Break the Attack Chain: Decisive Moves

In our “Break the Attack Chain” blog series, we have looked at how threat actors compromise our defenses and move laterally within our networks to escalate privileges and prepare for their endgame. Now, we come to the final stage of the attack chain where it’s necessary to broaden our outlook a little.

While most external threat actors will follow the same playbook, they aren’t our only adversaries. The modern reality is that data often just walks out of the door because our employees take it with them. More than 40% of employees admit to taking data when they leave. At the same time, careless employees who make security mistakes are responsible for more than half of insider-led data loss incidents.

So, while it’s important to detect and deter cybercriminals who want to exfiltrate our data, we must also watch out for our users. Whether they are malicious or careless, our users are just as capable of exposing sensitive data. 

In this third and final installment, we discuss how companies tend to lose data—and how we can better protect it from all manner of risks. 

Understanding data loss

As with every stage in the attack chain, we must first understand threats before we can put protections in place. Let’s start with the case of a cybercriminal following the typical attack chain. While this may not sound like a traditional insider attack, it’s often aided by careless or reckless employees. 

Users expose data and open themselves and your business up to compromise in a multitude of ways, such as using weak passwords, reusing credentials, forgoing security best practices and clicking on malicious links or attachments. Any of these risky moves gives cybercriminals a way into your networks, where they can embark on lateral movement and escalation.

Incidents like these are so common that careless or compromised users cause over 80% of insider-led data loss. Malicious insiders make up the remainder. Insider threats could be a disgruntled employee looking to cause disruption, a user compromised by cybercriminals, or, increasingly, an employee who will soon leave your organization. 

In most cases, data exfiltration follows a three-stage pattern: 

  • Access. Users, whether malicious or compromised, will attempt to take as much information as possible. This could mean excessive downloading or copying from corporate drives or exporting data from web interfaces or client apps.
  • Obfuscation. Both cybercriminals and malicious insiders will be aware of the kinds of activity likely to trigger alarms and will take steps to avoid them. Changing file names and extensions, deleting logs and browsing history, and encrypting files are typical strategies.
  • Exfiltration. With targets acquired and tracks covered, the data is then exfiltrated by copying files to a personal cloud or removable storage device, or by sharing them with personal or burner email accounts.

Defending from the inside out

As we explained in our webinar series, while the initial stage of the attack chain focuses on keeping malicious actors outside our organization, the final two stages are far more concerned with what’s happening inside it. 

Therefore, any effective defense must work from the inside out. It must detect and deter suspicious activity before data can slip past internal protections and be exposed to the outside world. Of course, data can do many things—but it cannot leave an organization on its own. 

Whether compromised, careless or malicious, a human is integral to any data loss incident. That’s why traditional data loss prevention (DLP) tools are not as effective as they used to be. By focusing on the content of an incident, they only address a third of the problem. 

Instead, a comprehensive defense against data loss must merge content classification with threat telemetry and user behavior. Proofpoint Information Protection is the only solution that uses all three across channels in a unified, cloud-native interface.

With this information, security teams can identify who is accessing and moving data—when, where and why. And by adding threat intelligence, Proofpoint Information Protection can link email threats to those that cross over to the cloud and other environments.
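The three-stage access, obfuscation and exfiltration pattern described above, combined with the content classification and user context this section says a defense should merge with telemetry, as an added example that is not Proofpoint code: it correlates constructed audit events per user into chain stages and raises the score when classified content leaves or the user is flagged as departing. Event actions, path prefixes, the mail domain and the bulk threshold are all assumptions chosen for the sample.

```python
# Added example, not Proofpoint code: correlate constructed audit events into the
# access -> obfuscation -> exfiltration pattern, weighted by content sensitivity
# and user context (an HR "departing" flag), as the text says defenses should.
from collections import defaultdict

EVENTS = [  # constructed, chronological: (user, action, path, detail)
    ("alice", "download", "/shared/finance/q3_forecast.xlsx", {"count": 1}),
    ("bob", "download", "/shared/finance/", {"count": 412}),
    ("bob", "rename", "/home/bob/q3_forecast.xlsx", {"to": "holiday.jpg"}),
    ("bob", "usb_copy", "/home/bob/holiday.jpg", {"device": "E:"}),
    ("carol", "download", "/shared/hr/salaries.csv", {"count": 1}),
    ("carol", "email_attach", "/home/carol/salaries.csv", {"to": "carol@gmail.example"}),
]
SENSITIVE_PREFIXES = ("/shared/finance", "/shared/hr")  # content classification
DEPARTING_USERS = {"carol"}                             # user context from HR
PERSONAL_MAIL_DOMAINS = ("gmail.example",)              # constructed, not a real domain
BULK_THRESHOLD = 100  # files per download event above which access is "bulk"
STAGE_OF = {"download": "access", "rename": "obfuscation", "encrypt": "obfuscation",
            "usb_copy": "exfiltration", "cloud_upload": "exfiltration",
            "email_attach": "exfiltration"}

def event_stage(action, detail):
    """Map one event to a chain stage, or None when it looks like normal work."""
    stage = STAGE_OF.get(action)
    if stage == "access" and detail.get("count", 1) < BULK_THRESHOLD:
        return None  # a handful of downloads is ordinary use
    if action == "email_attach" and not detail.get("to", "").endswith(PERSONAL_MAIL_DOMAINS):
        return None  # mail to a corporate address is not treated as exfiltration
    return stage

def score_users(events):
    """Return {user: (score, reasons)} for users with any chain-stage activity."""
    seen = defaultdict(lambda: {"stages": [], "sensitive": False})
    for user, action, path, detail in events:
        if path.startswith(SENSITIVE_PREFIXES):
            seen[user]["sensitive"] = True  # touched classified content
        stage = event_stage(action, detail)
        if stage and stage not in seen[user]["stages"]:
            seen[user]["stages"].append(stage)  # keeps first-seen order
    result = {}
    for user, s in seen.items():
        if not s["stages"]:
            continue
        score, reasons = len(s["stages"]), list(s["stages"])
        if s["sensitive"] and "exfiltration" in s["stages"]:
            score, reasons = score + 2, reasons + ["sensitive content left"]
        if user in DEPARTING_USERS:
            score, reasons = score + 1, reasons + ["departing user"]
        result[user] = (score, reasons)
    return result
```

On the sample, alice's single download produces no finding, bob's bulk download, rename and USB copy trigger all three stages, and carol's one-file download scores only because the file is classified, went to a personal mailbox and she is flagged as departing.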

This level of visibility is crucial when defending against cyberthreats. The more you know about your data and the people who can access it, the better placed you are to break the attack chain. 

But Proofpoint Information Protection does more than just help you see suspicious activity. It actively detects and blocks data exploitation attempts. That’s why over 45% of the Fortune 100 trust it to:

  • Protect sensitive data and intellectual property
  • Prevent data from leaving with departing employees
  • Defend against malicious, negligent and compromised users

Learn more

Watch our webinar in full to discover how to deal with risks to your information from the inside out.

Find out more about Proofpoint Information Protection, the only solution that merges content classification, threat telemetry and user behavior across channels in a unified, cloud-native interface.