HOW DO COMPANIES GET HACKED?
Every day we see breaches, hacks, stolen databases, stolen logins, stolen credit card information, ransomware, scams, etc., but how do all these happen? Basically, at some point in time, someone (a cybercriminal) manages to get access to information he or she is not supposed to have, and uses that information in ways that cause direct and collateral damage, usually of a financial nature.
So how do they do it?
HOW DOES A HACKER GO ABOUT HACKING A COMPANY?
The first step they will take is called reconnaissance.
During the reconnaissance process, the hacker would try to find out what type of operating system the target is using, what type of applications they are running, what type of security defenses they have in place etc. The research process would usually be done online, as the hackers would try to keep a very low profile.
There are two main types of reconnaissance activity: passive recon, and active recon.
Passive recon is where a hacker gathers information without actually interacting with any of the target’s computer systems. They can use information that is publicly available, they can find old hard drives that were not properly disposed of, etc. Passive recon can take a while and be tedious, but on the upside, it can be very hard for companies to detect and fight because there is nothing out of the ordinary to detect. In case of a breach, it can be nearly impossible for cyber-investigators to put the puzzle together. It is very hard to defend against this type of recon because there is no warning that an attack is being planned.
Active recon is when a hacker interacts directly with the company’s systems. Hackers can get information about their target very quickly using this method, but it also makes them more vulnerable to being discovered, as this method is easier to detect. Many companies have specialized software that can detect strange machines on their network, suspicious activity and commands being sent over the network, etc., and the software is instructed to respond immediately and take action, like blocking specific IPs or quarantining certain devices or applications. During active recon, many hackers try to find which ports are open on each network host, and then try to use those ports to send code that attacks the machines on the network. Once a port is found to be open, the hacker can determine what type of hardware the company is using, what firmware version it runs and even what type of OS is installed.
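As an added example that is not from the original article, this is the kind of check the detection software mentioned above performs: a small Python port-scan detector run over a constructed firewall log (the sample records, the 60-second window and the 10-port threshold are assumptions chosen for illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (not real traffic): timestamp, source IP,
# destination IP, destination port, firewall action.
SAMPLE_LOG = """\
2024-01-15T10:00:01 198.51.100.7 192.0.2.10 21 DROP
2024-01-15T10:00:01 198.51.100.7 192.0.2.10 22 DROP
2024-01-15T10:00:02 198.51.100.7 192.0.2.10 23 DROP
2024-01-15T10:00:02 198.51.100.7 192.0.2.10 80 ALLOW
2024-01-15T10:00:03 198.51.100.7 192.0.2.10 443 ALLOW
2024-01-15T10:00:03 198.51.100.7 192.0.2.10 445 DROP
2024-01-15T10:00:04 198.51.100.7 192.0.2.10 1433 DROP
2024-01-15T10:00:04 198.51.100.7 192.0.2.10 3306 DROP
2024-01-15T10:00:05 198.51.100.7 192.0.2.10 3389 DROP
2024-01-15T10:00:05 198.51.100.7 192.0.2.10 8080 DROP
2024-01-15T10:00:30 203.0.113.5 192.0.2.10 443 ALLOW
2024-01-15T10:05:00 203.0.113.5 192.0.2.10 80 ALLOW
"""

def parse_log(text):
    """Parse one record per line into (time, src, dst, port, action) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, action = line.split()
            records.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return records

def detect_port_scans(records, window=timedelta(seconds=60), threshold=10):
    """Flag a source that probes at least `threshold` distinct ports on one
    host inside a sliding time `window`. Dropped and allowed attempts both
    count: a scanner learns from either. Returns {(src, dst): ports_seen}."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in sorted(records):
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, probes in by_pair.items():
        start = 0
        for end in range(len(probes)):
            # Slide the window start forward until it is within `window` of probe `end`.
            while probes[end][0] - probes[start][0] > window:
                start += 1
            ports = {port for _, port in probes[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts
```

A real deployment would feed the detector from the firewall's syslog stream and hand each alert to the blocking or quarantine action the article describes; the threshold must be tuned so that legitimate multi-port clients (monitoring systems, vulnerability scanners run by the company itself) are allow-listed rather than blocked.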
Having a firewall is the norm nowadays, but cyber-threats are not directed only at the network. Once all this information is acquired, the hacker will make a list of the software and hardware the target is running, check the versions and which known and unknown vulnerabilities exist for those devices and software versions, and try to test those exploits to get onto the network. Usually, this task is not done manually but automatically, by specialized software. To be clear: when people find ways to exploit an operating system or a piece of software, that exploit is usually published online. The company that makes the OS or the software will then try to patch that specific vulnerability. That is why, for the longest time, Microsoft has had “Patch Tuesday”, when it regularly deploys security patches for specific Windows vulnerabilities. Many companies do not patch immediately or do not patch on a regular basis, and even if they did, they could not protect themselves from zero-day exploits, which are new, have not been made public and have no security patches yet. Often, cyber-attacks are directed straight at the websites of the targeted companies, not necessarily at what we, the users, see on the surface, but at the back-end mechanisms of those websites, the databases, etc. Many hackers use crawlers, which are programs that automatically map out a site.
Once reconnaissance is done, they start to infiltrate. Usually, they check what type of information they can have access to, how they can get access to critical systems and how they can get administrator logins. Many times, once he’s in, a hacker would actually strengthen the security to make sure the target does not get breached by someone else the same way. The hacker’s moves on the network are so smooth that most detection programs do not catch the movements made. His interest is to stay hidden and not raise any red flags until the moment is right.
Many cybercriminals or BlackHats use social engineering tactics as well to get access to a company's systems. As most companies do not have mandatory cybersecurity awareness training, BlackHats can easily deceive employees, business partners and C-level executives with specially crafted phishing emails, social engineering techniques or even blackmail, to get what they need. Over 60% of all breaches and cybersecurity incidents are caused by an employee's error or by malicious intent from current and former employees against the company's data. Unfortunately, a company's IT security strategy is only as strong as its weakest link, which is the employee.
Once they have managed to get all the information they needed (admin credentials, sensitive information, credit card data, whatever they could get), they will decide what to do with it. They could just enroll the machines in a botnet and use the network for a coordinated DDoS attack, or they could mine bitcoins with the victim’s resources, all in the background without the victim even knowing they were breached. The hacker can also take very drastic measures like encrypting all data, deleting backups, changing Active Directory credentials, taking over the email server and demanding a Bitcoin ransom. They can silently extract data and resell it to the highest bidder, or just make it available to the public, depending on the motivation behind the hack. High-profile breaches are usually done by teams of hackers, not individuals, and they require a lot of time to prepare and execute. The main problem we find today is the one small and medium businesses are facing, especially when it comes to ransomware.
We will use a real case of a breach where the hackers encrypted the company’s data and requested a ransom for it. The company had no other choice but to pay to get its data back. The IT manager of that company came to r/sysadmin on Reddit to get help and ideas on how to mitigate the breach. Some advised him to polish his CV.
Below are the original links. I suggest, just out of curiosity, reading the comments; some of them are pretty interesting.
Initial thread
Aftermath thread
Always remember, a good IT security strategy starts with prevention, continues with protection and is followed by a good disaster recovery strategy and a well-established incident response plan. Maybe a cyber-attack cannot be 100% averted, but it can surely be contained, its effects mitigated and kept under control.
About the author:
Ioan Hipp is not a mathematical genius, a world-renowned expert or a prominent figure in the cybersecurity industry. He is just a person passionate about the new cyber world that our IoT is developing into, a storyteller and a contributor to a better society.