
Insider Threat Matrix™
  • ID: PV080
  • Created: 24th October 2025
  • Updated: 24th October 2025
  • Contributor: The ITM Team

Change Management

Implement a comprehensive organizational change management framework that governs all modifications to infrastructure, systems, applications, configurations, and access policies. Without formal change control, subjects may introduce unauthorized changes that bypass controls, enable persistent access, disrupt availability, or conceal malicious activity under the guise of routine maintenance. Effective change management provides structured oversight that makes all changes attributable, reviewable, and auditable.

A mature change management program includes: centralized change request submission, classification by operational risk, dual authorization for sensitive modifications, enforcement of scheduled implementation windows, post-change validation, and configuration state reconciliation. This applies equally to on-premises infrastructure (e.g., network ACLs, hypervisors, firewalls), cloud-native resources (e.g., AWS security groups, Azure NSGs, GCP IAM), DevOps pipelines, and identity/access control systems.

Organizations should implement their change processes using industry-aligned ITSM platforms or integrated DevSecOps workflows. Common software platforms include ServiceNow, Jira Service Management, BMC Helix, Freshservice, and integrations with CI/CD pipelines (e.g., GitHub Actions, GitLab CI, Terraform Cloud) that enforce policy-as-code for configuration control.

Change Request and Classification

  • All changes must be submitted through a centralized Change Management System (CMS)
  • Requests must include: category (e.g., network, identity, application), scope, justification, risk, and implementation window
  • Changes must be classified by their impact on security posture and service delivery (e.g., changes that touch segmentation, access control, or availability-critical components)

Approval and Oversight

  • High-impact or trust boundary changes require dual approval (technical and business approver)
  • Separation of duties must be enforced between requestor and approver
  • Emergency changes must be time-bound, documented, and retroactively reviewed

Implementation and Validation

  • Changes must occur within approved maintenance windows
  • Pre-change state (e.g., config snapshots, baselines) must be captured
  • Post-change verification must confirm success and be documented
  • Any deviations from approved scope or schedule must be logged and reviewed

Auditability and State Monitoring

  • Change records must be immutable, timestamped, and retained according to policy
  • All changes must be linked to authentication and privileged session records
  • Configuration drift detection must identify unapproved or out-of-band modifications

Policy and Governance

  • Change management controls must be embedded in formal policy
  • Internal audits must compare CMS records to actual infrastructure state at least quarterly
  • Administrators and approvers must receive annual secure change training
  • Non-compliant changes must be investigated and result in corrective or disciplinary actions
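
The drift-detection requirement under Auditability and State Monitoring and the quarterly CMS-to-infrastructure audit above are the same procedure run at different cadences: diff the live configuration against the last approved baseline, attribute each difference to a management-plane event and the privileged session that produced it, then check it against an approved change record (window, scope, and separation of duties). The following Python is an added example, not ITM tooling; the record formats, asset name, session identifiers, user names and firewall rules are constructed for the illustration.

```python
"""Reconcile observed configuration drift against change-management records.

Added example, not ITM tooling. Assumes a baseline and a current snapshot
of firewall rules keyed by rule id, a management-plane event log in which
every rule edit carries the acting identity and its privileged-session id,
and CMS change records listing the rule ids each ticket is authorised to touch.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    asset: str
    requester: str
    approver: str
    window_start: datetime
    window_end: datetime
    approved_rule_ids: frozenset


@dataclass(frozen=True)
class ConfigEvent:
    ts: datetime
    asset: str
    actor: str
    session_id: str   # privileged-session (PAM) id that produced the edit
    rule_id: str


def diff_rules(baseline, current):
    """Rule ids whose definition differs between the two snapshots."""
    return {rid for rid in set(baseline) | set(current)
            if baseline.get(rid) != current.get(rid)}


def reconcile(baseline, current, events, records):
    """Map every drifted rule id to (verdict, change_id, session_id).

    Verdicts: approved, out_of_window, sod_violation, unapproved (an event
    exists but no record authorises that rule) and unattributed (drift with
    no management-plane event at all, i.e. an out-of-band edit).
    """
    events_by_rule = {}
    for ev in events:
        events_by_rule.setdefault(ev.rule_id, []).append(ev)

    findings = {}
    for rid in sorted(diff_rules(baseline, current)):
        evs = events_by_rule.get(rid)
        if not evs:
            findings[rid] = ("unattributed", None, None)
            continue
        ev = max(evs, key=lambda e: e.ts)   # the edit that produced the current state
        matches = [r for r in records
                   if r.asset == ev.asset and rid in r.approved_rule_ids]
        if not matches:
            findings[rid] = ("unapproved", None, ev.session_id)
            continue
        rec = matches[0]
        if rec.requester == rec.approver:
            verdict = "sod_violation"            # same identity raised and approved it
        elif not rec.window_start <= ev.ts <= rec.window_end:
            verdict = "out_of_window"            # ticket exists, but the edit landed late
        else:
            verdict = "approved"
        findings[rid] = (verdict, rec.change_id, ev.session_id)
    return findings


# --- constructed sample data (not from any real environment) ---------------
T0 = datetime(2025, 10, 24, 22, 0)        # start of a two-hour approved window
ASSET = "fw-edge-01"

BASELINE = {
    "sg-100": "allow 10.10.0.0/16 -> 10.20.5.10:443",
    "sg-300": "deny  10.30.0.0/16 -> 10.20.0.0/16:any",   # dev-to-prod block
    "sg-400": "allow 10.10.9.0/24 -> 10.40.1.5:22",
    "sg-500": "allow 10.10.0.0/16 -> 10.20.5.11:443",
}
CURRENT = {
    "sg-100": "allow 10.10.0.0/16 -> 10.20.5.10:8443",     # ticketed edit
    "sg-200": "allow 0.0.0.0/0 -> 10.20.5.10:443",         # ticketed, applied late
    # sg-300 removed: the dev-to-prod deny is gone and nobody raised a ticket
    "sg-400": "allow 0.0.0.0/0 -> 10.40.1.5:22",           # no management-plane event
    "sg-500": "allow 10.10.0.0/16 -> 10.20.5.11:80",       # self-approved ticket
}
RECORDS = [
    ChangeRecord("CHG-2025-1188", ASSET, "asmith", "jlee", T0, T0 + timedelta(hours=2), frozenset({"sg-100"})),
    ChangeRecord("CHG-2025-1189", ASSET, "asmith", "jlee", T0, T0 + timedelta(hours=2), frozenset({"sg-200"})),
    ChangeRecord("CHG-2025-1190", ASSET, "rkhan", "rkhan", T0, T0 + timedelta(hours=2), frozenset({"sg-500"})),
]
EVENTS = [
    ConfigEvent(T0 + timedelta(minutes=15), ASSET, "asmith", "pam-7a21", "sg-100"),
    ConfigEvent(T0 + timedelta(hours=5), ASSET, "asmith", "pam-7c03", "sg-200"),
    ConfigEvent(T0 + timedelta(hours=5, minutes=2), ASSET, "asmith", "pam-7c03", "sg-300"),
    ConfigEvent(T0 + timedelta(minutes=40), ASSET, "rkhan", "pam-7b10", "sg-500"),
]

if __name__ == "__main__":
    for rid, (verdict, chg, sess) in reconcile(BASELINE, CURRENT, EVENTS, RECORDS).items():
        print(f"{rid}: {verdict:14} change={chg} session={sess}")
```

Two of the verdicts deserve the most attention in an investigation: an "unattributed" difference means the device state changed with no corresponding management-plane event, which points at an out-of-band channel (console, restored snapshot, direct API call outside the logged path) or at log tampering; an "unapproved" edit sharing a session id with an approved one (sg-300 and sg-200 above) shows a legitimate maintenance session being used to slip in an extra change, which is exactly the "routine maintenance" cover the control is meant to remove.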

Sections

PR018.008 Bypassing Network Segmentation

A subject bypasses logical or physical network segmentation controls (such as VLANs, ACLs, security groups, or subnets) in order to obtain unauthorized access to systems, services, or data across trust boundaries. This preparation technique commonly manifests through deliberate configuration changes (e.g., modifying ACLs or VLAN assignments), covert tunneling (e.g., SSH, HTTPS reverse tunnels), rogue device introduction (e.g., unmanaged switches or dual-homed devices), or misuse of trusted services (e.g., remote access platforms or admin automation tools that bridge zones).

Such actions are often observable via first-time or anomalous cross-segment flows, management plane configuration logs, 802.1X/NAC anomalies, or long-lived encrypted outbound sessions. These techniques typically exploit privileged access, weak change control, or poor posture enforcement.

This behaviour may be motivated by a subject’s attempt to escalate access, stage data for exfiltration, evade oversight, or maintain persistence across environments. It is especially critical in environments with sensitive zoning, such as production-to-dev separations, cloud VPC peerings, or physically segmented OT/ICS networks.

Investigators should prioritize telemetry correlation across NetFlow/IP Flow Information Export (IPFIX), EDR, DHCP, and identity systems to attribute cross-zone traffic to known assets and subjects. Preserve infrastructure configuration snapshots and identify whether segmentation was circumvented by direct administrative action, covert bridging, or software-level tunnelling.
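
The observables listed above (first-time or anomalous cross-segment flows, crossings that violate the segmentation policy, long-lived encrypted sessions, and attribution of a source address to a known asset through DHCP) can be checked in a single pass over flow records. The following Python is an added example, not ITM code; the zone layout, segmentation policy matrix, historical baseline of seen crossings, DHCP leases and flow records are all constructed for the illustration.

```python
"""Flag anomalous cross-segment flows from NetFlow/IPFIX-style records.

Added example, not ITM code. The zone layout, the segmentation policy
matrix, the historical baseline of seen zone crossings, the DHCP leases
and the flow records below are all constructed for the illustration.
"""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int
    octets: int
    duration_s: int


# Assumed zoning for the example environment.
ZONES = {
    "corp-user": ipaddress.ip_network("10.10.0.0/16"),
    "prod":      ipaddress.ip_network("10.20.0.0/16"),
    "dev":       ipaddress.ip_network("10.30.0.0/16"),
    "mgmt":      ipaddress.ip_network("10.99.0.0/24"),
    "ot":        ipaddress.ip_network("172.16.50.0/24"),
}
# Segmentation policy: permitted (src_zone, dst_zone) crossings and ports.
# Any zone crossing not listed here, or on another port, is a violation.
POLICY = {
    ("corp-user", "prod"): {443},
    ("mgmt", "prod"): {22, 443},
    ("mgmt", "dev"): {22, 443},
    ("mgmt", "ot"): {22},
    ("dev", "prod"): set(),            # explicitly nothing from dev into prod
    ("prod", "external"): {443},       # outbound updates/APIs from prod
}
ENCRYPTED_PORTS = {22, 443}
LONG_SESSION_S = 3600                  # tunnels stay up; interactive sessions rarely do


def zone_of(ip):
    """Name of the zone containing ip, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def analyse(flows, seen_before, dhcp_leases):
    """Return one alert dict per cross-zone flow that trips any check.

    seen_before: historical set of (src_zone, dst_zone, dst_port) crossings.
    dhcp_leases: ip -> hostname, used to attribute the source to a known asset;
                 a source with no lease is a candidate rogue or dual-homed device.
    """
    alerts = []
    for f in flows:
        sz, dz = zone_of(f.src_ip), zone_of(f.dst_ip)
        if sz == dz:
            continue                                   # intra-zone: out of scope here
        reasons = []
        allowed = POLICY.get((sz, dz))
        if allowed is None or f.dst_port not in allowed:
            reasons.append("policy-violation")
        if (sz, dz, f.dst_port) not in seen_before:
            reasons.append("first-seen-cross-zone")
        if f.dst_port in ENCRYPTED_PORTS and f.duration_s >= LONG_SESSION_S:
            reasons.append("long-lived-encrypted")
        if reasons:
            alerts.append({
                "ts": f.ts, "src": f.src_ip, "src_zone": sz,
                "src_host": dhcp_leases.get(f.src_ip, "unknown-asset"),
                "dst": f.dst_ip, "dst_zone": dz, "port": f.dst_port,
                "reasons": reasons,
            })
    return alerts


# --- constructed sample data --------------------------------------------------
SEEN_BEFORE = {("corp-user", "prod", 443), ("mgmt", "ot", 22),
               ("mgmt", "prod", 22), ("prod", "external", 443)}
DHCP_LEASES = {"10.10.42.7": "LT-ASMITH", "10.99.0.5": "JUMP-01",
               "10.20.5.10": "WEB-PROD-01"}
FLOWS = [
    Flow("2025-10-24T09:12:04Z", "10.10.42.7", "10.20.5.10", 443, 18233, 12),            # normal
    Flow("2025-10-24T23:41:10Z", "10.30.4.12", "10.20.5.20", 5432, 4_120_000, 95),       # dev box hitting prod DB
    Flow("2025-10-24T23:50:00Z", "10.10.42.7", "10.20.5.20", 22, 912_000, 7200),         # 2h SSH from a user laptop
    Flow("2025-10-24T10:00:00Z", "10.99.0.5", "172.16.50.9", 22, 3300, 40),              # jump host to OT, expected
    Flow("2025-10-24T02:00:00Z", "10.20.5.10", "203.0.113.40", 443, 55_000_000, 14400),  # 4h outbound TLS from prod
]

if __name__ == "__main__":
    for a in analyse(FLOWS, SEEN_BEFORE, DHCP_LEASES):
        print(f"{a['ts']} {a['src_host']:>13} {a['src']}({a['src_zone']}) -> "
              f"{a['dst']}({a['dst_zone']}):{a['port']} {', '.join(a['reasons'])}")
```

The three checks map onto the three bypass styles in the description: a policy violation on a first-seen crossing from a source with no DHCP lease is what a rogue or dual-homed device looks like, a long interactive SSH session from a user laptop into production is the covert-tunnel pattern, and a multi-hour outbound TLS session from a production host is the reverse-tunnel pattern that no port-based rule will catch. Each alert should then be joined to the management-plane and change records for the intervening firewalls to decide whether the path was opened by an approved change.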

IF013.002 Operational Disruption Impacting Customers

The subject deliberately interferes with operational systems in ways that degrade, interrupt, or misroute services relied upon by customers, without relying on file deletion or malware. This includes misconfigurations, service disabling, authentication interference, or intentional introduction of latency, instability, or incorrect outputs. The result is operational degradation that directly or indirectly affects service delivery, availability, or trust.

Unlike File or Data Deletion, this infringement does not depend on erasing data, and unlike Destructive Malware Deployment, it does not rely on malicious payloads or automated damage. The disruption instead stems from direct manipulation of infrastructure, configurations, service states, or user access.

Examples include:
  • Intentionally disabling authentication or API endpoints
  • Modifying DNS, firewall, or routing rules to block legitimate traffic
  • Tampering with load balancers or HA/failover logic
  • Altering service configurations to break dependency chains (e.g. pointing production systems to empty dev databases)
  • Injecting false signals into monitoring or orchestration tools to trigger auto-scaling failures or false alerts
  • Enabling excessive logging or computation to induce service latency or memory exhaustion
  • Locking critical service accounts, API keys, or secrets in vault systems

These actions may be motivated by retaliation, concealment, sabotage, or insider coercion, and often occur in environments where the subject has legitimate system access but uses it to destabilize service delivery covertly.

IF011.001 Intentionally Weakening Network Security Controls For a Third Party

The subject intentionally weakens or bypasses network security controls on behalf of a third party, for example by providing the third party with credentials or by disabling security controls that would otherwise block its access.

IF014.007 Creation of Cloud Resources

A subject provisions cloud-based resources without prior authorization or a documented business justification. This unauthorized activity may circumvent established governance, security, or cost-management controls, potentially exposing the organization to operational, financial, or regulatory risk.

IF014.005 Deletion of Cloud Resources

A subject deliberately or negligently deletes cloud-based resources, leading to the disruption, degradation, or complete interruption of organizational operations. Deletion of critical resources may result in the permanent loss of data, service outages, impaired system performance, or the failure of customer-facing applications. Such actions often violate organizational policies governing change management, data retention, disaster recovery, and access control, and may expose the firm to significant operational, financial, legal, and reputational risks.

Characteristics:

  • May involve deletion of compute instances, storage buckets, databases, networking components, IAM configurations, or application services.
  • Can be motivated by malice (e.g., retaliation, sabotage) or negligence (e.g., misunderstanding scope of permissions, error during unsanctioned activities).
  • Deletions may occur directly via administrative consoles, APIs, or CLI tools, often outside of approved change management processes.
  • Recovery may be delayed or impossible if backup, replication, or retention mechanisms are improperly configured or bypassed.
  • Associated activity often correlates with other early indicators, such as privilege escalation, unauthorized access attempts, or policy circumvention behaviors.

Example Scenario:
A subject with elevated cloud access privileges, dissatisfied with an impending termination, manually deletes production virtual machines and storage buckets without authorization. This leads to an extended outage of the organization’s primary customer platform, resulting in contractual penalties, regulatory reporting obligations, and long-term reputational damage. Post-incident investigation reveals inadequate enforcement of least privilege policies and incomplete backup coverage for critical resources.

IF014.006 Deletion of Other IT Resources

The subject deletes IT resources resulting in harm to the organization. Examples include virtual machines, virtual disk images, user accounts, and DNS records.

IF014.004 Modification of Access Controls

The subject makes unauthorized changes to access controls resulting in harm. Examples include resetting/changing passwords, locking accounts, or deleting accounts.

IF014.001 Modification of DNS Records

The subject creates, deletes, or edits DNS records resulting in harm. Examples include altering MX records to affect the availability of email communication, removing A records to affect the availability of web resources, or altering A records to redirect traffic to an unintended location.

IF014.002 Modification of Firewall Rules

A subject makes an unauthorized change to the rule table of a network-based firewall, impairing security, affecting availability, or bypassing network segmentation.