Part II: The Hacking Process


Today, hackers are much more skilled at attacking systems than in the past. Often they will have a plan and an objective. Sometimes a group of hackers will work together and attack a system with the precision of a military maneuver. First, they will do reconnaissance, gathering as much information as possible from a wide variety of sources about the organization they plan to attack. Then they will gain access to a system. From that point on, they will continue to gather privileges until they have total control of the system. During this process, they will monitor your activities as system manager, cover up any evidence that they were ever on your system and open back doors so they can return at any time. Once this beachhead is established, they will branch out to other systems. They will collect a number of systems to make tracing their activities as difficult as possible. Finally, they will make their way to their target system and achieve their goal of engaging in whatever malicious activities they have planned.

Understanding the hacking process is critical to the ability of information security professionals to prevent intrusions. Regardless of the intent of the hacker, there is a normal process that is followed to achieve their goals. The process by which information systems are attacked is very predictable. A typical attack pattern consists of gaining access to a user's account, gaining privileged access, covering his tracks, and using the victim's system as a stepping stone to expand his realm or to attack other sites.

Selecting the Target

Everyone is potentially the target of an attack. For the hacker, target selection is often the easiest part of the attack, while the victim may find it very difficult to determine why he was selected to be attacked. There are a number of common reasons why systems are attacked.

Who You Are

One of the key elements in being selected as a target is the visibility of the target. A very visible target will increase the status of the hack; it will increase the likelihood of publicity, which is what many of the attackers are after. Certain industries and businesses are more likely targets than others. Their level of visibility shines above the rest. It may be because of their dominance in the market, their position in the public eye, or their type of business.

What You Do

Attacks with personal motivation are most often selected because of what the organization does. It may be that the business or the industry in which the organization belongs is perceived as being involved in things of which the attacker does not approve. The perceived reputation is more important than the facts.

Sites which are expected to have good security are often targeted to illustrate the skill of the attacker. Companies which sell security products and services are prime targets as well as government and military sites.

Who Your Customers Are

An organization can become a target if its customers are targets. An organization that caters to a famous or highly visible clientele will be of more interest to a hacker than another organization.

What You Know

An organization which has private information about its customers is a likely target. This private information can be as common as credit card information or as specific as personal itineraries. Credit card theft is one of the most common types of information theft. However, theft of more personal information, such as one's personal schedule or where one's children go to school, is much more alarming.

What You Have

If your site is selected as the ultimate target of the attack, it is because of something you have. It is something of value to the hacker. This could be monetary value, such as credit card numbers, electronic funds, or even the products you produce. All of these things can be turned into ready cash. It could also be that you have something the hacker wants to use. Sites with supercomputers or other specialized computing equipment are targeted for this computing power, which the hacker hopes to use.

Identifying the Systems to be Attacked

Systems are often attacked which are not the ultimate target of the attack. These stepping stone systems are selected because they will in some way assist the attacker in getting to his final target. It is rare that the target system is attacked directly or is the first system attacked. Most attacks use many stepping stones to get to their final destination.

Easy to Compromise

Overall, the most important criterion for why a system is attacked is how easily it can be compromised. Attackers target systems which they have the best ability to compromise and the least likelihood of being detected. Hacker tools can rapidly identify systems with known vulnerabilities and the tools which will successfully compromise them.

The further out-of-date a system is, the more likely it is to contain more vulnerabilities, but more importantly, this is an indication of the quality of administration the system is receiving. If a system is not updated, it is likely that there will be other administrative oversights in the configuration and management of the system.

Relationship to Target

Sites are often attacked because of the relationship between your company or systems and the hacker's target. The relationship may be based on network topology. The companies may use the same ISP, or have an extranet connection to support a business relationship. It could also be this business relationship which draws the attack. The hacker may want to disrupt the business process or strain the relationship between the businesses.

Other areas of commonality may be the reason for the attack. Companies may have outsourced part of their business to the same outsourcing company, especially computer operations. Companies which have common owners or board members may be targeted, as well as those which have common customers or suppliers, or are working as contractors on the same project.

Contain Valuable Information or Resources

Systems are attacked because the attacker believes that they contain resources or information which have value to him. Sometimes that which the hacker is after is obvious, such as credit card numbers or source code to yet unreleased software, while other times what the hacker wants is elusive to the victim. It is the hacker's perception of value which drives his actions. Therefore, every system needs to implement a level of security to deter hackers, and those systems which have unique or valuable resources or information need the level of security commensurate with the value of their contents.

Gathering Information

Gathering information is the most important part of hacking a system. Information is power. The more a hacker knows about a system, the more likely he will be able to achieve his goals and the less likely he is to be caught. Identification tools are used to locate and identify systems to be compromised. These tools will usually try to be relatively quiet in their activities so that they will not be noticed by intrusion detection software. Good reconnaissance reduces unsuccessful attempts.

Company Information

Many attackers will be targeting specific companies, but others will be looking only for systems which are easy to compromise. In either case, the attacker will want to know as much about the target as possible. Companies are targeted because of who they are, or what they do, or what they have, or with whom they associate.

Understanding a company's business will help the hacker with social engineering. It can help him locate systems with the information he is seeking. Knowing the company's organization improves his ability to find weaknesses to exploit.

Knowing the target company can determine the likelihood that the attack will be prosecuted and under which laws. Certain businesses and industries, such as government sites, have special protection.

System Information

Information about the specific system can be used to select specific targets that either are more likely to have what the attacker is looking for, or are more likely to be breached. The hacker will want to gather information about the target system: what kind of system it is, what software it is running, and what it is used for. Determining who owns the machine, who uses the machine, and who administers the machine can indicate the likelihood that it will contain the information the hacker is looking for. Information about the utilization of the machine and the quality of its administration can indicate the ability to compromise the system without being detected.

Business Processes

Understanding the business process can highlight where valuable information is located and where there might be weak links in the process. It can also identify individuals who have access to valuable information. Knowing the business process can help identify the function of systems and what information they might contain based on the services that the systems support. Specific information about software services, such as version, can pinpoint what type of attacks can be successful.

Business Partners

Today, businesses are entering into partnerships more frequently and with more organizations than ever before. Often these partners are not well-known to the organization and their security policies even less known. Identifying business partners indicates possible alternate ways that an organization can be attacked. A partner's network may be more easily penetrated and lead to an easier access point.

User Information

The users of a system are often the weakest link in the security chain. They are given the ability to grant access to the resources under their control to others, and the responsibility to select passwords, which are often the primary access control.

Hackers want to learn about the users of a system in order to decide which accounts are safer to use. They are looking for accounts that have not been used in a long time or those that go for long periods of time without use. Accounts that are connected with a lot of idle time may be attractive.

Gaining Access

Access comes in a number of forms. It may be physical access, or access to the organization's network or computer systems, or it may be access to the information itself.

Corporate business has responded to the growth of the Internet by putting business sites on the Internet. These business systems must have open access so that customers can access them at any time from anywhere. They also have to be connected to internal systems for real-time pricing, inventory, and other functions. These sites are very attractive to hackers.

Network Access

Network access gives the attacker many more options in probing and attacking a system. Corporate networks are usually a guarded resource. Direct attacks on firewalls are usually noticed. However, network access can often be accomplished by less direct methods. Employees will often add modems to desktop systems so that they can get access to Internet sites which are not allowed through the firewall. These modems can be used to gain unsecured access from remote sites.

Companies which share building access with other companies may find that their physical security is lax enough for hackers to gain access to the network. Utility closets are often shared among companies in the same building, granting access to almost anyone.

A hacker's system on the company's network becomes a peer in many network protocols and gives a significantly better chance of successfully compromising systems.

Wireless networks also provide access to internal networks to those outside the physical security controls. Wireless networks have to be considered insecure and require appropriate protection.

System Access

Computer systems, desktops, and servers are the most common targets in the information system. They are valuable resources in the information system. They are the repository of information and they give the attacker a foothold. Even when the computer is not the ultimate objective of the attack, it is usually necessary to compromise systems in order to gain that ultimate objective.

Access to Information

Information can be accessed from any source that has the information. This includes information systems, storage, communications, and people.

Acquiring Privileges

Privileges are required in order to utilize information system resources. All accounts, programs, and services have some privileges to perform their functions. Different elements will have different privileges, based on their requirements. The security model of least privilege says that only the minimum privileges necessary to perform a task should be given. Another tenet of security is isolation, so that the privileges given to one element cannot be used to compromise another. Both of these are difficult to implement, so often privileges can be acquired and then used to leverage more privileges.

Information Access

Information is often the target of an attacker. Access to information enables the destruction of that information, the vandalism or other alteration of the information, or the theft of the information. He or she may want the information to use personally, or to otherwise profit from the possession of the information. Theft of information includes the theft of proprietary information, credit card information, personal information, and government secrets.

Resource Utilization

A system may be targeted for its resources. It can be because of the uniqueness of the resources, such as specialized hardware or access to unique peripherals, which the hacker wants to use, or it can be the abundance of resources which draws the hacker. A very fast computer system or a system with a very fast network is a tempting target. The hacker can use these resources for his own purposes and can go unnoticed if his consumption is relatively small compared to the total resources available to the system.

Avoiding Detection

Even though many hackers are looking for notoriety, they do not want to get caught. Their online life and notoriety are based on their online identity or handle. Most hackers do not want this to cross over into the physical world, where they might be arrested. Many of the tools in the hacker's toolbox provide the hacker with some level of stealth. Some of these tools replace system utilities with versions which do not report the presence of the hacker, his tools, or his activities. The goal of stealth tools is to keep the hacker from being discovered.
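The defender's counter to replaced system utilities is an integrity baseline: record the hash and permission bits of each binary while the system is known good, then verify them later. The following is an added example, not code from the book; the utility names and contents are constructed stand-ins in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash and permission bits per file; store the result off-host or on read-only media."""
    return {str(p): {"sha256": sha256_file(p), "mode": p.stat().st_mode & 0o7777} for p in paths}


def verify(baseline):
    """Report files whose contents changed, whose mode changed, or which vanished since the baseline."""
    findings = {"modified": [], "missing": [], "mode_changed": []}
    for name, rec in baseline.items():
        p = Path(name)
        if not p.exists():
            findings["missing"].append(p.name)
            continue
        if sha256_file(p) != rec["sha256"]:
            findings["modified"].append(p.name)
        if (p.stat().st_mode & 0o7777) != rec["mode"]:
            findings["mode_changed"].append(p.name)
    return findings


def demo():
    """Constructed scenario: baseline two stand-in utilities, then alter one and delete the other."""
    tmp = Path(tempfile.mkdtemp())
    ps, ls = tmp / "ps", tmp / "ls"
    ps.write_bytes(b"#!/bin/sh\necho original ps\n")
    ls.write_bytes(b"#!/bin/sh\necho original ls\n")
    baseline = build_baseline([ps, ls])
    ps.write_bytes(b"#!/bin/sh\necho replaced ps that omits some processes\n")  # same path, new contents
    ls.unlink()
    return verify(baseline)


if __name__ == "__main__":
    print(demo())
```

Run the verification from trusted media rather than from the possibly compromised host, since a replaced hashing tool or a kernel-level hook can lie about file contents; a matching hash only shows the file on disk is unchanged.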

Realizing a Goal

It is likely that the goal of the attacker is to do more than just access information or utilize resources. Most hackers have a goal; there is a reason for their attacks. To achieve this goal, the hacker must compromise the system. Most of the time, hackers compromise systems by exploiting known vulnerabilities. These vulnerabilities can be software errors, improper configuration, or inadequate administration. Nearly all attack tools fall into this category.

Wealth

Computers have become a regular tool in the criminal's arsenal. Money flows through computers in the form of credit card numbers and electronic funds transfers, and enough personal information can be gathered about an individual to financially impersonate him or her: identity theft.

Notoriety

Notoriety is a key element in many types of attacks. Website vandalism, e-mail viruses, and denial-of-service attacks are staged only to get publicity. The publicity may be an attempt for personal fame or to draw attention to a cause.

Cause Harm

Some attacks are meant to cause harm to a business or individual. It may be financial harm such as theft of money or product or a denial-of-service attack which keeps the company from conducting business.

There have also been attacks against individuals. Computer networks have been used to harm people either directly by the one instituting the attack or through involving a third party.


Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210