5 attack vectors behind 3000+ breaches.
How do attackers navigate to your valuable assets and what can you do about it?
A Fundamental Shift is taking place….
Key Insights from Modern Science
1. Wave Particle Duality… Attacks can penetrate Fixed Walls and Structures….
2. Heisenberg Uncertainty Principle… Defending and Catching Attackers is not possible….
3. Space & Time Warp, Speed of Light… Fundamental Limit on Defending anything
A Fundamental Shift…
From: Solid, Dependable · Orderly, Structured · Predictable Cause and Effect
To: Chaos, Complexity · Unpredictable, Uncertain · Nothing Real, Hyper-Connected · Simple Rules ⇔ Complex Behavior
From: Firewalls, Segmentation · Vulnerability Patching · IOCs, Alert Rules
To: Trust Nothing · Shift Left · Assume Breachability
And many new emerging patterns…
Taxonomy of the attacks (from Complex to Atomic)
● Attack Patterns (complex): System Intrusion · Basic Web Application Attacks · Social Engineering · Misconfiguration/Errors
● Action Categories: Hacking · Malware · Phishing · Error · Misuse
● Attack Vectors: Partners · Supply Chain · Web Application · External Network · …
● Attack Varieties (atomic): SQLi · Use Stolen Creds · Exploit Vuln
System Intrusion: JMX Remote Code Execution
Domain [demobank.com]
→ Subdomain Discovery [telesales.demobank.com]
→ Web App Endpoint Discovery [https://telesales.demobank.com:8080/index.html]
→ Technology Detection [JBoss 3.x]
→ Active Scanning specific to JBoss: JMX Console [/jmx_console]
→ Default Credentials + JMX Console Admin Access
→ Remote Code Execution
Multi Stage Attack: Mobile Portal Access
Domain [demobank.com]
→ Mobile App Discovery [ozone app]
→ API Endpoints [https://services.demobank.com/AdStringO/info]
→ Directory Traversal Vulnerability
→ Log Files Discovery
→ High Entropy Strings Detection: Plaintext Credentials
→ Internal Web Application Endpoint [mobile.demobank.com] + Internal Web Application Admin Access
Multi Stage Attack: AWS Admin Access
Domain [demobank.com]
→ Subdomain Discovery [telesales.demobank.com]
→ S3 Bucket Discovery [https://telesales-prod.s3.amazonaws.com]
→ S3 Content Download & Analysis
→ Dev Mobile APK Discovery [dev-telesales.apk]
→ Web App Endpoint Discovery [https://profile.demobank.com]
→ SSRF Vulnerability Detection [Url Param]
→ Low Privilege AWS Keys
→ AWS Resources Discovery
→ Internal S3 Bucket Discovery [internal-demobank]
→ S3 Content Download & Analysis
→ Remote Code Execution
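Both multi-stage chains above turn on secrets left where they do not belong: plaintext credentials in log files found through high-entropy string detection (the mobile portal chain) and AWS keys recoverable from exposed artifacts (the AWS chain). The same detection works for a defender who scans their own logs and build outputs first. The Python scanner below is an added example, not code from the deck or from any project it mentions; the log lines and every credential-looking value in them are constructed placeholders, and the thresholds (16-character minimum token length, 3.5 bits of entropy per character) are assumptions chosen for the sample.

```python
"""Scan log text for plaintext credentials and cloud access keys (defensive example)."""
import math
import re
from collections import Counter

# Constructed sample log lines, not from the deck. Every credential-looking
# value is a made-up placeholder that only has the shape of a real secret.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z INFO  GET /AdStringO/info 200 12ms
2023-05-01T10:00:02Z DEBUG db.connect user=svc_mobile password=Summ3r!Rain#2023
2023-05-01T10:00:03Z INFO  aws.session access_key_id=AKIAEXAMPLE012345678 region=us-east-1
2023-05-01T10:00:04Z DEBUG oauth bearer=eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.x7Q9k2mVp4Lw8nR1tYz
2023-05-01T10:00:05Z DEBUG session restored from cookie 9f3aB7kQz2LmX0pRw4TtYv6Ce8Hn1Ds
2023-05-01T10:00:06Z INFO  GET /static/app.js 304 3ms
"""

# AWS access key IDs are 20 characters beginning with "AKIA" (published format).
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# key=value or key: value pairs whose key name suggests a credential
CRED_ASSIGN_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|bearer|api[_-]?key)\s*[=:]\s*(\S+)")
# Split on whitespace and common delimiters to get candidate tokens.
TOKEN_SPLIT_RE = re.compile(r"[\s=:,;\"']+")

MIN_TOKEN_LEN = 16         # assumption: shorter tokens are too noisy to score
ENTROPY_THRESHOLD = 3.5    # assumption: bits/char; long random base64 approaches 6


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list:
    """Return (kind, value) findings for one log line; empty list when clean."""
    findings = [("aws_access_key_id", k) for k in AWS_ACCESS_KEY_RE.findall(line)]
    findings += [("credential_assignment", f"{name}={value}")
                 for name, value in CRED_ASSIGN_RE.findall(line)]
    seen = [v for _, v in findings]
    # Entropy catches unlabeled secrets; skip tokens the rules above already reported.
    for tok in TOKEN_SPLIT_RE.split(line):
        if len(tok) >= MIN_TOKEN_LEN and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            if not any(tok in v for v in seen):
                findings.append(("high_entropy", tok))
    return findings


def scan_log(text: str) -> dict:
    """Map 1-based line numbers to their findings, omitting clean lines."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        found = scan_line(line)
        if found:
            report[lineno] = found
    return report


if __name__ == "__main__":
    for lineno, found in scan_log(SAMPLE_LOG).items():
        for kind, value in found:
            print(f"line {lineno}: {kind}: {value}")
```

The two rule families complement each other: the key-name rule catches low-entropy passwords that an entropy score would miss, while the entropy rule catches unlabeled tokens such as the session cookie on line 5. Entropy also fires on request IDs and commit hashes, so in production the scanner needs an allowlist for known token formats and the thresholds need tuning against a sample of clean logs.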
Attack Patterns contributing to breaches over a period of time?
(chart) 90% of the breaches
Ransomware is on the rise - doubled from last year - and contributes 20% of the breaches
Attack Sales Funnel
A typical automation pipeline, running without any human intervention, is the following:
● Scan for targets on a mass scale
● Profile the targets using custom crawlers or fingerprinting techniques
● Detect CVEs based on technology or banner
● Attempt exploitation
● Attempt persistence
How does Ransomware get an initial foothold?
Ransomware is on the rise, now accounting for above 20% of all major breaches. Ransomware operators generally intrude and gain access to the network using the following attack vectors:
● Use stolen credentials
  ○ Desktop sharing software such as RDP, VPN, AnyConnect etc.
● Phishing via email
  ○ Install ransomware code
● Exploit vulnerabilities
  ○ Web applications
What are the other ways to get an initial foothold into an org?
● Misuse Partner Access using stolen credentials or other means such as phishing
● Supply chain attack by compromising the devops pipeline or system management tools such as SolarWinds etc.
● Target desktop sharing software
  ○ Use stolen credentials
  ○ Exploit a vulnerability
● Phishing
● Target a Web Application vulnerability
Once the initial foothold is attained, generally a backdoor / C2 agent / ransomware is installed to carry out pivoting.
How are attackers leveraging Web applications in breaches?
● Web applications are the most exposed assets on the internet.
● Attackers use stolen credentials to perform attacks such as Credential Stuffing or brute force attacks
● Exploiting a vulnerability
● Misconfiguration such as exposed admin panels etc.
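Credential stuffing and brute force look alike in an authentication log until failures are split by source and by the number of distinct accounts tried: a stolen-credential list produces one source failing against many accounts, a brute force attempt produces one source failing against one account. The detection below is an added example, not code from the deck; the authentication log, the documentation-range IP addresses and the thresholds (10 failures within 5 minutes, 8 distinct accounts to call it stuffing) are constructed for the sample.

```python
"""Separate credential stuffing from brute force in authentication logs (defensive example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not from the deck. Addresses come from the
# documentation ranges (RFC 5737) so they cannot point at a real host.
ATTACKER = "203.0.113.7"    # sprays many accounts, one succeeds
BRUTE = "198.51.100.23"     # hammers a single account
NORMAL = "192.0.2.10"       # legitimate user, one typo then success
BASE = datetime(2023, 5, 1, 10, 0, 0)


def _line(offset_s: int, ip: str, user: str, result: str) -> str:
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} ip={ip} user={user} result={result}"


SAMPLE_AUTH_LOG = "\n".join(
    [_line(i, ATTACKER, f"user{i:02d}", "FAIL") for i in range(12)]
    + [_line(12, ATTACKER, "user99", "OK")]
    + [_line(20 + i, BRUTE, "admin", "FAIL") for i in range(10)]
    + [_line(40, NORMAL, "carol", "FAIL"), _line(45, NORMAL, "carol", "OK")]
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
WINDOW = timedelta(minutes=5)   # assumption: detection window
FAIL_THRESHOLD = 10             # assumption: failures per source inside the window
DISTINCT_USER_THRESHOLD = 8     # assumption: distinct accounts => stuffing, not brute force


def parse(text: str) -> list:
    """Parse log text into (timestamp, ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def classify_sources(events: list) -> dict:
    """Return {ip: verdict} for every source whose failures exceed the threshold.

    Within the busiest WINDOW for each source, many failures against many
    distinct accounts is credential stuffing (stolen credential lists); many
    failures against one or two accounts is brute force. Successful logins
    from a flagged source are listed so responders know which accounts to reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best_fails, best_users, end = 0, 0, 0
        for start in range(len(evs)):           # sliding window over sorted events
            while end < len(evs) and evs[end][0] - evs[start][0] <= WINDOW:
                end += 1
            fails = [e for e in evs[start:end] if e[3] == "FAIL"]
            if len(fails) > best_fails:
                best_fails = len(fails)
                best_users = len({e[2] for e in fails})
        if best_fails < FAIL_THRESHOLD:
            continue
        kind = ("credential_stuffing" if best_users >= DISTINCT_USER_THRESHOLD
                else "brute_force")
        verdicts[ip] = {
            "kind": kind,
            "failures": best_fails,
            "distinct_users": best_users,
            "successful_logins": sorted({e[2] for e in evs if e[3] == "OK"}),
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse(SAMPLE_AUTH_LOG)).items():
        print(ip, verdict)
```

The successful login from the flagged source is the finding that matters for response: a stuffing campaign that produces a single "OK" has already confirmed one reused password, so that account needs a reset and a session review regardless of how many of the other attempts failed. Real campaigns rotate source addresses, so in production the grouping key should also include the user agent or an ASN rather than the bare IP.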
What is the contribution of Misconfigurations/Errors in breaches?
The rise of the Misconfiguration error began in 2018 and was largely driven by cloud data store implementations that were stood up without appropriate access controls.
The data tends to be from customers, and it is also the customers who are notifying the breached organizations in a high number of cases. However, security researchers are still the stars of this discovery show (although their percentage is down from last year).
Q/A
Taxonomy of the attacks
Taxonomy consists of multiple concepts such as attack patterns, attack vectors and attack varieties.
● Attack Patterns are the complex form of attacks such as system intrusion. An example of system intrusion is a multi stage attack from outside to inside the network.
  ○ System Intrusion - Multi Stage attacks to gain access to systems via one or more attack vectors to install backdoors and ransomware.
  ○ Basic Web App Attacks - such as Web vulnerabilities, Credential Stuffing using stolen credentials
  ○ Social Engineering - Phishing to lure users to submit sensitive information or download and install malicious code
  ○ Misconfiguration - Exposed Panels, Exposed Keys, Public Cloud Buckets etc.
● Attack categories are the group of attack Actions/Varieties such as
A time for action items….
2 Broad Suggestions
● Improve Visibility
● Continuous Assessment of Security Posture
Suggested Action Items
● Continuously Discover Misconfigurations
  ○ Admin Panels, Hidden directories, exposed databases
  ○ Misconfigured DNS, Email servers etc.
● Continuously Assess your Web Applications
  ○ Better visibility
    ■ APIs, Login Pages, Web App Types (VPN, Admin panels etc.)
  ○ Attacks
    ■ Credential Stuffing (Stolen credentials)
    ■ SQLi, SSRF, and more injection attacks
    ■ Validate Security Controls
      ● SSL, CSP, WAF/Cloudflare, Captcha etc.
● Perform Social Engineering
  ○ More depth including installing malware and backdoors
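"Validate Security Controls" for SSL and CSP becomes a repeatable part of continuous assessment once the checks are code rather than a manual header review. The Python below is an added example, not code from the deck; the two header sets are constructed (one weak, one hardened), and the one-year HSTS minimum is an assumption taken from the commonly recommended value.

```python
"""Validate HTTP security headers: HSTS, CSP, framing, MIME sniffing (defensive example)."""

# Constructed header sets, not from the deck: one weak, one hardened.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *",
    "Server": "Apache",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; frame-ancestors 'none'; base-uri 'self'"),
    "X-Content-Type-Options": "nosniff",
}

MIN_HSTS_MAX_AGE = 31536000  # assumption: one year, the commonly recommended minimum


def parse_csp(value: str) -> dict:
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]} (directive names lower-cased)."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value: str) -> tuple:
    """Return (max_age or None, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                max_age = None
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_headers(headers: dict) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
        policy = {}
    else:
        policy = parse_csp(csp)
        # script-src and object-src fall back to default-src when not set explicitly
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows inline scripts ('unsafe-inline')")
        if "'unsafe-eval'" in script_src:
            findings.append("CSP allows eval ('unsafe-eval')")
        if any(src == "*" or src.startswith("http:") for src in script_src):
            findings.append("CSP script-src allows any origin or plain http")
        if policy.get("object-src", policy.get("default-src", [])) != ["'none'"]:
            findings.append("CSP object-src is not 'none'")

    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, check_headers(hdrs) or ["all checks passed"])
```

Feeding the checker the response headers of each discovered login page and admin panel turns the "SSL, CSP" item into a daily pass/fail signal; the weak set above fails every check, while the hardened set passes because its CSP pins scripts to 'self' plus a nonce and blocks plugins and framing. A WAF or Captcha in front of the application is not visible in these headers and still needs its own test.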
Suggested Action Items
● Continuously Assess your Desktop Sharing Applications
  ○ VPN, AnyConnect, RDP, etc.
● Continuous Credential Stuffing attacks
  ○ Org specific credentials
● Malware is the second most common action category in breaches. Perform Assumed Breach Scenarios
  ○ Install agent/malware on users' workstations
  ○ Exposed Cloud Secret Keys
● Build playbooks to emulate supply chain attacks
Q/A
