
Anatomy of a Cyberattack: Three Ways to Continuously Reduce Business Risk

Getting the basics right sounds simple enough, but it will demand a detailed focus


Threat actors have plenty of tools at their disposal to compromise their victims. But there’s also plenty that network defenders can do to ensure these attacks are not successful. Whether it’s mitigating a ransomware breach or preventing cyber-espionage attempts, the key lies in getting the cyber hygiene basics right.

How organizations get breached

It can seem like an intimidating task for IT and security teams. After all, threat actors have the element of surprise, a large attack surface to aim at and plenty of dark web resources to help them. However, effective cyber risk management need not be overwhelming. First, consider the three main stages of most cyberattacks.

Initial access is most commonly achieved via the use of valid phished credentials or exploitation of known vulnerabilities. While many security bosses might fret over zero-day attacks, the truth is that it is the already disclosed bugs that arguably present the greatest risk. Some are easier to patch than others, as the Log4j vulnerabilities illustrated.

Lateral movement comes next, frequently enabled by poor privilege management. Too often, we see cases where an employee has had roles in different parts of the organization, but their privileges haven’t been updated to their current role. That’s exactly what a bad actor needs — the ability to use the same credentials to move all over the organization.

Data exfiltration is very often the end goal for attacks, possibly alongside the deployment of a ransomware payload. It could be customer data, trade secrets or IP. A company may not even realize all the sensitive data it’s holding until it’s too late. If that secret recipe or unique product design finds its way into the cybercrime underground, it could be the beginning of the end for some businesses.

What cyber hygiene means

Once we understand how threat actors operate, we can take steps to thwart them. Let’s break this down into three key areas:

Visibility and control

As the saying goes: you can’t protect what you can’t see. Visibility first requires asset management, which means not only knowing what endpoints exist in an organization, but what’s running on those endpoints. Visibility should penetrate right down to the individual open-source dependencies that might be lurking inside compressed files. Log4j taught us that we can leave no stone unturned. This kind of insight will help organizations to prioritize their assets from a risk perspective — which will help to optimize budget. And with visibility must come control — having the ability to take action on those endpoints to remediate whatever problem has been discovered.
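The kind of dependency-level visibility described above can be sketched as follows. This is an added example, not code from the original article or from Tanium: it walks nested archives in memory and reports every bundled copy of log4j-core's `JndiLookup` class, whatever the enclosing file is called. The sample archive and all file names are constructed, and a hit only shows that log4j-core is bundled; the version still has to be checked.

```python
import io
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Class shipped in log4j-core 2.x; its presence marks a bundled copy of the library.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_DEPTH = 8                       # stop runaway nesting
MAX_MEMBER_BYTES = 256 * 1024**2    # do not unpack oversized members into memory

def scan_archive(data, label, depth=0):
    """Return the nested paths at which MARKER is found inside archive bytes."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits                 # wrong extension or corrupt file: nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(MARKER):   # also matches copies under BOOT-INF/classes/ etc.
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXTS) and info.file_size <= MAX_MEMBER_BYTES:
                hits += scan_archive(zf.read(info), f"{label}!/{name}", depth + 1)
    return hits

def _zip_bytes(members):
    """Build a zip archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    """Constructed sample: a WAR whose log4j-core copy hides in a renamed inner JAR."""
    inner = _zip_bytes({MARKER: b"\xca\xfe\xba\xbe"})
    clean = _zip_bytes({"com/example/Util.class": b"\xca\xfe\xba\xbe"})
    return _zip_bytes({
        "WEB-INF/lib/app-libs.jar": inner,   # file name gives no hint of log4j
        "WEB-INF/lib/util.jar": clean,
        "index.html": b"<html/>",
    })

if __name__ == "__main__":
    for hit in scan_archive(build_sample(), "shop.war"):
        print(hit)
```

An inventory that only matches file names such as `log4j-core-*.jar` would miss the copy inside `app-libs.jar`; scanning archive contents finds it.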

To make visibility and control a reality, organizations will need to get as much accurate, up-to-date data in their configuration management database (CMDB) as possible, on a continuous basis. Alongside this, they should consider identity and access controls — to ensure only the right people are accessing the right applications. And on top of this, they should be running comprehensive vulnerability assessment and management programs.

Continuous safeguarding

Next up, it’s about measuring and tracking these programs. The key is not to set and forget. Organizations must stay primed and ready for incidents, via war gaming, tabletop exercises, and red and blue teaming. Automated patch management will also help to provide the continuous risk management organizations need. And always be looking to answer key questions like:

  • What are our security controls? Are we testing them, and are they effective?
  • Where does our data come from? Where is it stored, and how do we protect it?
  • Are our staff properly trained in security awareness, and does everyone in the organization understand the critical importance of managing cyber risk?

Detection and countermeasures

Once organizations understand what they own, are able to rapidly take control at scale to remediate any issues, and ensure only authorized users access applications and endpoints, they’ll have mitigated 80% of attacks. Now it’s about detecting and responding to the other 20%, which might have slipped past defenses.

It takes an estimated 277 days to identify and contain a data breach today. That’s way too long. But with enhanced endpoint visibility and control comes swifter detection and response, if organizations can automate the right processes. This starts with building an incident response plan and testing it regularly to ensure each individual understands their role and the right teams are communicating seamlessly with each other.

Where weaknesses are identified, processes should be improved. It should also mean looking critically at how many security tools are being used by the organization and consolidating on fewer vendors — minimizing point solutions in favor of platform-based approaches. This will help ensure multiple teams are all working from a single source of truth.

It’s worth remembering that perfect security is unachievable. It’s about being good enough to dissuade the majority of attacks, which are opportunistic — and having the processes in place to rapidly respond and contain anything more sophisticated.


To find out more about the anatomy of a cyberattack and how to prepare for it, check out our latest webinar with Zac Warren, Chief Security Advisor, EMEA, Tanium.

Tanium Staff

Tanium’s village of experts co-writes as Tanium Staff, sharing their lens on security, IT operations, and other relevant topics across the business and cybersphere.
