The Five Stages of “Hacked”
(Originally published on my blog)
While doing some work around the SolarWinds hacks, I realized that there is no simple triage scale that we in the industry can use to characterize the severity of hacks simply and succinctly.
This is my proposal for a simple scale to enable simple but meaningful comparisons of the severity of hacks.
Since what matters most about a hack is its spread and severity, the cancer staging system is a good model for measuring these things, so this scale is adapted from it.
- Stage 0: The attackers have found or made an entry point to systems or the network but haven’t used it or have taken no action.
- Stage I: Attackers have control of a system but haven’t moved beyond the system to the broader network.
- Stage II: Attackers have moved to the broader network and are in “read-only” mode meaning they can read and steal data but not alter it.
- Stage III: Attackers have moved to the broader network and have “write” access to the network meaning they can alter data as well as read and steal it.
- Stage IV: Attackers have administrative control of the broader network meaning they can create accounts and new means of entry to the network as well as alter, read and steal data.