To prepare for security threats like the above, you need to understand how attackers create breaches. Typically, an attacker goes through a seven-step process to find a company's 'loophole' and achieve the final goal of data theft. Let's explore this process in detail using penetration through web service vulnerabilities as an example.

1) Initial Access

This is the first step of the attack. Penetration begins in various ways such as accessing exposed management pages, exploiting vulnerabilities that have a publicly available PoC (Proof of Concept), or exploiting web service vulnerabilities. At this stage, the attacker finds attack vectors in publicly exposed web services and gains a foothold in the system by uploading files (web shells) or executing remote commands.

• Example: The attacker exploits a vulnerability in the 1:1 consultation feature of the web service where file extension checks are insufficient, uploads a malicious file (web shell), and prepares to execute commands.

2) Privilege Escalation

After initial access, the attacker needs to expand control beyond the limited authority they initially acquire. Methods include searching for credential-related files and exploiting LPE (Local Privilege Escalation) vulnerabilities with publicly available PoCs. Even if privilege escalation is not immediately possible, the attacker can proceed to the next step.

• Example: By executing commands through the uploaded web shell, the attacker locates credential-related files like configuration files on the server and secures root access.

3) Malware Installation and Persistence

Next, the attacker sets up an environment to maintain access, even if existing vulnerabilities are patched or the system is rebooted. They accomplish this by creating new accounts, enabling SSH, generating auto-executing services for malware, or installing backdoors and rootkits to establish 'secret passages.'

• Example: With root access, the attacker creates a new admin account and configures remote access (SSH) so they can access the system at any time.

4) Internal Reconnaissance

After securing continuous access to the system, it's time to look internally. The attacker surveys internal assets (those not accessible externally) connected to the compromised assets by exploring accessible internal assets, conducting port scans, and searching for vulnerable services to identify the next penetration points.

• Example: The attacker identifies the internal IP range of the occupied assets, finds the reachable IPs, conducts port scans, and determines which services are running on those IPs.

5) Lateral Movement

Using the 'map' obtained from reconnaissance, the attacker attempts to penetrate other assets like the DMZ and internal network where key data might reside. Penetration methods include using acquired credentials for access, accessing exposed internal management pages, and exploiting vulnerabilities.

• Example: When accessing the asset running the web service, the internal server management panel is fully exposed, allowing the attacker easy access to the internal systems.

6) Privilege Escalation and Persistence (Replication)

In an effort to get closer to the final target (e.g., DB server, backup server), the attacker repeats the steps of privilege escalation and persistence on the compromised assets. This gradually increases their control over the system.

• Example: By accessing critical servers identified through the internal server management panel, the attacker escalates privileges and installs additional malware to recreate the persistence environment.

7) Goal Achievement

Finally, the attacker reaches the final objective and achieves their goal. At this stage, the company faces the most feared consequences, such as ransomware infections or theft of critical information.

• Example: The attacker successfully accesses the DB server and steals a large amount of sensitive personal information, such as patient data and medical records.