Post-Breach Analysis: Sophistication and Visibility

Security experts at F5 recently had an opportunity to observe a particularly interesting attack happening in real time against a customer. None of the tactics, techniques and procedures (TTPs) that the attacker employed were new, and few of them required extraordinary technical skill to execute in isolation. However, the way that the attacker brought these TTPs together into a focused attack against a high-value target showed a remarkable degree of sophistication and higher-level capability. Given that truly sophisticated attacks are comparatively rare and difficult to observe, this is a fantastic opportunity to analyze a sophisticated attack and gain a sense of what makes it different from baseline cybercrime.

This article starts with a rundown of the attack methods: initial access, privilege escalation, persistence, lateral movement, defense evasion, collection, exfiltration, and more. With the facts established, we turn to what makes this kind of threat actor a more significant threat than a baseline cybercriminal. The attack also offers lessons about APIs and architectural risk, alert fatigue, and the growing threat to multifactor authentication. Read on to get the details.

Updated Nov 10, 2022
Version 2.0
