The Five Phases of a Hack - Covering tracks.

Business owners and managers in Ottawa might be surprised to learn that the average data breach costs a company approximately US$3.62 million, and the average cost per record breached is US$225. That is a staggering amount, and it does not even cover the losses incurred in the months after the breach. Using a high-quality computer services provider in Ottawa does not completely neutralise the chance of problems arising, but having the support of dedicated Ottawa tech support professionals certainly helps.

The hacker has achieved their objective: the target system or network has been owned and all the desired software has been installed, but they are not finished just yet. They need to erase and hide the evidence of what they have done. This means deleting logs and hiding files and processes. This step is in some ways an extension of the maintaining-access phase, since covering tracks helps avoid detection, which in turn helps maintain access.

Obviously, a clever hacker would have disabled auditing during the gaining-access phase, as soon as they had escalated their privileges to a level where they could do so. Their attempts at cracking passwords would certainly have generated log entries if the network administrator had set up account login logging, and their probing of the network and services during the scanning phase probably generated log entries too. Let's not forget the malware the hacker installed to maintain their access. So how does the hacker delete these logs and hide their files?

Deleting logs: Deleting logs is a relatively straightforward process. A hacker uses one of numerous programs, such as CCleaner, to remove the individual log entries relating to their presence. The reason a hacker would not delete log entries en masse is that an absence of log entries is as suspicious as unexpected log entries.
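The defender's counterpart to selective log deletion is checking the log for what is missing. The following Python script is an added example, not part of the original article: it parses a constructed flat export of an event log whose records carry a sequential RecordID (an assumed format) and reports any gaps, which in a log exported in order point to records that were removed.

```python
"""Find gaps in sequential event-record IDs, a sign that individual
log entries were removed.  Added illustration; not the article's code."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a flat export of an event log in which every
# record carries a monotonically increasing RecordID.  Two runs of
# records (1004-1006 and 1009-1011) are deliberately absent.
SAMPLE_LOG = """\
RecordID=1001 Time=2024-03-01T08:00:01 Event=4624 User=alice
RecordID=1002 Time=2024-03-01T08:00:05 Event=4624 User=bob
RecordID=1003 Time=2024-03-01T08:01:12 Event=4672 User=bob
RecordID=1007 Time=2024-03-01T08:09:40 Event=4624 User=carol
RecordID=1008 Time=2024-03-01T08:10:02 Event=4634 User=alice
RecordID=1012 Time=2024-03-01T08:30:00 Event=4624 User=dave
"""

RECORD_RE = re.compile(r"RecordID=(\d+)")


def parse_record_ids(text: str) -> List[int]:
    """Extract the RecordID of every line that carries one, in file order."""
    ids = []
    for line in text.splitlines():
        match = RECORD_RE.search(line)
        if match:
            ids.append(int(match.group(1)))
    return ids


def find_gaps(ids: List[int]) -> List[Tuple[int, int]]:
    """Return (first_missing, last_missing) for every hole between
    consecutive IDs.  An in-order export of an untouched log has none."""
    gaps = []
    for prev, cur in zip(ids, ids[1:]):
        if cur - prev > 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


def is_monotonic(ids: List[int]) -> bool:
    """IDs that go backwards mean the export was reordered or spliced."""
    return all(b > a for a, b in zip(ids, ids[1:]))


def audit(text: str) -> Dict[str, object]:
    """Summarise how many records are present, which ranges are missing,
    and whether the export looks tampered with."""
    ids = parse_record_ids(text)
    gaps = find_gaps(ids)
    missing = sum(hi - lo + 1 for lo, hi in gaps)
    return {
        "records": len(ids),
        "gaps": gaps,
        "missing": missing,
        "monotonic": is_monotonic(ids),
        "suspicious": bool(gaps) or not is_monotonic(ids),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A gap is only evidence once the log's own retention behaviour has been ruled out: a log that wrapped or was cleared by an administrator also starts at a high ID. The check is therefore most useful on logs that are shipped continuously to a separate collector the attacker cannot edit, where the collector's copy can be compared with what remains on the host.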

Hiding files: There are many ways to hide files. One is setting the hidden attribute in a file's Properties dialog, although files hidden this way are easily detectable. There is also steganography, where a hacker hides a file within another file such as an image or audio file; this is much harder to detect than a simple hidden file. Microsoft NTFS has a built-in steganography-like feature called Alternate Data Streams, and files hidden this way can be very hard to detect without software such as Tripwire or LNS.

Hiding malicious processes: Finding malicious processes that run under the name of a genuine OS process can be quite tricky, as odd behaviour of a device usually has to be reported by a user before the IT department starts monitoring system processes. In the Task Manager or System Monitor screen a malicious process can be quite easy to spot, since it is usually consuming a disproportionate amount of resources under the name of a genuine OS process. Tunnelling malicious activity through an often-overlooked protocol such as DNS or ICMP has become a favourite of hackers for exfiltrating data over the past few years. Unless a security analyst actively reviews the collected data for these protocols, it can be difficult to tell whether tunnelling is occurring. The usual indicators of tunnelling are large volumes of ICMP messages, DNS queries and zone transfers.
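The following Python script is an added example, not the article's own material. It shows the kind of review a security analyst would run over collected DNS query logs: queries are grouped by an approximate registered domain and each domain is scored on the volume indicator named above plus three that go with it in practice, the number of distinct subdomains and the length and entropy of the subdomain labels. The query records, the domain names and the thresholds are all constructed assumptions.

```python
"""Score DNS query logs for tunnelling indicators.  Added illustration;
not code from the article.  Thresholds are assumptions for the sample."""
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: (client_ip, query_type, query_name).
# Ordinary lookups first, followed by many long, high-entropy TXT lookups
# that mimic data chunks encoded into subdomain labels.
SAMPLE_QUERIES: List[Tuple[str, str, str]] = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.7", "A", "api.example.com"),
    ("10.0.0.7", "A", "cdn.example.com"),
    ("10.0.0.7", "MX", "example.com"),
    ("10.0.0.9", "TXT", "_dmarc.example.com"),
]
# Constructed stand-in for encoded chunks: SHA-256 hex prefixes as labels
# under a reserved .test domain (tunnel.test is a made-up name).
for i in range(12):
    chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
    SAMPLE_QUERIES.append(("10.0.0.9", "TXT", f"{chunk}.tunnel.test"))


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores high, words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Split a query name into (subdomain, registered domain).  The last two
    labels approximate the registered domain; a public-suffix list would be
    used against real data."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse(queries, min_unique=5, min_len=20.0, min_entropy=3.0) -> Dict[str, dict]:
    """Per registered domain: volume, distinct subdomains, mean label length,
    mean entropy, TXT fraction and the clients involved; flag a domain when
    it has many distinct, long, high-entropy subdomains at once."""
    subs = defaultdict(list)
    txt = Counter()
    clients = defaultdict(set)
    for client, qtype, qname in queries:
        sub, dom = split_name(qname)
        subs[dom].append(sub)
        if qtype.upper() == "TXT":
            txt[dom] += 1
        clients[dom].add(client)

    report = {}
    for dom, sub_list in subs.items():
        uniq = set(sub_list)
        mean_len = sum(len(s) for s in sub_list) / len(sub_list)
        mean_ent = sum(shannon_entropy(s) for s in sub_list) / len(sub_list)
        report[dom] = {
            "queries": len(sub_list),
            "unique_subdomains": len(uniq),
            "mean_subdomain_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "txt_fraction": round(txt[dom] / len(sub_list), 2),
            "clients": sorted(clients[dom]),
            "suspicious": (len(uniq) >= min_unique
                           and mean_len >= min_len
                           and mean_ent >= min_entropy),
        }
    return report


def flagged_domains(queries) -> List[str]:
    """Domains whose query pattern meets all tunnelling thresholds."""
    return sorted(d for d, r in analyse(queries).items() if r["suspicious"])


if __name__ == "__main__":
    for dom, row in analyse(SAMPLE_QUERIES).items():
        print(dom, row)
    print("flagged:", flagged_domains(SAMPLE_QUERIES))
```

Against real resolver logs the thresholds need a baseline, because content delivery networks, anti-virus telemetry and some mail-security products legitimately issue large numbers of long, machine-generated lookups; scoring per client over a time window, and allow-listing those services, keeps the alert rate workable.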

As well as helping to maintain access, a hacker covering their tracks acts as an anti-incident-response and anti-forensics mechanism, allowing the hacker to try the hack again if necessary. The organisation will learn no lessons from the breach, and will be less likely to press charges against the individuals responsible or to have evidence to present in court. Because of these measures taken by a hacker, detection times can run into months.

If you are an Ottawa business and your managed services provider thinks you are immune to a hack, it's time to think again, and perhaps to get an audit from another IT consulting company. As John Chambers, former CEO of Cisco, put it: "There are two types of companies: those that have been hacked, and those who don't know they have been hacked."

Contact Firewall Technical:

Ottawa IT Support