Decoding the Top Trends and Intruder Actions in Data Breaches

The frequently used vector to gain initial access is phishing attack and deployment of the malware - observed in nearly 43% of cases that SISA investigated. Most often, the phishing emails originate from a trusted ID, making the tactic highly successful.
Top Trends and Intruder Actions in Data Breaches

The constantly evolving threat landscape along with growing complexity of data breaches are twin challenges that cyber security professionals world over are battling with. The evolution is not just code-driven but born out of the increasing inter-connectedness and perimeter-less environments. The resulting consequence is a rise in the multitude of techniques and methods used for carrying out cyber attacks, specifically data breaches. Besides, intruders are weaponizing emerging technology and AI/ML tools to exploit vulnerabilities across IT infrastructure, leaving even the most sophisticated cyber defenses useless. SISA has seen a noticeable rise in targeted phishing attacks, exploits via third party networks and use of custom malware and genuine tools for performing malicious activity over the past few years. Importantly, the methods used by intruders are vividly different across the different phases of the attack lifecycle and rapidly evolving, requiring agile security practices.

The top trends across the data breach cycle observed during our forensic investigations are summarized below:

Every breach can be divided into three parts based on intruder tactics – Ingress Point, Lateral Movement, and Action on Objective. The Ingress Point covers the tactics used by the intruder to gain a persistent foothold within the network. The Lateral Movement covers various tactics deployed to gain access to the systems of interest and penetrate into the critical environment. The Action on Objective deals with the exfiltration and impact tactics that intruders use to realize the end outcome.

Ingress Trends

The initial access to system zero of the compromised environment can take place using many methods. The frequently used vector is phishing attack and deployment of the malware – observed in nearly 43% of cases that SISA investigated. Phishing emails are, in most cases sent from a trusted email ID, typically from colleagues or third parties present in the user’s contacts. The other major ingress point is via web application exploits. The vulnerabilities that the intruders mainly exploit for deploying a web shell are the SQL injection vulnerability, malicious file upload vulnerability, exploitation of vulnerable libraries, and OS injection vulnerability.
In 11% of the investigations where web shell was identified, SISA found that the compromise was through a vulnerability present in the API used by the clients. Interestingly, all the exploits observed were on applications hosted either in the UAT environment or in the non-critical VLANs – implying the importance of securing non-critical environment. Further, a host of security lapses ranging from absence of AV in the targeted system and exposing APIs without Web Application Firewall (WAF) to infrequent patching, that led to the initial ingress underscore the imminent need to strengthen controls.

Lateral Movement Trends

Once the intruders gain access to the network and create persistence within the network, they mainly look to escalate the privilege, gain credential access, try defence evasion techniques, and perform a lateral movement to discover the systems of interest. Among the various techniques that intruders use for credential access, OS credential dumping is the most common. This usually involves the use of a credential harvester tool such as Mimikatz. Though MimiKatz is an old malware, there are increasing instances of various variants of the malware being used by the intruder. Exploit of unsecured credentials is another popular technique used in lateral movement. By accessing the files containing the credentials to various user accounts like the common user account, service account, DBA, etc. stored on local systems, intruders have been able to access critical systems.
Another vulnerability that intruders exploit is the storage of the database connection string containing the DB credentials in the web configuration file of the webserver. These trends make it clear that the classic ‘castle with a moat’ cyber security model wouldn’t be effective to prevent lateral movement. Instead, organizations must enforce strong password management, MFA, context-based access control, robust segmentation and a zero-trust policy to keep the attackers at bay. Additionally, deploying a proactive threat hunting solution can help detect anomalies and Indicators of Compromise (IoCs) early on.

Action on Objective Trends

The final stage in the data breach is Action on Objective, where the attacker finally extracts the data from the compromised system. Typically, the objective of data exfiltration involves gathering, encrypting, and extracting confidential information from the organization’s environment. And to meet these objectives, intruders choose to ransom it, destroy it, monetize it by selling data on dark web or simply make it public. Synchronized ransomware attack has been the most common action on objective over the past couple of years. This is not the attack of encrypting one or two critical servers; instead, it’s a synchronized attack where the entire data centre and DR site are taken down with a ransomware attack.

Social engineering attack on the end customer is another popular action on objective wherein the intruder, through impersonation and by sharing recent transaction details, scams the customer into performing actions such as sharing the OTP, installing a malicious application etc. A similar trend is also observed with respect to compromise of credentials to SaaS applications (like CRM) containing the end customer details. Since the complete customer details are available in these SaaS applications, the intruder uses these data for scamming the end customer – a trend prevalent in both financial and non-financial institutions.


Each stage of the breach demonstrates a specific goal along the attacker’s path which makes it vital for organizations to have a layered approach to cyber defence. Designing threat monitoring and incident response plan around each stage is an effective approach as it focuses on how actual attacks happen. Use of data-loss prevention solutions can also help organizations check exfiltration. Additionally, digital forensics can help in the evaluation and reconstruction of the attack, thereby helping organizations improve preparedness and prevent relapses.

For a detailed understanding on top trends in data breaches and intruder exploits, download the latest SISA Top 5 Forensic Driven Learnings 2022-2023 report or sign-up for a free consultative Forensics Learning Session.

SISA’s Latest
close slider