SoK: Anatomy of Data Breaches

Hamza Saleem 1 and Muhammad Naveed 2
  • 1 University of Southern California
  • 2 University of Southern California

Abstract

We systematize the knowledge on data breaches into concise step-by-step breach workflows and use them to describe the breach methods. We present the most plausible workflows for 10 famous data breaches. We use information from a variety of sources to develop our breach workflows; however, we emphasize that for many data breaches, information about crucial steps was absent. We researched such steps to develop complete breach workflows; as such, our workflows provide descriptions of data breaches that were previously unavailable. For generalizability, we present a general workflow of 50 data breaches from 2015. Based on our data breach analysis, we develop requirements that organizations need to meet to thwart data breaches. We describe which requirements are met by existing security technologies and propose future research directions to thwart data breaches.

OPEN ACCESS