The Five Phase Approach of Malicious Hackers

Hackers typically approach an attack using five common phases. It is important to understand these phases of hacking attacks in order to better defend against them. Here we’ll discuss the five hacker phases to better understand them and how they relate to each other. This information is useful for network administrators, and essential for network security consultants.

  • Network & Business Reconnaissance – Before hacking your online business or corporate infrastructure, hackers first perform routine and detailed reconnaissance. Hackers must gather as much information about your business and networks as possible. Anything they discover about their target (you) can be valuable during their attack phases. Strategies for hacking rely on a foundation of knowledge and understanding, arising initially from whatever the hacker can learn about you and your business. Methods of reconnaissance include dumpster diving, social engineering, Google searching and Google hacking, and work their way up to more insidious methods such as infiltrating your employees' environments, from coffee shops to simply walking in, setting up in a cubicle and asking a lot of questions. Whatever methods are used to perform reconnaissance, hackers will usually collect a large amount of information varying from trivial to sensitive, all of which may be useful during their attacks.
  • Network & System Scanning – Probing your network can reveal vulnerabilities that create a hit list, or triage list, for hackers to work through. Hackers may be either general hackers or specialized hackers, such as phreakers, but their intent is largely the same: to access information and services that they should not be able to reach. Much of the information gathered during the hacker's reconnaissance phase now comes into play. In many ways, this phase of network scanning is an extension of the reconnaissance phase. Hackers want to learn more about your network map, phone system structure, and internal information architecture. Learning what routers, firewalls, IDS systems, and other network components exist can lead hackers to useful hacking information by researching the known vulnerabilities of those devices. Typically, hackers perform port scans and port mapping, attempting to discover what services, and which versions of those services, are actively available on any open ports. Regardless of how secure a network may feel to the business operator and network administrator, there is great value in remaining paranoid and in maintaining continual logging and analysis, always looking for potential intrusion. Once complacency makes its way into your business operations, it's only a matter of time before a vulnerability becomes an exploit.
  • Gaining Access to Networks, Applications & Businesses – Open ports can lead to a hacker gaining direct access to services and possibly to internal network connections. This phase of attack is the most important and the most dangerous. Although some hack attacks, such as Denial of Service (DoS), don't need direct network access to damage your business, simple methods of attack are available to network-connected hackers, including session hijacking, stack-based buffer overflows, and similar security exploits. Smurf attacks coax many network hosts into responding at once, and the hacker directs those responses at the victim's real IP address to flood it. Whether the hacker succeeds in attacking an internal system has much to do with how vulnerable that specific system is, which comes down to its configuration and architecture. Even if only one of one hundred network users has a vulnerability, it could lead to an exponential increase in network exploitation through distributed zombie software and internal denial of service attacks. The degree and scope of attack depends largely on the level of access the hacker gains and their skill level.
  • Maintaining Access – Hackers may choose to continue attacking and exploiting the target system, or to explore deeper into the target network looking for more systems and services. Not all attackers remain connected to the exploited network, but from a defensive standpoint it must be expected. Hackers may deploy programs to maintain access: launching VNC clients from within your network to reach external systems, opening Telnet sessions and similarly serious services such as FTP and SSH, or uploading rootkits and Trojans to infiltrate and exploit your network and systems to the point where they have complete root-level control. Hackers can continue to sniff your network looking for more information to use against you. Trojans can export sensitive information to hackers, such as credit card records, usernames and passwords. Efficiently maintained access to your network and systems can last years without detection. Maintained access gives hackers the benefit of time to collect the information they need for the purpose of their attack. Although some hackers simply seek fame, others seek fortune. Those that seek the latter will likely leverage sensitive information into direct theft, resale of internal information, using internal information to improve their own profitability, or even leveraging your company into paying them directly. Intrusion Detection Systems (IDS), honeypots/honeynets, and professional ethical security consultation can be employed to detect and defend against hackers and their exploits.
  • Cover Their Tracks – Most hackers will attempt to cover their footprints and tracks as carefully as possible. Although not always the case, removing proof of a hacker's attacks is their best defense against legal and punitive action. Low-end and newbie hackers will most likely get caught at a much higher rate than expert-level hackers who know how to remain hidden and anonymous. Gaining root-level and administrative access is a big part of covering one's tracks, as the hacker can then remove log entries as a privileged administrator rather than as an unknown intruder. Placing programs inside your network to continually send sensitive information out to anonymous drop-off points allows hackers to cover their tracks while maintaining access. Steganography allows hackers to hide information inside objects that are not obvious, such as image headers and meta tags. Tunneling allows hackers to perform their insidious work through one service carried over another, to increase the difficulty of finding them.
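The scanning phase above ends with the advice to keep continual logging and analysis running. As an added defender-side example, not code from the original article, the following Python flags the classic signature of a port scan in connection logs: one source touching many distinct destination ports on one host within a short window. It then lists which of those ports actually answered, since that is what the scanner learned and what the administrator should review first. The log format (timestamp, source, destination, port, action) and the sample lines are constructed for this example; the window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall/connection log (not from the original page).
# Fields: timestamp source_ip destination_ip destination_port action
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 192.0.2.10 22 DROP
2024-03-01T10:00:01 198.51.100.7 192.0.2.10 23 DROP
2024-03-01T10:00:02 198.51.100.7 192.0.2.10 25 DROP
2024-03-01T10:00:02 198.51.100.7 192.0.2.10 80 ACCEPT
2024-03-01T10:00:03 198.51.100.7 192.0.2.10 110 DROP
2024-03-01T10:00:03 198.51.100.7 192.0.2.10 143 DROP
2024-03-01T10:00:04 198.51.100.7 192.0.2.10 443 ACCEPT
2024-03-01T10:00:04 198.51.100.7 192.0.2.10 3306 DROP
2024-03-01T10:00:05 198.51.100.7 192.0.2.10 3389 DROP
2024-03-01T10:00:05 198.51.100.7 192.0.2.10 8080 DROP
2024-03-01T10:00:06 203.0.113.5 192.0.2.10 443 ACCEPT
2024-03-01T10:00:30 203.0.113.5 192.0.2.10 443 ACCEPT
2024-03-01T10:05:00 203.0.113.5 192.0.2.10 80 ACCEPT
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_port_scans(log_text, window_seconds=60, port_threshold=8):
    """Flag (src, dst) pairs that touched at least port_threshold distinct
    destination ports inside a sliding window of window_seconds.
    Returns {(src, dst): sorted ports seen in the window that triggered}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            events[(src, dst)].append((ts, port))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts_end, _) in enumerate(evs):
            # slide the window start forward until it spans <= window_seconds
            while ts_end - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts[pair] = sorted(ports)
                break
    return alerts


def exposed_services(log_text, scanner_ip):
    """Ports on which the flagged source received an ACCEPT: this is what the
    scanner learned about live services, and what to review first."""
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            _, src, dst, port, action = parse_line(line)
            if src == scanner_ip and action == "ACCEPT":
                accepted[dst].add(port)
    return {dst: sorted(ports) for dst, ports in accepted.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: {ports}")
        print(f"  services that answered: {exposed_services(SAMPLE_LOG, src)}")
```

In the constructed log, 198.51.100.7 hits ten ports in five seconds and is flagged once eight distinct ports accumulate, while 203.0.113.5 (three ordinary connections spread over minutes) is not. A slow scan that spaces probes beyond the window evades this simple rule, which is why the threshold and window should be tuned and paired with longer-term per-source counts.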

These five phases of a hacker's attack loop back to the beginning. A successful attack with maintained access often results in continuing reconnaissance. The more the hacker learns about your internal operations, the more likely he will be back to intrude on and exploit more networks, systems, internal services, and business resources. As scary as all of these phases and attacks sound, network security professionals have tools and methods available to detect, track, expunge, and defend against future attacks. Knowing what tools are available and which to use in a given situation is simply one small aspect of network security consultation. There is a difference between Operating System Hacks, Application-Level Hacks, Shrink Wrap Code Hacks and Attacks on Misconfigured Systems. These we'll expound upon shortly.
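The "cover their tracks" phase rests on an intruder with root access being able to remove log entries. One of the defensive tools alluded to above is tamper-evident logging: each entry carries an HMAC over itself and the previous entry's MAC, so deleting or rewriting an entry breaks the chain. The following Python is an added example, not code from the original article; the key name, the helper functions and the five sample log messages are constructed for illustration. It assumes the chain is maintained on a remote log collector that holds the key, so a compromised host cannot simply recompute it.

```python
import hashlib
import hmac

# Constructed demo key (not from the original page). In a real deployment the
# key lives only on the remote log collector, so an intruder who gains root on
# the logged host cannot recompute the chain after altering entries.
COLLECTOR_KEY = b"constructed-demo-collector-key"
GENESIS = "0" * 64


def append_entry(chain, message, key=COLLECTOR_KEY):
    """Append a log message, binding it to the MAC of the previous entry."""
    prev = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, f"{prev}\n{message}".encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "msg": message, "mac": mac})
    return chain


def verify_chain(chain, key=COLLECTOR_KEY, expected_last=None):
    """Return (True, None) if every entry links to its predecessor and its MAC
    checks out; otherwise (False, index_of_first_bad_entry). If expected_last
    (the latest MAC published somewhere the host cannot reach) is given,
    truncation of the tail is reported as (False, len(chain))."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, f"{prev}\n{entry['msg']}".encode(),
                            hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev = entry["mac"]
    if expected_last is not None and prev != expected_last:
        return False, len(chain)
    return True, None


def build_demo_chain():
    """Five constructed auth-log style entries (sample data, not real logs)."""
    chain = []
    for msg in [
        "sshd: accepted publickey for alice from 192.0.2.20",
        "sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
        "sshd: accepted password for root from 198.51.100.7",
        "sudo: root : COMMAND=/usr/sbin/useradd svc-backup",
        "sshd: session closed for user root",
    ]:
        append_entry(chain, msg)
    return chain


def removed_entry_detected():
    """An intruder deletes the entry recording the root login."""
    chain = build_demo_chain()
    tampered = chain[:2] + chain[3:]
    return verify_chain(tampered)              # -> (False, 2)


def edited_entry_detected():
    """An intruder rewrites an entry in place instead of deleting it."""
    chain = build_demo_chain()
    chain[3]["msg"] = "sudo: root : COMMAND=/usr/bin/ls"
    return verify_chain(chain)                 # -> (False, 3)


def truncation_detected():
    """Chopping off the tail is only caught against a published last MAC."""
    chain = build_demo_chain()
    last_mac = chain[-1]["mac"]
    return verify_chain(chain[:3], expected_last=last_mac)   # -> (False, 3)
```

The chain alone catches deletions and edits in the middle of the log, but not removal of the most recent entries, which is why `verify_chain` also accepts the last MAC the collector published; the same logic is why forwarding logs off-host as they are written matters more than any local integrity check.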
