Story image

Inside modern hacking: The seven stages of a breach

19 Dec 17

There’s absolutely no doubt that implementing the right approach to cybersecurity in contemporary business practices is an issue of massive importance.

However, it’s no longer true that having strong internal security architecture is sufficient to keep your organisation - and people themselves - safe.

There has been a bit of an ideological shift in how hackers are thinking about gaining access to critical information and internal systems, and it revolves around gaining a critical understanding through fine-tuned targeting of an organisation's most precious resource - its employees.

Hackers are most evidently tracing what they describe as the ‘keys to the castle’, which are privileged accounts that provide the deepest access to confidential and sensitive data on computer systems and networks.

Once a privileged account is breached, it can have absolutely catastrophic effects on an organisation, as extremely sensitive data and systems are compromised before an organisation is even aware of the breach.

Industry analysts estimate that from 60 to 80% of all security breaches now involve the compromise of user and privileged account passwords.

This presents a significant opportunity for resellers, as privileged access management solutions are becoming the new standard for cybersecurity.

To understand this, let’s have a look at six stages that might typically make up what a contemporary hack looks like.

Stage one: reconnaissance

The methods that hackers are using to be able to source the required information that facilitates breaches is truly astonishing.

Hackers utilise the wealth of personal information provided to them by the internet to develop a profile of the person in which they’re targeting.

This comes in the form of things like full name, home address, telephone numbers, IP address, biometric details, locations details, date of birth, birthplace, and even family members.

Cybercriminals and hackers can spend up to 90% of their time performing reconnaissance of their targets before acting, using both public and deep web searches to collect information on a company and its employees.

All of this information can be easily obtained without touching a company’s security perimeter.

Stage two: spear phishing

Once vital personal information is sourced, attempts to target employees become far easier.

In many cases, an unsuspecting employee receives an authentic looking email from a third-party supplier or via a social media message.

Known as spear phishing, the urgent message “requires” the employee to click once on a hyperlink and type in their credentials.

Once submitted, the employee has handed over their secret password and digital identity to the cybercriminal, who can then bypass security controls and pose as a trusted employee.

It’s not just limited to this technique though when reconnaissance and enumeration are conducted carefully and extensively, it literally takes 24-48 hours to gain access to a network, often via a secondary unsuspecting victim.

This could be in the form of a family member or spouse that uses a company laptop, who attacker can then specifically target for critical information.

They use their comprehensive profiling to target unsuspecting victims, and ultimately gain access to networks more easily.

Stage three: exploration

Once the attacker has gone through the time and effort to learn about the victim and gain initial access to the company network, they typically don't act immediately.

Attackers perform more reconnaissance, including observing regular schedules, security measures, and network traffic flow.

In most cases, cybercriminals begin by looking for well-known system vulnerabilities, such as unpatched servers.

With compromised credentials, the cybercriminal can work his way across the network further and deeper into the victim’s IT infrastructure, creating additional backdoors for future access.

Stage four: escalation

This is where hackers often look at leveraging regular hacked accounts to gain access to the ‘keys to the castle’ - privileged accounts.

There are many ways to elevate privileges on systems. Whether it is exploiting services, file/folder permissions, task scheduler, cached credentials, DLL hijacking, or simply using tools like Mimikatz or John the Ripper to hijack sessions or pass the hash exploits.

Most of the problems come from organisations using the same local admin password on all systems, meaning once a single system local admin is compromised, moving around using the same account is quite easy.

Stage five: maintain access

Hackers must ensure that they maintain access to systems, once they’ve breached them, which typically quite easy to accomplish.

Hackers can download compressed, encrypted tools and utilities from the internet that allow them to avoid existing security controls.

Hackers can also create new privileged accounts - called backdoor accounts - which provide access should the original account be terminated.

They can also accomplish this by changing existing passwords on services accounts, or install remote access tools that are hidden behind normal applications used every day by employees.

Stage six: conduct malicious activity

Financial gain is most commonly the motivation for hackers, and recent incidents featuring ransomware such as WannaCry and NotPetya illustrate how damaging these kinds of attacks can be.

To implement their full attack plan, hackers rely on typical methods for accessing the now compromised privileged accounts and sensitive data.

They will do this by using troubleshooting or helpdesk tools for operating systems that provide remote access, remote shells, or even malware that calls home to a command and control server on a predefined schedule, waiting for instructions from hackers.

Stage seven: covering tracks

Removing any sign or indication that a network has been hacked is the final step in a successful breach, which can be beneficial in case they want to revisit the network.

This can be accomplished by deleting log files or any other traceable activity.

This process is actually easily conducted by hackers, as the privileged accounts that they hold give them all the tools they need.

Where do we go from here?

People are the new perimeter, and organisations must look at tools to mitigate these people-centric modern hacking approaches from ever occurring in the first place.

Privileged access management offers a next-generation solution for mitigating these issues, as these solutions control privileged accounts and validate identity and permitted access to critical systems and data.

Resellers can take advantage of this phenomenon, as we’ll start to see the cybersecurity market shift towards adopting and implementing these solutions.

While having a strong firewall is important, people within an organisation must be given an extra layer of stability, as this is what hackers will find most challenging to deal with.