A Hacker's Playbook - The basic strategy of cyber criminals
Without a basic understanding of cyber adversaries and their mechanics, utility networks run the risk of aimlessly applying security measures rather than effectively addressing the most vulnerable areas of their networks. An attacker’s process of compromising a system involves information gathering, exploitation, privilege escalation, and post-exploitation activities.
These are the most common types of attacks as they generally yield the most success for hackers. A hacker will scour the internet looking for devices offering services with known and easily exploitable vulnerabilities. Since there’s an abundance of internet connected devices, there is also abundance of low hanging fruit. A hacker’s process of discovery and information gathering can be automated through software or websites like shodan.io can be used to make searching for vulnerable devices easier.
Once vulnerable devices are found and exploited, hackers will often leverage their control over a great number of devices to create a botnet, or a zombie horde of affected systems, to launch denial of service attacks on higher profile targets, run advertisement scams by selling ad space and generating phony traffic, work to spread amongst more devices, or a number of other possibilities.
Avoiding this sort of attack is relatively simple, update regularly, set good passwords, don’t leave unnecessary services exposed on the public internet. Basically, don’t be a low hanging fruit! Hackers are looking for quick and easy opportunities in this situation.
Targeted attacks are far less common than automated attacks but can carry a greater risk. Rather than sloppily sweeping the internet for vulnerable systems, a hacker picks a specific person, organization, or company and attempts to cause them problems. Their motivations could be rooted in monetary gains, political or social views, or just in the interest of having fun.
Targeted attacks begin with information gathering using search engines and simple reconnaissance tools to discover domains, subdomains, and their corresponding IP addresses relating to an organization. Once the attacker has identified a target, they will begin gathering information through port scanning to search for known vulnerabilities in services that the network owner has either failed to update, deprecate, or properly configure. The attacker may find publicly available exploit code. Offensive Security maintains an extensive exploit database. If the attacker’s information gathering has led them to a known vulnerability, they will move on to exploitation.
A highly skilled hacker may find and exploit what’s called a zero-day vulnerability, or a new vulnerability that is unknown to others in the software community. Exploitation will begin with searching through publicly accessible databases in search of exploit code that matches the identified vulnerability. In many cases the matching exploit code will be used to achieve remote code execution on the target. In the hacking world, remote code execution is the whole ball game. At this point the attacker will have a foothold on the remote machine as well as in the internal network it’s connected to and may choose to move on to privilege escalation.
Privilege escalation is the process of elevating the capabilities of the attacker’s current user on the remote system. Many initial exploit attempts result in limited access to the remote system that lacks complete control over the system. Often an attacker can leverage vulnerabilities of the operating system to gain the capabilities of an Administrator(Windows) or root(Linux) user.
Whether the privilege escalation portion of the attack was successful or not, the attacker will proceed with post-exploitation activities that can involve a wide range of attacks. The attacker may enumerate the rest of the devices on the internal network and exploit their corresponding vulnerabilities, they may perform man-in-the-middle attacks to intercept any sensitive, unencrypted information that’s shared on the network, or they may proceed to manipulate or disrupt services.
Hopefully an understanding of basic hacking techniques will serve to demystify the process of attacking internet connected devices in order to provide utility networks with an awareness that can aid in implementing effective security measures. Enforcing encrypted protocols, strong passwords, and frequent updates can go a long way to protect critical devices.