Information Security – The Hacker Methodology

In general terms hackers are classed in one of two categories:  White Hats; hackers who attempt to identify weaknesses and recommend how to plug security gaps; and Black Hats; the people who try to steal stuff.  However, having said that, there is an entire spectrum of other coloured hats who in one way or another fall into either or both camps.  For example, Grey Hats can operate in either mode.

If we ignore White Hats, for now, the FBI believe that there are several different Black Hat hacking profiles:

1. The Joyrider or Mischief Maker: Someone who wants to just cause mischief by hacking into a site, perhaps only changing the web landing page.
2. The Vandal: Someone who hacks into a corporate network and simply destroys. They mangle databases, trash systems and websites, and generally try to cause as much damage as possible.
3. The Thief: This category has subtypes, including:
   1. They want to steal financial information that they can resell or use to steal money.
   2. Intellectual Property. This could be a competitor trying to find out progress on the development of a competing product, stealing a copy of the response to tender a company is putting forward, or general strategic information about a businesses objectives.

It should be noted that Black Hat hacking is not confined to the private sector. There have been serious allegations that many governments are using hacking as a form of espionage or economic warfare. It has been alleged that there was interference in both the Presidential Election that brought President Biden to power and the 2016 Brexit Referendum in the UK.

As with all attacks, it typically follows about 5 recognisable stages:

Simply put, this is finding out about the proposed target, gaining sufficient intelligence to decide whether mounting a full-on attack is achievable and worthwhile. The hacker can carry it out or perform it through an intermediary.

In other circles, burglars tend to ignore homes with good defences. If they find one, they move on until they find one that has poor defences.

It must be the aim of the IT Security team to convince the hacker after they have reconnoitred the site that the returns they will receive on attacking them is not worth the effort, and they should look elsewhere for an easier target.

Having decided to mount an attack, the hacker now needs to identify the best way to do so. They use technical tools to gather more intelligence on the target network and systems, for example, vulnerability scanners. They also assess employees.

The IT security team must:

1. Have approved policies and procedures around information security, not just in IT terms, but in general business aspects as well. For example, the use of flash drives and Cloud storage like DropBox must be stopped.
2. Put a programme of continuing staff education about malware from induction onwards.
3. Actively monitor the network to look for probes and other information gathering exploits; and
4. Make sure all security systems are up to date with the latest software and anti-malware signature information.

This involves taking control of network devices to either draw information or act as a platform for other attacks elsewhere in the network.

They may use phishing exploits to see if they can plant malware in the target network to provide a back door. There are cases where they have phoned a user of the target network, and by posing as someone from IT support, have been able to gain remote access to the network.

A final threat is ex-employees. There is often a time lag between someone resigning or being fired and having their IT privileges removed. The ex-employee can sell their credentials to a hacker or steal information themselves. If the ex-employee has remote access credentials, perfect for the hacker.

This is where vigilance by the IT Security team is essential. They must monitor unusual activity on the network and take appropriate remedial or preventative measures.

This phase is where the bulk of the damage is done. The hacker must remain connected to the target network for long enough to steal what they want to steal or cause sufficient damage. Obviously, they need to stay under the radar while doing this.

The IT Security team again needs to be vigilant for any unusual activity on the network, for example, sensitive data uploading to Cloud hosting services like DropBox.

The final stage in the process is completing the task. It may be that the hacker doesn’t want the target to know they have been hacked, for example, if they have stolen credit card information. They need enough time to steal money before the card owners cancel their cards.

They need to revert any system changes they have made back to the prior settings and close any loopholes they opened.

Obviously, sometimes there is no need to cover their tracks. They are quite happy to leave rubble and mayhem in their wake.

At this point, there is little IT Security can do, other than work out how the exploit was carried out and take actions to prevent a recurrence. If the exploit is business-threatening or has external implications, then further action may be needed by senior staff in the business and their communications teams.

In summary, Information Security is more than just IT. The FBI believe that most problems start between the keyboard and the chairback. In addition to the IT anti-malware and anti-hacking software and eternal vigilance by IT Security, the company needs to take a close look at employee training and education, and their policies and procedures. These current working from home and increased remote access environment bring new and different security issues and malware vectors, so these must be included in any review.