March 16, 2010, 11:01 AM — Cyber criminals are becoming increasingly sophisticated in their methods of attack, and the same is often true of their methods of data exfiltration. Exfiltration, or exportation, of data is usually accomplished by copying the data from the system over a network channel, although removable media or physical theft can also be used.
In 2009, the SpiderLabs team at Trustwave investigated over 200 data breaches in 24 different countries. While the methods used by cyber criminals to exfiltrate data from a compromised environment varied, the method of entry into an environment was often the remote access application used by the target organization. In the SpiderLabs investigations, 45 percent of compromises occurred through attackers gaining access to a system via a remote access application. These were not zero-day exploits or complex application flaws, and to the IT staff the attacks looked no different than, for example, the CEO connecting from London while on a business trip. Nor did the attackers need to brute-force the accounts they used: SpiderLabs found that 90 percent of these attacks succeeded because of vendor-default or easily guessed passwords, such as "temp:temp" or "admin:nimda."
Once a foothold is established, attackers often launch network enumeration tools. These tools are used to discover additional targets within the environment and to retrieve system information such as usernames, group privileges, network shares, and available services. The noise generated by enumeration tools can be a prelude to an attack. Unfortunately, we've found that most entities are not properly monitoring their systems and therefore fail to observe these indicators.
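Enumeration noise is easy to spot once someone looks for it. The following is an added example, not code from the SpiderLabs report: it reads constructed connection-log lines and flags any internal source that touches an unusually large number of distinct host:port targets within a short window, the fan-out pattern that share and service enumeration leaves behind. The log format, IP addresses and thresholds are assumptions for illustration.

```python
# Added example: detect enumeration-style fan-out in connection logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, destination IP, destination port.
# 10.1.20.15 sweeps ten hosts in five seconds; 10.1.20.30 is ordinary file-share use.
SAMPLE_LOG = """\
2010-03-01T02:14:05 10.1.20.15 10.1.20.1 445
2010-03-01T02:14:05 10.1.20.15 10.1.20.2 445
2010-03-01T02:14:06 10.1.20.15 10.1.20.3 445
2010-03-01T02:14:06 10.1.20.15 10.1.20.4 139
2010-03-01T02:14:07 10.1.20.15 10.1.20.5 445
2010-03-01T02:14:07 10.1.20.15 10.1.20.6 135
2010-03-01T02:14:08 10.1.20.15 10.1.20.7 445
2010-03-01T02:14:08 10.1.20.15 10.1.20.8 445
2010-03-01T02:14:09 10.1.20.15 10.1.20.9 445
2010-03-01T02:14:09 10.1.20.15 10.1.20.10 445
2010-03-01T09:00:00 10.1.20.30 10.1.20.1 445
2010-03-01T09:05:00 10.1.20.30 10.1.20.2 445
2010-03-01T09:10:00 10.1.20.30 10.1.20.3 445
"""

def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_enumeration(log_text, window=timedelta(seconds=60), min_targets=8):
    """Return {src: peak distinct targets} for sources exceeding the fan-out threshold."""
    events = defaultdict(list)  # src -> list of (time, (dst, port))
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[src].append((ts, (dst, port)))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until events[start..end] fit inside the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {t for _, t in evs[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

if __name__ == "__main__":
    for src, n in find_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {src}: {n} distinct host:port targets within 60s")
```

The thresholds need tuning per environment (backup servers and vulnerability scanners legitimately fan out), so a real deployment would whitelist known scanners and baseline normal hosts first.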
It was these types of tools that led attackers to the systems of additional hotel properties through trusted private circuits. The internal connections were subsequently exploited, resulting in the breach of data from physically dispersed sites. Without these connections, breaches within the hospitality sector would likely have been contained to only a few properties.
Once attackers gained access to the target environment, they harvested data using either manual or automated methods. In the manual approach, potentially valuable databases and documents were located, and the operating system was searched for specific keywords to identify further data.