Every now and then the TV news reports cyber intrusions into American companies or large-scale cyber attacks, but nobody explains how they could have happened. So today, without pretending to cover the topic in depth, let’s look at how a cyber attack unfolds.
“Know the enemy as you know yourself. If you do so, even in the midst of a hundred battles you will never find yourself in danger”, says Sun Tzu’s Art of War, and that is precisely the purpose of this article. To be able to defend against a cyber attack, you need to know the attacker’s strategy, step by step.
How a cyber attack happens
Here are the 5 phases that characterize every cyber attack on companies by cybercriminals around the world.
- Reconnaissance and information gathering
- Scanning
- Gaining access
- Maintaining access
- Trace elimination
Step 1 – Reconnaissance and information gathering
The first phase is the most important and involves gathering as much information as possible about the target. It is carried out both at the computer and through social engineering and dumpster diving techniques.
At the computer, the criminal tries to detect open ports, map the network, and identify accessible PCs, router locations, application details, etc.
Social engineering uses a variety of techniques to obtain sensitive information from people (internal telephone numbers, names of managers, internal procedures and protocols). Dumpster diving (literally, diving into the bin) aims to recover from the waste documents and information the company deemed unimportant but which contain details useful for the attack, such as the name of the cleaning company, an invoice for a hosting service, etc.
Step 2 – Scanning
Scanning is the first operational step. With the information gathered, the attacker now moves on to identifying vulnerabilities. I am not speaking only of vulnerabilities in IT systems but also of vulnerabilities in corporate procedures.
From the IT point of view, port scanners, exploit databases and other automated tools are used to detect any vulnerabilities.
As for company procedures, the weak points that can be used for the attack are identified through stalking, phone calls or direct contact with employees: a gap in the cleaning shift change, unsupervised access during the coffee break, etc.
Step 3 – Gaining access
This is the most important step! It is carried out by exploiting the information recovered in the previous stages. An out-of-date PC connected to the internet can be vulnerable and attackable with an exploit, but so is an employee who leaves the password on a post-it in the top drawer of the desk.
Access can therefore take place remotely but also on site. Obviously, the second mode is much riskier, so access from an external network is preferable in order to hide behind various firewalls and proxies.
Step 4 – Maintaining access
Once access is obtained, it is necessary to facilitate subsequent access by leaving a “back door” open. The access procedure of phase 3 may be complicated or not repeatable several times, so software called a backdoor has to be installed, which guarantees a hidden spare entrance to be used later.
On Windows and Linux systems the ways of opening backdoors differ, but basically it involves installing software that remains resident and is started automatically at each system boot. These programs open unconventional channels of communication to the outside that can only be exploited by those who know how they work and their access parameters.
Step 5 – Elimination of traces
To avoid being discovered it is necessary to eliminate all evidence of one’s passage and of the activities carried out within each attacked computer. Each operating system keeps one or more logs of the operations carried out, so it is easy for a system administrator to trace unwanted access.
Many logs contain cross-referenced data, so deleting traces is not the fastest technique. In these cases it is preferable to modify the access data, to make it difficult or even impossible to trace the time and type of attack. Alternatively, a very quick way is to restore a previous version of the access logs.
If access is via an external network it is not possible to delete all traces, so the use of multiple cascaded proxies is a good technique to make tracing impossible. Some cybercriminal organizations use proxies in countries with which no international information exchange agreements exist, thus making it impossible to trace the attack.
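The cross-referenced data mentioned above is exactly what a defender can lean on: when one log has been edited or rolled back, a second log on the same host usually still disagrees with it. The following is an added example, not code from the original article; the log format, field names and sample lines are constructed for illustration.

```python
from datetime import datetime

# Constructed sample: an auth log from which the login for session 103 was removed
AUTH_LOG = """\
2024-03-01T08:00:05 sshd session=101 user=alice accepted from 10.0.0.5
2024-03-01T08:30:10 sshd session=102 user=bob accepted from 10.0.0.9
2024-03-01T09:45:00 sshd session=104 user=alice accepted from 10.0.0.5
"""

# Constructed sample: an audit log on the same host that still records every session
AUDIT_LOG = """\
2024-03-01T08:00:07 audit session=101 cmd=ls
2024-03-01T08:30:12 audit session=102 cmd=cat
2024-03-01T09:10:33 audit session=103 cmd=crontab
2024-03-01T09:46:01 audit session=104 cmd=ls
"""


def parse(log):
    """Return (timestamp, session id) pairs from lines in the assumed format."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        stamp = datetime.fromisoformat(fields[0])
        session = next(f.split("=", 1)[1] for f in fields if f.startswith("session="))
        records.append((stamp, session))
    return records


def find_orphan_sessions(auth_log, audit_log):
    """Sessions with audited activity but no login line: the login entry was deleted."""
    logins = {session for _, session in parse(auth_log)}
    return sorted({session for _, session in parse(audit_log) if session not in logins})


def find_out_of_order(log):
    """Session ids of lines whose timestamp precedes the previous line's: edited entries."""
    records = parse(log)
    return [session for (prev, _), (cur, session) in zip(records, records[1:]) if cur < prev]


if __name__ == "__main__":
    print("sessions without a login record:", find_orphan_sessions(AUTH_LOG, AUDIT_LOG))
    print("out-of-order audit entries:", find_out_of_order(AUDIT_LOG))
```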
Now that you know how a cyber attack occurs and which phases characterize it, you also know which weak points of your organization to keep under control. If you run a company and feel you need to review your IT security policy, I recommend contacting specialized companies who can guide you through this phase.