DOI: 10.4018/IJCWT.315651
Volume 12 • Issue 1
Copyright © 2022, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
Glorin Sebastian, Georgia Institute of Technology, USA (corresponding author)
https://orcid.org/0000-0003-2543-9127

Abstract
Data breaches are a major concern for both US and global corporations. With more companies allowing their employees to work remotely, providing them a secure work environment has become a priority for employers. The Interpol 2020 report on cybercrime notes that the number of cyber-attacks multiplied in the preceding year. The IBM Cost of a Data Breach Report 2021 notes that the average cost of a data breach rose from USD 3.86 million to USD 4.24 million, and that the average cost was USD 1.07 million higher in breaches where remote work was a factor. Given this environment of increased cyber breaches, it is important to learn from previous major data breaches: to understand the root cause that led to the compromise of information security and the steps that could have effectively prevented it. This paper evaluates five major data breaches in US history using Lockheed Martin's Cyber Kill Chain analysis, since the details of these breaches have not previously been documented in this form for research, and also proposes an eight-step cyber-attack prevention plan.
Keywords: Cyber Attack Prevention, Cyber Kill Chain Analysis, Data Breach
The risk of data breach is becoming one of the major concerns of US and global corporations, especially with the remote work environment. With more companies allowing employees to work from home, ensuring data privacy is much harder, since employees may be working from public spaces such as coffee shops over public Wi-Fi networks that often do not meet the prescribed encryption standards and other security controls, posing a greater threat of data breaches. A report by Interpol (refer to Figure 1 for details) in 2020 reported an alarming rate of cyberattacks, especially during the Covid-19 pandemic. Key findings of the Interpol assessment of the cybercrime landscape noted that the three main types of cyber-attack on the rise during the last few years are online scams and phishing, disruptive malware, and malicious domains (Interpol, 2020).
1. Online Scams and Phishing: Threat actors use phishing emails for online scams to entice victims into providing their personal data or downloading malicious content.
2. Disruptive Malware (Ransomware and DDoS): Cybercriminals are increasingly using disruptive malware, ransomware and DDoS (distributed denial of service) attacks, against critical infrastructure, mainly for financial benefit. The deployment of data-harvesting malware such as Remote Access Trojans, information stealers, spyware and banking Trojans by cybercriminals is also on the rise.
3. Malicious Domains: Attackers also try to lure online users to malicious domains, which usually host data-harvesting malware or are designed to extract personal information from end-users.
The IBM Cost of a Data Breach Report notes that (IBM, 2021):
• Average data breach costs rose from USD 3.86 million to USD 4.24 million
• The average cost was USD 1.07 million higher in breaches where remote work was a factor in causing the breach
• The most common initial attack vector, compromised credentials, was responsible for 20% of breaches, at an average cost of USD 4.37 million
This paper compares five of the major breaches in US history, Equifax, Target, Las Vegas Sands, Yahoo and the City of Atlanta, using the published case study reports and the Cyber Kill Chain analysis approach of Lockheed Martin (2022). Based on this analysis the paper discusses the common lessons learned and also proposes a cyber-attack mitigation plan/checklist based on the learnings from these attacks as well as industry best practices.
Figure 1. Main Cyber-attacks as per Interpol report

The common adversaries and attack vectors, as well as the network and endpoint defenses, are listed below (refer to Table 1). The adversaries could be nation-states, with motives that are mainly strategic or aimed at economic advantage. The adversaries could also be criminal organizations: networks of criminal actors who work together to share tools, techniques, and access to compromised systems and data. The perpetrators could be hacktivists who want to make a political statement, or insiders who are disgruntled and malicious, or simply incompetent, with access to sensitive information.
The most common attack vector used in social engineering is phishing, where an attacker tries to entice the user to click on links to malicious sites or open malicious attachments. Other common attacks include brute force attacks and the exploitation of software vulnerabilities. A popular example of a software vulnerability is the Heartbleed bug (CVE-2014-0160) in the OpenSSL cryptography library, which is widely used to implement the Transport Layer Security (TLS) protocol. The bug was a missing bounds check (improper input validation) in the implementation of the TLS heartbeat extension: the server trusted the payload length declared by the client and copied that many bytes into its response, so a single malformed heartbeat message could return up to about 64 KB of the server process's memory, potentially including private keys, session cookies and passwords, without leaving a trace in the server logs (Cyberroam, 2014).
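The following is an added example, written for this edition and not part of the original paper or of OpenSSL, that models the heartbeat handler before and after the fix. The record layout follows RFC 6520; the "adjacent memory" contents are constructed stand-ins for whatever happens to follow the received record in the server's heap, and the helper names are the editor's own.

```python
import struct
from typing import Optional

# TLS heartbeat message layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3

# Constructed stand-in for whatever sits in the server's heap right after the
# received record: a key fragment, a session cookie, a login form. Not real secrets.
ADJACENT_MEMORY = (
    b"-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEA...; "
    b"Set-Cookie: session=e3b0c44298fc1c149afbf4c8996fb924; "
    b"POST /login user=alice&password=correct-horse-battery"
)


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. An honest client leaves declared_length as None;
    the attack sets it far larger than the payload actually sent."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_heartbeat(record: bytes, adjacent_memory: bytes = ADJACENT_MEMORY) -> bytes:
    """Model of the pre-OpenSSL-1.0.1g handler: the length field taken from the
    client's message decides how many bytes are copied into the response, and
    nothing compares it with the size of the record that actually arrived."""
    hb_type, declared = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    heap = record + adjacent_memory                     # memory the copy reads from
    payload = heap[HEADER_LEN:HEADER_LEN + declared]    # runs past the end of the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + payload + b"\x00" * MIN_PADDING


def fixed_heartbeat(record: bytes) -> Optional[bytes]:
    """Model of the patched handler: header + declared payload + minimum padding must
    fit inside the received record, otherwise the message is silently discarded."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None                                     # too short to be a valid message
    hb_type, declared = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + declared + MIN_PADDING > len(record):
        return None                                     # the bounds check Heartbleed lacked
    payload = record[HEADER_LEN:HEADER_LEN + declared]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything the server echoed beyond the payload the client actually sent."""
    declared = struct.unpack("!H", response[1:HEADER_LEN])[0]
    echoed = response[HEADER_LEN:HEADER_LEN + declared]
    return echoed[len(sent_payload):]


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    malicious = build_heartbeat(b"ping", declared_length=0xFFFF)   # claims 65535 bytes
    print("vulnerable server leaked:", leaked_bytes(vulnerable_heartbeat(malicious), b"ping"))
    print("patched server response to the attack:", fixed_heartbeat(malicious))  # None: dropped
    print("patched server still answers honest requests:", fixed_heartbeat(honest) is not None)
```

The check that matters is the single comparison against `len(record)`: the declared length is attacker-controlled input, and the real fix in OpenSSL 1.0.1g did exactly this, dropping any heartbeat whose declared payload does not fit in the received record rather than answering it.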
Other attack vectors include device theft and denial of service (DoS), in which the bad actors seek to make a machine or network resource unavailable to its users by temporarily or indefinitely disrupting the services of a host connected to the Internet. This is usually accomplished by flooding the targeted machine with superfluous requests that prevent legitimate requests from being fulfilled (US-CERT, 2013). If the bad actor uses multiple hosts, it is a distributed denial of service (DDoS) attack. Ransomware is also a form of denial of service, where the organization is denied access to its own systems and data and must decide whether to pay the ransom or lose access to the data. Privileged access misuse is usually performed by insiders: either an account whose access is compromised through a vulnerability, or a disgruntled employee who uses their privileged access to obtain confidential information. For example, Edward Snowden was a government contractor working as a systems administrator for the National Security Agency, and he used that administrative access to take classified information.
This paper uses the Cyber Kill Chain analysis methodology developed by Lockheed Martin for the review, identification and prevention of cyber intrusion activity (Lockheed Martin, 2022; Yadav & Rao, 2015). Refer to Table 2 and Figure 2 for details of the stages within the Lockheed Martin Cyber Kill Chain. This model is useful for cyber defenders to understand their IT environment and detect the weaknesses that allow an attacker to compromise their systems. The model identifies the adversary's objective at each step, and stopping the adversary at any one stage breaks the chain of intrusion. The stages of the Cyber Kill Chain are:
i) Reconnaissance: This is the first step an attacker takes, and consists of investigating the target using the available sources of information: research, identification and selection of targets. The research usually uses publicly available information such as press releases, employee social media and discovery of internet-facing servers. The aim of this step is to learn as much as possible about the intended target in order to find potential avenues of attack.

Table 1. Common Adversaries, attack vectors and defenses
Adversaries: Nation States; Criminal Organizations; Individual threat actors; Hacktivists; Insiders
Common Attack Vectors: Social Engineering; Brute Force Attacks; Software Vulnerability; Device theft; Denial of Service; Privileged access misuse
Network Defenses: Intrusion Detection/Prevention; Network Malware Prevention; Proxies and Firewall
Endpoint Defenses: Endpoint Protection; Application whitelisting; Sandboxing; Data backup; Patch Management; Vulnerability management
ii) Weaponization: Once a vulnerable pathway into the target organization or system has been identified, the attacker prepares an exploit or malware that should work given the information gained during reconnaissance. This includes pairing remote access malware or an exploit with a deliverable payload (such as a Microsoft Office document). Weaponization also includes selecting a backdoor implant and the command and control infrastructure for the operation.
iii) Delivery: Transmission of the weapon to the target (e.g. via email attachments, physical devices such as USB drives, or "watering hole" compromised websites).
iv) Exploitation: The weapon's code is triggered, exploiting a vulnerable application or system. The vulnerability could be in software, hardware or a human. Successful exploitation gives the attacker code execution on the system, ideally with administrator or root access, although lesser access can still be used for data movement or exfiltration. Victim-triggered exploits include the user opening a malicious email attachment or clicking a link that leads to a compromised website.
v) Installation: The weapon installs a backdoor on the target system, allowing persistent access, so that the attacker retains root or administrator access even if the initially deployed malware is removed. This includes creating a point of persistence by adding services, AutoRun registry keys, etc.
vi) Command & Control: An outside server communicates with the implant, providing "hands-on keyboard" access to the attackers inside the target's network. This remote channel is how the attacker interacts with the compromised system.
vii) Actions on Objectives: The attacker works to achieve the objective of the intrusion, which can include exfiltration, destruction of data, or intrusion of another target. The actions can include collection of user credentials, privilege escalation, sabotage of systems, corruption of data, internal reconnaissance, etc.

Table 2. Stages of the Lockheed Martin Cyber Kill Chain analysis
1. Reconnaissance: Harvesting email addresses, conference information, etc.
2. Weaponization: Coupling exploit with backdoor into deliverable payload
3. Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: Exploiting a vulnerability to execute code on victim's system
5. Installation: Installing malware on the asset
6. Command & Control: Command channel for remote manipulation of victim
7. Actions on Objectives: With "hands on keyboard" access, intruders accomplish their original goals

Figure 2. Cyber Kill Chain, Lockheed Martin (2022)
3.1 Equifax Data Breach (2017)

The data breach took place between May 13 and July 30, 2017. The breach exploited a known vulnerability in Apache Struts, the web application framework running on Equifax's application servers. The Apache Software Foundation had released a patch for the vulnerability (CVE-2017-5638) in March 2017 (Wang & Johnson, 2018), and this patch needed to be installed. The Department of Homeland Security sent an alert to key stakeholders, including Equifax, to make sure the patch was installed; however, Equifax's vulnerability scanners did not find any server that needed the patch, which was later found to be the result of how the scanners were configured. Private records of 147.9 million Americans, along with 15.2 million British citizens and about 19,000 Canadian citizens, were compromised in the breach. In February 2020, the United States government indicted members of China's People's Liberation Army for hacking into Equifax and plundering sensitive data, though the Chinese government has denied these claims (ZDNet, 2017).
Below is the timeline of the Equifax breach:
• February 14, 2017 – The Apache Software Foundation received the first report of the vulnerability.
• March 7, 2017 – The Apache Struts Project Management Committee (PMC) publicly disclosed the Apache Struts vulnerability (National Vulnerability Database: CVE-2017-5638).
• March 8, 2017 – The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) sent Equifax a vulnerability notice.
• March 9, 2017 – Equifax Security performed an open-source component scan to identify any systems with a vulnerable version of Apache Struts; none were found.
• March 10, 2017 – First evidence of the Apache Struts vulnerability being exploited at Equifax; the attackers ran the 'whoami' command.
• March 15, 2017 – Equifax received a new signature rule from McAfee to detect vulnerable versions of Apache Struts. The McAfee Vulnerability Manager tool was used to scan externally facing systems with the new signature, run twice, and returned no results.
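The March 9 and March 15 scans returned nothing although a vulnerable Struts library was present. The following added example (the editor's illustration, not Equifax's or McAfee's tooling) shows the two properties a component scan for CVE-2017-5638 needs: numeric, not textual, version comparison against the affected ranges published in the Apache S2-045 advisory (2.3.5 through 2.3.31 and 2.5 through 2.5.10), and coverage of the nested WEB-INF/lib directories where application servers actually deploy the jar. The file inventory, host paths and the depth-limit parameter are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Struts 2 releases affected by CVE-2017-5638 (Apache S2-045 advisory):
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Fixed in 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

# File name of the framework's core library as deployed inside a WAR/EAR.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

# Constructed inventory standing in for a file listing of an application server.
# Paths and application names are hypothetical.
SAMPLE_INVENTORY = [
    "/opt/tomcat/lib/tomcat-api.jar",
    "/opt/tomcat/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/dispute-portal/WEB-INF/lib/struts2-core-2.3.30.jar",
    "/opt/tomcat/webapps/legacy-app/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/tomcat/webapps/intake/WEB-INF/lib/struts2-core-2.5.jar",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5' -> (2, 5, 0); '2.5.10.1' -> (2, 5, 10, 1). Tuples compare numerically,
    unlike strings, where '2.3.9' sorts after '2.3.31' and would look patched."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def scan(inventory: List[str], max_depth: Optional[int] = None) -> List[Tuple[str, str, bool]]:
    """Return (path, version, vulnerable) for every Struts core jar in the inventory.
    max_depth models a scanner configured to look only a few directory levels deep:
    the jars under WEB-INF/lib are never examined and the scan reports nothing."""
    findings = []
    for path in inventory:
        depth = path.count("/") - 1            # directory levels below "/"
        if max_depth is not None and depth > max_depth:
            continue                           # the scanner never looks here
        match = JAR_RE.search(path)
        if match:
            version = match.group(1)
            findings.append((path, version, is_vulnerable(version)))
    return findings


def vulnerable_paths(inventory: List[str], max_depth: Optional[int] = None) -> List[str]:
    return [path for path, _, vuln in scan(inventory, max_depth) if vuln]


if __name__ == "__main__":
    print("full scan, vulnerable jars:", vulnerable_paths(SAMPLE_INVENTORY))
    print("scan limited to three levels:", vulnerable_paths(SAMPLE_INVENTORY, max_depth=3))
```

Run against the constructed inventory, the full scan flags the 2.3.30 and 2.5 jars and clears 2.3.32 and 2.5.10.1, while the depth-limited scan sees only the server's own lib directory and reports nothing, which is the same outcome as the two clean scans in the timeline above.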
3.1.1 Cyber Kill Chain Analysis: The Summary for the Equifax Attack is Below
i) Reconnaissance: The nation-state attackers scanned the web for servers exposed to the Apache Struts vulnerability.
ii) Weaponization: Based on the reconnaissance, the attackers prepared an exploit for the vulnerability found in the Equifax online dispute portal servers, the ACIS system (Automated Consumer Interview System), built for consumers to dispute items on their credit reports.
iii) Delivery: The attackers deployed web shells on the ACIS application servers, giving them remote command execution over HTTP sessions to the vulnerable servers. They were able to use these servers as the jumping-off point to attack other systems within the Equifax environment. ACIS was originally developed in the 1970s to handle the credit dispute process. From this foothold the attackers located additional servers and login credentials.
iv) Exploitation: The attackers leveraged the Apache Struts vulnerability to access a file share mounted on the ACIS application servers and identified unencrypted application credentials stored in configuration files.
v) Installation: The attackers installed malicious code to create backdoor access and used the stolen application credentials to reach 48 databases from the ACIS application servers.
vi) Command & Control: Over the span of 76 days, the attackers ran about 9,000 queries against these databases, undetected.
vii) Actions on Objectives: The attackers uncovered approximately 148 million records of personally identifiable information (PII), and the web shells were used to exfiltrate that data (The WSJ, 2020).
3.1.2 Attack Detection
The attack was eventually detected by a network intrusion detection tool. The tool depended on a TLS/SSL inspection device whose certificate had expired and had not been renewed in a timely manner, so for months the tool could not decrypt and inspect encrypted traffic, including the traffic carrying the stolen data. On July 29, 2017, the required certificate was renewed in the SSL key management system and the security tools began inspecting SSL traffic again. On July 29-30, 2017, suspicious traffic from IP addresses in a foreign Asian country was found attempting connections to the ACIS system. Security analysis then established that ACIS was running the vulnerable version of Struts. The Equifax global CIO and CEO were notified of the breach, as was the FBI. Equifax hired a third-party forensic firm (Mandiant) to perform the analysis and determine the list of approximately 148 million consumers whose PII was stolen. Equifax was obligated by law to notify all the affected individuals, which it did via a dedicated website and a call center, and it also notified the authorities of all 50 states. The call centers and the website were overwhelmed by the volume of requests and failed to enroll consumers in protection services successfully.
3.1.3 Lessons Learned
From the attack details it can be concluded that processes were in place, including IT and cybersecurity audits, that should have identified the vulnerable Struts software so that it could be patched in a timely manner. Regular and effective IT and security audits should not just evaluate whether controls are executed but should regularly review the design of the controls themselves. The security controls that were either not properly designed or not being executed correctly, and that needed further improvement, included:
• Incident response and detection: The incident response team was not able to detect the attackers querying the 48 databases and exporting the results. IT and security audits that review incident management controls should check not only the effective execution of the control but also its design, including regular updates of the scanning and detection software with the latest signature rules.
• Vulnerability/patch management existed at Equifax but failed to detect and fix the issue. Misconfiguration of the scanner was the root cause: the scan covered only the root directory of the affected servers and not the subdirectories in which the vulnerable Struts libraries were deployed, so a vulnerable component was reported as absent.
• Certificate management: The Equifax security response policy and security controls were inadequate. This is clear from the fact that "Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. This left Equifax without visibility on exfiltration of data during the time of the cyberattack" (Whittaker, 2018). Certificate expiry should be inventoried and alerted on like any other outage, since an expired certificate on an inspection device silently blinds every control behind it.
• Network segmentation, with well-managed firewall rules, would have prevented the attackers from pivoting from the internet-facing ACIS servers to the 48 databases holding user PII.
• File integrity monitoring checks whether files are added to or altered on a server; if so, alerts should be configured to reach the administrators and the cyber team. A web shell dropped into an application directory is exactly the kind of change this control detects.
• Data minimization: The security principle that any sensitive data collected should be limited to what is relevant to accomplish the required purpose should be implemented; it also limits the damage when a breach does occur.
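To make the file integrity monitoring point concrete, the following added example (the editor's code, not part of the paper or of any Equifax system) builds a SHA-256 baseline of a deployment, diffs it against a later snapshot, and raises a high-severity alert for any new or changed web content or configuration. The before/after file trees are constructed, the new .jsp file is a placeholder standing in for a dropped web shell, and the suffix lists are assumptions a real deployment would tune.

```python
import hashlib
import os
from typing import Dict, Iterable, List

Snapshot = Dict[str, str]   # relative path -> SHA-256 hex digest


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_from_files(files: Dict[str, bytes]) -> Snapshot:
    """Baseline from an in-memory {path: content} map (what this example uses)."""
    return {path: sha256_bytes(content) for path, content in files.items()}


def snapshot_from_disk(root: str, ignore_suffixes: Iterable[str] = (".log", ".tmp")) -> Snapshot:
    """Baseline of a real directory tree; volatile files such as logs are skipped so
    they do not drown the alerts that matter."""
    snap: Snapshot = {}
    suffixes = tuple(ignore_suffixes)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[os.path.relpath(full, root)] = digest.hexdigest()
    return snap


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def alerts_for(diff: Dict[str, List[str]],
               watch_suffixes=(".jsp", ".jar", ".xml", ".properties")) -> List[str]:
    """Turn a diff into alert lines. New or changed executable/web content under a
    served directory is what a dropped web shell looks like, so it is rated HIGH."""
    alerts = []
    for kind in ("added", "modified"):
        for path in diff[kind]:
            severity = "HIGH" if path.endswith(watch_suffixes) else "INFO"
            alerts.append(f"{severity} {kind}: {path}")
    for path in diff["removed"]:
        alerts.append(f"INFO removed: {path}")
    return alerts


# Constructed deployment before and after an intrusion (hypothetical paths/content).
BASELINE_FILES = {
    "webapps/dispute/WEB-INF/web.xml": b"<web-app/>",
    "webapps/dispute/WEB-INF/lib/struts2-core-2.3.30.jar": b"PK\x03\x04 jar bytes",
    "webapps/dispute/index.jsp": b"<html>dispute portal</html>",
    "conf/app.properties": b"db.user=acis\n",
    "logs/catalina.out": b"startup complete\n",
}
CURRENT_FILES = dict(BASELINE_FILES)
CURRENT_FILES["webapps/dispute/cmd.jsp"] = b"<%-- constructed stand-in for a web shell --%>"
CURRENT_FILES["conf/app.properties"] = b"db.user=acis\ndb.pass=changed\n"
CURRENT_FILES["logs/catalina.out"] = b"startup complete\nrequest served\n"

if __name__ == "__main__":
    report = diff_snapshots(snapshot_from_files(BASELINE_FILES), snapshot_from_files(CURRENT_FILES))
    for line in alerts_for(report):
        print(line)
```

In production the baseline is taken at deployment time and stored off the host, so that an attacker who gains write access to the web root cannot also rewrite the hashes they are compared against.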
In the U.S. House of Representatives oversight report there is a good discussion of the reporting relationship of the Chief Information Security Officer. At the time of the incident, the CISO reported to the Chief Legal Officer. The report states repeatedly that a better structure would be to have the CISO report to the Chief Information Officer; the Equifax CISO now reports to the CEO. In many companies the CISO reports to the compliance officer or the CFO (Bragdon, 2014).
3.2 Target Data Breach (2013)

The Target data breach occurred in November and December 2013, according to the forensic analysis performed after the attack. The attackers compromised the POS (point of sale) card swipe terminals in the stores and used them to steal payment card data. Over approximately three weeks the attackers stole the card data of roughly 40 million customers, along with the personal information (names, addresses, phone numbers and email addresses) of up to 70 million more, about 110 million people in total. The attackers then monetized the stolen cards (track data from the magnetic stripe and encrypted PIN data) on the black market, which is how a security researcher detected the breach and alerted Target (Yahoo Finance, 2015; Shu et al., 2017).
3.2.1 Cyber Kill Chain Analysis: The Summary for the Target Attack is Below
The attackers carried out a supply chain attack, which involves attacking smaller contractors, i.e. companies that do business with the Target Corporation. In Target's case this was Fazio Mechanical Services, an HVAC contractor.
i) Reconnaissance: The attackers researched Target's web presence and identified a page listing the contractors and vendors with which Target does business, which included the HVAC company Fazio.
ii) Weaponization: The attackers crafted phishing messages with malware payloads targeting Fazio employees.
iii) Delivery: The attackers sent the phishing messages and infected Fazio systems. Once compromised, the malware harvested the credentials Fazio used to reach Target's vendor-facing systems, and the attackers used these stolen credentials to access Target's network.
iv) Exploitation: From that foothold the attackers moved into Target's internal network, understood how the networks were divided, and scoped out the POS (point of sale) systems.
v) Installation: The attackers uploaded RAM-scraping malware directly onto the POS systems, where it read card data from memory in the moment between the swipe and encryption.
vi) Command & Control: The RAM-scraping malware staged the harvested card data on an internal server, which communicated with the external command and control environment owned by the attackers.
vii) Actions on Objectives: FTP (File Transfer Protocol) was used to send the card data to the command and control environment owned by the attackers.
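The RAM scraper's output was staged and sent out as plain files, which is what an egress or DLP control can catch. The following added example (the editor's illustration, not Target's or any vendor's tooling) scans an outbound payload for ISO/IEC 7813 Track 2 records, confirms each candidate PAN with the Luhn check digit to cut false positives, and masks what it finds before logging. The FTP payload is constructed; the card numbers in it are published test numbers, not real accounts.

```python
import re
from typing import Dict, List

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test; a random run of digits fails it nine times in ten."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buffer: bytes) -> List[Dict[str, object]]:
    """Return every Luhn-valid Track 2 record in a byte buffer, with the PAN masked."""
    hits = []
    for match in TRACK2_RE.finditer(buffer):
        pan = match.group(1).decode()
        if not luhn_valid(pan):
            continue                        # digit run that only looks like a card
        hits.append({"pan": mask_pan(pan), "expiry": match.group(2).decode(),
                     "offset": match.start()})
    return hits


def scan_and_decide(buffer: bytes, block_threshold: int = 1) -> Dict[str, object]:
    """Egress decision for one outbound payload: block once enough cards are seen."""
    hits = find_track2(buffer)
    return {"cards": hits, "block": len(hits) >= block_threshold}


# Constructed outbound payload: a staging file on its way out over FTP.
SAMPLE_EXFIL = (
    b"STOR dump_0212.txt\r\n"
    b"lane07|;4111111111111111=2512101123456789?|\r\n"
    b"lane07|;5500000000000004=2606101987654321?|\r\n"
    b"lane09|;4111111111111112=2512101000000000?|\r\n"   # fails Luhn: not a card
    b"noise 1234567890123=9999101?\r\n"                  # no start sentinel: ignored
)

if __name__ == "__main__":
    decision = scan_and_decide(SAMPLE_EXFIL)
    print("block transfer:", decision["block"])
    for card in decision["cards"]:
        print("  track 2 record at offset", card["offset"], card["pan"], "exp", card["expiry"])
```

The same detector can be pointed at a process memory dump from a POS terminal; the Track 2 pattern is how RAM scrapers themselves locate card data, so it works as well for the defender as for the attacker.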
3.2.2 Lessons Learned
• Effective third-party risk management: Apart from having well-established security controls within the organization, the organization must also make sure, by contractual obligation, that contractor organizations have effective security and data protection controls in place, and that vendor access is limited to the systems the vendor actually needs and segregated from payment and other sensitive networks.
• Regular audit of third-party controls: Compliance with the requirement for effective security controls can be verified by reviewing SOC 2 (System and Organization Controls) reports. A SOC 2 report covers the design and operating effectiveness of security and data protection controls, while SOC 1 is mainly about ICFR (internal control over financial reporting).
3.3 Sands Casino Attack (2014)

In February 2014 there was a hacking attack against the Las Vegas Sands Corporation's casino in Bethlehem, PA. An earlier attempt to brute-force the casino's VPN had failed. However, the attackers later got in through a test instance of the casino website that was exposed to the internet and had an unpatched vulnerability. As of 2012, Sands had only five employees in its incident response and cybersecurity team protecting 25,000 computers. Although a 2013 upgrade and expansion was underway, it was on an 18-month rollout plan and was no match for coordinated cyber actors, who launched wiper malware that took down the network and erased sensitive data (Bennett, 2014). This was a politically motivated attack attributed to the nation-state of Iran, in response to political comments made by Sheldon Adelson, the chairman of Las Vegas Sands (Efrony & Shany, 2018).
3.3.1 Cyber Kill Chain Analysis: The Summary for the Sands Attack is Below (Bloomberg, 2014)
i) Reconnaissance: The attackers scanned publicly reachable Sands systems, including the VPN they first tried to brute-force.
ii) Weaponization: The attackers identified an exposed test instance of the casino website with an unpatched vulnerability and prepared an exploit for it.
iii) Delivery: The exploit was delivered against the internet-facing test server at Sands Bethlehem.
iv) Exploitation: Once in, the attackers ran Mimikatz, which allowed them to harvest Active Directory credentials from memory, and used these credentials to move laterally to other systems within Sands Bethlehem. They eventually obtained the credentials of a Sands Las Vegas employee, which allowed the attack to migrate to the Las Vegas casino.
v) Installation: The attackers used the reused credentials to extend the attack from Bethlehem to Las Vegas and establish themselves on systems there.
vi) Command & Control: The attackers maintained their presence in the network using the elevated stolen credentials.
vii) Actions on Objectives: Once the attackers had credentials to the Las Vegas systems, they moved across systems, this time destroying them as they went.
3.3.2 Lessons Learned
• Effective access controls: Though most companies provide the tightest security for their production environments, they often neglect development and test environments. The main vulnerability in this case was a development/test environment exposed to the internet. Company systems, in every environment, should be accessible only to company staff after proper authentication and authorization. Security is only as good as the weakest link: if malicious actors can obtain credentials in a lower environment that can then be reused to access higher environments, that is a major security flaw, and the same credentials should never be valid across environments.
• Use test data in development and quality systems: Most companies strive to make their development and test environments as close to production as possible, by copying the configuration as well as the data, including sensitive PII, into the quality and test environments. This is a privacy concern, as companies do not always have the same level of effective security controls around these systems as they do around production, which makes them an easier target; synthetic or masked data should be used instead.
3.4 Yahoo Data Breach (2014)

Yahoo confirmed in September 2016 that at least 500 million user accounts had been exposed, in what was at the time one of the largest data breaches on record. The information was stolen in late 2014 by what Yahoo called a "state-sponsored actor" and "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers," according to a Yahoo statement (Trautman & Ormerod, 2016). The stolen information did not include unprotected passwords, payment card data or bank account information, which were not stored in the system that was found to be affected. The user information was first compromised in 2014. At the time the company notified only 26 users, and it did not disclose the intrusion in its SEC filings until the due diligence phase of Verizon's purchase of Yahoo (LifeLock, 2016).
3.4.1 Cyber Kill Chain Analysis: The Summary for the Yahoo Data Breach is Below
i) Reconnaissance: The attackers scouted US internet service companies.
ii) Weaponization: The attackers targeted a 'semi-privileged' Yahoo employee rather than top executives (USA, justice.gov, 2017).
iii) Delivery: Social engineering or spear phishing "was the likely avenue of infiltration used to gain the credentials of an 'unsuspecting employee' at Yahoo" (Gallagher & Kravets, 2017).
iv) Exploitation: Once inside Yahoo's network, the attackers accessed the UDB (the centralized User Database) and the proprietary source code that Yahoo used to generate session cookies.
v) Installation: A log cleaner was installed to remove traces of the attackers' network activity. The attackers also installed cookie-minting software, which used the stolen code to create forged session cookies that let them log into accounts without a password and bypass authentication controls.
vi) Command & Control: The attackers accessed the Account Management Tool (AMT) on the Yahoo network for persistent unauthorized access, and FTP was used to exfiltrate data.
vii) Actions on Objectives: A copy of the UDB was stolen, compromising 500 million Yahoo accounts.
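The cookie-minting step depended on the attackers obtaining the code and key material that made a cookie trustworthy. The following added example (the editor's illustration, not Yahoo's implementation) shows why: an HMAC-signed session cookie cannot be forged by rewriting its claims, but anyone holding the signing key can mint cookies for any user, and the only remedy is to rotate the key so that everything minted under the stolen one stops verifying. The key values, claim names and TTL are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical server-side secrets, standing in for the key protected by the minting code.
OLD_SIGNING_KEY = b"constructed-session-signing-key-v1"
NEW_SIGNING_KEY = b"constructed-session-signing-key-v2"   # used after rotation


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


def mint_cookie(user_id: str, key: bytes, issued_at: int, ttl: int = 3600) -> str:
    """Legitimate minting: the claims are signed with HMAC-SHA256 under the server key.
    An attacker who has stolen `key` can call this just as well as the server can."""
    claims = json.dumps({"uid": user_id, "exp": issued_at + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(key, claims, hashlib.sha256).digest()
    return _b64e(claims) + "." + _b64e(sig)


def verify_cookie(cookie: str, key: bytes, now: int) -> Optional[str]:
    """Return the user id if the signature and expiry hold under `key`, else None."""
    try:
        claims_b64, sig_b64 = cookie.split(".", 1)
        claims, sig = _b64d(claims_b64), _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        return None
    try:
        parsed = json.loads(claims)
    except ValueError:
        return None
    if not isinstance(parsed, dict) or parsed.get("exp", 0) <= now:
        return None
    return parsed.get("uid")


def tamper_without_key(cookie: str, new_user_id: str) -> str:
    """What an attacker without the key can do: rewrite the claims, keep the old signature."""
    claims_b64, sig_b64 = cookie.split(".", 1)
    claims = json.loads(_b64d(claims_b64))
    claims["uid"] = new_user_id
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return _b64e(forged) + "." + sig_b64


if __name__ == "__main__":
    T = 1_700_000_000
    genuine = mint_cookie("alice", OLD_SIGNING_KEY, T)
    print("genuine cookie verifies as:", verify_cookie(genuine, OLD_SIGNING_KEY, T + 10))
    print("claims rewritten without key:", verify_cookie(tamper_without_key(genuine, "admin"), OLD_SIGNING_KEY, T + 10))
    minted_by_attacker = mint_cookie("victim", OLD_SIGNING_KEY, T)   # attacker holds the key
    print("minted with stolen key:", verify_cookie(minted_by_attacker, OLD_SIGNING_KEY, T + 10))
    print("same cookie after key rotation:", verify_cookie(minted_by_attacker, NEW_SIGNING_KEY, T + 10))
```

Two design points follow from the run: a short expiry bounds how long a minted cookie stays useful, and the signing key must be treated as a credential in its own right, kept out of the source tree the attackers copied and rotated as soon as compromise is suspected.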
3.4.2 Lessons Learned
• Employee training: The main security control that could have prevented the Yahoo data breach is employee training. Making sure employees are aware of cyber best practices, and promoting a culture of cybersecurity, reduces the chance of a lapse during a phishing or social engineering attack.
• Cybersecurity culture: Cybersecurity was not a priority earlier, which was the root cause of this data breach; Yahoo has since partnered with the Cybersecurity at MIT Sloan research group (CAMS) to build and promote a cybersecurity culture at the firm (Harvard Business Review, 2021).
3.5 City of Atlanta Ransomware Attack (2018)

This cyber-attack was important because Atlanta is a major transportation and economic hub, and hence it was widely publicized. The city recognized the attack on Thursday, March 22, 2018, and publicly acknowledged that it was a ransomware attack (Kraszewski, 2019). The malware used was SamSam ransomware, whose operators gain access by brute-forcing weak passwords on internet-exposed services until a match is found. The affected systems ranged from utility bill payment applications to the police department's records system and the public Wi-Fi at the airport (CBS Interactive, 2018). A federal grand jury indicted two Iranian hackers for the attack; the Department of Justice alleged that they were part of the SamSam group.
3.5.1 Cyber Kill Chain Analysis: Summary for the City of Atlanta Ransomware Attack (Perlroth & Benner, 2018; Kraszewski, 2019)
i) Reconnaissance: The attackers scouted publicly available information and internet-exposed systems.
ii) Weaponization: The SamSam operators prepared to gain access by brute-forcing credentials.
iii) Delivery: The attackers gained access to the city's IT systems via brute force.
iv) Exploitation: Once in, the attackers exploited the vulnerable systems and spread across the network.
v) Installation: The ransomware was installed and encrypted the data.
vi) Command & Control: The attackers controlled the infected systems and disrupted the city's IT infrastructure.
vii) Actions on Objectives: The city was asked to pay a ransom in Bitcoin.
3.5.2 Lessons Learned
• Timely vulnerability detection and mitigation: The Atlanta government was criticized for a lack of spending on upgrading its IT infrastructure, leaving multiple vulnerabilities open to attack. In fact, a January 2018 audit found 1,500 to 2,000 vulnerabilities in the city's systems and suggested that the number of vulnerabilities had grown so large that workers had become complacent. Timely vulnerability detection and mitigation are crucial (City Auditor's Office, 2018).
• Security controls: Effective security controls are crucial to defend against bad actors. In this case, strong credentials with account lockout or rate limiting on exposed services would have defeated the brute-force entry, and tested offline backups would have removed the leverage behind the ransom demand.

4. Proposed Eight-Step Cyber-Attack Prevention Plan

The IBM Cost of a Data Breach Report (IBM, 2021) notes that IT modernization, a zero-trust approach and security automation reduced the cost and risk of data breaches. Based on the Cyber Kill Chain analysis of the five major US data breaches and on industry best practices, Table 3 summarizes the steps that would have effectively prevented these attacks. This is not meant to be an exhaustive list, but to provide enough assurance to ensure protection against the most common data breaches.
i) Automation and security AI (artificial intelligence): Security automation is the machine-based execution of security actions to detect, investigate and mitigate cyber threats with minimal human involvement, using tools such as Splunk. This provides cost-effective cyber risk mitigation and a more effective security response process.
ii) Implement the zero trust approach: Rooted in the principle of "never trust, always verify", zero trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user access control (Palo Alto Networks, 2021). The average cost of a breach was USD 1.76 million less at organizations with a mature zero-trust approach than at those without one (IBM, 2021).
Table 3. Proposed 8 Step Cyber Attack Prevention Plan
1. Zero trust approach
2. IT modernization
3. Automation and security AI
4. Implement security controls
5. Endpoint defense
6. Network defense tools
7. Vendor security controls
8. User training
iii) IT modernization: Organizations further along in their cloud modernization strategy contained breaches on average 77 days faster than those in the early stages of their modernization journey (IBM, 2021). Using modern IT tools with better cyber monitoring features is effective in containing cyber incidents.
iv) Implementing and periodically auditing security controls to ensure they are properly designed and executed effectively. The organization can select a common framework such as the ISO/IEC 27000 series, the NIST Cybersecurity Framework, the CIS Critical Security Controls or COBIT, whichever is best suited to its organizational goals, build these controls, and test them periodically for proper design and operating effectiveness. The most important security controls include incident response, appropriate access controls, and a disaster recovery plan that includes backups and a BIA (business impact analysis) to set priorities for effective communication, mitigation and recovery in the case of critical cyber-attacks.
v) Having proper Network defense tools: Network defenses are control points placed within an
organization that are intended to detect and/or prevent malicious activities at the network layer.
The most commonly used network defenses are listed below.
◦ Intrusion Detection System (IDS): A network device or software application that monitors for
malicious activities or policy violations and generates an alert that is delivered to the
cybersecurity team for review and action. An intrusion prevention system (IPS), in addition to
detecting the malicious activity, will also prevent the attack by taking action on the cyber
incident, e.g. dropping the malicious packets.
◦ Network Malware prevention tools: Monitor network traffic to identify malware
executables. When identified, these are run in a safe environment to identify their behavior.
◦ Proxy server: Acts as an intermediary between the internal hosts and the internet.
Proxies can be used to limit where hosts are allowed to travel on the internet. For example, a
company could use the proxy server to limit or stop employees from accessing websites
that do not have any legitimate business purpose.
◦ Firewall: Network filters that limit network traffic between internal hosts and external servers
by permitting only approved IP addresses and ports for inbound and outbound traffic.
Thus the company could whitelist a group of IP addresses and ports using the Firewall to
ensure traffic is routed only between approved IP address destinations.
◦ WAF (Web Application Firewall): Software layer controls that intercept web traffic
destined for web applications. The WAF analyzes this traffic and looks for common
web-based attacks such as SQL injection.
◦ Remote Monitoring: Installing network scanning techniques, including firewalls that restrict
network traffic and a DoS protection service that detects and filters out abnormal traffic. Active
monitoring is one of the best detective controls against cyber-attacks.
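The firewall allowlist described above, as an added example that is not part of the original paper: a default-deny rule set where traffic passes only between approved addresses and ports, evaluated over constructed sample flows so the rule set can be tested for design and operating effectiveness (the addresses, ports and policy are hypothetical).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    remote_net: str  # approved remote address range, CIDR notation
    port: int        # approved service port
    proto: str = "tcp"

@dataclass(frozen=True)
class Flow:
    direction: str
    remote_ip: str
    port: int
    proto: str = "tcp"

def is_allowed(flow, rules):
    """Default deny: a flow passes only if some rule explicitly approves it."""
    addr = ipaddress.ip_address(flow.remote_ip)
    return any(
        r.direction == flow.direction and r.proto == flow.proto
        and r.port == flow.port and addr in ipaddress.ip_network(r.remote_net)
        for r in rules
    )

# Constructed policy on RFC 5737 documentation addresses (hypothetical):
# partners may reach the public HTTPS listener; internal hosts may only go
# outbound to the company proxy (3128/tcp) and the internal resolver (53/udp).
POLICY = [
    Rule("inbound", "203.0.113.0/24", 443),
    Rule("outbound", "192.0.2.10/32", 3128),
    Rule("outbound", "192.0.2.53/32", 53, "udp"),
]

# Constructed sample flows that exercise the policy.
SAMPLE_FLOWS = [
    Flow("inbound", "203.0.113.7", 443),    # partner to HTTPS: approved
    Flow("inbound", "203.0.113.7", 22),     # partner to SSH: no rule, dropped
    Flow("outbound", "198.51.100.5", 443),  # direct to internet: must use proxy
    Flow("outbound", "192.0.2.10", 3128),   # to the proxy: approved
]

def evaluate(flows, rules=POLICY):
    """Split flows into (allowed, denied) lists so the rule set can be tested."""
    allowed = [f for f in flows if is_allowed(f, rules)]
    denied = [f for f in flows if not is_allowed(f, rules)]
    return allowed, denied
```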
vi) Implementing Endpoint defenses: Endpoint defenses are control points placed on an organization's
systems that are intended to detect and potentially prevent malicious activity on a system. Some
of the endpoint defenses include:
◦ Application allowlist: Prevents download and execution of all applications except the ones
in the organization's application allowlist.
◦ Sandboxing: A technique used to run potentially malicious files inside an isolated system to identify
whether the file is truly malicious.
◦ Patch Management: Making sure the critical patches are identified and applied in a timely manner.
◦ Vulnerability management: The cyber team reviews the systems to ensure that vulnerabilities
are mitigated in a timely manner.
◦ Security alerts and log management system: These systems review the various security
alerts and logs to understand whether there has been any compromise.
vii) Vendor security controls: Given that many critical Business processes and Data are outsourced
to vendors, it is important to ensure that the Security controls on the Vendor side are effective.
This is usually ensured via contract terms and regular SOC (System and Organization Controls)
audits. SOC-2 audit reports, which include the audit details about the vendor's Cyber and Data
protection controls in place and their effectiveness, are to be reviewed periodically. SOC-2 reports
summarize how the company safeguards customer data and how well those internal controls are
operating (Markey & Marchak, 2020). There also need to be effective controls and
procedures in place for vendor selection to ensure that third parties with good security practices are
selected.
viii) Employee training: Humans are the weakest link in every cyber environment, and hence it
must be ensured that they are provided with appropriate training so that they are aware of the
various attacks they could face in a corporate environment. It is not sufficient merely to have
proper Employee security training; a cyber-aware employee culture needs to be put in place
at the workplace, and this awareness should be tested periodically with mock cyber-attack
simulations. Employee training can be made more effective by using data visualization, gaming
and other modern technologies which make the training more interactive.
Based on the Cyber Kill chain analysis of the five major US data breaches (refer to Table 4; Sebastian,
2022), our analysis is in line with Interpol's report (Interpol, 2020), with Malware, Malicious
domains, and social engineering being the main types of cyber-attacks. The bad actors in most
cases of these corporate breaches are nation-states, which makes these cyber breaches extremely
complicated, given the coordinated and advanced tools that these nation-states deploy for these
attacks. The proposed mitigation plan, along with industry best practices, provides the best bet for
these corporations to be well-prepared to detect, investigate and remediate cyber threats. This also
helps to reiterate the importance of the IT and Cyber Audit function within the organization and why it is
critical for organizations to empower and include this team in IT-related projects, deployments, and
daily operations. The IT and Cyber Audit universe should comprise all sections of Information
risks across the firm. For companies to get the real state of their cyber readiness against a potential
cyber threat, it is imperative to have regular and frequent IT and Cyber audits, not just to test and
verify the effective performance of Security controls but also to periodically verify the design of
these controls to ensure these procedures are regularly updated based on cyber best practices and
industry trends.
Table 4. Summary of Cyber-attacks, root cause, and primary defense

| Affected corporation | Target | Equifax | Desert Sands | Yahoo! | Atlanta & NotPetya |
|---|---|---|---|---|---|
| Type of cyber attack | Malware attack | Malware attack on unpatched server | Access breach through test website available to public | Social engineering or spear phishing | SamSam Malware |
| Bad Actor | Hackers | Nation State Hacking Attack | Nation State Hacking attack | Nation State Hacking attack | International hacking group |
| Primary cause | Supply Chain Attack (targeting contractors/weakest links) | Vulnerability on unpatched server | Lack of access controls to test/development systems | End user / Employee ignorance | Improper design/execution of security controls |
| Security control that could have prevented the attack | Ensuring contractors have satisfactory security controls via contractual obligation | Timely patching and change management controls | Access controls over Test/Development/Production | User training | Proper design and execution of security controls |
With remote work becoming the norm for many companies since the covid-19 pandemic started,
it is clear that cyber defense against data and privacy breach incidents is a major concern for most
corporations worldwide. This study analyzed the major US data breaches to understand their
root causes and also proposed cyber mitigations to provide reasonable assurance of ensuring the
safety of remote employees and organizational data. From this study, as well as the industry and
Interpol reports, it is clear that there is a pattern of main types of cyber incidents which are most
rampant; hence, ensuring the adoption of a suitable cyber security controls framework and conducting
regular and frequent risk-based audits would greatly reduce the risk of any major cyber incident or
data breach for the firm. It is also to be noted that cybersecurity is a very quickly evolving field, with
new vulnerabilities being discovered almost daily. Hence it is critical for corporations to regularly
update their risk and cybersecurity audit methodologies based on these dynamic cyber threats.
• Funding: This research did not receive any specific grant from funding agencies in the public,
commercial, or not-for-profit sectors.
• Consent for publication: The manuscript does not contain any individual person’s data in any
form.
• Ethics Approval and Consent to participate: The study-specific ethics committee approval
was not required for research since the research did not involve human participants.
• Competing interests: The authors declare that they have no competing interests.
• Availability of Data and Material: Data sharing is not applicable to this article as no datasets
were generated or analyzed during the current study.
• Acknowledgement: Not applicable.
The author contributed to the study conception and design. Material preparation, data collection and
analysis were performed by Glorin Sebastian. The first draft of the manuscript was written by Glorin
Sebastian, and the author has read and approved the final manuscript.
Bennett, C. (2014). Iranian Hackers Downed Adelson's Casino Empire. The Hill. https://thehill.com/policy/cybersecurity/226915-iranian-hackers-downed-us-casino-empire
Bloomberg. (2014). Retrieved June 11, 2022, from https://www.bloomberg.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas
Bragdon, B. (2014, June 20). Maybe it really does matter who the CISO reports to. CSO Online. Retrieved June 11, 2022, from https://www.csoonline.com/article/2365827/maybe-it-really-does-matter-who-the-ciso-reports-to.html
CBS Interactive. (2018, March 28). Atlanta was warned about vulnerabilities months before cyberattack, audit shows. CBS News. Retrieved June 11, 2022, from https://www.cbsnews.com/news/atlanta-warned-cyber-vulnerabilities-audit-shows/
City Auditor's Office. (2018). ISO/IEC 27001 ISMS Precertification Audit. Author.
Cyberoam. (2014). Security Advisory – OpenSSL Heartbleed Vulnerability. Cyberoam.
Efrony, D., & Shany, Y. (2018). A rule book on the shelf? Tallinn manual 2.0 on cyberoperations and subsequent state practice. The American Journal of International Law, 112(4), 583–657.
Four Members of China's Military Indicted Over Massive Equifax Breach. (2020, Feb. 11). The Wall Street Journal.
Gallagher, S., & Kravets, D. (2017, March 15). How did Yahoo get breached? Employee got spear phished, FBI suggests. Retrieved from https://arstechnica.com/tech-policy/2017/03/fbi-hints-that-hack-of-semi-privileged-yahooemployee-led-to-massive-breach/
How Yahoo Built a Culture of Cybersecurity. (2021, November). Harvard Business Review, 5. https://hbr.org/2021/09/how-yahoo-built-a-culture-of-cybersecurity
IBM. (2021). Cost of Data Breach Report 2021. https://www.ibm.com/security/data-breach
Interpol. (2020). Cybercrime: COVID-19 impact. https://www.interpol.int/content/download/15526/file/COVID-19%20Cybercrime%20Analysis%20Report-%20August%202020.pdf
justice.gov. (2017). https://www.justice.gov/opa/press-release/file/948201/download
Kraszewski, K. (2019, May). SamSam and the silent battle of Atlanta. In 2019 11th International Conference on Cyber Conflict (CyCon) (Vol. 900, pp. 1–16). IEEE.
LifeLock. (2016). Yahoo Announces 500 Million Users Impacted by Data Breach. https://www.lifelock.comlearn-data-breaches-company-data-breach.html
Lockheed Martin. (2022). Cyber kill chain. Retrieved June 11, 2022, from https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Markey, M., & Marchak, M. (2020). Security Considerations in Technology Contracting. In Implementing Information Security in Healthcare (pp. 163–182). HIMSS Publishing.
paloaltonetworks. (2021). What is a Zero Trust Architecture. https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
Perlroth, N., & Benner, K. (2018). Iranians Accused in Cyberattacks, Including One That Hobbled Atlanta. Academic Press.
Sebastian, G. (2022). Could incorporating cybersecurity reporting into SOX have prevented most data breaches at US publicly traded companies? An exploratory study. International Cybersecurity Law Review, 1–17.
Shu, X., Tian, K., Ciambrone, A., & Yao, D. (2017). Breaking the target: An analysis of target data breach and lessons learned. arXiv preprint arXiv:1701.04940.
Trautman, L. J., & Ormerod, P. C. (2016). Corporate directors' and officers' cybersecurity standard of care: The Yahoo data breach. Am. UL Rev., 66, 1231.
US-CERT. (2013). Understanding Denial-of-Service Attacks. US-CERT.
Wang, P., & Johnson, C. (2018). Cybersecurity incident handling: A case study of the Equifax data breach. Issues in Information Systems, 19(3).
Whittaker, Z. (2018). Equifax breach was 'entirely preventable' had it used basic security measures, says House report. TechCrunch. Retrieved June 11, 2022, from https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/
Yadav, T., & Rao, A. M. (2015, August). Technical aspects of cyber kill chain. In International Symposium on Security in Computing and Communication (pp. 438–452). Springer.
ZDNet. (2017). Equifax confirms Apache Struts flaw it failed to patch was to blame for Data Breach. https://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/