In 2019, hackers are experiencing what sea-pirates experienced in the 17th century: a golden age. And just like the British Navy used privateers to keep pirates at bay, modern businesses must use the tools and methods of hackers to prevent successful attacks.
For the past few years, the number of data breaches has steadily climbed. The average cost of a cyberattack has hit $1.7 million, and by 2021, annual cybercrime damages will reach $6 trillion – exactly when the world will have 3.5 million unfilled cybersecurity positions.
Vulnerability assessments and penetration tests are a proven line of defense against hackers as they can show where points of attack and unauthorized entry exist. But these methods are only successful with a professional touch: in order to beat hackers at their own game, an organization must be able to think like them. In this article, we’ll explain what that means.
Two Types of Attacks
The media continues to depict hackers as socially isolated trolls. But if this stereotype was ever accurate, it no longer reflects reality: hackers around the world come in many stripes, from lone professionals to organized crime groups and even governmental or military organizations.
For organizations, there are two major categories of motivation that define the attacks they can encounter.
Attacks for Effect
Some hackers aim to cause as much destruction as possible. This group may comprise amateurs who wish to gain the respect of other hackers or disgruntled current or former employees with a personal vendetta. But also included in this group may be hacktivist groups or politically motivated attackers whose intent is to send a message – either to the site owner or to the public. The product of their attack is to make the site a very visible billboard for their favorite cause.
But the biggest threat to organizations today comes from the second class of attacks.
Attacks for Gain
Criminals undertake hacking for reasons ranging from data theft to political terrorism to monetary gain. Far from being trolls, hackers in this class of attacks are organized, professional, well resourced, and persistent. They thrive on invisibility and may evade detection for a long time while doing their work – a persistent threat.
Since hackers in this class are the most dangerous to an organization, understanding their modus operandi is crucial to avoiding them.
How a Hacker Thinks
Prior to an attack, hackers may spend months preparing, gathering reconnaissance and strategizing how to execute. During this time, they will search for points of entry by mapping an organization’s network and IT assets, its structure and procedures.
Tactics used may include:
- Social engineering
- Accessing public records
- Port scanning and probing
Even with high levels of security control, hackers may dupe employees or administration into divulging critical information via phishing and social engineering. Training and compliance at all levels of an organization are therefore crucial portions of a security strategy.
During the preparation phase, hackers search for anything that can grant them unauthorized access to a system. This means that any exploits may be used, no matter how obscure – and in fact, obscure vulnerabilities may be preferred.
Organizations have many levels of IT infrastructure that may provide a gateway for deeper penetration. So-called “non-critical” systems like internal email should not be neglected when it comes to documentation and testing. At the same time, during a vulnerability assessment or pentest, systems should be prioritized to reflect the likeliest starting point for a real-world hacker.
While trolls are interested in visibility, criminals are not. Professional hackers use a variety of techniques to keep their activities hidden from administrators and lurk within a system for years at a time:
- Enter discreetly – hackers know that obvious entrances are carefully guarded and seek out less obvious points of entry to begin an attack. Additionally, 90% of hackers use encryption to disguise their origin.
- Persistent access – once they are inside of a system, hackers quickly try to establish a backdoor for persistent access. This way, they will always be able to return, even if the vulnerability by which they gained access is patched.
- Move laterally – by re-entering over time, hackers advance slowly from point A to point B. This allows a careful and methodical progression from small vulnerabilities to much larger ones.
In order to keep systems secure, it’s not enough to guard the front entrance: organizations must continually scan and monitor activities on their network to detect signs of suspicious activity.
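The three behaviours above each leave traces in ordinary authentication and change logs, which is what continuous monitoring is meant to pick up. The following is an added example, not code from the article or from Securicon: a small detection pass over a constructed log sample that flags off-hours logins (quiet entry), persistence-style configuration changes, and one account fanning out to several hosts in a short window (lateral movement). The log format, field names, the off-hours window and the host threshold are all assumptions chosen for the illustration.

```python
"""Toy detection pass over constructed authentication/change events.

Added example (not from the original article): flags the three behaviours the
article lists -- quiet entry, persistence, lateral movement -- in a small,
constructed log sample. Log format, field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "TIMESTAMP TYPE key=value ..." (not real data).
SAMPLE_LOG = """\
2019-03-04T09:02:11 auth src=10.0.0.21 user=alice dst=fileserver result=success
2019-03-04T09:05:40 auth src=10.0.0.21 user=alice dst=mail result=success
2019-03-04T02:13:05 auth src=203.0.113.9 user=svc_backup dst=vpn-gw result=success
2019-03-04T02:14:10 change host=vpn-gw user=svc_backup action=cron_add
2019-03-04T02:20:01 auth src=10.0.0.50 user=svc_backup dst=hr-db result=success
2019-03-04T02:21:30 auth src=10.0.0.50 user=svc_backup dst=fin-app result=success
2019-03-04T02:24:45 auth src=10.0.0.50 user=svc_backup dst=dev-git result=success
2019-03-04T02:25:12 auth src=10.0.0.50 user=svc_backup dst=mail result=failure
2019-03-04T14:30:00 change host=fileserver user=alice action=password_change
"""

# Assumed set of change actions commonly associated with keeping a foothold.
PERSISTENCE_ACTIONS = {"cron_add", "service_install", "new_admin_user", "ssh_key_add"}
# Assumption: 00:00-05:59 is outside this organisation's normal operating hours.
OFF_HOURS = range(0, 6)


def parse_event(line):
    """Parse 'TIMESTAMP TYPE k=v k=v ...' into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    event = {"ts": ts, "type": parts[1]}
    for field in parts[2:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    """Parse every well-formed line of a log text, silently skipping bad ones."""
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def off_hours_logins(events):
    """Successful logins inside the off-hours window (quiet entry)."""
    return [e for e in events
            if e["type"] == "auth" and e.get("result") == "success"
            and e["ts"].hour in OFF_HOURS]


def persistence_changes(events):
    """Configuration changes of the kind used to keep a backdoor."""
    return [e for e in events
            if e["type"] == "change" and e.get("action") in PERSISTENCE_ACTIONS]


def lateral_movement(events, min_hosts=3, window=timedelta(minutes=15)):
    """(src, user) pairs that successfully reach >= min_hosts distinct hosts within `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["type"] == "auth" and e.get("result") == "success":
            by_actor[(e.get("src", "?"), e.get("user", "?"))].append((e["ts"], e.get("dst", "?")))
    findings = []
    for (src, user), hops in by_actor.items():
        hops.sort()
        # Slide a window over this actor's logins; report the first window that fans out.
        for i, (start, _) in enumerate(hops):
            hosts = {dst for ts, dst in hops[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                findings.append({"src": src, "user": user, "hosts": sorted(hosts)})
                break
    return findings


def analyze(text):
    """Run all three detections over a log text and return the findings by category."""
    events = parse_log(text)
    return {
        "off_hours_logins": off_hours_logins(events),
        "persistence": persistence_changes(events),
        "lateral_movement": lateral_movement(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
```

On the sample, the same service account logs in off-hours from an external address, adds a cron entry on the gateway it landed on, and then reaches three internal hosts within five minutes; each of the three detections fires on a different part of that chain, while alice's daytime activity produces nothing. In production the thresholds and the off-hours window would be replaced by a baseline learned from the organisation's own traffic, and the change-action list by whatever the endpoint agents actually report.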
It should be clear by now that real-world hacking is a difficult process that requires preparation and commitment to a long-term strategy. Every hacker therefore pursues some concrete objective, such as:
- Political sabotage – an organization may be attacked because it is involved in political activities, because it serves the government, or because its products and services are critical to a nation’s political process. In this case, hackers may aim to obstruct its daily operations by targeting mission-critical systems.
- Data theft – today, almost any organization has a wealth of information about its customers and clients. This data can be exploited for many purposes and – wherever it is stored – attacks should be anticipated.
- Monetary gain – hackers rarely steal money directly from their victims. But companies possess many assets which can be used for profit, including intellectual property and trade secrets.
Concerted attacks, like any other business risk, are difficult to predict, but they are not difficult to anticipate. Although cyberattacks are inevitable, they should never be viewed as inexplicable or mysterious. To protect itself, an organization should identify and monitor its most valuable assets.
Hackers will use deception in the earliest stages of their campaigns. During reconnaissance, they often trick employees into forwarding “important information” to their colleagues, which is – in reality – a phishing attack.
When they actually begin their work, hackers will, moreover, use false flags to misdirect system admins and anyone else who may be watching. This includes targeting systems they do not really care about and using exploits that are not crucial to their end games.
Experience vs. Automation
To enforce real security, companies require experts who know how to think like hackers. Throughout the industry, however, those who claim to do so are frequently misguided. Most pentests, for instance, are left to automated software, leaving clients vulnerable to attacks that software can’t anticipate.
Securicon is made up of infosec veterans who have played red team against government agencies in real-world hacking scenarios and formulated unique toolkits that money cannot buy. Our scans and assessments reflect this experience and uncover the only vulnerabilities that matter: those our clients are unaware of.
Most hackers will not work for anyone except themselves. But Securicon’s team shares the knowledge and experience of professional hackers, while aiming to protect – rather than harm – the companies they target. In the long term, we believe there is no better way to enforce security, and anything else is a compromise.