There is a concept in risk analysis known as the Swiss cheese model, named after cheeses such as Emmental that are famous for their holes. Each layer of defence around a system may have flaws, or holes, but as long as the holes in the different layers do not line up there is no direct path through them, and the defence as a whole still holds.
Sometimes, however, an attacker is able to weave through, using a small hole in each layer, and still reach the target. The recent LastPass breach is a good example: poor vulnerability management and loose access controls around the production environment are a perfect match for an attacker.
In this case an initial breach of the development environment obtained some internal secrets, including documentation and internally used passwords and certificates, as well as encrypted credentials for the production environment but not the key to decrypt them. The investigation could not determine the initial attack vector because the attacker had overwritten the logs. The attacker was also able to disable the Endpoint Detection & Response (EDR) agent on the compromised development laptop.
A later attack used information from the first incident to target one of the four developers who had access to the corporate production secrets vault. The developer was doing some of their work on a home laptop, which was also running an internet-exposed service with a known vulnerability. The attacker exploited it to install a keylogger, which captured the developer's master password. Once the developer had authenticated with MFA for their own purposes, the attacker had access to the developer's password vault, and from it obtained documentation and access credentials for the production environment, together with the decryption key for the encrypted material stolen in the first breach. With those the attacker was able to retrieve the encrypted contents of LastPass customer vaults. LastPass holds no decryption key for these: the customer's master password is the only credential that can unlock them.
So which holes were traversed? An unknown initial hole gave access to the development environment. Security logs were not exported to secure storage, so the attacker could overwrite them. Alerting tools could be disabled by the user of the endpoint. Information from the development environment pointed to where to try for access to the production environment. A BYOD-style laptop, probably without corporate-level security controls, ran an internet-exposed service with an unpatched vulnerability and was still allowed to reach all corporate areas through the VPN connection. DevOps-style operations gave developers access to the production environment. No alerts were raised by the bulk export of cloud-held data. The only remaining layer protecting the stolen vaults is the user-supplied master password, and the likely strength of that is well known.
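One of the holes listed above, the absence of any alert on a bulk export of cloud-held data, is the kind that a simple rate-based detection closes. The following is an added example written for this article; it is not LastPass code and does not reproduce their logging. It assumes a constructed, simplified audit-log format (JSON records with `time`, `actor`, `action` and `target`) and constructed sample events: a backup service reading a few objects per hour, and a stolen developer identity pulling hundreds of vault objects in a few minutes. The detector keeps a sliding window of object reads per actor and raises one alert the first time an actor exceeds the threshold within the window.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection parameters (assumed values; tune to the real read rate of the store).
WINDOW = timedelta(minutes=10)
THRESHOLD = 100
READ_ACTION = "GetObject"


def make_events():
    """Constructed sample audit log, one JSON record per line (not real data)."""
    base = datetime(2022, 10, 1, 9, 0, 0)
    lines = []
    # Benign: a backup service reads 30 objects spread over six hours.
    for i in range(30):
        lines.append(json.dumps({
            "time": (base + timedelta(minutes=12 * i)).isoformat(),
            "actor": "svc-backup",
            "action": READ_ACTION,
            "target": f"vault-backups/cust-{i}.bin",
        }))
    # Noise: listing operations are not object reads and must not count.
    for i in range(5):
        lines.append(json.dumps({
            "time": (base + timedelta(hours=3, seconds=i)).isoformat(),
            "actor": "dev-user-3",
            "action": "ListBucket",
            "target": "vault-backups",
        }))
    # Suspicious: a stolen developer identity pulls 400 objects in five minutes.
    for i in range(400):
        lines.append(json.dumps({
            "time": (base + timedelta(hours=3, seconds=i * 0.75)).isoformat(),
            "actor": "dev-user-3",
            "action": READ_ACTION,
            "target": f"vault-backups/cust-{i}.bin",
        }))
    return lines


def parse_event(line):
    rec = json.loads(line)
    rec["time"] = datetime.fromisoformat(rec["time"])
    return rec


def detect_bulk_reads(lines, window=WINDOW, threshold=THRESHOLD, action=READ_ACTION):
    """Sliding-window count of object reads per actor.

    Returns one alert per actor, raised the first time that actor has at least
    `threshold` reads inside any `window`-long interval. Events are sorted by
    time first so out-of-order delivery does not hide a burst.
    """
    recent = defaultdict(deque)   # actor -> timestamps of reads inside the window
    alerted = set()
    alerts = []
    events = sorted((parse_event(line) for line in lines), key=lambda r: r["time"])
    for rec in events:
        if rec["action"] != action:
            continue
        q = recent[rec["actor"]]
        q.append(rec["time"])
        # Drop reads that have aged out of the window.
        while q and rec["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["actor"] not in alerted:
            alerted.add(rec["actor"])
            alerts.append({
                "actor": rec["actor"],
                "count": len(q),
                "start": q[0].isoformat(),
                "end": rec["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(make_events()):
        print(f"ALERT: {alert['actor']} read {alert['count']} objects "
              f"between {alert['start']} and {alert['end']}")
```

Run on the constructed sample this raises a single alert for `dev-user-3` at the hundredth read, roughly 75 seconds into the burst, while `svc-backup` never comes close to the threshold. A detection like this only helps, of course, if the logs it reads are shipped somewhere the attacker cannot reach, which is the other hole on the list.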