TIPS #7: Attack, Breach, Compromise: What’s often misunderstood about the ABC’s of Cybersecurity?

Issue: Attack, Breach, and Compromise are distinct cyber events but are often referred to interchangeably (and inaccurately). 

Attacks, Breaches, and Compromises are unique cyber events. However, these terms are often used interchangeably in cybersecurity, creating a knowledge gap across the industry. These “ABC’s” are building blocks that companies must understand to properly mitigate risk and respond to threats:  

• Attack: (A) Attacks are like when thieves test a door to your home to see if it’s locked, check if the lock can be picked easily, or when they ring the doorbell intending to force their way in after you answer. They are attempts to get access to your network, systems, or devices. Cyber Attacks happen all the time but very few succeed in getting inside. Common types of Attacks include phishing emails (which may attempt to steal corporate login credentials) and attack surface probes (designed to identify and exploit network service vulnerabilities).  
• Breach: (B) Breaches are like when someone successfully breaks into your home through a door or window by exploiting a weakness. This weakness may be a weak lock (weak configuration or encryption), a master key (a certificate or account takeover), or a lack of alarms (inadequate logging or XDR). For example, cybercriminals may crack a password via brute force or social engineering to access a user account, leverage vulnerable services on unsecured devices to gain access, or take advantage of a software vulnerability to access systems (like the recent MOVEit zero day).  
• Compromise: (C) Compromises are like when a criminal steals or destroys something after breaking into your home. Cyber criminals leverage their access to Breached systems to achieve their objectives- though most simply take what data and assets are readily accessible. For example, hackers might maintain persistent access to corporate systems to sell access to third parties. They may deploy ransomware to lock systems and demand a ransom payment (like the 2021 Colonial Pipelines ransomware incident). Industry competitors or nation-states may even spy on or manipulate systems or data, and deploy false trails, to serve their own interests.  

Attacks don’t necessarily imply that any systems are accessed (Breached) or that a victim environment or resources are manipulated (Compromised). Similarly, Breaches don’t always imply that all sensitive data or systems are Compromised.   

Impact: Misunderstanding how and why cyber events occur leads to ineffective cybersecurity measures. 

Companies often misinterpret the why, who, and how behind Attacks, Breaches, Compromises.  

Take malware as an example. Though it’s one of the most publicized cybersecurity risks, malware isn’t the most common Attack vector for attackers with specific Compromise objectives (they prefer to utilize tools and systems that IT departments rely upon). It’s true that malware is sometimes used for high-impact, quick (or specific) Compromise objectives; however, malware is more often used by earlier-stage actors who seek to create and maintain access to targeted networks, with an end goal to sell that access (and affiliated services that other malware facilitates) to subscribers (like the recently discovered Cyclops ransomware and infostealer threat). Their Compromise objective is to monetize access to Breached systems. Their subscribers then make use of the Breached access for their own Compromise objectives (spy, steal, subvert, sabotage, extort…). Adding to the confusion, criminals may even use malware after a Breach as misdirection to distract cybersecurity teams.  

When risk managers misunderstand the ABCs, they are prone to taking ineffective security measures and investing in the wrong security tools. Companies that misinterpret cyber events, who is targeted, and criminals’ Compromise goals can’t effectively protect themselves. 

Action: Ignore the noise and take a grounded risk management approach to ABC’s.  

1. When responding to threats, focus on detecting, responding to, and discerning Breaches and Compromises.  

Don’t sensationalize Attacks or jump to conclusions about Breached targets and Compromise impacts while information is still emerging. Focus on the known facts– who is impacted, how, and why they are targeted– and relate them to your business to implement effective functional-area defense measures.   

Detect and disrupt emerging Attack threats with Constella’s actionable intelligence and Digital Risk Protection platform. Increase Breach risk awareness by leveraging Huntress’ managed EDR and Lumu’s NDR solutions. Reduce Compromise risk by detecting, prioritizing, and responding to threats and vulnerabilities with Uptycs’ unified CNAPP and XDR platform. 

2. Design a security plan around the unique risks your company faces 

Plan around risks to your business that you know attackers are objectively interested in. This enhances your incident response and recovery capabilities, reduces business disruption and downtime, and lowers the impact from a Breach or Compromise.  

• If you are a law firm, protect your customers’ legal information.
• If you are an accounting firm, protect your customers’ financial accounts access & information  
• If you are an IT Services company, protect your client management access and controls 
• All companies should protect the resources they rely upon to perform the functions of the organization – that is where attackers’ goals are focused 

Create a comprehensive incident response plan and team with Surefire Cyber. Adopt effective cyber risk management and insure your company against costly Breaches and Compromises by working with Converge Insurance. Invest in observable active and passive functional defenses with SolCyber. 

Thanks for reading Forgepoint TIPS! Please subscribe and share with a peer. Have feedback or a cyber threat or trend you’d like us to address? Get in touch.