In this, our second post outlining the learnings from the AISA Cyber Conference, we dive into the prevention of cyber attacks and into how attackers think and behave while trying to infiltrate your systems to relieve them of data! It is worth pointing out that there are many different terms for a hacker: they are also referred to as attackers, malicious actors, threat actors, or TA for short.

How an attack works

Users trust companies to store their data, and the onus is on you to keep it safe. But, how do you keep it safe? 

When designing your network and systems, focus on what the network looks like to a hacker. Each hacker will generally follow the same process when attempting to reach their target.

[Diagram of the attack process: not captured in this copy of the page]

Depending on their goals, they will omit certain steps if they are not needed.

Once the hacker has obtained access to a system, they will quickly try to either obtain elevated privileges to the network or explore the network and try to find their way through the network to a server which contains data that they want. Common targets are databases and file servers. Then, once they have found the data they want to compromise, they will work out the best way to enact their attack.

The most common attacks are for attackers to try to exfiltrate data from your system, or to encrypt it and try to extort money for the key to decrypt it. Others include potential foreign actors trying to obtain intellectual property or R&D, or to cause service disruption by denial of service or to take down critical infrastructure.

Gaining Access

When trying to get initial access to your system, a hacker will look for a way in. Common ways they do this are through

  • Phishing, such as sending email attachments loaded with malware,
  • API hooks, where hackers will make use of any public facing APIs to gain access or insert malicious data
  • Job portals, taking advantage of the job application process to send malicious documents in place of CVs 
  • Domain typo squatting, using domain names similar to common sites, or your site to try and get users to give up their credentials. 

APIs

APIs are another access point to your system. They can be attacked through insufficient authentication and authorisation controls and through vulnerabilities exposed by the system design. Stories include APIs intended for internal use, with insufficient authentication and authorisation, being accidentally exposed publicly. APIs are often designed using IDs as the key identifiers for data access, and endpoints are named using predictable patterns that describe what they do or act on. Hackers exploit this to explore the data that can be found at an endpoint, or to try to update it. Equally, knowing this, you can look for these same patterns in your logs to identify malicious behaviour.
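One way to turn that last point into a detection, as an added example that is not from the original post: the script below walks constructed access-log lines (not real traffic) and flags a client that steps through many numeric IDs on one `/api/<resource>/<id>` endpoint, counting the 403s along the way. The log format and endpoint naming are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic). 10.0.0.5 walks
# /api/customers/<id> in sequence; the other clients behave normally.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2023:10:01:01 +1000] "GET /api/customers/1041 HTTP/1.1" 200 512
10.0.0.5 - - [12/Oct/2023:10:01:02 +1000] "GET /api/customers/1042 HTTP/1.1" 200 498
10.0.0.5 - - [12/Oct/2023:10:01:02 +1000] "GET /api/customers/1043 HTTP/1.1" 403 41
10.0.0.5 - - [12/Oct/2023:10:01:03 +1000] "GET /api/customers/1044 HTTP/1.1" 200 505
10.0.0.5 - - [12/Oct/2023:10:01:03 +1000] "GET /api/customers/1045 HTTP/1.1" 403 41
10.0.0.5 - - [12/Oct/2023:10:01:04 +1000] "GET /api/customers/1046 HTTP/1.1" 200 510
10.0.0.9 - - [12/Oct/2023:10:01:05 +1000] "GET /api/customers/1046 HTTP/1.1" 200 510
10.0.0.9 - - [12/Oct/2023:10:02:10 +1000] "GET /api/customers/1046/orders HTTP/1.1" 200 2048
10.0.0.7 - - [12/Oct/2023:10:03:00 +1000] "GET /api/invoices/77 HTTP/1.1" 200 900
"""

# Common log format: client IP, request line, status. Assumed layout.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Endpoint pattern the post describes: a resource name followed by a numeric ID.
ID_RE = re.compile(r'^(?P<prefix>/api/[a-z]+)/(?P<id>\d+)(?:/|$)')

def find_id_enumeration(log_text, min_ids=5, min_forbidden=2):
    """Return {(ip, endpoint): summary} for clients that touch at least
    min_ids distinct IDs on one endpoint AND either walk them almost
    sequentially or collect min_forbidden or more 403s while doing so."""
    seen = defaultdict(lambda: {"ids": set(), "forbidden": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash
        idm = ID_RE.match(m["path"].split("?", 1)[0])
        if not idm:
            continue  # not an ID-keyed endpoint
        entry = seen[(m["ip"], idm["prefix"])]
        entry["ids"].add(int(idm["id"]))
        if m["status"] == "403":
            entry["forbidden"] += 1
    alerts = {}
    for key, s in seen.items():
        ids = sorted(s["ids"])
        if len(ids) < min_ids:
            continue
        # Share of consecutive steps that are exactly +1: a person browsing
        # records rarely produces a near-perfect sequence, a crawler does.
        steps = [b - a for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for d in steps if d == 1) / len(steps)
        if ratio >= 0.8 or s["forbidden"] >= min_forbidden:
            alerts[key] = {"distinct_ids": len(ids), "forbidden": s["forbidden"],
                           "sequential_ratio": round(ratio, 2)}
    return alerts
```

The 403s matter: they show the authorisation control held for some records, but the probing itself is the signal to act on.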

Phishing

Phishing, and using your staff more generally, is the most common way malicious actors get into your system: 95% of attacks use phishing. So, we will dedicate this section to it.

Emailing attachments infected with malware that executes when the attachment is opened is common. Often the malicious actor will try to convince the user to open the attachment by disguising it as an invoice, with email content and a filename to match. Other routes include your job portal, where candidate resumes can be sent through as Word documents containing malicious macros and content designed to infiltrate your system.

So, how can you combat this?

There are many different controls which can be used to make a hacker's attempts to access your system more difficult.

Educating your staff on phishing and what to look out for is the best investment you can make. Not only will it help you keep your company data safe, it will help your employees personally as well. Things to educate them on include not clicking links in emails, and always checking who an email comes from by looking at the sender's actual email address.

Some of the common controls which can be implemented are below. 

  • Disabling Macros in Office documents is a good control to prevent any malicious code from being embedded in documents.
  • Limiting the types of attachments (eg, PDF) is another good control. Be careful to ensure that you know the types of attachments you need to accept, or else your staff won’t be able to receive them which will prevent them from doing their job properly.
  • Implementing email threat scanning for malicious attachments and links, which many tools on the market can do.

It is important to note that threat actors are often a step ahead and will use extravagant methods to obfuscate malicious content. This can be somewhat mitigated by keeping any tools you use, and their configurations, patched and current so that the most up-to-date defences are deployed.

How hackers operate and the lengths they go to

Depending on their resources and determination, hackers will go to extreme lengths.

Believe it or not, there are hackers out there who have created "phishing-as-a-service" type products, complete with realistic emails and landing pages to capture users' authentication data. They then carry out a "man-in-the-middle" type attack: they host a page which sits between the user and the real login page of the service (eg, AWS, Microsoft 365, Google) and, once the user has completed authentication, including any MFA requirements, they hijack the session, which gives them access to the system.

Hackers are always out there looking for opportunities, as demonstrated by the story of a cloud provider offering a honey trap bounty, where prizes were offered to the first people to find certain files / or data which had been hidden within their environment. It took hackers 3 minutes from the time of the announcement to claim all of the prizes!

Encrypting data can help make it difficult for malicious actors to see and exfiltrate data from your system. However, thought should be given to whether the control is actually effective as implemented. One hacker found a database where the personal data had been encrypted, but the keys used to encrypt it were stored in the same database; once discovered, they allowed the threat actor to decrypt the data after it had been exfiltrated.

Then, they will try to exfiltrate the data from the system, or implement their attack. Monitoring the points where data exits your system will help to track this and catch any malicious actions.

Ensuring that you have backups of systems and data is also important. Then, should a hacker gain access, and encrypt or compromise your data, you can restore to a backup and limit the damage caused. However, like anything, some thought is required for the control. Don't be like the victim whose backup was stored on the same server as the main system, and was also encrypted as part of the hack, preventing it from being able to be used.

Conclusion

So, the main lesson to learn is that protecting your system against attack is a multi-step, multi-level activity. By implementing many levels and steps of defensive controls, and monitoring each of them, you give yourself multiple opportunities to detect malicious actors in your system, and therefore the best chance of spotting their presence and reducing the harm caused.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.