.), the list goes on. Each data breach is different because the motives of the attackers vary. In general, unless the attacker failed at their objective or the objective is pure destruction, it is safe to say that some form of data theft can be assumed in a breach.
An interesting question is, where does all this stolen data end up? It could remain with the attacker perpetually, as would likely be the case with nation state attackers and other sophisticated attackers. However, vast amounts of data end up in the underground community for sale, or sometimes even in the public domain as an example of the loot.
The following example showcases a recent dump of personally identifiable information (PII) that includes names, addresses, phone numbers, dates of birth, and credit card numbers, along with their CVV and expiration dates.
Remember the Sony Pictures Entertainment hack from last year? The attackers dumped hundreds of gigabytes of confidential data in the public domain, resulting in a great deal of financial and reputational loss. In addition, they also stole private keys. Private keys are highly sensitive and are used in SSL/TLS, SSH, and other encrypted connections for secure communication. There are different kinds of private keys, for example PuTTY .ppk keys and PKCS #12 files.
An excerpt from the list of files stolen from Sony Pictures Entertainment in the November 2014 hack, showing the .ppk private key files
If that's not scary enough, credentials are always valuable to an intruder, either to gain additional access or for financial gain. In Linux, the basic files that store that information are the "passwd" and "shadow" files. Their equivalent in Windows is the SAM database. All three files store usernames and hashed passwords in different but specific formats, which allow a data security system to identify them as such using a regular expression.
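The format-based identification described above (and the private key formats mentioned earlier) can be demonstrated with a small line scanner. The following is an added example and not code from the original post or from any product: it anchors one regular expression per format (passwd, shadow, pwdump-style SAM dump, PEM private key header, PuTTY .ppk header) and reports which lines of an outbound text blob match. The sample lines are constructed for the example; the hashes in them are placeholders, not real credentials. PKCS #12 files are binary and would need a file-signature check rather than a line regex, so they are out of scope here.

```python
import re

# One anchored pattern per credential-bearing text format. The field layouts
# follow the documented /etc/passwd, /etc/shadow, pwdump-style SAM dump, PEM
# and PuTTY key formats; dict order is the order in which lines are classified.
PATTERNS = {
    # name:password-marker:uid:gid:gecos:home:shell  (exactly 7 fields)
    "passwd": re.compile(r"^[^:\s]+:[x*!]?:\d+:\d+:[^:]*:[^:]*:[^:]*$"),
    # name:$id$salt$hash:lastchg:min:max:warn:inactive:expire:reserved (9 fields);
    # the hash may also be a lock marker such as "*" or "!!" or a "!"-prefixed hash
    "shadow": re.compile(r"^[^:\s]+:(?:!?\$[0-9a-z]+\$[^:]+|[!*]{1,2})(?::\d*){7}$"),
    # user:rid:LMhash:NThash:::  (pwdump-style export of the SAM database)
    "sam_dump": re.compile(r"^[^:\s]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::$"),
    # PEM header used for SSL/TLS and SSH private keys
    "pem_private_key": re.compile(r"^-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----$"),
    # PuTTY .ppk text header line
    "putty_ppk": re.compile(r"^PuTTY-User-Key-File-\d+: "),
}


def classify_line(line):
    """Return the name of the first format the line matches, or None."""
    for name, pattern in PATTERNS.items():
        if pattern.match(line):
            return name
    return None


def scan_text(text):
    """Scan a text blob line by line; return {format: [1-based line numbers]}."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        kind = classify_line(line.rstrip("\r"))
        if kind:
            hits.setdefault(kind, []).append(lineno)
    return hits


# Constructed sample: two passwd lines, two shadow lines (one hashed with a
# placeholder hash, one locked), one SAM dump line with placeholder hashes,
# a PuTTY header, a PEM header, and one ordinary line that must not match.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
root:$6$c0nstructed$Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFy:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
PuTTY-User-Key-File-2: ssh-rsa
-----BEGIN RSA PRIVATE KEY-----
The quarterly report is attached for review.
"""

if __name__ == "__main__":
    for kind, lines in sorted(scan_text(SAMPLE).items()):
        print(f"{kind:16s} lines {lines}")
```

Each pattern pins the field count with anchors and colon-free field classes, so a shadow line cannot be misreported as a passwd line even though both start with `name:`. In a real data security system these checks would run on files and archives leaving the network, and a single hit on a shadow or SAM format line is usually enough to block the transfer and raise an alert.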
Example of a Security Account Manager (SAM) database file on a Windows system that stores users' passwords in a hashed format, either as an LM hash or as an NTLM hash
Once the hackers obtain hashed passwords, they can crack them using brute force or wordlists. Free password cracking tools are readily available online, among them "John the Ripper" and "RainbowCrack," which generates rainbow tables.
The above example shows the output of a SAM file run through "John the Ripper". The simple passwords such as "ROOT" and "1234" were broken in seconds. The administrator's password was only partially broken because the run was stopped manually very quickly.
Many other sensitive files that are not directly covered by regulations such as HIPAA or PCI are accessed and stolen by hackers. Configuration files and process information can also be very valuable to an attacker. Hence, being compliant does not mean that breaches will not occur; rather, compliance is only one part of the risk mitigation process.
Primary contributor: Amit Nitzan