IT Security Guru

Hacker 101 – How to Execute the Perfect Cyber Attack

by The Gurus
June 29, 2016
in This Week's Gurus
By: Chris Stoneff, VP of Technical Management at Lieberman Software
All networks are vulnerable to cyber attack, every single one of them. Industry research has shown that on average advanced attacks nest inside organisations for 200 days before discovery. That’s a long time for an attacker to stealthily gather private data, monitor communications and map the network.
So in order to mitigate an attack entirely, or at the very least shorten the amount of time it takes to detect one, it is important for organisations to see the attack from the hacker’s point of view.
For a successful cyber attack to take place, there are seven steps an attacker must perform:

  1. Reconnaissance

Before launching an attack, hackers first identify a vulnerable target and explore the best ways to exploit it – what is the organisational structure, and is the weakest link the employees, the company website or perhaps a third party? The initial target can be anyone in or connected to an organisation, whether an executive, an admin or a third-party supplier. All the criminals need is a single point of entrance. Targeted phishing emails are a common method used in active reconnaissance as a way to see who might take the bait.

  2. Scanning

Once the target is identified, the next step is to identify a weak point that allows the attackers to gain access. This is usually accomplished by scanning an organisation’s network with tools easily found on the Internet to find entry points. This step of the process usually goes slowly, sometimes lasting months, as the attackers search for vulnerabilities.

  3. Access and Escalation

Now that weaknesses in the target network are identified, the next step in the cyber attack is to gain access and then escalate to moving through the network undetected. In almost all such cases, privileged access is needed because it allows the attackers to move freely within the environment. Rainbow Tables and similar tools help intruders steal credentials, escalate privileges to admin, and then get into any system on the network that’s accessible via the administrator account. Once the attackers gain elevated privileges, the network is effectively taken over and “owned” by the intruders.

  4. Exfiltration

With the freedom to move around the network, the attackers can now access systems with an organisation’s most sensitive data – and extract it at will. But stealing private data is not the only action intruders can take at this time. They can also change or erase files on compromised systems.

  5. Sustainment

The attackers have now gained unrestricted access throughout the target network. Next is sustainment, or staying in place quietly. To accomplish this, the hackers may secretly install malicious programs like rootkits that allow them to return as frequently as they want. And with the elevated privileges that were acquired earlier, dependence on a single access point is no longer necessary. The attackers can come and go as they please.

  6. Assault

Fortunately this step is not taken in every cyber attack, because the assault is the stage of an attack when things become particularly nasty. This is when the hackers might alter the functionality of the victim’s hardware, or disable the hardware entirely. The Stuxnet attack on Iran’s critical infrastructure is a classic example. During the assault phase, the attack ceases to be stealthy. However, the attackers have already effectively taken control of the environment, so it’s generally too late for the breached organisation to defend itself.

  7. Obfuscation

Usually the attackers want to hide their tracks, but this is not universally the case – especially if the hackers want to leave a “calling card” behind to boast about their exploits. The purpose of trail obfuscation is to confuse, disorientate and divert the forensic examination process. Trail obfuscation covers a variety of techniques and tools including log cleaners, spoofing, misinformation, backbone hopping, zombied accounts, trojan commands and more.
Regaining Power
A whopping 97 percent of organizations have already been breached at least once according to Mandiant. And perimeter security tools, like next generation firewalls, offer little real protection against advanced, targeted attacks. The key to blocking a cyber attack is controlling privileged access. Each step beyond number three in the process described above requires privileged credentials to succeed. And in each successful cyber attack, privileged access is gained despite companies spending money on what they clearly think are adequate security solutions.
Privileged identity management can automatically discover privileged accounts throughout the network, bring those accounts under management, and audit access to them. Each privileged credential is updated continuously. This negates the damage inflicted by advanced cyber attacks, because even if an intruder compromises a credential, it cannot be leveraged to leapfrog between systems and extract data. If you have the ability to control privileged access, a cyber attack can be significantly mitigated.
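The audit side of that idea, as an added example that is not from the original article or from any vendor's product: a short Python check over a privileged-account inventory that flags credentials shared across hosts, credentials past a rotation threshold, and how far one compromised host would reach. The inventory rows, host names, fingerprints and the 30-day threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory: (host, account, credential fingerprint, last rotated).
# The fingerprint stands in for a keyed hash produced by the inventory tool,
# so equal fingerprints mean the same secret is in use on both hosts.
INVENTORY = [
    ("web01", "Administrator", "fp-a1", date(2016, 6, 20)),
    ("web02", "Administrator", "fp-a1", date(2015, 11, 2)),
    ("db01",  "Administrator", "fp-a1", date(2015, 11, 2)),
    ("db01",  "svc_backup",    "fp-b7", date(2014, 3, 9)),
    ("hr01",  "Administrator", "fp-c3", date(2016, 6, 25)),
]

def shared_credentials(inventory):
    """Group hosts by fingerprint; a group of more than one host means one
    stolen credential unlocks several systems."""
    hosts = defaultdict(set)
    for host, _account, fp, _rotated in inventory:
        hosts[fp].add(host)
    return {fp: sorted(h) for fp, h in hosts.items() if len(h) > 1}

def stale_credentials(inventory, today, max_age_days=30):
    """Return (host, account, age_days) for credentials older than policy,
    oldest first."""
    out = []
    for host, account, _fp, rotated in inventory:
        age = (today - rotated).days
        if age > max_age_days:
            out.append((host, account, age))
    return sorted(out, key=lambda row: -row[2])

def blast_radius(inventory, compromised_host):
    """Other hosts that accept any credential present on the given host."""
    fps = {fp for host, _a, fp, _r in inventory if host == compromised_host}
    return sorted({host for host, _a, fp, _r in inventory
                   if fp in fps and host != compromised_host})

if __name__ == "__main__":
    today = date(2016, 6, 29)
    print("shared:", shared_credentials(INVENTORY))
    print("stale:", stale_credentials(INVENTORY, today))
    print("reach from web01:", blast_radius(INVENTORY, "web01"))
```

An empty result from `blast_radius` for every host is the state the paragraph describes: each privileged credential is unique to one system, so a compromised credential cannot be reused elsewhere.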
Successful attackers are great at going under the radar for as long as necessary to gather all the information they need and then pouncing at the chosen moment by abusing illegitimately gained privileged access rights. Therefore companies should concentrate on getting the security around privileged access tight in order to stop attackers from gaining a crucial foothold within a target to rob and exploit organisations.
www.liebsoft.com
