Editor's Note: This excerpt has been derived from Leonard Chin's white paper, "5 Phases Every Hacker Must Follow," which has been reposted with permission. This is part four of the series on hacking. See part three here.
Once hackers gain access into a system, one of the first things they do is to take steps to maintain access for several good reasons.
First, depending on the target, gaining access initially may have cost the hacker considerable time, effort, and resources. Losing access to the computer or system that took the effort to breach is wasteful (from the hacker’s point of view).
Sometimes hackers just can’t accomplish all their goals in a single visit. It may take multiple attempts to steal, change, or destroy the information they are looking for. Also, some hackers make it their business to hack into systems and then simply sell that access to other hackers for cash. That business model wouldn’t be sustainable if their “customers” couldn’t get access later.
Therefore, hackers need to maintain a way to get back into a victim's computer or system, even after multiple reboots and virus scans. Hackers call this “persistence." But how do hackers maintain persistence?
The first way a hacker maintains persistence is to not be detected. After all, if the user or IT staff detects the intrusion, they will deal with it quickly. Therefore, for example, if a user opens an email attachment (with malware), the malware is typically designed to run in the background or in a small window behind the main window. Likewise, malware is often encoded to avoid detection by scanners looking for specific known signatures.
It’s also critical for attackers to be stealthy in their actions. When scanning a network for other targets, they often slow down scans to a trickle of packets. While this can take longer (hours in some cases), they can avoid attracting suspicion from network intrusion tools and IT staff.
When a target is discovered with information the hacker wants to steal, they often use very slow methods to extract the data from the server or computer. They don’t want their actions to burden the machine and possibly cause it to slow down, and they want the data to be mixed in with all of the legitimate data on the network to avoid detection.
They also make sure the connection from the target to their collection machines waiting outside is established from the inside out, so it looks like legitimate traffic. In cases of extreme stealth, hackers will sometimes hide their data in innocuous-looking Domain Name Server (DNS) requests or web service requests rather than using an obvious file transfer protocol (FTP).
Finally, hackers may use a technique called steganography to hide data in other files. Common techniques include hiding data in unused bits in a photo or sound file. This allows hackers to transfer the data out of the organization “in plain sight."
Once hackers have infiltrated a server or PC, it is common to immediately try to get higher-level permissions on that machine. This is called privilege escalation and serves two purposes.
First, the hacker can establish a new account as the server administrator with a unique ID and password. This allows the hacker to simply log in for access on the next visit, rather than trying to inject malware each time.
It also allows the hacker to install and run even more software on the machine. This is useful for scanning other machines in the environment and subsequently hacking into them as well.
Privilege escalation is also used at the network level. For example, if hackers can get into a Windows Active Directory server and escalate privileges to the administrator, they can access any machine in the network. Likewise, if a hacker gets administrative privileges in routers or switches, they can make changes to the infrastructure to access remote segments in other parts of the organization.
The hacker may install software called a “backdoor,” which allows the hacker to remotely log into a server or computer without detection. Some backdoors have also been discovered in routers and switches as well.
Even with all of this, it’s often difficult for backdoor software to survive multiple software patches and revisions, especially if the operating system is upgraded. Therefore, hackers install “rootkits." These are malware packages installed in the kernel level of the machine and boot up before the operating system.
Therefore, even if the operating system is completely reinstalled, the hacker maintains access. Some rootkits developed by nation-states are installed in the boot sector of the hard drive, so they can even survive entire disk reformatting.
In order to avoid detection by virus scanners on computers, some modern malware packages are built to run in memory only without ever writing a file to disk (which could be detected). These malware executables are often launched by rootkits. They run outside the operating system, so they are very difficult to detect by anti-virus software running inside the operating system.
Another area that sophisticated hackers concentrate on is to hide any evidence that they have infiltrated a computer or system. In fact, if they can successfully hide their presence and delete malware as they depart, an attack might never be detected.
Hackers do this by trying to locate every log and file that would maintain some record of their presence or movement. For example, Windows and Linux machines keep logs of all logins and actions taken on the computer. These are intended for troubleshooting but can be used for forensic purposes to detect illegal entry. Hackers know this, so they need to deal with these logs.
The easiest course of action for a hacker is to simply delete the log, but this would cause suspicion. Some hackers simply edit the logs to remove only the entries showing their presence. However, an astute researcher would notice a gap in the log time stamps.
Therefore, advanced hackers will replace a section of the log with a previous section with updated timestamps. Even this can be detected, but with much greater difficulty. Even with these precautions, an attacker needs to take additional steps to remove evidence of the attack.
Windows machines not only have logs, but also an index file database of all software that was ever installed (even after it is deleted). That would need to be cleared as well. Further, some graphics processors have the memory of screen actions that would also need to be deleted.
After the attacker removes traces of the intrusion from the computer, they also need to remove traces of the attack from the network logs. Routers and switches store meta-data about flows of traffic in NetFlow logs. While not a copy of the traffic itself, these are lists of all of the sessions and communications (along with timestamps) that happened between devices on the network. Cybersecurity researchers can use these flows to create a timeline of the attack and can often deduce what information was affected by the attack. Therefore, hackers would also need to hack into network devices to edit these NetFlow logs as well.
Finally, many other systems in the network keep logs, including Domain Name Servers (DNS), Dynamic Host Configuration Servers (DHCP), and file servers. A determined hacker must hack all of them and edit their logs to remove all traces of the attack. However, most hackers relax in "the knowledge of security through obscurity." Tracking their movements through millions of data entries in these logs is extremely difficult, especially if the attack was slow and kept a low profile.
Determined Hackers Will Gain and Maintain Access
The most sophisticated are excellent at hiding their presence in an attack. This not only allows them more time on target (loitering time), but also helps to hide the intrusion long after they have left the target. This allows them to make repeated visits if necessary. More importantly, the attack signatures are not picked up by threat researchers and published to other victims.
In every case, security engineers can take steps to reduce the risk of attack and intrusion. However, it takes good training to do that.
Here are some courses to get you started: