Every once in a while the TV news reports on computer intrusions at American companies or large-scale cyber-attacks, but no one explains how they could have happened. So today, without claiming to cover the subject in detail, we will look at how a cyber-attack unfolds.
“Know the enemy as you know yourself. If you do this, even in the midst of a hundred battles you will never be in danger,” says Sun Tzu’s Art of War, and this is precisely the purpose of this article. In order to defend against a cyber-attack, it is necessary to know the attacker's strategy, phase by phase.
Therefore, here are the 5 phases that characterize every cyber-attack carried out on companies by cyber criminals around the world.
Step 1 – Reconnaissance and information gathering
The first phase is the most important and involves collecting as much information as possible about the target. The methods include both the use of computers and Social Engineering and Dumpster Diving techniques.
Using a computer, the criminal tries to detect open ports, map the network, and identify accessible PCs, router locations, application details, etc.
Social engineering uses a variety of techniques to obtain sensitive information from people (internal telephone numbers, names of managers, internal procedures and protocols). Dumpster Diving (literally, diving into the dumpster) aims to recover from the company's waste documents and information deemed unimportant by the company but which contain details useful for the attack, such as the name of the cleaning company, an invoice for a hosting service, etc.
Step 2 – Scanning
Scanning is the first operational phase. With the information gathered, the attacker now moves on to identifying vulnerabilities. I am not just talking about the vulnerabilities of IT systems but also about the vulnerabilities of company procedures.
From an IT point of view, port scanners, exploit databases and other automated tools are used to detect vulnerabilities.
With regard to company procedures, through surveillance, phone calls or direct contact with employees, weak points can be identified that can be used for the attack, such as a gap in the cleaning staff's shift, an unmonitored entrance during the coffee break, etc.
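The scanning phase is noisy, and that is the defender's opportunity: a port scanner touches many destination ports on one host in a short time, which ordinary traffic does not. The script below is an added example, not code from the original article. It parses a constructed firewall log format (timestamp, action, source, destination, destination port; the sample lines and the addresses are made up for this example) and flags any source that touches more than a threshold of distinct ports on one host inside a sliding time window.

```python
"""Detecting the scanning phase from firewall logs.

Added example (not from the original article): a simple port-scan detector
that flags any source address touching more than a threshold of distinct
destination ports on one host within a short time window. The log format,
the addresses and the sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: timestamp, action, src IP, dst IP, dst port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 203.0.113.5 sweeps ports on 192.0.2.10 within seconds,
# while 198.51.100.7 is ordinary traffic to two services.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 dport=21
2024-05-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 dport=22
2024-05-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 dport=23
2024-05-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 dport=25
2024-05-01T10:00:03 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=80
2024-05-01T10:00:03 DROP src=203.0.113.5 dst=192.0.2.10 dport=110
2024-05-01T10:00:04 DROP src=203.0.113.5 dst=192.0.2.10 dport=143
2024-05-01T10:00:04 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=443
2024-05-01T10:00:05 DROP src=203.0.113.5 dst=192.0.2.10 dport=445
2024-05-01T10:00:05 DROP src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-05-01T10:00:06 DROP src=203.0.113.5 dst=192.0.2.10 dport=8080
2024-05-01T10:00:07 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-01T10:05:00 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80
2024-05-01T11:00:00 DROP src=203.0.113.5 dst=192.0.2.10 dport=5900
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(log_text, window_seconds=60, port_threshold=10):
    """Return {(src, dst): distinct_port_count} for every source/destination
    pair that touches at least port_threshold distinct destination ports
    inside some window of window_seconds."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # ignore malformed lines rather than crash on them
        events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for pair, hits in events.items():
        hits.sort()  # chronological order, so a sliding window works
        start = 0
        best = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans <= window_seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= port_threshold:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} touched {n} ports in 60s")
```

Counting distinct ports rather than raw connection attempts is what separates a scan from a busy but legitimate client, and the sliding window keeps a slow trickle of unrelated connections over hours from accumulating into a false alert. The late 11:00 entry in the sample falls outside the window and does not count.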
Step 3 – Gaining access
This is the most important phase! It is carried out by exploiting the information retrieved in the previous phases. An out-of-date PC that is connected to the internet can be vulnerable and attackable with an exploit, but so is an employee who leaves the password on a post-it in the first drawer of the desk.
Access can therefore be gained remotely but also on site. Obviously, the second mode is much riskier for the attacker, so access from an external network is preferable, since it allows hiding behind various firewalls and proxies.
Step 4 – Maintaining access
Once access is obtained, it is necessary to make subsequent access easier by leaving a “back door” open. The access procedure of phase 3 could be complicated or not reusable several times; therefore software called a backdoor must be installed, which guarantees a hidden reserve entry point to be used later.
On Windows and Linux systems the methods for opening a backdoor differ, but basically it is a matter of installing software that remains resident and is started automatically each time the system boots. These programs open unconventional external communication channels that can only be used by those who know how they work and the access parameters.
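Because a backdoor has to survive a reboot, it almost always shows up in one of the autostart locations (systemd units, cron entries, Windows Run keys and the like). A defender can catch that by keeping a baseline of those locations and comparing it regularly. The script below is an added example, not code from the original article: the two snapshots are constructed for the example (in practice `snapshot()` would be fed the real contents of the autostart locations), and the temp-directory heuristic in `flag_unusual_locations` is one assumption about what "unconventional" looks like, not a complete rule.

```python
"""Detecting the access-maintenance phase: autostart baseline comparison.

Added example (not from the original article). Fingerprints every autostart
entry, diffs a known-good baseline against a later snapshot, and flags
entries whose command runs from a temporary directory. All entries below
are constructed for this example.
"""
import hashlib
import re


def fingerprint(content: str) -> str:
    """SHA-256 of an entry's content, so edits are detected, not just new names."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def snapshot(entries: dict) -> dict:
    """Map each autostart entry (path or registry value name) to a fingerprint."""
    return {name: fingerprint(content) for name, content in entries.items()}


def diff_autostart(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; return added, removed and modified entry names."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            n for n in set(baseline) & set(current) if baseline[n] != current[n]
        ),
    }


# Assumption for this example: autostart commands launched from temp or
# per-user cache directories are unusual enough to deserve a look.
UNUSUAL_PATH_RE = re.compile(r"(^|[\s=])(/tmp/|/var/tmp/|/dev/shm/|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\)")


def flag_unusual_locations(entries: dict) -> list:
    """Return names of entries whose content references an unusual launch path."""
    return sorted(name for name, content in entries.items() if UNUSUAL_PATH_RE.search(content))


# Constructed baseline taken when the machine was known-good.
BASELINE_ENTRIES = {
    "/etc/systemd/system/backup.service": "[Service]\nExecStart=/usr/local/bin/backup\n",
    "/etc/cron.d/logrotate": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater": "C:\\Program Files\\Vendor\\updater.exe",
}

# Constructed later snapshot: a new unit appeared and the cron file gained a line.
CURRENT_ENTRIES = {
    "/etc/systemd/system/backup.service": "[Service]\nExecStart=/usr/local/bin/backup\n",
    "/etc/cron.d/logrotate": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n@reboot root /tmp/.x/agent\n",
    "/etc/systemd/system/sysupdate.service": "[Service]\nExecStart=/var/tmp/.cache/sysupd\n",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater": "C:\\Program Files\\Vendor\\updater.exe",
}


def audit(baseline_entries: dict, current_entries: dict) -> dict:
    """Run the diff and the location heuristic; return one report dict."""
    report = diff_autostart(snapshot(baseline_entries), snapshot(current_entries))
    report["unusual_location"] = flag_unusual_locations(current_entries)
    return report


if __name__ == "__main__":
    for kind, names in audit(BASELINE_ENTRIES, CURRENT_ENTRIES).items():
        for name in names:
            print(f"{kind}: {name}")
```

The baseline should be stored somewhere the monitored host cannot rewrite (a central log server or a read-only share), otherwise the same access that plants the backdoor can also update the baseline to hide it.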
Step 5 – Elimination of traces
To avoid being discovered it is necessary to eliminate all evidence of one's passage and of the activities carried out within each attacked computer. Each operating system maintains one or more logs of the operations performed within it, and it is therefore easy for a system administrator to detect unwanted access.
Many logs contain cross-referenced data, so deleting the tracks is not the fastest technique. In these cases, it is preferable to modify the access records, to make it difficult or even impossible to trace the time and the type of attack. Alternatively, a very fast method is restoring a previous version of the access logs.
If access is via an external network it is not possible to delete all the traces; therefore the use of multiple proxies in cascade is an excellent technique for making tracing impossible. Some cyber-criminal organizations use proxies in countries with which there are no international agreements for the exchange of information, thus making the attack impossible to trace.
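The cross-referenced data the article mentions cuts both ways: an attacker who edits one log, or restores an older copy of it, leaves it inconsistent with the other logs and with itself. The script below is an added example, not code from the original article. On two constructed sample logs (an authentication log and an independent session log, both in a simplified format made up for the example) it checks that timestamps never go backwards, which is what a restored or spliced file looks like, and that every session record has a matching login record, which a deleted login line would break.

```python
"""Detecting the trace-elimination phase: log consistency cross-checks.

Added example (not from the original article). Two checks on constructed
sample logs: (1) timestamps within one log must not go backwards, and
(2) every session in an independent session log must have a matching
entry in the authentication log. Formats and entries are constructed.
"""
from datetime import datetime
import re

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
SESSION_RE = re.compile(
    r"^(?P<ts>\S+) session opened user=(?P<user>\S+) from=(?P<ip>[\d.]+)"
)

# Constructed auth log after tampering: the 09:12 login was deleted and an
# older copy of the file was spliced back in, so the last timestamp jumps back.
AUTH_LOG = """\
2024-05-01T08:00:10 sshd[1201]: Accepted password for alice from 192.0.2.21 port 50110 ssh2
2024-05-01T08:30:42 sshd[1340]: Accepted publickey for bob from 192.0.2.22 port 50342 ssh2
2024-05-01T07:55:00 sshd[1180]: Accepted password for alice from 192.0.2.21 port 49988 ssh2
"""

# Constructed session log, kept separately (e.g. forwarded to a log server),
# so the attacker's edit of the auth log did not reach it.
SESSION_LOG = """\
2024-05-01T07:55:00 session opened user=alice from=192.0.2.21
2024-05-01T08:00:10 session opened user=alice from=192.0.2.21
2024-05-01T08:30:42 session opened user=bob from=192.0.2.22
2024-05-01T09:12:05 session opened user=svc-backup from=203.0.113.5
"""


def parse_events(log_text, pattern):
    """Return [(timestamp, user, ip), ...] for lines matching pattern, in file order."""
    events = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def find_time_regressions(events):
    """Return indices where a timestamp is earlier than the previous one."""
    return [i for i in range(1, len(events)) if events[i][0] < events[i - 1][0]]


def cross_check(auth_events, session_events):
    """Return records present in one log but absent from the other."""
    auth_keys, session_keys = set(auth_events), set(session_events)
    return {
        "sessions_without_auth": sorted(session_keys - auth_keys),
        "auth_without_session": sorted(auth_keys - session_keys),
    }


if __name__ == "__main__":
    auth = parse_events(AUTH_LOG, AUTH_RE)
    sessions = parse_events(SESSION_LOG, SESSION_RE)
    for i in find_time_regressions(auth):
        print(f"auth log: line {i + 1} is earlier than line {i}: possible restore/splice")
    for ts, user, ip in cross_check(auth, sessions)["sessions_without_auth"]:
        print(f"session for {user} from {ip} at {ts} has no auth record: possible deletion")
```

Both checks only work if at least one copy of the logs is out of the attacker's reach, which is the practical reason for forwarding logs to a separate, write-once collector as they are produced.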
Now that you know how a cyber-attack occurs and the phases that characterize it, you also know which weak points of your organization to keep under control. If you have a company and think you need to revise your information security policy, I advise you to contact specialized companies that can guide you through this phase.