Know thy enemy by understanding how hackers plan their attack.
If you want to thwart a hack, you have to know how a hacker thinks, plans, and executes. Understanding what tactics hackers use and what information they find most valuable is useful to prioritize cybersecurity investment and effort. Here, we overview the five stages of a cyberattack, which provides insight into possible areas that you should assess and prioritize in your cybersecurity strategy.
The Value of a Hack
According to Gartner, the average cost of a data breach is between $3.86M and $3.92M, depending on the source of your research. In regulated industries, like healthcare and finance/banking, the costs can be much higher. In finance, the cost can be $210 per record, and in healthcare it is twice that at $429 per record, with an average breach size of 25K records.
Hack Phase One: Research and Reconnaissance
Research and reconnaissance, also known as footprinting, is a preparatory phase in which the hacker researches the target to obtain as much information as possible. The overall objective is to understand who the target is, where it is located, what information it holds that is worth stealing, how and when the attack will be conducted, and what defense mechanisms the target has in place.
Broadly speaking, the community categorizes the types of reconnaissance in two categories: passive and active.
Passive Reconnaissance
Passive reconnaissance collects open source information without engaging the target directly. Attackers use freely available resources to answer the questions noted above. Useful information includes data about the systems and applications your organization uses and the names of employees.
Types of Open Source Information Useful to Hackers
- Public Records: Hackers use public records, like tax records, to learn more about the inner workings of their target organization. For example, publicly traded companies are required to complete a 10-K annual report, which offers a wealth of information like risk factors, strategic partnerships, acquisitions and mergers, and financial information. Press releases, company shareholder and annual reports are also useful.
- Job postings: Job postings provide basic information about the systems and applications the company uses.
- Email Harvesting: Email harvesting collects email addresses using a combination of methods, including illegal dark web purchases, web crawlers, directory attacks, or taking advantage of commonly used address formats (Jane.Doe[@]targetorganizationname). Large email lists are needed for phishing campaigns to be effective and can also be used to crack login credentials.
- Search Engine Queries: Yahoo, Google, and Bing deploy powerful web crawlers to index the Internet. Hackers take advantage of these expansive web crawlers by using specific keyword terms, phrases, and punctuation to find pages with sensitive information like protected login screens, usernames, and password lists. Shodan is another search engine, used to find devices that are part of the “Internet of Things.” These IoT devices could include cameras, refrigerators, servers, or webcams. Since such devices are often directly reachable from the Internet, they provide another attack vector.
- Social Media: Facebook, Instagram, Twitter, and LinkedIn are sources of information on your employees and their roles, and give clues to their daily habits.
- Domain Name Searches/WHOIS Lookups: Used to collect domain registration information and IP addresses.
Active Reconnaissance
Active reconnaissance is when an attacker engages with the target organization and its people or systems. Typically, this will take the form of port or network scanning to reveal the target’s network architecture, firewalls, intrusion detection programs, or other security mechanisms blocking entry. This direct approach can yield useful information for developing attack vectors, including the operating systems, applications, and specific configurations an organization has in place.
- Network Scan: Where an attacker typically starts. The objective is to reveal how data flows through the network by mapping the topology of the various hosts, servers, routers, and firewalls. The attacker attempts to identify active hosts (i.e., machines that respond to their requests) and tie them to an IP address. This process helps them narrow down which machines they will target for port scanning.
- Port Scan: Detects what services are available on the target’s host ports. There are many methods to achieve this, but the initial purpose of the scan is to determine if a port is open, closed, or unresponsive. If a port is open, the port’s response will include information that helps the attacker identify the specific service hosted on the port – application name and version, operating system name and version. System name and configuration versioning give an attacker the information they need to research specific exploits or develop new ones. Nmap is one of the most well-known tools used in network discovery. Its versatility for network and port scans allows it to identify hosts on a network; the services (application name and version); the operating system version; and the types of packet filters and firewalls in use. Typically, a hacker would launch scans against a system or the IP range owned by their target.
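From the defender's side, the port-scan behaviour described above has a simple signature: one source touching many distinct ports on one host in a short window. The following is an added example (not from the original article) that flags that pattern in a constructed, simplified firewall log; the log format and thresholds are assumptions.

```python
"""Flag sources that probe many distinct ports on one host in a short window.
Added example; the firewall log below is constructed in a simplified
"timestamp src dst dport action" layout."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: one source sweeping eight ports in four seconds,
# plus a second host with ordinary web traffic spread over 20 minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 198.51.100.10 22 DENY
2024-05-01T10:00:01 203.0.113.7 198.51.100.10 23 DENY
2024-05-01T10:00:01 203.0.113.7 198.51.100.10 80 ALLOW
2024-05-01T10:00:02 203.0.113.7 198.51.100.10 443 ALLOW
2024-05-01T10:00:02 203.0.113.7 198.51.100.10 445 DENY
2024-05-01T10:00:03 203.0.113.7 198.51.100.10 3389 DENY
2024-05-01T10:00:03 203.0.113.7 198.51.100.10 8080 DENY
2024-05-01T10:00:04 203.0.113.7 198.51.100.10 8443 DENY
2024-05-01T10:00:00 192.0.2.55 198.51.100.10 443 ALLOW
2024-05-01T10:05:00 192.0.2.55 198.51.100.10 443 ALLOW
2024-05-01T10:20:00 192.0.2.55 198.51.100.10 80 ALLOW
"""

def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _action = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def detect_port_scans(log_text, min_ports=6, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted distinct ports} for every source that touches
    at least min_ports distinct ports on one destination within any sliding
    time window. DENY and ALLOW both count: a scan probes regardless of result."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse_log(log_text):
        events[(src, dst)].append((ts, dport))
    alerts = {}
    for key, items in events.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            ports = {p for _, p in items[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key] = sorted(ports)
    return alerts
```

Tuning `min_ports` and `window` against normal traffic for a given host is what separates a useful alert from noise; vulnerability scanners and monitoring systems you own will trigger the same rule and belong on an allowlist.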
Hack Phase Two: Weaponization
Once the reconnaissance effort is complete, the threat actor will develop techniques to penetrate their target’s defenses, giving the hacker access to their desired information. Methods to carry this out vary greatly. Their choice depends largely on the hacker’s skill and what information they uncovered during the reconnaissance phase. Now is the time that phishing emails are drafted, fake websites (aka watering holes) are created and posted, and malware is developed or acquired. Software or hardware exploits are researched and readied, and the attack begins.
Hack Phase Three: Gaining Access
Entry points into a network can vary. Possible weak points include employees who fall for a phishing email by clicking on the attachment and downloading malware. Other vulnerabilities include employees who are convinced to share pertinent data like login credentials, or a system that was not configured or patched properly, allowing the attacker to use known vulnerabilities to circumvent your company’s defenses. Possibly, the attacker found a login page on the open web via an advanced search engine query and leveraged information gathered from social media, along with password cracking software, to guess the username and password. They are now inside your network.
Hack Phase Four: Exploitation
Once an attacker has access to a system, his or her two objectives are to escalate privileges and maintain access. Escalated privileges give the hacker the ability to make changes to the system that are normally blocked for a typical user or application (like installing malware). Hackers use a multitude of methods to escalate privileges once they have access to a system, including:
- Use Valid Accounts: If, during the reconnaissance phase, an attacker successfully compromised login credentials for your employees, they could leverage that information to access administrative accounts. Individuals tend to reuse passwords or have easy-to-guess passwords and usernames that follow a predictable formula.
- Manipulate Access Tokens: Access tokens are how a Windows machine governs and enforces access control over individual processes. A malicious actor uses a variety of methods to create, duplicate, or misuse existing tokens, allowing restricted actions like downloading software.
- Leverage Windows UAC System: Windows’ User Account Control (UAC) system governs access to individual software systems via a set of default privileges. Additional access must be requested and granted by an authorized administrator account. This system has security gaps, and there are cases where applications can elevate privileges, or execute commands at an elevated privilege, bypassing the UAC control system. Hackers take advantage of this weakness to run exploits and perform file operations, even in protected directories.
Once the hacker has access to the environment, they will attempt to maintain access to the system(s) they have infiltrated. The ability to run privileged commands allows hackers to maintain their presence using a variety of methods, including creating new user accounts, editing firewall settings, turning on remote desktop access, or installing a backdoor via rootkits or other malicious files.
Hack Phase Five: Exfiltration
A skilled hacker covers their tracks once they have achieved their objective; this final phase is called exfiltration. Covering tracks matters to the attacker because detection makes future efforts more difficult and will likely involve law enforcement. Typically, a hacker starts by uninstalling the programs used during the attack and deleting any folders they created. Then, the attacker may modify, corrupt, or delete the audit logs that captured their activity.
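The log tampering described above is the reason audit logs should be tamper-evident and shipped off the host. The following added example (not from the original article) chains each audit record to the previous one with SHA-256 so that a modified or deleted entry breaks the chain; the record layout and the idea of an off-host "tail" anchor are assumptions for illustration.

```python
"""Tamper-evident audit log using a SHA-256 hash chain.
Added example; the audit records below are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first entry in the chain

def chain_entry(prev_hash, record):
    """Hash the previous entry's hash together with the canonical JSON of record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def build_log(records):
    """Return a list of {"record": ..., "hash": ...}, each hash chained to the last."""
    entries, prev = [], GENESIS
    for rec in records:
        h = chain_entry(prev, rec)
        entries.append({"record": rec, "hash": h})
        prev = h
    return entries

def verify_log(entries, expected_tail=None):
    """Recompute the chain. Returns (ok, index_of_first_break) or (True, None).
    A modified or deleted entry breaks the chain at or after its position.
    Deleting entries at the END of the log leaves a valid shorter chain, so
    expected_tail (the last hash, recorded off-host, e.g. by a log collector)
    is needed to catch truncation; without it, truncation goes unnoticed."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if chain_entry(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(entries)
    return True, None

# Constructed audit records mirroring the phases above: access, escalation, persistence.
RECORDS = [
    {"seq": 1, "event": "login", "user": "jdoe", "src": "192.0.2.55"},
    {"seq": 2, "event": "privilege_change", "user": "jdoe", "to": "admin"},
    {"seq": 3, "event": "service_install", "user": "jdoe", "name": "updsvc"},
    {"seq": 4, "event": "logoff", "user": "jdoe"},
]
```

The chain only proves integrity relative to the anchor you trust: an attacker with write access to the log file and no off-host copy to compare against can simply rebuild the chain, which is why the tail hash (or the whole log) must leave the machine as it is written.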
Which Cybersecurity Vulnerabilities Are Your Priority Now?
These five phases highlight the lengths that hackers will go to in pursuit of your valuable data. CyLumena partners with organizations to provide end-to-end assessment, strategy, tactics, and support to mature your organizational security barriers to attack. Our unique approach is called CyberLean.