It all seemed so simple. Your network team had implemented a deperimeterisation plan. They had protected what they thought were their most valuable assets: the credit card database, the Active Directory server, and the accounting system. So why had their customers’ credit card details just been found on a Russian server?
The team had not secured the computer that maintained the network audit logs, and the credit card database box was configured to trust the audit server. The hacker uploaded an attack script to get root on the audit log server, then used that trust relationship to launch a second attack on the credit card database with the audit log machine’s elevated privileges. You never saw it coming, and never knew how it was done, because he altered the logs to delete the evidence.
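The scenario turns on one defensive gap: the only record of the intrusion lived on the host the attacker already controlled, so deleting it was trivial. The usual mitigation is to make audit records tamper-evident from a vantage point the audit server itself cannot reach: chain each record to the one before it under a key held on a separate verifier, and have the verifier periodically record ("anchor") the latest chain value. The following is an added illustration, not code from the article or from any product it discusses; the log lines, the key and the host names are constructed sample values, and the anchoring step assumes a verifier host that pulls the chain tail out of band.

```python
"""Tamper-evident audit log chain (added example, not from the original article).

Each record's tag is an HMAC over (previous tag || record), so editing or removing
any record breaks every tag after it. Silent truncation of the tail is caught by
comparing the last tag against an anchor the verifier stored off-host.
Assumption: the verifier key and the anchor never reside on the audit server.
"""
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample key; in practice generated and kept on the verifier host only.
VERIFIER_KEY = b"constructed-example-key-not-for-production"

# Constructed sample records, all host names and accounts are made up.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z auditlog sshd: accepted publickey for svc_backup from 10.0.0.12",
    "2024-01-01T10:00:05Z auditlog sudo: svc_backup : COMMAND=/bin/sh",
    "2024-01-01T10:00:09Z carddb app: new trusted session from auditlog-host",
    "2024-01-01T10:01:30Z carddb app: bulk export of 40000 rows by auditlog-host",
]

GENESIS = b"\x00" * hashlib.sha256().digest_size  # previous-tag value for the first record


def chain_records(records: List[str], key: bytes) -> List[Tuple[str, str]]:
    """Return (record, hex_tag) pairs; each tag binds the record to its predecessor."""
    prev = GENESIS
    chained = []
    for rec in records:
        tag = hmac.new(key, prev + rec.encode("utf-8"), hashlib.sha256).digest()
        chained.append((rec, tag.hex()))
        prev = tag
    return chained


def verify_chain(entries: List[Tuple[str, str]], key: bytes) -> Tuple[bool, int]:
    """Re-walk the chain. Returns (True, -1) if intact, else (False, index of first bad entry).

    Detects in-place edits and deletions of interior records; it cannot by itself
    notice that records were dropped from the end, which is what the anchor is for.
    """
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + rec.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i
        prev = expected
    return True, -1


def verify_with_anchor(entries: List[Tuple[str, str]], key: bytes, anchor_hex: str) -> Tuple[bool, int]:
    """Chain check plus tail check against the verifier's last recorded tag.

    A failure index equal to len(entries) means the chain is internally consistent
    but shorter than what the verifier anchored, i.e. records were removed from the end.
    """
    ok, idx = verify_chain(entries, key)
    if not ok:
        return False, idx
    if not entries or not hmac.compare_digest(entries[-1][1], anchor_hex):
        return False, len(entries)
    return True, -1


if __name__ == "__main__":
    entries = chain_records(SAMPLE_LOG, VERIFIER_KEY)
    anchor = entries[-1][1]  # the verifier would fetch and store this out of band
    print("intact:", verify_with_anchor(entries, VERIFIER_KEY, anchor))
    # Remove the record that shows the trusted session being opened.
    print("interior deletion:", verify_with_anchor(entries[:2] + entries[3:], VERIFIER_KEY, anchor))
    # Drop the last record entirely; only the anchor comparison catches this.
    print("tail truncation:", verify_with_anchor(entries[:3], VERIFIER_KEY, anchor))
```

The chain alone is enough to show that something was changed, but only the off-host anchor turns "the log looks consistent" into "the log is as long as it was when we last looked"; without it, deleting everything after the intrusion would pass verification. The same property is what commercial forwarders and append-only log stores provide, and the point of the example is to show why shipping logs off the audited host is not optional.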
The article continues at