What is the Hacking Process?
Knowing how hacking works and the tactics threat actors employ to achieve their goals is becoming more and more important, especially in a world where groups are selling, or even freely giving away, premade, off-the-shelf tools that deliver hacking capabilities to even non-technical customers, including criminal organisations who may want to break in using ransomware.
How do hackers really exploit systems?
Hacking is not a single activity. It is a series of activities, and none of them are particularly short or glamorously fast-paced, especially if you want to get into a system without being detected.
Each step is essentially a mini-project.
You have to know who your target is, what systems they are using, and the known and even unknown weaknesses for a start. That’s not even getting to writing the exploit code, constructing the malware or getting it off-the-shelf, figuring out the best delivery means, and many other important things.
There’s a lot more to hacking than meets the eye.
Using the Lockheed Martin Kill Chain framework, we can break hacking down into several standard categories of activity:
- Reconnaissance
- Weaponisation
- Delivery
- Exploitation and Installation
- Command and Control
- Actions on Target
We’ll explore these below.
Reconnaissance
Reconnaissance is, as the name suggests, where a hacker carries out research to determine and understand a target. The age-old wisdom of knowing your enemy is very apt here, as the threat actor needs to understand you to uncover your weaknesses.
One technically orientated example of this is a threat actor looking up what operating systems a company is using. If a company is using Windows 10, for example, the hackers may use their own Windows 10 installation to root around for vulnerabilities, via off-the-shelf tools like Kali Linux or perhaps their own custom-made tools. They can also go to MITRE's online resource, Common Vulnerabilities and Exposures (CVE), to map already-known vulnerabilities that work against that system.
This is where you may wonder: If the vulnerabilities are already known, how come they’re not all fixed already?
Technology is a two-edged sword, especially in cybersecurity. Just as a sentence can often be read two different ways, the protocols (essentially the instructions that make PCs and the internet such multifaceted, flexible tools and allow us to do all sorts of useful and integral things) can also be leveraged to perform malicious acts.
Essentially, the perfect solution to solving all vulnerabilities in the internet and systems is to turn it all off, destroy every digital device on the planet and its physical infrastructure, and possibly start wearing medieval robes. This is something the vast majority of us don’t want.
With regard to companies, it’s important to be aware of the known threats to the operating systems and applications you’re using. You too can utilise CVE to look up known flaws in your operating systems, just like the hackers, and think about what defences you need.
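As an added illustration of that defensive lookup (not code from the original article), the sketch below matches a software inventory against vulnerability records and ranks the hits by severity. The hosts, product names and PLACEHOLDER identifiers are constructed, and the simplified record layout is an assumption, not the real CVE record format.

```python
# Added example: which installed versions fall inside a known-vulnerable range?
# Every host, product and identifier below is a constructed placeholder.

def parse_version(text):
    """Turn '2.4.52' into (2, 4, 52) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

# Constructed advisory records. The affected range is [introduced, fixed):
# 'fixed' is the first version that is NOT vulnerable, None means no fix yet.
ADVISORIES = [
    {"id": "PLACEHOLDER-CVE-1", "product": "examplehttpd",
     "introduced": "2.4.0", "fixed": "2.4.52", "severity": 9.8},
    {"id": "PLACEHOLDER-CVE-2", "product": "examplehttpd",
     "introduced": "2.2.0", "fixed": "2.2.34", "severity": 5.3},
    {"id": "PLACEHOLDER-CVE-3", "product": "exampledb",
     "introduced": "8.0.0", "fixed": None, "severity": 7.5},
]

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("web01", "examplehttpd", "2.4.9"),
    ("web02", "examplehttpd", "2.4.52"),
    ("db01", "exampledb", "8.0.31"),
    ("db02", "exampledb", "5.7.40"),
]

def is_affected(installed, advisory):
    """True when the installed version lies inside the advisory's range."""
    version = parse_version(installed)
    if version < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or version < parse_version(fixed)

def findings(inventory, advisories):
    """Return (severity, host, product, version, id) hits, worst first."""
    hits = []
    for host, product, installed in inventory:
        for adv in advisories:
            if adv["product"] == product and is_affected(installed, adv):
                hits.append((adv["severity"], host, product, installed, adv["id"]))
    return sorted(hits, reverse=True)

if __name__ == "__main__":
    for severity, host, product, installed, adv_id in findings(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {installed} is affected by {adv_id} (severity {severity})")
```

Versions are compared as integer tuples because a plain string comparison would rank "2.4.9" above "2.4.52" and miss the vulnerable host.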
Aside from researching the operating systems and software in use, threat actors will also conduct more non-technical reconnaissance, such as making optimal use of a search engine like Google to conduct research, as a turncoat from a Russian Conti hacking group revealed recently in an NBC News article on August 5th.
Threat actors will:
- Research the structure of the organisation to discover how the company is broken up and which unit does mainly what to decide a priority target.
- Research employees, trying to find out who works for the company and what position they hold, e.g. System Admin, Admin Assistant, CEO, etc. This can uncover who to target depending on their aims.
- Research employees’ hobbies, likes and other personal content they have posted on social media or elsewhere online so they can tailor lure files, which are vital for Spear Phishing tactics.
- Utilise keywords to work search engines in order to find information which wasn’t necessarily intended to be public.
Weaponisation
Weaponisation is the stage where the threat actor takes all the information they’ve gathered and starts writing exploit code that will trick your computer into giving them access by leveraging vulnerabilities they’ve uncovered.
In order to streamline the often lengthy hacking process to an extent, hackers will often use pre-existing, off-the-shelf products, which are made by others, as long as they do the job effectively. This is often true of hackers from all groups to varying extents, including even Advanced Persistent Threats (APTs) that are often associated with nation states, as these standard tools can still be very effective.
Delivery
Of course, after all that, the hacker still needs to get the malicious file from the infrastructure under their control to your own. How do they do this?
Well, one common tactic is Spear Phishing. This is where a threat actor may send a seemingly innocuous email, social media message or text with an attachment or link that has the exploit code embedded in it. This is commonly called a 'lure file', its purpose being to entice a human being into clicking on it by whatever means possible.
This is where the research on employees the hackers have gathered can become especially useful. All those hours of them scrolling through your social media can pay off by allowing them to construct a psychological profile of you to help make the lure file more attractive, using the victim’s favourite hobbies or current situation against them.
This is why it’s especially important for organisations and their employees to be more aware of information about them that may exist in cyberspace, be it by their own hand or previously stolen by others and sold on the dark web.
Other popular threat actor delivery tactics can include:
- Using a USB thumb drive, for example, if they have direct access, either because a device is publicly accessible when it shouldn’t be or because they have recruited insiders.
- Using a website with malicious exploit code embedded in the page, which throws it at you when you visit it.
- Taking advantage of an unpatched web server to brute force their way through into your network.
Exploitation and Installation
The express purpose of the exploit code is to gain access to your system, leveraging protocols and their vulnerabilities. The code is executed once the delivery process is successful, such as an employee opening the attachment or clicking on a malicious link, allowing a secret connection between the threat actor’s infrastructure and the victim’s device to be established.
Once the hacker has access to your system, they will discreetly install malware. This is a program that allows them to traverse and further maliciously affect your computer and network. Think of it as their car on your motorway that they can instruct remotely.
Command and Control
In order to achieve their goals, threat actors need to be able to direct their malware, utilising the illicit, secret connection they’ve made to your network to perform the tasks they want and artfully avoid detection.
One of the main points of hacking is to remain undetected for as long as possible as you work your way through a victim’s network, stealing or damaging or encrypting data. A hacker’s efforts may be made null and void if their malware steps on the toes of an antivirus or raises alarm with a concerned Systems Admin too soon.
Hackers utilise a variety of ways in order to hide their presence and maintain that lifeline they have to your system. They’ll protect themselves and their connection in a number of ways, such as:
- They’ll use encryption and even off-the-shelf or custom techniques
- They try to blend in, for example by using common internet ports such as 443 and 80 to hide among ordinary internet traffic. This can trick a System Admin into believing they’re just one of many of their customers traversing the web.
- Another way to blend in is to relay commands through common web services like social media, to make it seem like this extra traffic is simply employees checking their Twitter or Facebook. One infamous example of this is when the APT group Turla embedded a Command and Control Centre in the comments of Britney Spears’ Instagram back in 2017 to instruct their malware.
- Another thing they do is redirect their communications through proxies to avoid attribution. They can use established, off-the-shelf proxies, like The Onion Router (Tor) for example, or they can create proxies from other compromised systems and from cloud virtual machines, depending on their time and resources.
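Traffic that hides on ports 443 and 80 still tends to give itself away by its timing, because malware checking in for commands is far more regular than a person browsing. The following detection sketch is an added example, not part of the original article; the log format, addresses, hostnames and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines: "<epoch seconds> <client> <destination> <port>".
SAMPLE_LOG = """\
1000 10.0.0.5 sync.example.net 443
1012 10.0.0.7 news.example.org 443
1020 10.0.0.7 news.example.org 443
1025 10.0.0.7 news.example.org 443
1301 10.0.0.5 sync.example.net 443
1599 10.0.0.5 sync.example.net 443
1700 10.0.0.7 mail.example.com 443
1900 10.0.0.7 news.example.org 443
1902 10.0.0.5 sync.example.net 443
1904 10.0.0.7 news.example.org 443
2200 10.0.0.5 sync.example.net 443
2300 10.0.0.7 mail.example.com 443
2499 10.0.0.5 sync.example.net 443
2600 10.0.0.7 news.example.org 443
"""

def find_beacons(log_text, min_events=5, max_jitter=0.1):
    """Return (client, destination, mean interval) for flows whose request
    timing is too regular to be a person browsing."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] not in ("80", "443"):
            continue  # skip malformed lines and non-web ports
        times[(fields[1], fields[2])].append(int(fields[0]))

    suspects = []
    for (client, dest), stamps in sorted(times.items()):
        if len(stamps) < min_events:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: spread of the gaps relative to their mean.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects.append((client, dest, round(avg, 1)))
    return suspects

if __name__ == "__main__":
    for client, dest, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: one request about every {interval}s")
```

Legitimate updaters and telemetry agents also poll on a timer, so each hit needs checking against known-good destinations before it is escalated.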
Actions on Target
Finally, it is important to remember that the hacker, the threat actor, is always trying to achieve something. The type of damage a threat actor can do can often be boiled down to affecting the Confidentiality, the Integrity and/or the Availability (CIA) of your business and services. It can also include fraud.
Their goals can include:
- Encrypting your critical files to halt your operation, which is common in ransomware cases where they’ll demand ransom in exchange for decryption. This makes it even more important to have your important assets like operation files backed up and protected.
- Stealing a service or product without paying for it. This can be especially disastrous for an E-Commerce site with expensive, possibly irreplaceable products being sold.
- Compromising your customers’ confidentiality and selling their data on the dark web.
- Taking down the availability of your services, both externally with DDoS attacks on websites and internally, if they’re in the system, with attacks like resetting a router to factory settings.
- Defacing the company website or social media in order to either promote their message or malign public profiles.
Understanding what hackers may hope to gain is important for a general idea of where they’ll be heading and what you need to protect.
What can you do about hackers?
It’s important that your company has an IT Consultant to keep you evolving and surviving in cyberspace as opposed to lagging behind. Your software and operating systems in general need to be patched up-to-date with the latest security measures and you need to be as reasonably aware of your vulnerabilities as possible in order to combat them.
Securiwiser can help you evaluate your company’s cybersecurity posture and give it a cubit score, while flagging up vulnerabilities with your ports, networks and applications and much, much more. Sign up for your free trial today.