An Inside Look at How Hackers Operate

We’ve all seen shows where a character like The Flash, for instance, needs eyes on a situation to fight the bad guy, and a computer nerd, like Felicity, breaks into Central City’s camera network to help save the day. Movies like WarGames, Hackers and more recently, shows like Mr. Robot show us all sorts of Hollywood-hyped excitement. These shows play up the glamorous side of what is more often a seedy business. However, if we don’t understand the MO of hackers and attackers, we’ll set ourselves up for bad things.

Over the past couple of months, we’ve seen quite a few nasty breaches with wide-reaching effects. As a security craftsman, I always get asked how these attacks went down.

What I find interesting is that these attacks generally follow the same methodology. A few years back, I recall learning about something known as the cyber kill chain. The kill chain concept is rooted in the military, where it describes a strategic attack plan. Lockheed Martin adapted this concept to create the cyber kill chain, which became all the rage across the information security industry.

In my talks, most people are more interested in how attacks happen, from a hacker’s perspective, and not in how corporate America protects our company’s assets. That probably explains why none of the movies or shows I mentioned follow some guy out of the Midwest working as a security analyst! To help me better explain how a hack happens, I will pull from a framework outlined on one of my favorite sites, Hackers-Arise.

We’re going to go over the hacker methodology. It is similar to the cyber kill chain, but it takes an offensive viewpoint similar to what attackers use to take down a target. By understanding how the mind of a hacker works, you’ll have a much better ability to protect yourself!

Hackers Follow an Age-Old Pattern

Since the beginning of time, even before the digital age, attackers of every sort have followed a standard pattern. If you look at Ragnar pillaging a castle in the show Vikings, you’ll see that attacks on kingdoms and on computers are similar. There are six basic steps:

  1. Reconnaissance
  2. Exploitation
  3. Privilege Escalation
  4. Leave a Backdoor
  5. Data Extraction
  6. Cover Your Tracks

When performing an attack, sophisticated tools are an essential piece of a hacker’s arsenal and, many times, they are free to obtain. However, never underestimate the power of humans to be the weak link and fall victim to some good old-fashioned social engineering. A big, wooden Trojan horse may look suspicious, but a simple email or phone call can be even more dangerous.

Reconnaissance

During recon, a hacker may spend weeks or even months gathering intel on their target. They collect information, learning about the company, its people, locations, networks, applications, operating systems and general weaknesses in its defenses. What’s important to them is not getting caught. Passive reconnaissance uses non-intrusive measures, like researching LinkedIn and Facebook and gathering info about web servers using tools like Netcraft. Active reconnaissance digs deeper, with tools like Nmap or Nexpose used to find actionable intel. This phase is riskier for the attacker, because their IP address can end up in the victim’s logs and alert the victim to their presence.

Exploitation


Now that they have the lay of the land, our hacker is looking to gain access and start the exploitation phase. Having done proper recon, they know what apps, services and ports to go after. The attack can be done from within the building or remotely. Metasploit is a popular tool, well known in the underworld, used to bypass security controls.

Privilege Escalation


The hacker has made their way in and found a vulnerability to exploit. However, the compromise likely starts with a computer or low-value server. Imagine breaking into a bank; you’ve made it into the lobby. Not much of a heist if you walk out with hard candies, pens and deposit slips, though. The hacker needs to escalate their privileges and gain permissions necessary for greater access across the network. Privilege escalation is how hackers get to high-value servers and data stores.

Mimikatz is a tool used to grab leftover admin credentials stored in a computer’s memory under the Local Security Authority Subsystem Service process, known as LSASS. LSASS is a running process (visible in Task Manager) on every Windows computer, and it holds all sorts of credentials used to log in across a network.

Leave a Backdoor


The attack is in process, and the attacker is moving across the network. They will establish persistence so they can have access for as long as possible until they are discovered. Persistence is maintained by creating their own “legit” account or installing technology like VNC for remote access to use later, if needed.

Data Extraction

Now, it’s game over, man. The attacker is stealing the files they want, encrypting laptops, accessing credit cards, monitoring video feeds, shutting down industrial controls or whatever the end goal is. They are making their exit with a bag full of loot.

Cover Your Tracks


I have no idea what the criminal code of ethics is. However, I do know that criminals don’t like to get caught, as it is bad for their business. With the attack accomplished, they’ll take a tool like Meterpreter, run a clearev command to clear Windows event logs, and become a ghost.
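A defender-side counterpart to the last two steps above, the “legit” backdoor account and the cleared event logs, written as an added example that is not part of the original post: it scans Windows event records for Event IDs 4720 (user account created), 1102 (Security audit log cleared) and 104 (System log file cleared), labels each hit with the step of the methodology it belongs to, and correlates an account created in one event with that same account later clearing a log. The event records, host names and account names are constructed sample data in a simplified dict shape, not real telemetry.

```python
# Added example, not code from the original post. Event IDs used here:
# 4720 = user account created (Security log), 1102 = audit log cleared
# (Security log), 104 = log file cleared (System log). The records are
# constructed sample data in a simplified dict shape, not real telemetry.

INTERESTING_EVENTS = {
    ("Security", 4720): ("Leave a Backdoor", "new user account created"),
    ("Security", 1102): ("Cover Your Tracks", "Security audit log cleared"),
    ("System", 104): ("Cover Your Tracks", "event log file cleared"),
}

# Constructed sample records in time order: log name, event id, host,
# the account that performed the action and, for 4720, the account created.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4624, "host": "WS01", "actor": "jsmith"},
    {"log": "Security", "id": 4720, "host": "WS01", "actor": "jsmith", "target": "svc_backup"},
    {"log": "Security", "id": 4624, "host": "FS02", "actor": "svc_backup"},
    {"log": "Security", "id": 1102, "host": "FS02", "actor": "svc_backup"},
    {"log": "System", "id": 104, "host": "FS02", "actor": "svc_backup"},
]


def detect_persistence_and_log_clearing(events):
    """Return one alert per matching record, in the order the records arrived."""
    alerts = []
    for ev in events:
        match = INTERESTING_EVENTS.get((ev.get("log"), ev.get("id")))
        if match is None:
            continue  # routine event such as a 4624 logon
        phase, description = match
        alerts.append({"phase": phase, "host": ev.get("host"), "actor": ev.get("actor"),
                       "target": ev.get("target"), "description": description})
    return alerts


def accounts_created_then_clearing_logs(events):
    """Correlate the two phases: accounts created via 4720 that later appear as the
    actor clearing a log. That chain is a strong sign a backdoor account is in use."""
    created, suspicious = set(), set()
    for alert in detect_persistence_and_log_clearing(events):
        if alert["phase"] == "Leave a Backdoor" and alert["target"]:
            created.add(alert["target"])
        elif alert["phase"] == "Cover Your Tracks" and alert["actor"] in created:
            suspicious.add(alert["actor"])
    return suspicious


if __name__ == "__main__":
    for a in detect_persistence_and_log_clearing(SAMPLE_EVENTS):
        print(f'{a["phase"]:<18} {a["host"]} {a["actor"]}: {a["description"]}')
    print("backdoor accounts clearing logs:", accounts_created_then_clearing_logs(SAMPLE_EVENTS))
```

A cleared log is never routine on a server, so each 1102 or 104 hit deserves a look on its own; the correlation simply raises the priority when the actor is an account that did not exist before the intrusion.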

While this is an oversimplification, it’s generally how hackers take down their targets. When the next breach hits the news cycles, wait a few weeks for researchers to do their analysis. Google how the attack happened, and I guarantee you’ll see it follows this general pattern.


Brian Krause

Brian leads CyberArk’s Strategic Partners Team. He spends his time working with IT leaders and technology partners to build identity practices, to serve the complex needs of a rapidly transforming business environment.
