Hacker Attack Process for Laymen

Hacking is a buzzword in today's world, one that seems akin to magic for anyone not immersed in the cybersecurity or software development world. This article will cover a high level overview of how hackers steal confidential data, without getting eye-glazingly technical.

Yahoo, Target, eBay, Home Depot, Equifax, Marriott, Facebook, Quora, and Exactis all have one thing in common; proprietary private customer data was stolen and released. For each of these big name corporations, hundreds and thousands more companies have had confidential data stolen by malicious actors (commonly referred to as hackers). Sometimes the breached data has been leaked, sold, or given away, other times it has disappeared into the hands of private or national parties.

2018 saw 1,244 major breaches, exposing 446.52 million records. This is a 250% increase in individual records stolen from 2017. Chances are good that your data has been stolen sometime in the past year.

It has become a cybersecurity industry maxim “it's not if your data will be stolen, but when“. We hear the results of the big name corporations being hacked. Sometimes we even hear how it happens, usually because an update wasn't installed or they were using old hardware, or someone made a mistake.

What still remains a mystery to most of the population is how a malicious actor goes about gaining access and then stealing our private data that corporations should be protecting. This article aims to expose the methods of the hackers who cause these breaches on a daily basis.

The malicious actor attack process happens in four stages: Intelligence Gathering, Exploitation, Command and Control, and Data Exfiltration.

Malicious Actor Attack Process

Intelligence Gathering

There are many different attack vectors that allow a malicious actor to break into any given network, from phishing attacks, to brute forcing passwords, to exploiting out of date software and many more. Most organizations have one or more attack vectors that are not properly hardened, often with many different access points. This means that a malicious actor only needs to find the easiest method of attack, making the Intelligence Gathering phase crucial to any hack.

Organization Reconnaissance

It starts with Organization Reconnaissance, searching for publicly available information on the target. Information Gathering is necessary to accumulate as much information about the target as possible, without interacting with the target in any way. As soon as later stages of the attack process are started like scanning and exploitation, it can tip off the target that someone is trying to break in. In the information age, the more information a malicious actor can gather about the company prior to engagement, the easier it is to quickly identify attack vectors. This can include but is not limited to: information about employees, their role at the company, company partners and vendors, facility and hardware resources, and other information to provide context on the organizations operations and workflow.

Active and Passive Scanning of Information Systems

Next comes the Active and Passive Scanning of Information Systems. The goal here is to map out what the target's network infrastructure looks like. Imagine you are trying to break into a building, but it's completely dark out and you can't see anything at all. You have a sophisticated echolocation devices that will send sound waves towards the building and then bounce back to your device, allowing you to see on your device the section of the building you are facing. You start to walk around the building, pinging it every couple feet to add to your model of the building, taking note of doors, windows, locks, pin pads, and security cameras. Once you've built as complete a model as you can, then you go home and start looking for the best way to break in. This is essentially what a malicious actor will do, but using a computer to ping the target network to map it out and then identify the best way to break in.

The malicious actor uses tools, scripts, and manual inspection of any public facing websites or services to start to probe the edges of the target's network infrastructure. The goal is to identify the software and tools that comprise the target's network infrastructure. Information like what kind of firewalls are they running, what kind of operating systems are they using, what kind of database does the company use, what specific software do they use, what ports are open to communication with their servers, what edition software do they use for each of these, what kind of internet accessible hardware (printers, devices, computers) are being used etc.. Then they catalogue their findings, and start looking for access points in the system.


Once the malicious actor has identified potential vulnerabilities and scoped out the perimeter of the target network infrastructure, the next step is to identify their preferred attack method or methods. Bringing back the building metaphor: it has already been scoped out from the outside, and the next step is to actually enter the building. You pick a couple promising entrances, ones without security cameras or alarms. Then you have to try them, otherwise you'll never get into the building. You try a window, but it turns out there are bars on the other side and there's no way you'll get in the window. So you go to your second choice, a door on the other side of the building that looks like a work or service entrance. It turns out it's locked, which would keep most normal people from entering, but you've come prepared, you have lock-picks. At first the lock is stuck, so you change out your lock-picks with a different set, and then all of a sudden, the door opens. You've gained access to the building, and you can step inside. This is a rough metaphor for the Exploitation phase.

Attack methods can be as simple as a bruteforce attack, targeting employee emails and checking each against each password in one of many different common password lists. Often though, the malicious actor will look at currently existing vulnerabilities for each of the potential attack methods on one of many different databases online. If they are practiced enough, they'll be able to identify the vulnerability and how to exploit it on their own. Many organizations have similar vulnerabilities that get easy to recognize once a malicious actor has seen them several times. The malicious actor will evaluate the difficulty of the exploit and the potential impact or reward it would take. Because there are usually several potential points of attack, the ideal exploit is both easy to execute and high impact. Once the preferred attack method has been identified, then the malicious actor will go about the exploitation process.

As an aside, the Exploitation phase is where social engineering becomes a possibility. It is often one of the easiest ways to gain credentials to log into the target's system. Because humans are fallible, error prone, and willing to trust, it is often an easily exploitable attack method. Typically social engineering attacks use a technique called phishing. Phishing is it's own art form, the malicious actor will pretend to be someone they are not via email (or phone call), and try to convince someone to grant them access that they should not have by having the target click on a link and login to a cloned portal of whatever system they are trying to gain access to (Office 365 account or other proprietary workflow system).

