- Written by Dakota Murphey
In 2015, a team of experienced criminals looted 73 deposit boxes in London’s Hatton Garden commercial area to steal £14m in jewellery, diamonds and other valuables. They posed as telecoms engineers while disabling the security system several days before the big job, and had to drill through several metres of concrete surroundings to access the vault.
They worked to a strict timetable throughout the long Easter weekend, ensuring no one would be there to see them. With meticulous planning, remarkable execution and numerous larger than life characters, the “Hatton Garden Job” felt like a heist movie come to life – and it was later adapted for the big screen. It fascinated the British public for weeks and its details were examined closely by the media.
Heists like the Hatton Garden job are an extremely rare occurrence, but there are numerous parallels with data breaches that are far more common. In fact, several of the main elements of a heist movie are actually a surprisingly useful reference for how organised cybercriminal gangs operate. They too are in search of a big score, they must case the joint, they may have an inside man, and they certainly have a getaway plan.
These formulaic elements of a heist often resemble the “kill chain” of cyber-attacks. Businesses would be wise to consider these steps when planning how to defend their own ‘crown jewels’, while also understanding that cybersecurity is far more complex than even the most remarkable real-life robberies. Hackers have taken old heist tactics and modernised them to a remarkable extent. They continually change their tactics to evade the latest security controls – but that doesn’t mean they can’t be stopped.
First and foremost, it’s important to consider what the prize might be. Just as every heist has a goal, every business needs to understand what its most prized assets are. This will be different for every company. For some, it will be customer data or financial information. For others, it will be sensitive files, information or other assets that can be sold for profit or used for cyber extortion.
It is not possible to dedicate the same security resources and attention to every part of a business, so it’s essential to understand which parts are most valuable and most at risk of compromise.
Casing the joint is a hacker’s first step in forming a plan on how to compromise the environment. They will try to learn all they can about a business’ network, its data and people as they look to map their route to the ‘crown jewels’. They are looking for vulnerabilities to exploit and people to target, and this reconnaissance phase is often the longest and most important phase in an attack. Hackers can be incredibly patient and may wait months before putting their plans into action.
Just as the Hatton Garden job ringleader disguised himself as a BT engineer in order to access the security systems, hackers will often move through the supply chain to reach their target. When the US retail chain Target was breached in 2013, the hacker gained access to the company’s network via its air conditioning supplier.
Unlike the Hatton Garden job, cybercriminals do not need to drill through concrete walls or cut glass to reach their target. Instead, they are seeking to gain access to a business’ network. They may send a phishing email in order to get an individual to click a malicious link or reveal their credentials. Hackers will also try using details leaked in other breaches.
It’s incredibly common for employees to reuse passwords for personal and work accounts, which is a problem if they were involved in a breach elsewhere. Hackers may simply “brute force” their way in, trying common passwords and using computer power to try thousands of combinations until they hit the right one.
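The two credential attacks described above leave distinct traces in authentication logs: a classic brute force is many failures against one account from one source, while a password spray is one source failing against many accounts. The following is an added example, not code from the original article, showing how a defender might flag both patterns in constructed sample log lines. The log format, the thresholds and the time windows are assumptions chosen for illustration.

```python
"""Added example: flagging brute-force and password-spray patterns in
constructed authentication log lines. The log format, thresholds and
windows are assumptions for illustration, not a real product's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-06-01T09:00:01 FAIL user=alice src=203.0.113.5
2020-06-01T09:00:02 FAIL user=alice src=203.0.113.5
2020-06-01T09:00:03 FAIL user=alice src=203.0.113.5
2020-06-01T09:00:04 FAIL user=alice src=203.0.113.5
2020-06-01T09:00:05 FAIL user=alice src=203.0.113.5
2020-06-01T09:00:06 OK user=alice src=203.0.113.5
2020-06-01T09:10:00 FAIL user=bob src=198.51.100.7
2020-06-01T09:10:05 FAIL user=carol src=198.51.100.7
2020-06-01T09:10:10 FAIL user=dave src=198.51.100.7
2020-06-01T09:10:15 FAIL user=erin src=198.51.100.7
2020-06-01T09:10:20 FAIL user=frank src=198.51.100.7
2020-06-01T09:30:00 FAIL user=grace src=192.0.2.9
2020-06-01T09:31:00 OK user=grace src=192.0.2.9
"""


def parse_line(line):
    """Split one log line into a dict with a datetime, result, user and source."""
    ts, result, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag (user, src) pairs with >= threshold failures inside `window`.

    A success after the failures is recorded too: failures followed by an OK
    is the pattern that most needs a human to look at it.
    """
    fails = defaultdict(list)
    findings = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            q = fails[key]
            q.append(e["ts"])
            # drop failures that fell out of the sliding window
            while q and e["ts"] - q[0] > window:
                q.pop(0)
            if len(q) >= threshold:
                findings.setdefault(key, {"failures": len(q), "success_after": False})
        elif e["result"] == "OK" and key in findings:
            findings[key]["success_after"] = True
    return findings


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that fail against >= min_accounts distinct users in `window`.

    One failure per account never trips a per-account lockout, which is
    exactly why a spray has to be detected per source rather than per user.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                findings[src] = sorted(users)
                break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", detect_bruteforce(evs))
    print("spray:", detect_spray(evs))
```

On the constructed sample, the first source is flagged for five failures against `alice` followed by a success, and the second source is flagged as a spray across five accounts even though no single account saw more than one failure.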
A bank robber may try to identify the bank manager with the code to the safe and threaten them until they show them the vault and hand over the combination. Similarly, once an attacker has gained entry to an organisation’s network, they will move through the network, attempting to gain access to new systems. Hackers will attempt to compromise users on the network with greater privileges, such as sysadmins or accounting staff – all depending on what they want to steal and who might have access to it.
While businesses used to be able to lock down their computer networks relatively easily with firewalls and antivirus on every machine, the network perimeter has all but disappeared in 2020. Many employees now work remotely and use their own devices, and cloud apps often blur the line between personal and professional use.
This makes networks much harder to secure. A lot of businesses have weak permission policies or monitoring, as well as lacking a robust programme for tracking joiners, movers and leavers. This means that ex-employees, or hackers using their credentials, can access valuable files and programs that should have been locked down.
Unlike criminals in heist movies that aim to rob a joint in a short space of time once they are on the premises, today’s hackers are increasingly patient and persistent once they are on a business’ network. They will conduct attacks over weeks, even months, to achieve their goal and evade detection.
Cybercriminals take the idea of wearing a disguise to new extremes. They can seamlessly and continuously change their appearance on the network and, via the use of polymorphic malware, which constantly changes its digital signature, ensure that any tools they deploy go undetected by security systems.
Hiding in plain sight is another way that hackers seek to avoid detection while on a job. They will likely ‘live off the land’ for a while and remain undetected until they are ready to strike. They may create start-up folders and email mailbox rules so that malware runs when a device is booted up, or ensure that the emails they send posing as an employee are automatically deleted – activity that looks benign to most automated security systems. Hackers may also disable security rules or programs before they launch their attack, like a bank robber taking out security cameras.
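Each of the three tricks just described (a mailbox rule that silently deletes mail, a script dropped into a user’s Startup folder, a security agent being stopped) is individually low-key, which is why they are worth correlating rather than alerting on one at a time. The following is an added example, not code from the original article, that triages constructed audit events for those indicators and groups the hits by user or host so an analyst sees a chain rather than isolated alerts. The event schema, the service names and the sample events are assumptions; the per-user Startup folder path is the standard Windows location.

```python
"""Added example: triaging constructed audit events for the persistence and
evasion indicators described above. The event shapes, service names and
sample data are assumptions for illustration, not a real product schema."""
import ntpath

# Standard per-user autorun location on Windows (anything here runs at logon).
STARTUP_FOLDER = r"\Microsoft\Windows\Start Menu\Programs\Startup"

# Assumed names of defensive agents in this hypothetical environment.
SECURITY_SERVICES = {"edr-agent", "antivirus"}
# Rule actions that make mail disappear from the owner's view.
SUSPICIOUS_RULE_ACTIONS = {"delete", "move:Deleted Items", "move:RSS Feeds"}
# Executable or script types that should not appear in a Startup folder unannounced.
SCRIPT_EXTS = {".vbs", ".js", ".exe", ".bat", ".ps1", ".lnk", ".hta"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "inbox_rule_created", "user": "alice", "rule": "cleanup",
     "conditions": {"from_contains": "finance"}, "actions": ["delete"]},
    {"type": "inbox_rule_created", "user": "bob", "rule": "newsletters",
     "conditions": {"subject_contains": "digest"}, "actions": ["move:Newsletters"]},
    {"type": "file_written", "host": "ws-17", "user": "alice",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "file_written", "host": "ws-17", "user": "alice",
     "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "service_state_changed", "host": "ws-17", "user": "alice",
     "service": "edr-agent", "new_state": "stopped"},
    {"type": "service_state_changed", "host": "ws-17", "user": "SYSTEM",
     "service": "print-spooler", "new_state": "stopped"},
]


def classify(event):
    """Return (indicator, subject) for a suspicious event, else None."""
    t = event["type"]
    if t == "inbox_rule_created":
        if SUSPICIOUS_RULE_ACTIONS & set(event["actions"]):
            return ("mailbox_rule_hides_mail", event["user"])
    elif t == "file_written":
        path = event["path"]
        in_startup = STARTUP_FOLDER.lower() in path.lower()
        if in_startup and ntpath.splitext(path)[1].lower() in SCRIPT_EXTS:
            return ("startup_folder_persistence", event["host"])
    elif t == "service_state_changed":
        if event["service"] in SECURITY_SERVICES and event["new_state"] == "stopped":
            return ("security_tool_disabled", event["host"])
    return None


def triage(events):
    """Group indicators by the user or host they concern, preserving event order."""
    by_subject = {}
    for finding in map(classify, events):
        if finding is None:
            continue
        kind, subject = finding
        by_subject.setdefault(subject, []).append(kind)
    return by_subject


if __name__ == "__main__":
    for subject, kinds in triage(SAMPLE_EVENTS).items():
        print(f"{subject}: {', '.join(kinds)}")
```

On the sample, the ordinary newsletter rule, the document save and the print spooler stop all pass through silently; only the delete rule, the `.vbs` in the Startup folder and the stopped EDR agent are reported, and the two host-level hits land together under `ws-17`.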
The endgame for attackers is total network access. They want knowledge of the entire network, persistent and undetected access to systems and privileged accounts that will give them what they desire. Only at this point do they strike, stealing the files they want, then accessing them or selling them to the highest bidder.
Like any good heist movie, the victim doesn’t know they’ve been hit until it’s too late. The traditional approach for hackers is to retreat stealthily and leave no evidence they were there. They may also leave a low-impact backdoor, some way to return to the scene of the crime and repeat the job another time for more money, files or data. It’s an increasingly common tactic for criminals to deploy ransomware as additional leverage, threatening to sell, encrypt or publicly leak data unless they are paid to cease.
Unlike the Hatton Garden Job perpetrators, who were subsequently caught and arrested, it can be extremely difficult to catch the culprits of cybercrime and bring them to justice.
In addition to understanding what their crown jewels actually are, there are several steps that businesses must take to ensure their most valuable assets remain under lock and key. First and foremost, minimising time for detection and response is essential to reducing the risk that attackers can complete all of the steps outlined above – ideally businesses want to catch attackers while they are still only ‘casing the joint’.
This can only be achieved with 24/7 monitoring of the environment, including cloud apps and remote workers.
Businesses also need to reduce false alerts, since security systems can throw up millions of alarms per day. Organisations also need to have a plan in place for response, being able to lock down machines and users at the click of a button, or automatically if the system detects unusual activity. Think of it like a vault going into lockdown if a robber trips a laser beam.
Businesses can use a behavioural approach to continually improve their defences based on previous activity, and the latest adversarial tactics, techniques and procedures discovered by the security community.
Businesses should also conduct risk and vulnerability assessments to ensure that security systems are sufficiently hardened. One way to do this is through pentesting, which is essentially employing ethical hackers to try to break into the system, and is the best way to discover and address any potential weak points.
As evidenced by the Hatton Garden job, TV and movie heist tactics can be remarkably effective when deployed by experienced professionals. This is also true of cybercrime, with hackers devising ingenious tools and techniques to achieve their goals. However, this doesn’t mean they can’t be thwarted (just as the Hatton Garden criminals were eventually caught).
By knowing how hackers think, assigning resources to high-priority, high-value parts of the business, and monitoring them closely, businesses make themselves a harder target, and hackers may look for easier targets instead. Likewise, if the worst does happen and a business is breached, it’s possible to catch it early, stop it in its tracks and avoid the most negative outcomes.
Dakota Murphey has a wealth of experience in business management and has previously worked as a business growth consultant for over 10 years. She now enjoys sharing her knowledge through her writing and connecting with other like-minded professionals. Find out what else she's been up to on Twitter: @Dakota_Murphey