The hacker knows your machine better than
you ever will and wants to get their hands on your intellectual
property, at any cost. It's all about staging the attack and knowing
when and whom to target. PHILIP PIETERSE, Senior Security Consultant at
Trustwave in South Africa, explains the rules of hacker engagement.
With a little bit of research, some crafty writing and
the right technology, cyber criminals make a good living running
targeted virtual attacks to steal corporate and government data.
In a new e-book, Inside a Hacker's Playbook,
Trustwave cyber security experts give us an inside look at how the bad
guys can get their hands on valuable data and maybe even hit the jackpot
with the target’s most important intellectual property. Highlights
from the e-book include:
1. Stage your attack
Cyber criminals spend a lot of time researching their
target as they dig for information. Then, they use that info to find the
right employee to “spearphish” – once the bait’s taken they have access
to the corporate network where they can use that employee’s PC to
spread malware, infect different connections, and install more tools to
steal and exfiltrate data.
2. Specialise and outsource
It’s not what you know, it’s who you know.
Cyber criminals can put together their own little group of specialists
who work together to hack and scam vulnerable people. The top 5 common
specialities named by the FBI include Coders (write malware), Vendors
(trade and sell stolen data), Criminal IT Guys (maintain criminal IT
infrastructure like servers and bullet-proof ISPs), Hackers and
Fraudsters.
3. Scale the attack
Once they’ve put together their A-team, they are ready to
milk each vulnerability dry. Say for example they bought an exploit kit
for a new vulnerability in a company’s retail Point Of Sale (POS)
system. They can then use that kit to work on other POS systems at other
franchises of the same brand. They can steal ten times the data but
only really do the work once.
4. Play the player, not the game
There’s a good chance that the target’s employees will be
oh-so-helpful without even knowing it. The phone rings, you pick up the
phone, and the voice on the other end says, “Hi, it’s Johann from IT –
we’re just doing an upgrade, can I have your username and password
please?” Cyber criminals can also use “social engineering” techniques,
whereby they put on a uniform, clutch a bunch of flowers, and watch the
corporate doors open.
5. Get social for better recon
Employees often give away a lot of corporate info on their
social media platforms such as Facebook and Twitter. Not only can cyber
criminals figure out where you went to school, when your birthday is,
and your mother’s maiden name, but there’s also a good chance they can
find out where you work, who your boss is, big projects coming up, etc.
All this info can be valuable hints at passwords and system challenges.
Even if cyber criminals know that you like knitting, they can send
malicious emails to your work address with “free patterns” and once you
click on the link, they’re in…
6. Probe for every weakness
Why break a window when you’ve got the key for the front
door? Cyber criminals look for user credentials at every step of the way
to find clues about the target’s IT infrastructure. This will allow
them to find the right malware kit or custom build something that can
help them pick the proverbial locks.
7. Reinvent old web and email attacks
Say a cyber criminal got his hands on a target’s
organisational chart, and read in the company blog that they’ve just
hired John Smith as the new marketing manager. The criminal can create a
Gmail account under the name of the HR manager, write and send an email
to the whole company with an attachment of John’s salary and benefits.
Employees open “JohnSmithCompensation.xls” and bang – curiosity killed
the network.
8. Think sideways
One open door to a corporate network is good, but of
course more is better. That way, if one intrusion is detected and
malware is eliminated, there are still a few other routes to take
instead.
9. Hide in plain sight
Stealth is the name of the game in these targeted attacks.
Sometimes these cyber criminals can just smash-and-grab, but generally
the most profitable way is to drain the database little by little, over a
long period of time.
10. Take data quietly
Cyber criminals spend a lot of time trying to get into
the network, so they will be patient so as not to blow their cover, and
will quietly and slowly exfiltrate data out of the network. This way,
they won’t set off any alarms.
Targeted attacks are successful because they are stealthy,
specific and disarmingly personal. If they do it right, advanced
attackers can quietly infiltrate a network and steal data or information
over months or even years, and so businesses need to do all they can to
protect themselves against cyber attacks. This could include employee
awareness campaigns, identifying which employees have access to specific
data, protecting data with a multifaceted security approach, managing
devices that have access to the corporate network, regularly reviewing
systems to ensure that proper data capture and reviews are taking place,
and last but not least, understanding what the emerging threat landscape
looks like and continuously updating systems and processes to stay on top
of (and even ahead of) attacks.