Initial Attack

The initial attack is often one of the easier parts, most exploits have been written already, and all the malicious actor needs to do is launch the script associated with the vulnerability they are trying to exploit. Alternatively, if the target vulnerability does not have an already existing exploit, the malicious actor can write their own script. This can also work if the malicious actor has a theory about how to exploit one of the parts of the target's network infrastructure but there isn't a publicly available script to take advantage of the vulnerability. This takes a lot longer, and will often fail if it is written poorly or there are mistakes.

Establish Foothold

After the initial exploitation script has been launched, the malicious actor has to make sure they will be able to stay inside the system.  Once the malicious actor has access to the target network infrastructure, the next step is to make sure that the malicious actor will not lose access through this method to the network. Typically they will bind communication to a port, and if that service shuts down or restarts, the malicious actor will lose that foothold. This means that they will need to establish a more permanent form of communication with the target host or server.

Enable Environment Access Persistence

Establishing a more permanent method of access is the critical next step, allowing the malicious actor to continue to interact with the target host or server. The goal is to get some kind of command and control payload onto the server that allows the malicious actor to get back in, even if the server or host is restarted. This can be done through a variety of methods, but installing a RAT (Remote Access Trojan) is one of the more common. Essentially a backdoor into the system, this ensures that they will not be locked out of the system unless they are noticed.

Command and Control

Once the malicious actor is in the system, there is still a lot of work to do, and it needs to be done without tipping off the security team or any intrusion detection system. To return to the building metaphor from earlier; you've scoped out the building, you've broken into one of the entrances, and you've made sure that you can re-use that entrance, now you need to start scoping out the inside of the building for the information you are trying to steal, but you need to do it without getting caught. It's very similar to the initial scanning of the building you did from the outside, but now you are inside, where people are walking around. Then when you have figured out their security and where they keep the target data, you need to steal or duplicate the necessary key cards and pin numbers in order to gain access to the rooms where that data is stored.

Enterprise Reconnaissance

The first step is Enterprise Reconnaissance; the malicious actor will start scoping out the internals of the network infrastructure, and the organization's workflows. Similar in goal to the initial scan of the network infrastructure, if not execution, the goal is to gain as much information as possible about the organization from the inside. The target information is different, the malicious actor is looking for what they are eventually going to steal. Information like where is data stored, who has access to that data, and what kind of data is it, are all critical questions that need to be answered before anything else can be done.

Move Laterally Through Organization Information Systems

Once the initial scoping out of the internal network and workflow, the malicious actor will begin to spread out inside the organization's information systems, gaining more access. They will start poking and prodding, trying already obtained login credentials on different software in the system. They can use the access they currently have to undertake more sophisticated social engineering in order to gain more or different access. The goal here is to get fingers in as many of the organization's different pies as possible.

Escalate Privilege Levels Across Information Systems

The next step is to escalate privilege levels as high as possible, preferably to administrator account privileges. The goal is to gain the necessary access and privilege to complete the hack. Whether through stealing more privileged user account credentials, creating new ones with necessary privileges, or many other techniques, this is the necessary first step after gaining access to the network and identifying where the target data lies.

Exfiltrate Sensitive Data

This is where malicious actor actually steals the target data. To return to the building metaphor, this is the actual theft and escape. All the work up until now has been to make this moment possible. If it was one document or a small handful of documents, you could carry it out without a problem, but because more information is better, the goal is to take as much potentially relevant data as possible. This means creating or finding an efficient method to carry off as much of it as possible.

Map and Inventory Sensitive Data Across the Environment

Having identified where the data is kept, in what format, and how to access it, the next step is to make sure that the sensitive data is actually what the malicious actor is trying to steal. This means checking to make sure that user names, passwords, email addresses, sensitive documents, general user information, etc. is in fact the correct target data.

Exfiltrate Sensitive Data

For amounts of data that are too large to screenshot or copy/paste out of the environment, the data needs to be exfiltrated in a more efficient way. This means copying the database, downloading documents or other sensitive information, and then sending it via one of many different methods to the malicious actor's computer, server or other host that they have control over.

Use Data for Profit

Once the data is in the hands of the malicious actor, then they get to choose what they want to do with it. This usually depends on why they undertook the project in the first place.

Maintain Dormant Access, Keep Collecting Data and Access

In 2018, it took 206 days on average to detect that a malicious actor was in an organizations system. This is an extremely long time, and over half of the detections were by someone outside the organization. Some malicious actors are able to lie dormant inside a system for years before being noticed. As long as they have not been identified, the malicious actor will maintain access because they will gain additional data as it is generated.

Importance of Penetration Testing

Penetration testing is a simulation of a malicious actor in order to identify vulnerabilities in an organization's system, without compromising data or the organization's internal resources. Companies that offer penetration testing are contracted to perform a rigorous test according to specifications, while using tools and techniques that real world malicious actors use. This is to discover where a system's weaknesses lie. Penetration tests demonstrate proof of concept, without altering data or company systems. The penetration test concludes with a fully detailed report on each vulnerability found, along with remediation recommendations. There are different types of penetration tests that reflect different levels of access, or different levels of realism in the malicious actor simulation, including Red Team, White Box, Black Box, and more.

If you feel like your business would benefit from one or more of these services, GoVanguard offers these and more. To learn more about the services we offer, head over to our website and check us out.

If you want to generate a quote for how much any of these services would cost, head over to our marketplace for an automated quote. If you have any questions or want to learn more, reach out to us at hello@gvit.com