What does a cyber breach look like?

There is a popular image of breaches of cyber security being caused almost exclusively by a bespectacled dweeb who hates the world, hunkered over a laptop in a basement owned by their mother.  Whilst in some situations this is no doubt true, cyber breaches are often much simpler and sometimes more complex affairs.

When looking at cyber breaches, there are generally four important questions to consider.   First, who is the actor?  Second, what is their goal?  Third, what is their target?  And fourth, what is their tool?

Who is the actor?

Actors do not always know what they are doing.  This is most pertinent when one thinks of accidental data loss, such as physical hard drives falling out the back of a truck or personal records being unintentionally available through Google searches.  According to the Ponemon 2015 report, 30% of all cyber breaches are the result of simple human error, and a further 26% because of a glitch in computer systems.  We are presently concerned with the other 44% of breaches.  These relate to malicious attacks, which are usually more costly than their unintentional cousins.

Most potential perpetrators can be grouped into three categories.

Firstly, there is the insider. The insider generally has some understanding of the system, and is often able to physically access at least some of the technology.  They tend to have some vendetta for whatever reason against the business, or otherwise just want to profit at the expense of someone else.  A good example of an insider is Edward Snowden or Chelsea Manning, who both acted for political reasons.

Secondly, there are general hackers.  They may work alone or be part of a larger group, such as Anonymous.  Their motivations may include profit, a desire to bring attention to a certain issue (these people are often called ‘hactivists’) or, in their language, causing damage for the ‘lols’ (i.e. for their own personal enjoyment).  Various examples of this exist, including the attacks on Kmart and David Jones last year (see our post here).

Thirdly, there are state-sponsored hackers.  These are employed by the state to obtain information, and have the best interests of their home nation at heart.  Although Chinese hackers have been prominent in the news recently, it should not be forgotten that the secret services of every government use this method to obtain information that would not otherwise be available.

What is the goal?

As with any crime, different attackers will often have different goals.  Although goals will almost always align with the attacker’s motivations, they are not the same.  Rather, they are the measurable effect of an attack.  For example, although the motivation may be profit, the goal may be obtaining personal records to be sold on the black market.

Goals usually take one of four forms.

Firstly, the goal may be related to causing damage or disruption.  This might involve deleting data, posting obscene content on its social media accounts or causing its website to ‘crash’.

Secondly, the goal might involve obtaining a profit.  This profit can be derived by either blackmailing the person who has been hacked, using a person’s information to commit a fraud or selling confidential information to a third party.

Third, the goal may be to send a message.  This is often the aim of hacktivists, and will usually take the form of taking control of a website or social media accounts.

Fourthly and finally, the goal may involve building to a bigger attack.  Hackers often use the computers of others to either protect their identity or as tools that allow them to attack large systems that they lack the infrastructure to take on.

What is the target?

This is mostly a question of “where”.  Once an attacker has determined what they want to achieve, as discussed above, they then need to determine what path should be taken to achieve that goal.  This involves determining what aspect of a business’s system should be targeted to achieve that goal.

There are a range of potential targets for an attack in any given business, including everything from an individual staff member’s office computer to the password for a company’s Twitter account.  These can either provide a gateway to useful information within a business’s network or provide access to a tool that can be used to serve the attacker’s purposes.

Nearly all technology exists so that it can be accessed, and all technology that can be accessed is vulnerable to being compromised.  Security is necessary at all levels to prevent successful attacks.

What is the tool?

For the average reader, this is usually the most complicated part as it is full of jargon.  Given this, it may be best to explain what a few of the terms out there mean.

Denial of Service refers to attacks which seek to make a computer or network unavailable.  The most common version of this is a ‘distributed denial of service’ or DDoS.  When using DDoS, an attacker will generally have access to various computers owned by members of the public (this is often done using a Trojan, see below).  The attacker will cause for all of these computers to try and access a network or website at the same time, causing what is known as traffic.  Whilst more traffic tends to mean more interest, which is a good thing for most websites, too much leads to a traffic jam.  This, in turn, causes the website or network to crash because it cannot keep up with all the interest, denying the service to other people.  It is generally used either to make a point or just for fun.

Malware is an umbrella term that refers to malicious software such as ransomware, Trojans and viruses, all of which are explained below.

Phishing.  You know those annoying ads saying that you’ve won a prize or that Nigerian prince who has passed away and named you in his will?  Attacks using these methods are known as ‘phishing’, as the attacker is attempting to lure you into giving them personal information that they can then sell, similar to a fisherman with a rod.  These can often be much more complicated, and masquerade as more legitimate organisations (this is known as ‘spear phishing’, as it is more targeted).  The ATO in particular has had some issues with this, and has a list of advice of how to detect a scam email.  The motive here is nearly always profit.

Ransomware is a type of Trojan that allows an external attacker to encode all of the data on your computer so that it is no longer accessible, and then hold it hostage and promise to delete it unless you pay the ransom, often a few thousand dollars.  It is used to make a profit off the person who has been attacked.

Trojans refer to the classical tale of the Trojan horse, where the Greeks infiltrated Troy inside a large wooden horse the Trojans believed was left as part of the Greek’s surrender.  These programs similarly disguise themselves as legitimate software to trick users into downloading and installing them onto their system.  Once installed, they allow an external party to use the compromised computer for their own purposes.  This could be to crash the system, observe and record what information you plug into a website when making an online purchase or using your computer’s processing power and internet connection to assist in a DDoS attack, as outlined above.  Motivations for using Trojans differ greatly, depending on the goal.

Viruses are the traditional tool that allows an attacker to breach cyber security.  Like human viruses that cause ill health, computer viruses replicate themselves across networks, infecting every computer they are able to.  Without proper antivirus software, they are usually difficult to detect until they have embedded themselves within the system.  Unlike Trojans, viruses do not habitually provide control of the computer to another person; rather, the virus will contain computer code that causes the computer to do something without being prompted.  This may be overt, like ads that pop up for no reason or sending spam from an email accessible through the system, or covert, like logging the keystrokes of the user, allowing the attacker to detect credit card numbers and the like.  Like Trojans, the motivations for using viruses substantially differ.


Although not exhaustive, the above provides at least an introduction to understanding where an attack could come from, and provides some guidance as to how they can be avoided.  As more devices are connected to the internet, and as more transactions are conducted online, the incentives for malicious attacks to obtain that data continue to grow.  A general understanding of where these attacks might come from is important is crucial to maintaining sufficient cyber security.


Mark Slaven Lawyer