Anatomy of a Hacker Attack
by Torbjörn Hovmark, president of Abtrusion Security AB
A hacker attack typically includes several phases.
- Collect information about the target of the attack
- Locate a weakness to be used as an entry point
- Download and execute software on the target
- Use security holes to elevate privileges
- Steal or modify information
- Cover the tracks
Phase 1 - Collecting Information
The experienced hacker will probably spend most of his
effort collecting information, often called profiling. Once he has sufficient
information, the remainder of the attack may be relatively quick and easy. The
novice, however, will often skip phase one altogether and go straight for step
There is a lot of information that could be potentially
valuable to a hacker trying to gain access to a private computer network. The
design and layout of the network is always valuable. Where are the important
computers on the network? What kind of applications do they run? How is the
network wired? Where are the firewalls? How does it communicate with the rest of
the world? Information such as IP addresses, dial-up access numbers and so forth
are also valuable.
A second type of information that is often even more valuable
is related to social factors. What are the names of some of the employees of the
target? In a big company where all employees don't necessarily know each other,
the name of an employee and some social skill is often sufficient to gain access
to a login account. Using information about who knows who is potentially very
valuable. Organizational charts are also a gold mine for the would-be hacker.
In the first phase, the hacker typically does not have direct
contact with the company, or at least does not do anything unusual or
suspicious. Instead it is a matter of trying to gather bits and pieces of what
is already publicly known about the target.
Phase 2 - Locating a Weakness
Once sufficient information is available, the hacker will move
on to locate a weakness that can be used to gain access to the target. In the
bad old days, before firewalls, the hacker would be able to attack computers on
the Internet directly without much effort. Today things are a bit more
difficult, but not by much. Some of the weaknesses frequently used by viruses
are bugs in e-mail clients. The same weaknesses are also used by hackers. There
are a number of other ways to gain access to a computer network, with
bugs in web browsers and web servers being some of the most common.
Another potential weakness, not related to software bugs, is the human
factor. If enough is known about an organization, the hacker can often use a
little bit of his social skill to trick or pressure someone into letting him
into the network. For instance, in many of the larger organizations, when you
forget your password, you just call up support and they will change it to
something of your choice. All the hacker might need in this case is the name of
an employee and an account name in order to gain access to the account.
Pretending to be someone important is often a way to pressure the technical
support organization into bending the rules a bit. Pretending to be a friend of
an employee when you send him an e-mail with an attachment is often a good way
to get him to trust you and open the attachment. The From address of an e-mail is very easy to forge. The point is, the
possibilities are endless, and in most cases, the firewall provides little
or no protection against social skills.
Phase two is concerned with finding a way to establish contact between the
private network and the hacker's own computer. Typically (but not necessarily)
this contact occurs over the Internet.
Phase 3 - Download and Execute Software
Once a weakness is found, it is typically used to download one
or several executable files to the target computer. The hacker might use a
buffer overflow, an e-mail client bug or a web browser bug to initiate this phase.
Although there are many
publicly available hacker tools on the Internet, the professional hacker will
probably custom build his own executable tools. This means that normal
virus protection software will not be able to recognize them.
Hacker tools can be used to perform most of the tasks the
hacker wants, more or less as if he were physically present in front of the
computer. They can also be designed for very specific purposes, such as
elevating privileges or bypassing security controls some other way. Yet other tools may
be used to hide the fact that the computer has been hijacked.
If the hacker gets past phase three, the game is basically up.
Once he is able to execute arbitrary code on your computer, there will not be
much holding him back.
Phase 4 - Elevating Privileges
Normally, important information is protected so that only
certain users can access it. For the hacker, this is usually not much of a
problem. If he can execute code on the target system, there are a number of
known security holes that can be exploited to elevate privileges, i.e. gain
access to an administrative account. These range from bugs in operating system
components to being able to replace system files or tricking the system into
executing the wrong files. It is very unlikely that all of these holes are
plugged on an individual system.
Phase 5 - Stealing or Modifying Information
To steal or somehow modify information is probably the primary
goal of the hacker. There are also instances of hooliganism, but they are less
common. A professional hacker will probably have a goal other than destruction.
Sometimes, he will break in to one network only to use it as a base from which
to attack his next target, but sooner or later he will want something.
With the right privileges and ample information about the
target, stealing information is usually a piece of cake.
Phase 6 - Covering Tracks
Most hacker attacks go unnoticed. Many times this is because
no-one is looking. Most computers have logs, but usually, there will not be
anyone reviewing them. However, for the hacker, covering tracks by deleting
entries from a log file is usually pretty easy. Another way to cover tracks is to
use hijacked intermediaries for all communication with the target computer. That
way, locating the hacker through his IP address will be much more difficult.
Software may be used to hide your tracks as well. Once you
have sufficient privileges on a computer, you can theoretically do more or less
whatever you like with it, if you are skilled enough. For example, so-called
rootkits can be used to modify the operating system itself in a way that is
practically impossible to detect.
Copyright © 2002 Abtrusion Security AB.
All rights reserved. This document may be reproduced provided that it is
reproduced in its entirety and that this copyright message is retained.