The Hacker Methodology - How Is It Done?

June 2020 | Michael Wetherald

Know Your Enemy

In order to defend yourself, you need to know what your opponent is capable of and predict what he is likely to do.

Before we go through the typical methodology of a hacker, let’s analyze a set of characteristics seen in nearly every security breach so that we can see at which stage in the hacker methodology they are able to successfully meet those characteristics.

Nearly every successful breach has the following characteristics:

1. A host accessible from the Internet
2. Scanning and service enumeration is not detected or not acted upon
3. An unpatched vulnerability is exploited

Understanding these characteristics and an adversary’s methodology for meeting them is crucial for an adequate defense.

The Hacker Methodology

Adversaries will typically follow this well established methodology. Keep in mind, more sophisticated attackers and attacks will follow more of these steps, while less sophisticated attackers looking for low hanging fruit will skip many of the steps.

Step 1) Reconnaissance

Adversaries will first scope out their target. This step involves finding hosts accessible from the Internet. The adversary’s goal at this stage is to find their targets and develop a plan of attack for those targets. This step can be thought of as a bank robber’s stage of “casing the joint”.

Step 2) Scanning

Once the adversary has chosen a target to exploit, they will inspect that target in more detail, looking for a way in. This is typically done via a process we call scanning. Most hosts are running software called services which are listening for instructions via network traffic. For example a web server will process requests sent by your web browser.

An adversary will then enumerate these services and look for ones which are running out of date versions containing unpatched vulnerabilities. This is where the adversary is hoping to meet characteristic #2: Scanning and service enumeration is not detected or not acted upon.

Step 3) Exploitation

When an adversary has found their target, and determined that it is vulnerable to exploitation, they can exploit their target and gain access to the machine. This is where they meet characteristic #3 An unpatched vulnerability is exploited.

The typical adversary is now in a position to execute their original goal. For example, this might be where they steal information from the target, vandalize a website, or destroy information in order to wreak havoc.

Step 4) Persistence

More sophisticated attackers will now attempt to establish persistence so that they can continue to achieve their goals inside your environment. This might involve pivoting to other hosts which they now have access to if the exploited host they is trusted by others. Most times they will create a backdoor allowing them to easily reconnect at a later time.

Step 5) Covering Tracks

More sophisticated attackers will also take steps to cover their tracks. They will remove their activity from logs, or plant information into those logs to send investigators down the wrong path, or even trick investigators into accepting false conclusions about what happened. The adversary’s goal here is to obfuscate their presence and activities.

Building An Adequate Defense

As you can see, steps 3-5 are where the real damage happens. Investing in detection and prevention mechanisms will stop most attackers in steps 1 and 2, and prevent costly headaches of a successful breach into your organization. Contact us today if you’re ready to take steps to reduce the cybersecurity risk in your organization.