The Organized Hacker
Wayne Shaw (ウェイン・イグナティウス・ショー)
Marine veteran. Founder and Managing Director at CORE, Cybersecurity Expert, Pen-Tester, Ethical Hacker, Security Auditing, and Digital Forensics
Recognizing and Understanding the Signs
Gone are the days when the word "hacker" conjured an image of a mischievous, unruly, and dysfunctional teenager operating out of his parents' basement on a computer assembled from junk-lot parts. Those days are long gone; in their place, a new era has risen: the time of the dark hacker.
It is a bit of a surprise to see the vast misconceptions about how hackers attack a company. Many still believe that hackers attack at random; this is far from the truth. They don't just wake up, have a cup of coffee, and decide to attack a particular company. If your company is targeted, it means you have something the hacker wants. A well-managed Data Classification process usually helps you work out what the hacker is after and gives you the means to implement the appropriate protection and countermeasures to secure those assets.
Yes, hackers usually target a company's databases, as they contain information about its customers and internal projects. However, in the age of state-sponsored cyber attacks, hackers target not only databases but also company proprietary information and corporate secrets.
The decision to attack a company requires careful planning, coordination, and stealth. We are not talking about opportunist hackers such as script kiddies or the revenge types. We are talking about the "Organized Hacker." The truth is that professional hackers are organized, focused, and determined. The unprecedented success of these attacks is a testament to how organized, coordinated, and focused they are.
Secondly, hackers have various "tools of the trade" in their arsenal that are not readily available to the average company security personnel. Many of these tools are sold on the "Dark Web," or the hacker developed them specifically based on their needs. These homemade tools pose a significant threat as they are not known and are harder to defend against.
Like a well-organized military unit in a war, the hacker has a strategy and a plan. To execute the attack, the hacker must first gather intelligence on the target. Much advance work goes into the attack on a potential target, ensuring the attacker accomplishes their goals without being detected.
Each successful attack follows six of the seven basic steps of a penetration test. The first step in launching an attack is:
Note: I did not include step number seven, "Reporting," as we are talking about the average hacker and not the Mercenary Hacker, who is hired by someone and may have to provide a report to their client.
Intelligence/Information Gathering
You need to know the strengths and weaknesses of your target. The hacker can do this from a physical or a logical point of view, or both. For the sake of this article, we will focus on the analytical approach.
In this phase, the hacker will research the company and find out as much information as possible. The accuracy and effectiveness of the intelligence gathered will determine how the attack on the target will be executed and the mission's outcome (in this case, the attack on the target company).
Again, this can be done by targeting employees through methods such as social engineering, social networking, and impersonation. Additionally, social media such as LinkedIn and Facebook provide a trove of information for hackers to exploit.
Companies with an effective "Awareness Training Program" can educate staff about the risks of providing too much information on social media. In addition, organizations should consider giving special attention to C-level executives as they are the subject of targeted phishing campaigns by hackers.
Reconnaissance/Probe
This phase happens from both a logical perspective (port scanning, phishing, ping, packet sniffing, and internet queries) and a physical one (social engineering and dumpster diving). The hacker uses this phase to survey the target, collecting additional information not identified in the information-gathering stage, e.g., what types of systems and applications are installed and how vulnerable they might be.
The survey enables hackers to identify the systems with the least protection and exploitable vulnerabilities in the target environment. In addition, this stage provides the attacker with crucial information that can potentially aid in gaining access to internal protected systems (e.g., internal networks not exposed to the Internet). The reconnaissance phase can be time-consuming.
It is vital to know that anytime a hacker targets a company, one of the first steps is to conceal their identity and location. To do this, the hacker employs several techniques and tools, such as VPNs, proxy servers, and DNS services. This technique is called "anonymizing." It is a covert means of hiding the origin of the attacking IP address and the hacker's identity (e.g., the attack appears to be launched from China, but the hacker's actual location is in the US).
Anonymizing is not one hundred percent foolproof, but the more proxies used, the more difficult it becomes to locate and identify the hacker.
Scanning and Discovery/Identification
The hackers will probe or scan the target company's defenses to identify any exploitable weakness: ports, services, unpatched systems, network devices, and subdomains. However, with the proper countermeasures, a company can detect an ongoing probe of its infrastructure. The deployment of tools such as an Intrusion Prevention System (IPS), a network sniffer, real-time monitoring, or a Security Operations Center (SOC) equipped with specialized tools for network traffic analysis and advanced threat analysis can effectively detect and thwart such attacks.
These tools can detect things such as unusual network traffic, slowdowns, and unidentified traffic.
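The kind of probe detection this section (and tip 5 below) describes, as an added illustration that is not code from the article or from CORE: a small Python checker that runs over constructed connection-log lines and flags a source that scans many ports on one host or one port across many hosts. The log format, addresses and thresholds are assumptions.

```python
"""Added example, not from the original article: flag reconnaissance-style
probing in constructed connection-log lines. Per source address it checks for
a vertical scan (many ports on one host) and a horizontal sweep (one port on
many hosts). Thresholds are illustrative assumptions, not product defaults."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, format: "<ISO time> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = (
    # one source walking ports 20..31 on a single server (vertical scan)
    [f"2024-05-01T10:00:{i:02d} 203.0.113.7 -> 192.0.2.10:{20 + i} DENY"
     for i in range(12)]
    # second source trying port 445 on six different hosts (horizontal sweep)
    + [f"2024-05-01T10:05:{i:02d} 198.51.100.9 -> 192.0.2.{20 + i}:445 DENY"
       for i in range(6)]
    # ordinary client: repeated HTTPS to one host, must not be flagged
    + [f"2024-05-01T10:07:{i:02d} 192.0.2.50 -> 192.0.2.10:443 ALLOW"
       for i in range(4)]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_probes(lines, port_threshold=10, host_threshold=5):
    """Return one finding dict per (source, pattern) that crosses a threshold."""
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> ports
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> hosts
    first_seen, last_seen = {}, {}
    for line in lines:
        ts, src, dst, port, _action = parse_line(line)
        ports_per_host[src][dst].add(port)
        hosts_per_port[src][port].add(dst)
        first_seen[src] = min(first_seen.get(src, ts), ts)
        last_seen[src] = max(last_seen.get(src, ts), ts)
    findings = []
    for src in ports_per_host:
        # active span per source: a long span with few hits is the slow probe
        span = (last_seen[src] - first_seen[src]).total_seconds()
        for dst, ports in ports_per_host[src].items():
            if len(ports) >= port_threshold:
                findings.append({"src": src, "pattern": "vertical_scan",
                                 "target": dst, "count": len(ports),
                                 "span_seconds": span})
        for port, hosts in hosts_per_port[src].items():
            if len(hosts) >= host_threshold:
                findings.append({"src": src, "pattern": "horizontal_sweep",
                                 "target": port, "count": len(hosts),
                                 "span_seconds": span})
    return findings


if __name__ == "__main__":
    for finding in detect_probes(SAMPLE_LOG):
        print(finding)
```

The repeated HTTPS client is never reported, which is the point: the rule keys on breadth of ports or hosts per source, not on volume.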
Vulnerability Assessment/Test
This phase should not be confused with "Discovery and Scanning." Instead, this phase provides crucial information on weaknesses, technologies in use across the environment, access to the target infrastructure, and how the hacker can exploit them. The information gathered here also enables the hacker to select the proper tools and vector for the attack. In addition, it helps to determine the type of tools and how they will be deployed against the particular target.
Here, the hacker may find an ID to use for privilege escalation to gain further access into other systems and applications within the targeted company's environment.
Organizations can defend against this probe by ensuring they have an ID and system configuration management process in place, ensuring that IDs are reviewed, configured, monitored, and assigned ownership. In addition, this process must include strict management of privileged credentials. Finally, Human Resources, IT, Information Owners, and the company's internal security team must implement a managed "leavers" process that ensures the prompt disabling and deletion of the IDs of employees who have departed the organization.
Exploitation
The culmination of all the effort leads to this phase. In this phase, the hacker will put what he has learned about the target into action. He will launch the attack against all the vulnerabilities, weaknesses, systems, and ports with the tools he has selected for the attack. This phase also might expose the attacker to detection by the target.
Again, with proper countermeasures and defenses in place, a company can successfully detect and intercept an attack in real time. While most companies are not equipped to detect sophisticated attacks such as an Advanced Persistent Threat (APT), detection is possible: for instance, a sudden influx of phishing emails, unrecognized logins and access, data relocation, and unusual connections are some of the tell-tale signs that may alert you to an impending or ongoing attack on your company.
Analysis
Like the Whitehat hacker, the Blackhat hacker analyzes the attack results in a lessons-learned approach. Then, depending on the outcome, they might deploy it again in future attacks. In either instance, it will add to the hacker's knowledge base. If you track the evolution of cyber-attacks, you will see that the techniques, tools, and tactics have evolved to almost an art form over time.
Tips to Preventing Cyber-Attacks
The sophistication of cyber-attacks makes it almost impossible for companies to protect themselves. However, there are some simple and effective countermeasures that organizations can take to avoid becoming a victim.
1. Security Awareness
Implement a "Proactive and Targeted Awareness" training program to ensure all staff are trained on security based on their roles and responsibilities and on current security threats. The program should focus on C-level personnel, as they are the subjects of specially crafted Business Email Compromise (BEC) phishing attacks.
In addition, emphasis should be given to scrutinizing emails more thoroughly before opening them.
2. Secure Configurations
Ensure systems are configured based on the established internal security policies and industry best practices. Many attacks in which attackers gain access to a company's information are due to the lack of secure configuration. Therefore, establish a process for checking the configuration of (1) new systems before rollout into the production environment, and (2) all critical systems' secure configurations and access, on a periodic basis. Also, ensure all changes are reviewed and recorded through Change Control to track authorized changes.
3. Access Control
Establish an "Access Control" process to ensure access is assigned based on job roles and responsibilities. For example, limit the use of privileged credentials to "admin" personnel only. In addition, there should be no regular user with privileged access unless there is a justifiable business reason; in such an instance, strict controls should be implemented, e.g., monitoring such credentials.
Auditors frown on privileged access for regular users. Also, unmanaged and excessive access is a significant reason many companies cannot close audit points.
Companies should set limits and permissions on privileged credentials. Unfortunately, many still fall short of this essential aspect of access control. Also, consider implementing tools such as EPAS to further strengthen password security in your environment.
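The ID review described in the Vulnerability Assessment section (ownership, leavers' process, privileged credentials) and in this tip, worked through as an added example that is not code from the article or from CORE: a Python reconciliation of a constructed account export against a constructed HR roster that flags ownerless IDs, enabled leavers, and non-admin staff holding privileged groups. Group names, job roles and the "sysadmin" rule are assumptions.

```python
"""Added example, not from the original article: reconcile an account export
against the HR roster to surface the ID-management gaps the article names:
IDs without an owner, leavers whose IDs are still enabled, and regular (non-admin)
staff holding privileged groups. Roster, accounts and group names are constructed."""
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "DBA", "Backup Operators"}  # assumed names
REVIEW_DATE = date(2024, 5, 1)  # constructed "today" for the review run

# Constructed HR roster: employee id -> (job role, leave date or None if active)
HR_ROSTER = {
    "e101": ("sysadmin", None),
    "e102": ("accountant", None),
    "e103": ("developer", date(2024, 3, 31)),  # left the company
    "e104": ("sysadmin", date(2024, 4, 15)),   # left the company
}

# Constructed account export, one record per ID
ACCOUNTS = [
    {"id": "jdoe", "owner": "e101", "enabled": True, "groups": {"Domain Admins"}},
    {"id": "asmith", "owner": "e102", "enabled": True, "groups": {"DBA"}},
    {"id": "bwong", "owner": "e103", "enabled": True, "groups": set()},
    {"id": "mlee", "owner": "e104", "enabled": False, "groups": {"Domain Admins"}},
    {"id": "svc_backup", "owner": None, "enabled": True, "groups": {"Backup Operators"}},
    {"id": "svc_report", "owner": None, "enabled": True, "groups": set()},
    {"id": "tmp_ctr", "owner": "e999", "enabled": True, "groups": set()},
]


def review_accounts(accounts, roster, today):
    """Return a list of {"id", "issue", "detail"} findings for the reviewer."""
    findings = []
    for acct in accounts:
        def add(issue, detail):
            findings.append({"id": acct["id"], "issue": issue, "detail": detail})

        privileged = bool(acct["groups"] & PRIVILEGED_GROUPS)
        if acct["owner"] is None:
            # every ID needs an accountable owner; privileged ones most urgently
            add("no_owner", "privileged" if privileged else "standard")
            continue
        person = roster.get(acct["owner"])
        if person is None:
            add("owner_unknown", acct["owner"])  # owner id not on the HR roster
            continue
        role, left_on = person
        if left_on is not None and left_on <= today and acct["enabled"]:
            # leavers' process failed: the ID outlived the employee
            add("leaver_still_enabled", (today - left_on).days)
        if privileged and role != "sysadmin":
            # regular user holding privileged groups: needs a justified exception
            add("privileged_non_admin", role)
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(finding)
```

The disabled leaver (mlee) produces no finding, which shows the check is about IDs that are still usable, not about departed names as such.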
4. Monitoring
Have a robust monitoring process in place that is focused on your critical systems. The monitoring should be configured to send an immediate alert to the relevant security or admin teams. In addition, the monitoring should include clear guidance on incident action should one arise.
5. Suspicious Network Activities
As I mentioned earlier in the blog, hackers conduct a probe of your network before an attack. This probe indicates that something more ominous is about to occur in your network environment. Pay attention and investigate. Ignore it, and you may be at peril.
6. Incident Response
An effective Incident Response process is critical for an organization during a time of crisis. Not having a tested incident response process in place only contributes to the disaster rather than resolving it. It is not a good idea to try to figure out your IRP during the crisis itself.
Develop and implement a well-defined IRP that the relevant stakeholders understand. Resources should be assigned roles within the IRP group based on capability, experience, and strong "Project Management" ability. For example, you would not want to put a helpdesk intern at the helm of your IRP, for obvious reasons. These abilities will be crucial during a time of crisis.
Note: Companies should be more vigilant and proactive in protecting their businesses from cyber attacks. They need to make the investment and commit the necessary resources to thwart the threat of cyber attacks against their company. Cyber attacks will be more frequent, sophisticated, and destructive. Only the prepared will survive the storm.
Hacker Types and Motives
There are so many hacker groups and individuals out there that I cannot list them all here. Everyone gives a different explanation of what, for example, a Blackhat hacker, a Mercenary hacker, or a cybercriminal is. Therefore, at CORE, we've come up with the term "Dark Hacker" to describe these types of hackers in one category.
Although this is not an exhaustive list, I will attempt to focus on the main ones in this article.
1) Script Kiddies
It can be argued that hacking started with the Script Kiddies. The Script Kiddies are amateur hackers with no particular motive other than fame, attention, and reputation. The Script Kiddies are more of a nuisance than an actual threat. However, some Script Kiddies have risen to fame by accident over the years. One such person was the suspected creator of the infamous "I Love You" virus.
Motive and Goal: Disruption and chaos. A typical attack by these novices is a Denial of Service (DoS) attack, or its distributed form, DDoS. This attack is very generic and can be launched by anyone.
2) White Hat Hackers
A "Whitehat" hacker is a professional cybersecurity expert who uses their skills to test private companies and governmental organizations. They hack systems through weaknesses and loopholes within the cybersecurity of the client organization. Your pentester falls within this category. They gain access to the system with the authorization and approval of the company they are testing.
Motive and Goal: The goal of the Whitehat hacker is to help businesses identify and mitigate gaps in their cybersecurity posture. They work with an organization to strengthen and protect its business against potential cyber threats.
3) Black Hat Hackers
Like the Whitehat hacker, the Blackhat hacker is a security expert. However, the primary difference is that the Blackhat hacker uses their knowledge and skills for nefarious reasons. These hackers gain access to the system without authorization to cause damage to an organization's systems and network. They will also steal data and information.
Motive and Goal: This group can be confusing. They can act as a single individual for personal gain by stealing information and selling it on the dark or deep web, or they can work as a collective united by a common goal.
4) Red Hat Hackers
This group of hackers is interesting, as they are sometimes referred to as "Vigilante" hackers. These hackers are somewhat similar to White Hat hackers, but their modus operandi differs. They target the activities of Black Hat hackers with direct action, such as counter-striking with malware that decimates the Black Hat hacker's infrastructure and potentially exposes the hackers.
Motive and Goal: To prevent and disrupt the activities of Black Hat hackers.
5) State/Nation/Country Sponsored Hackers
Governments employ hackers for various reasons. Governmental hackers are utilized for numerous cyber activities for the state, such as cyber warfare, cyber espionage, and cyber counterintelligence. One of the primary directives of the governmental hacker force is to prepare for and defend the nation against cyber threats from adversaries. State-sponsored hackers can retaliate against either an adversary state or non-governmental hackers that might threaten the country's national security or critical infrastructure.
Motive and Goal: Depending on the nation, if the government is operating within the confines of the law, it can use its state-sponsored hackers for defense, retaliation, and protection. Other, non-compliant governments can use their hacker force to attack and harass rival countries or make political statements.
6) Mercenary Hackers
This group of hackers has been gaining recognition lately. These hackers are "hired guns." As the business of cybercrime, corporate espionage, and scams becomes more lucrative, the rise of this group has exploded exponentially. The "Mercenary" hacker is the group or individual paid to act on behalf of an anonymous client to commit some form of illegal cyber act. Hacking as a Business/Service (HaaB/HaaS) is growing and getting noticed by the press, governments, and businesses.
Groups such as BellTrox, DeathStalker (also known as "Deceptikons"), Bahamut, and CostaRicto are just a few that come to mind.
Motive and Goal: Mercenary hackers have no particular reason or goals. The rationale and intent are that of their paying client.
7) Dark Hackers
These hackers are not a group but a category. A Dark hacker is an individual or group who uses their profession or computer skills for nefarious purposes to attack companies, individuals, governments, and institutions for financial gain, political statements, revenge, blackmail, extortion, disruption of business and services, and destruction of property.
Let me know your thoughts. It will help to improve future articles.
Senior Corporate Sales Manager at Asian Tigers Japan
3 years
I have always been concerned about security on the Government level. I don't believe that they take enough precautions here in Japan. We trust them with so much information. They always demand certain information from us, promise that only they will have it for their records and before you know it anything that we do such as banking, registering at a school, buying a home, etc., that information that we gave to the government for their records is required to do any of this. There must be a way to protect personal information but the government of Japan doesn't seem to uphold their promises. As for companies, I can understand why hackers might want to hack into major corporations but have always been dumbfounded as to why they hit very small companies as well. This article is very informative and brings about many other questions.
Asia AI Transformation Leader @ Microsoft #AI #Data #Copilot #Business #Transformation
3 years
Very well written Wayne. So much information and intelligence in this article. Learned a few things as well. Japan needs a lot of work in this space. Trust alone can never be equated with security. Doing the right things as mentioned in your article would help. Hoping that corporates are able to implement the basic security hygiene which would help them improve their security posture in the first place.
Happy you mentioned EPAS (www.epas.de) – often people look far ahead into a future where maybe passwords have vanished, believe they are already there, and completely ignore credentials security. Sadly, when reality hits them it is too late. Far easier to prevent.
Managing Director at Sodali & Co., the world’s leading shareholder engagement, investor relations, corporate governance, sustainability and strategic communications advisory firm. Set up Japan office in 2021.
3 years
This is a very good read. It is an important article. I fear so many companies, especially here in Japan, are not taking the threat of hackers seriously enough. For example, an analysis of the average board of directors does not show a deep understanding of cybersecurity. This is a governance gap.
Partner at Japan Company Visit Partners
3 years
Excellent piece Wayne. I learned a few new things outside my field, but definitely within my purview since cybersecurity affects us all!