Do you know what has to go right for a cyberattack to succeed?
Suppose a criminal group called CyberL33t developed a working exploit for a zero-day vulnerability in Microsoft SQL Server. CyberL33t spent about 200 hours learning exploit development and studying SQL Server itself. Time to go hack some businesses!
He now has to find a target for the exploit, and the company he wants to target doesn't expose SQL Server directly to the internet (good!). He'll first need initial access to the network, either through phishing or perhaps through an initial access broker, a third party that breaks into networks and resells the access. This takes more time and money.
OK, now he's on the internal network, ready to launch the zero-day, and... he needs a malware payload. He can't use something out of Kali Linux, because that will be detected. He can't pop up calc.exe like on the test system, because that would risk burning the zero-day (yes, cyber attackers want to protect their IP too).
CyberL33t goes back to the lab and spends another 100 hours crafting custom malware with the features he needs and with AV evasion. Now he can launch the exploit, get onto the SQL Server, and... now what? Hopefully this server was important to the company, so that he can demand a ransom and/or steal the data. Did CyberL33t do target research to figure that out first? Let's hope so, or else the boss won't be happy with a negative ROI. So far, the group has invested over 100 hours into this operation (some of the effort is reusable), so they need a ransom payout of at least $30,000 to make the numbers work.
---
If you think this scenario sounds like a lot of work, it is. Realistically, the tasks described would be divided up among several people (or even teams). And yes, such criminal organizations are successful: we see new breaches daily. The question is what YOU need to do in order to be secure.
#SecurityEnergy lets us define levels of attacks (e.g. Level 3 for the above) and then simplify risk management to determine what's the highest level attack your organization could face. This gives you a clear list of security practices to mitigate risk.
(Side note: vulnerabilities in externally facing devices like Ivanti VPN appliances are so impactful precisely because they are internet-facing by nature, which removes the initial-access step from the attacker's workload above. Be aware of such devices and be vigilant about patching them ASAP when vendor alerts come out!)
I've spent my career doing offensive security and simulating it to teach others. This experience shows me how much effort is involved in all forms of cyberattack. If you need help understanding what threats you will face, get in touch today!