Cyber Kill Chain Analysis of Five Major US Data Breaches: Lessons Learnt and Prevention Plan

IGI Global
International Journal of Cyber Warfare and Terrorism
Abstract

Data breaches are a major concern for both US and global corporations. With more companies allowing their employees to be working remote, providing them a secure work environment has been a priority for employers. The Interpol 2020 report on cyber breaches mentions that the number of cyber-attacks has multiplied in the last year. The IBM Data Breach Report of 2021 notes that data breach costs rose from USD 3.86 million to USD 4.24 million, while the average cost was USD 1.07 Mil higher in breaches where remote work was a factor in causing the breach. Given this environment of increased cyber breaches, it is important to learn from previous major data breaches to understand the root cause which led to the compromise of information security and the steps which could have effectively prevented the same. This paper evaluates five major data breaches in US history using Lockheed's Cyber Kill Chain Analysis, since the details of these breaches have never been documented for research and also proposes an eight-step cyber-attack prevention plan.
DOI: 10.4018/IJCWT.315651

Volume 12 • Issue 1
Copyright © 2022, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
*Corresponding Author
Glorin Sebastian, Georgia Institute of Technology, USA*
https://orcid.org/0000-0003-2543-9127

Keywords: Cyber Attack Prevention, Cyber Kill Chain Analysis, Data Breach

The risk of data breach is becoming one of the major concerns of US and global corporations, especially with the remote work environment. With more companies allowing employees to work from home, ensuring data privacy is much tougher, given that employees could be working from public spaces such as coffee shops using public Wi-Fi networks that often do not follow the prescribed encryption standards and other security controls, thereby posing a greater threat of data breaches. A report by Interpol (refer to Figure 1 for details) in 2020 reported an alarming rate of cyberattacks, especially during the Covid-19 pandemic. Key findings of the Interpol assessment of the cybercrime landscape noted that the three main types of cyber-attacks that have been on the rise during the last few years are malicious domains, malware and phishing frauds (Interpol, 2020).

1. Online Scams and Phishing: Threat actors use phishing emails for online scams to entice victims into providing their personal data or downloading malicious content.
2. Disruptive Malware (Ransomware and DDoS): Cybercriminals are increasingly using disruptive malware against critical infrastructure, mainly for financial benefit. The deployment of data-harvesting malware such as Remote Access Trojans, information stealers, spyware and banking Trojans by cybercriminals is on the rise. Such malware can be used for both ransomware and DDoS (distributed denial of service) attacks.
3. Malicious domains: Attackers are also trying to mislead online users to malicious domains which usually host data-harvesting malware or are designed to extract personal information from end-users.
The IBM Data Breach Report notes that (IBM, 2021):
Data breach costs rose from USD 3.86 million to USD 4.24 million.
The average cost was USD 1.07 million higher in breaches where remote work was a factor in causing the breach.
The most common initial attack vector, compromised credentials, was responsible for 20% of breaches, at an average cost of USD 4.37 million.
This paper compares five of the major breaches in US history (Equifax, Desert Sands, Target, Yahoo, and City of Atlanta & Not Petya) using case study reports and the Cyber Kill Chain analysis approach of Lockheed Martin (2022). Based on this analysis, the paper discusses the common lessons learned and proposes a cyber-attack mitigation plan/checklist based on the learnings from these attacks as well as industry best practices.

Figure 1. Main Cyber-attacks as per Interpol report

The common adversaries and attack vectors, as well as the network and endpoint defenses, are listed below (refer to Table 1). The adversaries could be nation-states, with motives mainly being strategic or attaining economic advantage. The adversaries could also be criminal organizations, which include networks of criminal actors who work together to share tools, techniques, and access to compromised systems and data in their enterprises. The perpetrators could be hacktivists who want to make a political statement, or insiders who are disgruntled and malicious, or incompetent, with access to sensitive information.
The most common attack vector used in social engineering is phishing, where an attacker tries to entice the user to click on malicious sites. Other common attacks include brute force attacks and software vulnerability threats. A popular example of a software vulnerability is the Heartbleed bug, a vulnerability in the OpenSSL cryptography library, which is widely used in implementations of the Transport Layer Security (TLS) protocol. The bug was improper input validation (a missing bounds check) in the implementation of the TLS heartbeat extension, which allowed an attacker to read memory from servers relying on the library and thereby expose traffic that the encryption was meant to protect (Cyberoam, 2014).
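To make the "missing bounds check" concrete, the following is an added example (not from the paper, not OpenSSL code) of a parser for the TLS heartbeat message format. It assumes the RFC 6520 layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding); Python is used because it is the language of the other examples on this page, so the naive parser here cannot read past the buffer the way the C code could, but it still accepts a length field that disagrees with the bytes received, which is exactly the condition the hardened parser rejects.

```python
# Added example (not from the paper): a length-prefixed parser for the TLS
# heartbeat message format (RFC 6520), showing the bounds check the text
# describes as missing. Message layout assumed here:
#   1 byte type | 2 bytes payload_length | payload | >= 16 bytes padding
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: padding must be at least 16 bytes


def parse_heartbeat_unchecked(record: bytes) -> Tuple[int, int, bytes]:
    """Naive parser that trusts the sender's payload_length field.

    In the C implementation this is where the missing check became an
    out-of-bounds read of process memory. Python slicing cannot read past
    the buffer, so here the symptom is merely a length/payload mismatch."""
    msg_type, payload_length = struct.unpack_from("!BH", record, 0)
    payload = record[3:3 + payload_length]
    return msg_type, payload_length, payload


def parse_heartbeat_checked(record: bytes) -> Optional[Tuple[int, bytes]]:
    """Hardened parser: validates payload_length against the bytes actually
    received before touching the payload. Returns None for anything that must
    be discarded silently, as the RFC requires."""
    if len(record) < 3 + MIN_PADDING:
        return None  # too short to hold the header plus mandatory padding
    msg_type, payload_length = struct.unpack_from("!BH", record, 0)
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The bounds check that was missing: header + payload + padding must
    # fit inside the received record.
    if 3 + payload_length + MIN_PADDING > len(record):
        return None
    return msg_type, record[3:3 + payload_length]


def build_heartbeat(msg_type: int, payload: bytes,
                    claimed_length: Optional[int] = None) -> bytes:
    """Builds a constructed test record. claimed_length, when given, writes a
    length field that disagrees with the payload actually present, which is
    the malformed input the hardened parser must reject."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", msg_type, length) + payload + b"\x00" * MIN_PADDING


def heartbeat_response(record: bytes) -> Optional[bytes]:
    """Answers a valid request by echoing its payload; ignores everything else."""
    parsed = parse_heartbeat_checked(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])
```

The defensive rule is the single comparison in `parse_heartbeat_checked`: the claimed length is never used to index the buffer until it has been proven to fit inside what was actually received.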
Other attack vectors include brute force attacks, device theft, or even Denial of Service (DoS), in which the bad actors seek to make a machine or network resource unavailable to its users by temporarily or indefinitely disrupting the services of a host connected to the Internet. This is usually accomplished by flooding the targeted machine with superfluous requests that prevent legitimate requests from being fulfilled (US-CERT, 2013). If the bad actor uses multiple hosts, it is a Distributed Denial of Service (DDoS) attack. Denial of service can also take the form of ransomware, where the organization is denied access to its systems and must decide whether to pay the ransom or lose access to its data forever. Privileged access misuse is usually performed by insiders whose access is compromised via vulnerabilities, or by a disgruntled employee who uses their privileged access to obtain confidential information. For example, Edward Snowden was a government contractor hired to assist with data migration on behalf of the Department of Defense, which he used to steal classified information.

Table 1. Common Adversaries, attack vectors and defenses
Adversaries: Nation States; Criminal Organizations; Individual threat actors; Hacktivists; Insiders
Common Attack Vectors: Social Engineering; Brute Force Attacks; Software Vulnerability; Device theft; Denial of Service; Privileged access misuse
Defenses: Network (Intrusion Detection/Prevention, Network Malware Prevention, Proxies and Firewall); Endpoint Protection (Application whitelisting, Sandboxing, Data backup, Patch Management, Vulnerability management)

This paper uses the Cyber Kill Chain analysis methodology, developed by Lockheed Martin for the review, identification and prevention of cyber intrusion activity (Lockheed Martin, 2022; Yadav & Rao, 2015). Refer to Table 2 and Figure 2 for details of the stages within the Lockheed Martin Cyber Kill Chain analysis. This model is useful for cyber defenders to understand their IT environment and detect weaknesses which allow an attacker to compromise their systems. The model identifies the adversary's motive at each step. It is to be noted that stopping adversaries at any stage of the attack breaks the chain of intrusion. The stages within the Cyber Kill Chain include:
i) Reconnaissance: This is the first step an attacker takes, which consists of investigating the target using the available sources of information. This includes research, identification, and selection of targets. The research usually uses publicly available information such as press releases, employee social media, discovering internet-facing servers, etc. The aim of this step is to learn as much as possible about the intended target in order to find potential avenues of attack.
ii) Weaponization: This occurs when a vulnerable pathway is found into a target organization or system. The purpose of this step is to identify an exploit or malware that should work given the information gained in the reconnaissance step. This step includes pairing remote access malware or an exploit into a deliverable payload (such as Microsoft Office files). Examples of the weaponization step include selecting a backdoor implant and appropriate command and control infrastructure for the operation.
iii) Delivery: Transmission of the weapon to the target (e.g. via email attachments, physical devices such as USB drives, or “watering hole” compromised websites).
iv) Exploitation: The weapon’s code is triggered, exploiting vulnerable applications or systems. This covers execution of the weapon and taking control over the system, mostly with admin or root access; lesser access could be used for data movement or exfiltration. The vulnerability could be a software, hardware or human vulnerability. Victim-triggered exploits include the user clicking on malicious email attachments or links which lead to compromised websites.
v) Installation: The weapon installs a backdoor on the target system allowing persistent access, i.e. even if the system owners remove the malware, the malicious user still tries to maintain root or admin access to the system. It also includes creating a point of persistence by adding services, AutoRun keys, etc.
vi) Command & Control: The outside server communicates with the weapon, providing “hands-on keyboard access” to the attackers inside the target’s network. This remote connection is how the attacker interacts with the compromised system.
Table 2. Stages of the Lockheed Martin Cyber Kill Chain analysis
1. Reconnaissance: Harvesting email addresses, conference information, etc.
2. Weaponization: Coupling exploit with backdoor into deliverable payload
3. Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: Exploiting a vulnerability to execute code on victim’s system
5. Installation: Installing malware on the asset
6. Command & Control: Command channel for remote manipulation of victim
7. Actions on Objectives: With ‘Hands on Keyboard’ access, intruders accomplish their original goals
Figure 2. Cyber Kill Chain, Lockheed Martin (2022)

vii) Actions on Objective: The attacker works to achieve the objective of the intrusion, which can include exfiltration, destruction of data, or intrusion of another target. The actions could include collection of user credentials, privilege escalation, sabotaging systems, corrupting data, internal reconnaissance, etc.


The Equifax data breach happened between May 13 and July 30, 2017. The breach targeted a known vulnerability in Apache Struts, the software Equifax was running on its application server. The Apache Foundation had released a patch for the vulnerability (CVE-2017-5638) (Wang & Johnson, 2018), and this patch was required to be installed. The Department of Homeland Security sent an email to key stakeholders like Equifax to make sure this patch was installed; however, the vulnerability scanners could not find any server that needed the patch, which was later found to be an issue with the configuration of the vulnerability scanners. Private records of 147.9 million Americans, along with 15.2 million British citizens and about 19,000 Canadian citizens, were compromised in the breach. In February 2020, the United States government indicted members of China’s People’s Liberation Army for hacking into Equifax and plundering sensitive data, though the Chinese Communist Party has denied these claims (ZDNet, 2017).
Below is the timeline for the Equifax breach:
February 14, 2017 – The Apache Software Foundation received the first report of a vulnerability.
March 7, 2017 – The Apache Struts Project Management Committee (PMC) publicly disclosed the Apache Struts vulnerability (National Vulnerability Database: CVE-2017-5638).
March 8, 2017 – The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) sent Equifax a vulnerability notice.
March 9, 2017 – Equifax Security performed an open-source component scan to identify any systems with a vulnerable version of Apache Struts.
March 10, 2017 – First evidence of the Apache Struts vulnerability being exploited at Equifax. Attackers ran the ‘whoami’ command.
March 15, 2017 – Equifax received from McAfee a new signature rule to detect vulnerable versions of Apache Struts. The McAfee Vulnerability Manager tool was used to scan externally facing systems with the new signature, run twice, with no results returned.
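The timeline's central failure is a scan that returned no results because of how it was configured. The following added example (not from the paper and not Equifax's or McAfee's tooling) shows the reconciliation check a defender can run to tell "nothing vulnerable" apart from "nothing looked at": it cross-checks the scanner's configured address scope against the asset inventory and flags affected hosts that fall outside every scan range. All hosts, addresses and scope entries are constructed; the first fixed Struts versions for CVE-2017-5638 (2.3.32 and 2.5.10.1) are an assumption from the Apache advisory as I understand it, not a value the paper states.

```python
# Added example (not from the paper): reconciling a vulnerability scanner's
# configured scope against the asset inventory, so that a scan returning "no
# results" can be told apart from a scan that never looked at the right hosts.
# All hosts, addresses and scope entries below are constructed. The fixed
# Struts versions are an assumption taken from the Apache S2-045 advisory;
# the paper itself does not list them.
import ipaddress
from typing import Dict, List, Tuple

INVENTORY = [  # constructed asset inventory
    {"host": "acis-app-01", "ip": "10.10.5.21", "component": "struts", "version": "2.3.30"},
    {"host": "acis-app-02", "ip": "10.10.5.22", "component": "struts", "version": "2.3.30"},
    {"host": "web-portal-01", "ip": "10.10.1.10", "component": "struts", "version": "2.5.10.1"},
    {"host": "hr-app-01", "ip": "10.20.3.5", "component": "tomcat", "version": "8.5.11"},
]

# Constructed scanner scope: note it omits 10.10.5.0/24, where the ACIS hosts live.
SCANNER_SCOPE = ["10.10.1.0/24", "10.20.0.0/16"]

# Assumed first fixed version per Struts branch for CVE-2017-5638.
FIXED_STRUTS: Dict[str, Tuple[int, ...]] = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def struts_vulnerable(version: str) -> bool:
    """True when the installed version is below the first fixed version of its branch."""
    parts = parse_version(version)
    fixed = FIXED_STRUTS.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        return False  # branch not covered by the table; treat as not affected
    return parts < fixed  # tuple comparison handles 2.5.10 < 2.5.10.1


def unscanned_assets(inventory: List[dict], scope: List[str]) -> List[str]:
    """Hosts whose address falls outside every configured scan range."""
    networks = [ipaddress.ip_network(entry) for entry in scope]
    return [asset["host"] for asset in inventory
            if not any(ipaddress.ip_address(asset["ip"]) in net for net in networks)]


def coverage_report(inventory: List[dict], scope: List[str]) -> Dict[str, List[str]]:
    """Cross-checks inventory-derived vulnerability status against scan coverage."""
    vulnerable = [a["host"] for a in inventory
                  if a["component"] == "struts" and struts_vulnerable(a["version"])]
    unscanned = unscanned_assets(inventory, scope)
    return {
        "vulnerable": vulnerable,
        "unscanned": unscanned,
        # The dangerous quadrant: affected hosts the scanner would never report.
        "vulnerable_but_unscanned": sorted(set(vulnerable) & set(unscanned)),
    }
```

The report is only as good as the inventory it is reconciled against, which is why the lessons below treat the design of the control (what the scanner is pointed at) as something an audit must review, not just whether the scan ran.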
3.1.1 Cyber Kill Chain Analysis: The Summary for Equifax Attack is Below
i) Reconnaissance: The nation-state attackers scanned the web for servers affected by the Apache Struts vulnerability.
ii) Weaponize: Based on the reconnaissance, the attackers were able to find a vulnerability within the Equifax dispute portal servers. The attackers compromised the ACIS system (Automated Consumer Interview System), built for consumers to dispute different inquiries on their credit.
iii) Deliver: The attackers began to deploy web shell malware on the ACIS application servers, allowing a remote session over HTTP to the vulnerable server. The attackers were able to leverage this system as the jumping point to attack other systems within the Equifax environment. ACIS was developed in the 1970s, a system that was digitized to handle the credit dispute process. The attackers located additional servers and login credentials.
iv) Exploitation: The attackers leveraged the Apache Struts vulnerability to access a file share mounted on the ACIS application servers and identified unencrypted application credentials stored in a configuration file.
v) Installation: The attackers installed malicious code to create backdoor access, were able to access 48 databases from the ACIS application servers, and leveraged the stolen application credentials to access the databases.
vi) Command & Control: Over the span of 76 days, they ran undetected, issuing 9,000 different queries to these web servers.
vii) Action: The attackers uncovered 148 million records of personally identifiable information (PII), and the web shell was used to exfiltrate that data (The WSJ, 2020).
3.1.2 Attack Detection
The attack was detected by a network intrusion detection tool which, until then, had not had its stored SSL certificates updated in a timely manner. This meant that the tools could not inspect encrypted traffic and therefore could not inspect the data breach traffic at the time. On July 29, 2017, the required certificates were updated within the SSL key management systems and the security tools began inspecting SSL traffic. Around July 29-30, 2017, it was found that suspicious traffic from an IP address in a foreign Asian country was trying to make connections to the ACIS system. After security analysis, it was found that ACIS was running the vulnerable version of Struts. The Equifax global CIO and CEO were notified of the breach, as was the FBI. Equifax hired a third-party contractor (Mandiant) to perform an analysis and determine the list of 149 million consumers whose PII was stolen. Equifax was obligated by law to notify all the individuals affected, via a dedicated website and a call center. Equifax also notified the authorities of all 50 states. The call centers and the website were overwhelmed with the call volume and failed to successfully enroll consumers in protection services.
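An expired certificate on an inspection tool is a silent failure: traffic keeps flowing, it just stops being looked at. The following is an added example (not from the paper) of the expiry check that turns that failure into an alert. It runs over a constructed certificate inventory whose `notAfter` strings use the format the Python standard library's `ssl.SSLSocket.getpeercert()` returns, grades every certificate as expired, expiring or ok, and separately lists expired certificates that monitoring tooling depends on; the `role` labels and the 30-day warning window are assumptions.

```python
# Added example (not from the paper): an expiry check over a certificate
# inventory, so that certificates used by inspection tools are flagged before
# they lapse and create the blind spot described above. Inventory entries are
# constructed; the notAfter format is the one ssl.SSLSocket.getpeercert()
# returns, and the role labels are assumed.
import calendar
import socket
import ssl
from typing import Dict, List

# Constructed inventory: name -> certificate details. "monitoring" marks
# certificates that decryption/inspection tooling depends on.
CERT_INVENTORY: Dict[str, Dict[str, str]] = {
    "ids-decrypt.example.invalid":    {"notAfter": "Jan 15 00:00:00 2017 GMT", "role": "monitoring"},
    "dispute-portal.example.invalid": {"notAfter": "Jul 20 00:00:00 2017 GMT", "role": "service"},
    "hr.example.invalid":             {"notAfter": "Dec 31 23:59:59 2017 GMT", "role": "service"},
    "dlp-inspect.example.invalid":    {"notAfter": "Mar 01 00:00:00 2018 GMT", "role": "monitoring"},
}

# Constructed "current time" for a deterministic run: 2017-07-01 00:00:00 UTC.
NOW = calendar.timegm((2017, 7, 1, 0, 0, 0, 0, 0, 0))


def cert_status(not_after: str, now: float, warn_days: int = 30) -> str:
    """Classifies one certificate as expired, expiring (within warn_days) or ok."""
    expires = ssl.cert_time_to_seconds(not_after)  # GMT string -> epoch seconds
    if expires <= now:
        return "expired"
    if expires - now <= warn_days * 86400:
        return "expiring"
    return "ok"


def certificate_report(inventory: Dict[str, Dict[str, str]], now: float,
                       warn_days: int = 30) -> Dict[str, List[str]]:
    """Groups every certificate in the inventory by its status."""
    report: Dict[str, List[str]] = {"expired": [], "expiring": [], "ok": []}
    for name in sorted(inventory):
        report[cert_status(inventory[name]["notAfter"], now, warn_days)].append(name)
    return report


def inspection_blind_spots(inventory: Dict[str, Dict[str, str]], now: float) -> List[str]:
    """Monitoring certificates that have already expired: traffic behind them
    is passing uninspected right now, which deserves a higher severity than
    an ordinary service certificate lapsing."""
    return [name for name in sorted(inventory)
            if inventory[name]["role"] == "monitoring"
            and cert_status(inventory[name]["notAfter"], now) == "expired"]


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live lookup of a server certificate's notAfter field (needs network
    access; not exercised by the offline report above)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]
```

In practice the inventory would be populated from the key management system rather than typed in, and `inspection_blind_spots` is the list that should page someone, since each entry means a detection control is currently blind.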
3.1.3 Lessons Learned
From the attack details, it can be concluded that there were processes in place, including IT and cybersecurity audits, that should have identified the vulnerable Struts software so that it could be patched in a timely manner. Regular and effective IT and security audits should be in place, not just evaluating the effectiveness of control execution but regularly reviewing the design of the controls themselves. Some of the security controls that were either not properly designed or not being executed correctly, and needed further improvement, included:
Better incident response: The incident response team was not able to detect the hackers querying the 48 databases and exporting the results. Also, the IT and security audits which review the incident management controls should not just review the effective execution of the control but also the proper design and regular updates of the scanning software with the latest signature rules.
Vulnerability/patch management: Vulnerability and patch management existed at Equifax but failed to detect and fix the issue. Misconfiguration of the scanner could be the root cause.
Certificate management: The Equifax security response policy and security controls were inadequate. This is clear from the fact that “Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. This left Equifax without visibility on exfiltration of data during the time of the cyberattack” (Whittaker, 2018).
Network segmentation: Network segmentation with well-managed firewall rules would have prevented attackers from reaching the 48 databases with the user PII.
File integrity monitoring: File integrity monitoring checks whether files are being added or altered. If so, alerts should be configured to be sent to the admins and the cyber team.
Data minimization: The security principle that any sensitive data collected should be relevant to accomplishing the required purposes should be implemented.
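The file integrity monitoring lesson above is easy to state and worth seeing in working form. The following added example (not from the paper, and not a description of any product Equifax used) baselines SHA-256 hashes of a directory tree, reports files added, removed or altered since the baseline, and grades the changes for alerting. The walk-through directory, file names and severity rules (a new server-side script under a web root is graded high, an edited configuration file medium) are constructed assumptions for illustration.

```python
# Added example (not from the paper): a minimal file integrity monitor that
# baselines SHA-256 hashes of a directory tree, reports added, removed and
# altered files, and grades the changes for alerting. The scenario directory,
# file names and severity rules are constructed for illustration.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed rule: new server-side script files under a web root look like a
# dropped web shell and are graded high; edited configuration files medium.
SCRIPT_SUFFIXES = (".jsp", ".php", ".aspx", ".war")
CONFIG_SUFFIXES = (".properties", ".xml", ".conf")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Maps each file (relative POSIX path) under root to its SHA-256 hash."""
    return {path.relative_to(root).as_posix(): sha256_file(path)
            for path in sorted(root.rglob("*")) if path.is_file()}


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hashes the tree and diffs it against the stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "altered": sorted(name for name in current.keys() & baseline.keys()
                          if current[name] != baseline[name]),
    }


def grade_changes(changes: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Turns a change set into alerts for the admins and the cyber team."""
    alerts = []
    for name in changes["added"]:
        severity = "high" if name.endswith(SCRIPT_SUFFIXES) else "low"
        alerts.append({"severity": severity, "path": name, "change": "added"})
    for name in changes["altered"]:
        severity = "medium" if name.endswith(CONFIG_SUFFIXES) else "low"
        alerts.append({"severity": severity, "path": name, "change": "altered"})
    for name in changes["removed"]:
        alerts.append({"severity": "low", "path": name, "change": "removed"})
    return alerts


def demo_scenario() -> Dict[str, object]:
    """Constructed walk-through in a temporary directory: baseline an app tree,
    then add a new script to the web root and edit a config file."""
    root = Path(tempfile.mkdtemp())
    (root / "webapps").mkdir()
    (root / "webapps" / "index.jsp").write_text("<html>ok</html>")
    (root / "config.properties").write_text("db.user=app\n")
    baseline = build_baseline(root)
    (root / "webapps" / "upload.jsp").write_text("<%-- constructed new file --%>")
    (root / "config.properties").write_text("db.user=app\nnew.key=1\n")
    changes = compare_to_baseline(root, baseline)
    return {"changes": changes, "alerts": grade_changes(changes)}
```

The baseline must be stored somewhere the monitored host cannot rewrite, otherwise an intruder with write access to the tree can also rewrite the record of what the tree is supposed to look like.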

In the U.S. House of Representatives oversight report, there is a good discussion on the reporting relationship of the Chief Information Security Officer. At the time of the incident, the CISO reported to the Chief Legal Counsel. The report states repeatedly that a better structure would be to have the CISO report to the Chief Information Officer. The Equifax CISO now reports to the CEO. In most companies, the CISO reports to the Compliance Officer or the CFO (Bragdon, 2014).

The Target data breach occurred in November 2013, as per the forensic analysis that followed the attack. The attacker exploited the POS (Point of Sale) card swipe terminals located in the stores to steal credit card information. Over a period of approximately a month, the attacker was able to steal the credit card information of roughly over 110 million customers. Thereafter the attackers were able to monetize the stolen cards (PIN numbers and data stored on the stripe of the card) on the black market, which was detected by a security researcher who alerted Target (Yahoo Finance, 2015; Shu et al., 2017).
3.2.1 Cyber Kill Chain Analysis: The Summary for Target Attack is Below
The attackers carried out a supply chain attack, which involves attacking smaller contractors, i.e. companies that do business with the Target Corporation; in Target’s case, Fazio.
i) Reconnaissance: The attackers targeted websites and were able to identify the website that listed the contractors and vendors with which Target does business, which included an HVAC company called Fazio.
ii) Weaponization: The attackers crafted phishing messages with malware payloads targeting Fazio employees.
iii) Delivery: The attackers sent phishing messages with malicious payloads and infected Fazio systems. Once compromised, the malware was able to obtain access to the Fazio systems. Leveraging the access gained to Fazio systems, the attackers used stolen credentials to access Target systems.
iv) Exploit: Using the admin access to the Target system, the attackers were able to understand the division of networks and scope out the POS (Point of Sale) systems.
v) Install: The attacker directly uploaded malware onto the POS systems; the RAM scraping malware was installed.
vi) Command & Control: The RAM scraping malware connected to the external command and control environment owned by the attackers.
vii) Action: FTP (File Transfer Protocol) was used to send the credit card information to the command-and-control environment owned by the attackers.
3.2.2 Lessons Learned
Effective third-party risk management: It is critical that, apart from having well-established security controls within the organization, the organization also makes sure, by contractual obligation, that contractor organizations have effective security and data security controls in place.
Regular audit of third-party controls: Compliance with the requirement for effective security controls can be verified by reviewing SOC-2 (System and Organization Controls) reports. While SOC-2 provides a summary of the effectiveness of security and data protection controls, SOC-1 is mainly for ICFR (Internal Controls over Financial Reporting).

In February 2014, there was a hacking attack against the Sands Casino in Bethlehem, PA. An earlier attempted brute force attack against the casino VPN had failed. However, the attackers later got in through a test instance of the casino website that was open to the world and had an unpatched vulnerability. As of 2012, Sands had only five employees in its incident response and cybersecurity team protecting 25,000 computers. Although a 2013 upgrade and expansion was underway, it was on an 18-month rollout plan and no match for coordinated cyber actors, who were able to launch the malware, known as a wiper attack, that took down the entire network and erased sensitive data (Bennett, 2014). This was a politically motivated attack by the nation-state of Iran based on some political comments made by Sheldon Adelson, the Sands Casino owner (Efrony & Shany, 2018).
3.3.1 Cyber Kill Chain Analysis: The Summary for Desert Sands Attack is Below (Bloomberg, 2014)
i) Reconnaissance: The attackers scanned public information, including open systems.
ii) Weaponization: The attackers found an open test instance of the casino website with an unpatched vulnerability.
iii) Delivery: Once in, the attackers installed Mimikatz, which allowed them to gather active domain credentials from memory and move to other systems within Sands Bethlehem.
iv) Exploit: They then used these credentials to move laterally to other systems. They eventually obtained the credentials to the account of a Sands Vegas employee, which allowed the attack to migrate to the Las Vegas casino.
v) Install: Re-used credentials were used to extend the attack from Bethlehem to Las Vegas.
vi) Command & Control: The attackers established themselves within the systems with elevated stolen credentials.
vii) Action: Once the attackers obtained credentials to the Vegas systems, they continually moved across systems, this time destroying them as they went.
3.3.2 Lessons Learned
Effective access controls: Though most companies provide the topmost security for their production system environments, they often neglect the development environment. The main vulnerability in this case was the development/test environment being open to the world. It needs to be ensured that company systems can only be accessed by company staff and employees after proper authentication and authorization. Security is only as good as the weakest link: if malevolent actors can obtain credentials in a lower environment which can then be reused to access higher environments, it is a major security flaw.
Use test data in development and quality systems: Most companies strive to make their development and test environments as close to the production environment as possible, by copying the configuration as well as the data, including sensitive PII, to the quality and test environments. This is a privacy concern, as companies do not always have the same level of effective security controls around these systems as they do in the production system, which makes them an easier target.

Yahoo confirmed in September 2016 that at least 500 million user accounts had been exposed. In what could quite possibly be one of the largest data breaches to date, information was stolen in late 2014 by what Yahoo called a ‘state-sponsored actor’ and “may have included names, email addresses, phone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers,” according to a Yahoo statement (Trautman & Ormerod, 2016). “The stolen information did not include unprotected passwords, payment card data, or bank account information, which were not stored in the system that was found to be affected.” The user information was first compromised in 2014. The company notified only 26 users; it also did not announce this in any of its SEC filings, but only during the due diligence phase of Verizon’s purchase of Yahoo (LifeLock, 2016).
3.4.1 Cyber Kill Chain Analysis: The Summary for Yahoo Data Breach is Below
i) Reconnaissance: The attackers scouted for US internet service companies.
ii) Weaponization: The attackers targeted a ‘semi-privileged’ Yahoo employee rather than top executives (USA, justice.gov, 2017).
iii) Delivery: Social engineering or spear phishing “was the likely avenue of infiltration used to gain the credentials of an ‘unsuspecting employee’ at Yahoo” (Gallagher & Kravets, 2017).
iv) Exploit: Once inside Yahoo systems, the attackers accessed the UDB (centralized User account Database).
v) Install: A log cleaner was installed that removes traces of network activity. The attackers also installed cookie minting software, which was used to create forged cookies that the attackers used to bypass the authentication controls.
vi) Command & Control: FTP was used to exfiltrate data, and the attackers accessed the account management tool (AMT) on the Yahoo network for persistent unauthorized access.
vii) Action: A copy of the UDB was stolen; 500 million Yahoo accounts were compromised.
3.4.2 Lessons Learned
Employee training: The main security control that could have prevented the Yahoo data breach is employee training. Making sure employees are aware of cyber best practices and promoting a culture of cyber security ensures there is no security faux pas during a phishing or social engineering attack.
Cybersecurity culture: Cybersecurity was not a priority earlier, which was the root cause of this data breach; however, Yahoo has since partnered with the Cybersecurity at MIT Sloan research group (CAMS) to build and promote a cybersecurity culture at the firm (Harvard Business Review, 2021).

This cyber-attack was important since Atlanta is one of the most important transportation and economic hubs; hence the attack was greatly publicized. The city recognized the attack on Thursday, March 22, 2018, and publicly acknowledged that it was a ransomware attack (Kraszewski, 2019). The malware used in the attack was the SamSam ransomware, which utilizes a brute-force attack to guess weak passwords until a match is found. The affected systems ranged from utility bill pay applications to the police department’s records system to the public Wi-Fi at the airport (CBS Interactive, 2018). A grand jury indicted two Iranian hackers for the attack; the Department of Justice alleged that they are part of the SamSam group.
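Password guessing of the kind described above leaves a recognizable trace in authentication logs: a burst of failures from one source, sometimes followed by a success. The following added example (not from the paper, and not any vendor's detection rule) parses constructed authentication log lines and applies a sliding-window rule: a medium alert once a source accumulates a threshold of failures inside the window, escalated to high if that source then logs in successfully. The log format, host names, user names and addresses are constructed, and the threshold of 5 failures in 5 minutes is an assumed tuning value.

```python
# Added example (not from the paper): a sliding-window detector for password
# guessing, run over constructed authentication log lines. The log format,
# hosts, users and addresses are all constructed; the threshold and window are
# assumed tuning values.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a guessing burst from one address ending in a success,
# one ordinary typo from a second address, and one unrelated internal login.
SAMPLE_LOG = """\
2018-03-20T02:14:07Z host=cityweb-01 user=administrator src=203.0.113.45 result=FAIL
2018-03-20T02:14:12Z host=cityweb-01 user=administrator src=203.0.113.45 result=FAIL
2018-03-20T02:14:19Z host=cityweb-01 user=admin src=203.0.113.45 result=FAIL
2018-03-20T02:14:25Z host=cityweb-01 user=administrator src=203.0.113.45 result=FAIL
2018-03-20T02:14:33Z host=cityweb-01 user=administrator src=203.0.113.45 result=FAIL
2018-03-20T02:14:41Z host=cityweb-01 user=administrator src=203.0.113.45 result=FAIL
2018-03-20T02:14:50Z host=cityweb-01 user=administrator src=203.0.113.45 result=FAIL
2018-03-20T02:15:10Z host=cityweb-01 user=administrator src=203.0.113.45 result=OK
2018-03-20T02:16:02Z host=cityweb-01 user=jsmith src=198.51.100.7 result=FAIL
2018-03-20T02:16:20Z host=cityweb-01 user=jsmith src=198.51.100.7 result=OK
2018-03-20T02:30:00Z host=billing-02 user=mlee src=10.0.0.5 result=OK
"""


def parse_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parses lines matching LOG_RE; lines in any other format are skipped."""
    events: List[Dict[str, object]] = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        event: Dict[str, object] = match.groupdict()
        event["ts"] = datetime.strptime(str(event["ts"]), "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_password_guessing(events: List[Dict[str, object]], threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> List[Dict[str, str]]:
    """Sliding window of failed logins per source address. Alerts once per
    source when the threshold is reached, and again (high) if that source
    then authenticates successfully."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Dict[str, str]] = []
    for event in sorted(events, key=lambda e: e["ts"]):
        src = str(event["src"])
        failures = recent[src]
        while failures and event["ts"] - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if event["result"] == "FAIL":
            failures.append(event["ts"])
            if len(failures) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"severity": "medium", "src": src, "host": str(event["host"]),
                               "reason": f"{len(failures)} failed logins within {window}"})
        elif src in flagged:
            alerts.append({"severity": "high", "src": src, "host": str(event["host"]),
                           "user": str(event["user"]),
                           "reason": "successful login following a guessing burst"})
    return alerts


def run_sample() -> List[Dict[str, str]]:
    return detect_password_guessing(parse_log(SAMPLE_LOG.splitlines()))
```

The high-severity case is the one that matters for the Atlanta lesson: a success after a burst means a weak password was found, and the response is to disable or reset that account and review what the session did, not merely to block the source address.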
3.5.1 Cyber Kill Chain Analysis: Summary for Atlanta & Not Petya Data Breach (Perlroth & Benner, 2018; Kraszewski, 2019)
i) Reconnaissance: Attackers scouted for publicly available information.
ii) Weaponization: The SamSam ransomware tried to gain access via brute force.
iii) Delivery: Attackers gained access to the IT systems via brute force.
iv) Exploit: Once in, the attackers were able to exploit the vulnerable systems.
v) Install: The ransomware was installed, encrypting data.
vi) Command & Control: The attackers were able to disrupt the City’s IT infrastructure.
vii) Action: The City was asked to pay a ransom in Bitcoin.
3.5.2 Lessons Learned
Timely vulnerability detection and mitigation: The Atlanta government was criticized for a lack of spending on upgrading its IT infrastructure, leaving multiple vulnerabilities open to attack. In fact, a January 2018 audit found 1,500 to 2,000 vulnerabilities in the city’s systems and suggested that the number of vulnerabilities had grown so large that workers grew complacent. Timely vulnerability detection and mitigation are crucial (City Auditor’s Office, 2018).
Security controls: Effective security controls are crucial to defend against bad actors.

The IBM Data Breach Report (IBM, 2021) mentions that IT modernization, a zero-trust approach, and automation of security reduced the risk of data breaches. Based on the Cyber Kill Chain analysis of the five major US data breaches and industry best practices, Table 3 summarizes the steps that would have effectively prevented all these attacks. This is not meant to be an exhaustive list, but to provide enough assurance to ensure protection against the most common data breaches.
i) Automation and security AI (Artificial Intelligence): Security automation is the machine-based execution of security actions to detect, investigate and mitigate cyber threats with minimal human involvement, using tools such as Splunk. This provides cost-effective cyber risk mitigation and better effectiveness for the security response process.
ii) Implement the zero trust approach: Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control (Palo Alto Networks, 2021). The average cost of a breach was USD 1.76 million less at organizations with a mature zero-trust approach.
Table 3. Proposed 8 Step Cyber Attack Prevention Plan

| S. No. | Cyber attack prevention |
|--------|-------------------------|
| 1. | Zero trust approach |
| 2. | IT modernization |
| 3. | Automation and security AI |
| 4. | Implement security controls |
| 5. | Endpoint defense |
| 6. | Network defense tools |
| 7. | Vendor security controls |
| 8. | User training |

iii) IT modernization: Organizations further along in their cloud modernization strategy contained
the breach on average 77 days faster than those in the early stage of their modernization journey
(IBM, 2021). Using modern IT tools with better cyber monitoring features would be effective in
containing cyber incidents.
iv) Implementing and periodically auditing security controls to ensure they are properly designed
and operating effectively: The organization can select a common framework, such as ISO 27000,
the NIST Framework, the CIS Critical Security Controls, or COBIT, that is best suited to its
organizational goals, build these controls, and test them periodically for proper design and
operating effectiveness. The most important security controls include incident response,
appropriate access controls, and a disaster recovery plan that includes backups and a BIA
(business impact assessment) to establish priorities for effective communication, mitigation,
and recovery in case of critical cyberattacks.
v) Having proper network defense tools: Network defenses are control points placed within an
organization to detect and/or prevent malicious activities at the network layer. The most
commonly used network defenses are listed below.
Intrusion Detection System (IDS): A network device or software application that monitors for
malicious activities or policy violations. It generates an alert that is delivered to the
cybersecurity team for review and action. An intrusion prevention system (IPS), in addition to
detecting malicious activity, also blocks the attack by acting on the incident, e.g., by
dropping malicious packets.
Network malware prevention tools: These monitor network traffic to identify malware
executables. When an executable is identified, they run it in a safe environment to observe its behavior.
Proxy server: Proxies act as intermediaries between internal hosts and the internet.
They can be used to limit where hosts are allowed to go on the internet. For example, a
company could use the proxy server to limit or block employees from accessing websites
that have no legitimate business purpose.
Firewall: Network filters that limit traffic between internal hosts and external servers
based on approved IP addresses and ports for inbound and outbound traffic.
Thus the company could allowlist a group of IP addresses and ports on the firewall to
ensure traffic flows only between approved destinations.
WAF (Web Application Firewall): A software-layer control that intercepts web traffic
destined for web applications. The WAF analyzes this traffic and looks for common
web-based attacks such as SQL injection.
Remote monitoring: Deploying network scanning and filtering techniques, including firewalls that
restrict network traffic and a DoS protection service that detects and filters out abnormal traffic.
Active monitoring is one of the most effective detective controls against cyber-attacks.
vi) Implementing endpoint defenses: Endpoint defenses are control points placed on an organization’s
systems that are intended to detect and potentially prevent malicious activity on a system. Some
of the endpoint defenses include:
Application allowlist: Prevents the download and execution of all applications except those
on the organization’s application allowlist.
Sandboxing: A technique used to run potentially malicious files inside an isolated system to
determine whether the file is truly malicious.
Patch management: Making sure that critical patches are identified and applied in a timely manner.
Vulnerability management: The cyber team periodically reviews the systems to ensure
vulnerabilities are mitigated in a timely manner.
Security alerts and log management system: These systems review the various security
alerts and logs to determine whether there has been any compromise.
vii) Vendor security controls: Given a lot of critical Business processes and Data are outsourced
to vendors, it is important to ensure that the Security controls on the Vendor side are effective.

This is usually ensured via contract terms and regular SOC (System and Organization Controls)
audits. SOC 2 audit reports, which include the audit details about the vendor’s cyber and data
protection controls in place and their effectiveness, are to be reviewed periodically. SOC 2 reports
summarize how the company safeguards customer data and how well those internal controls are
operating (Markey & Marchak, 2020). There also need to be effective controls and
procedures in place for vendor selection to ensure that third parties with good security practices are
selected.
viii) Employee training: Humans are the weakest link in every cyber environment, and hence it
must be ensured that they receive appropriate training so that they are aware of the
various attacks they could face in a corporate environment. It is not sufficient to have
proper employee security training; a cyber-aware employee culture must also be put in place
at the workplace, and this awareness should be tested periodically with mock cyber-attack
simulations. Employee training can be made more effective by using data visualization, gamification
and other modern technologies that make the training more interactive.
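Item v) above describes a firewall that allowlists a group of IP addresses and ports for inbound and outbound traffic and drops everything else. The following is an added example, not code from the paper or from any firewall product: a default-deny policy evaluator that shows why every attribute of a flow (direction, protocol, port and remote address) must match an approved entry before traffic passes. The networks, hosts and connection attempts are constructed sample values taken from RFC 5737 documentation ranges.

```python
"""Default-deny firewall allowlist evaluator (added example, not from the paper).

Models the allowlisting firewall described in the text: a small set of
approved (direction, network, port, protocol) entries, with anything not
matched by an entry denied. All addresses and flows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

DIRECTIONS = {"inbound", "outbound"}


@dataclass(frozen=True)
class Rule:
    """One allowlist entry; traffic matching no rule is denied."""
    direction: str           # "inbound" or "outbound"
    remote_net: IPv4Network  # approved external network (CIDR)
    port: int                # approved destination port
    proto: str = "tcp"

    def __post_init__(self) -> None:
        if self.direction not in DIRECTIONS:
            raise ValueError(f"unknown direction: {self.direction}")


@dataclass(frozen=True)
class Flow:
    """A connection attempt as the firewall sees it."""
    direction: str
    remote_ip: IPv4Address
    port: int
    proto: str = "tcp"


def build_rules(specs: list[tuple[str, str, int, str]]) -> list[Rule]:
    """Parse (direction, CIDR, port, proto) tuples; strict=True rejects sloppy CIDRs such as 10.0.0.5/24."""
    return [Rule(d, ip_network(net, strict=True), port, proto) for d, net, port, proto in specs]


def is_allowed(flow: Flow, rules: list[Rule]) -> bool:
    """Default deny: allow only if direction, protocol, port and remote address all match one rule."""
    return any(
        r.direction == flow.direction
        and r.proto == flow.proto
        and r.port == flow.port
        and flow.remote_ip in r.remote_net
        for r in rules
    )


def evaluate(flows: list[Flow], rules: list[Rule]) -> list[str]:
    """Decision per flow, in order, as a firewall log would record it."""
    return ["ALLOW" if is_allowed(f, rules) else "DENY" for f in flows]


# Constructed allowlist (RFC 5737 documentation address ranges).
SAMPLE_RULES = build_rules([
    ("outbound", "203.0.113.0/24", 443, "tcp"),   # approved SaaS provider's network
    ("inbound", "198.51.100.10/32", 22, "tcp"),   # one approved vendor support host
])

# Constructed connection attempts.
SAMPLE_FLOWS = [
    Flow("outbound", ip_address("203.0.113.7"), 443),          # approved destination and port
    Flow("outbound", ip_address("203.0.113.7"), 8080),         # approved destination, unapproved port
    Flow("outbound", ip_address("192.0.2.50"), 443),           # unapproved destination
    Flow("inbound", ip_address("198.51.100.10"), 22),          # approved vendor host
    Flow("inbound", ip_address("198.51.100.11"), 22),          # neighbouring host, not in the /32
    Flow("inbound", ip_address("198.51.100.10"), 22, "udp"),   # right host, wrong protocol
]

if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS, SAMPLE_RULES)):
        print(f"{decision:5} {flow.direction:8} {flow.remote_ip}:{flow.port}/{flow.proto}")
```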

Based on the Cyber Kill Chain analysis of the five major US data breaches (see Table 4; Sebastian,
2022), our analysis is in line with Interpol’s report (Interpol, 2020), with malware, malicious
domains, and social engineering being the main types of cyber-attacks. The bad actors in most
of these corporate breaches are nation-states, which makes these cyber breaches extremely
complicated, given the coordinated and advanced tools that nation-states deploy for these
attacks. The proposed mitigation plan, along with industry best practices, provides the best bet for
these corporations to be well prepared to detect, investigate and remediate cyber threats. This also
reiterates the importance of the IT and Cyber Audit function within the organization and why it is
critical for organizations to empower this team and include it in IT-related projects, deployments, and
daily operations. The IT and Cyber Audit universe should comprise all areas of information
risk across the firm. For companies to know the real state of their cyber readiness against a potential
cyber threat, it is imperative to have regular and frequent IT and Cyber audits, not just to test and
verify the effective operation of security controls but also to periodically verify the design of
these controls, ensuring these procedures are regularly updated based on cyber best practices and
industry trends.
Table 4. Summary of Cyber-attacks, root cause, and primary defense

| Affected corporation | Target | Equifax | Desert Sands | Yahoo! | Atlanta & NotPetya |
|---|---|---|---|---|---|
| Type of cyber attack | Malware attack | Malware attack on unpatched server | Access breach through test website available to public | Social engineering or spear phishing | SamSam malware |
| Bad actor | Hackers | Nation state hacking attack | Nation state hacking attack | Nation state hacking attack | International hacking group |
| Primary cause | Supply chain attack (targeting contractors/weakest links) | Vulnerability on unpatched server | Lack of access controls to test/development systems | End user / employee ignorance | Improper design/execution of security controls |
| Security control that could have prevented the attack | Ensuring contractors have satisfactory security controls via contractual obligation | Timely patching and change management controls | Access controls over test/development/production | User training | Proper design and execution of security controls |


With remote work becoming the norm for many companies since the COVID-19 pandemic started,
it is clear that cyber defense against data and privacy breach incidents is a major concern for most
corporations worldwide. This study analyzed the major US data breaches to understand their
root causes and proposed cyber mitigations that provide reasonable assurance of the
safety of remote employees and organizational data. From this study, as well as the industry and
Interpol reports, it is clear that there is a pattern in the main types of cyber incidents that are most
rampant; hence, adopting a suitable cyber security controls framework and conducting
regular and frequent risk-based audits would greatly reduce the risk of any major cyber incident or
data breach for the firm. It is also to be noted that cybersecurity is a very quickly evolving field, with
new vulnerabilities being discovered almost daily. Hence it is critical for corporations to regularly
update their risk and cybersecurity audit methodologies based on these dynamic cyber threats.

Funding: This research did not receive any specific grant from funding agencies in the public,
commercial, or not-for-profit sectors.
Consent for publication: The manuscript does not contain any individual person’s data in any
form.
Ethics approval and consent to participate: Study-specific ethics committee approval
was not required since the research did not involve human participants.
Competing interests: The author declares that there are no competing interests.
Availability of data and material: Data sharing is not applicable to this article as no datasets
were generated or analyzed during the current study.
Acknowledgement: Not applicable.

The author contributed to the study conception and design. Material preparation, data collection and
analysis were performed by Glorin Sebastian. The first draft of the manuscript was written by Glorin
Sebastian, and the author has read and approved the final manuscript.


Bennett, C. (2014). Iranian Hackers Downed Adelson’s Casino Empire. The Hill. https://thehill.com/policy/cybersecurity/226915-iranian-hackers-downed-us-casino-empire
Bloomberg. (2014). Retrieved June 11, 2022, from https://www.bloomberg.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas
Bragdon, B. (2014, June 20). Maybe it really does matter who the CISO reports to. CSO Online. Retrieved June 11, 2022, from https://www.csoonline.com/article/2365827/maybe-it-really-does-matter-who-the-ciso-reports-to.html
CBS Interactive. (2018, March 28). Atlanta was warned about vulnerabilities months before cyberattack, audit shows. CBS News. Retrieved June 11, 2022, from https://www.cbsnews.com/news/atlanta-warned-cyber-vulnerabilities-audit-shows/
City Auditor’s Office. (2018). ISO/IEC 27001 ISMS Precertification Audit. Author.
Cyberoam. (2014). Security Advisory – OpenSSL Heartbleed Vulnerability. Cyberoam.
Efrony, D., & Shany, Y. (2018). A rule book on the shelf? Tallinn Manual 2.0 on cyberoperations and subsequent state practice. The American Journal of International Law, 112(4), 583–657.
Four Members of China’s Military Indicted Over Massive Equifax Breach. (2020, Feb. 11). The Wall Street Journal.
Gallagher, S., & Kravets, D. (2017, March 15). How did Yahoo get breached? Employee got spear phished, FBI suggests. Ars Technica. https://arstechnica.com/tech-policy/2017/03/fbi-hints-that-hack-of-semi-privileged-yahooemployee-led-to-massive-breach/
How Yahoo Built a Culture of Cybersecurity. (2021, November). Harvard Business Review, 5. https://hbr.org/2021/09/how-yahoo-built-a-culture-of-cybersecurity
IBM. (2021). Cost of a Data Breach Report 2021. https://www.ibm.com/security/data-breach
Interpol. (2020). Cybercrime: COVID-19 impact. https://www.interpol.int/content/download/15526/file/COVID-19%20Cybercrime%20Analysis%20Report-%20August%202020.pdf
justice.gov. (2017). https://www.justice.gov/opa/press-release/file/948201/download
Kraszewski, K. (2019, May). SamSam and the silent battle of Atlanta. In 2019 11th International Conference on Cyber Conflict (CyCon) (Vol. 900, pp. 1–16). IEEE.
LifeLock. (2016). Yahoo Announces 500 Million Users Impacted by Data Breach. https://www.lifelock.comlearn-data-breaches-company-data-breach.html
Lockheed Martin. (2022). Cyber kill chain. Retrieved June 11, 2022, from https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Markey, M., & Marchak, M. (2020). Security Considerations in Technology Contracting. In Implementing Information Security in Healthcare (pp. 163–182). HIMSS Publishing.
paloaltonetworks. (2021). What is a Zero Trust Architecture. https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
Perlroth, N., & Benner, K. (2018). Iranians Accused in Cyberattacks, Including One That Hobbled Atlanta. Academic Press.
Sebastian, G. (2022). Could incorporating cybersecurity reporting into SOX have prevented most data breaches at US publicly traded companies? An exploratory study. International Cybersecurity Law Review, 1–17.
Shu, X., Tian, K., Ciambrone, A., & Yao, D. (2017). Breaking the Target: An analysis of Target data breach and lessons learned. arXiv preprint arXiv:1701.04940.
Trautman, L. J., & Ormerod, P. C. (2016). Corporate directors’ and officers’ cybersecurity standard of care: The Yahoo data breach. American University Law Review, 66, 1231.
US-CERT. (2013). Understanding Denial-of-Service Attacks. US-CERT.
Wang, P., & Johnson, C. (2018). Cybersecurity incident handling: A case study of the Equifax data breach. Issues in Information Systems, 19(3).
Whittaker, Z. (2018). Equifax breach was ‘entirely preventable’ had it used basic security measures, says House report. TechCrunch. Retrieved June 11, 2022, from https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/
Yadav, T., & Rao, A. M. (2015, August). Technical aspects of cyber kill chain. In International Symposium on Security in Computing and Communication (pp. 438–452). Springer.
ZDNet. (2017). Equifax confirms Apache Struts flaw it failed to patch was to blame for data breach. https://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/