The Five Phases of a Hack - Maintaining Access

Even a small business can be marked hacking. Big name companies certainly have a bigger target on their back, but users of managed services in Ottawa (which tend not to be tech giants) are at risk too. Ottawa IT companies
will help clients learn, and understand the damage a hack can do to their reputation, assets and ultimately their viability.

It's worked. The hacker now has unauthorised, free reign over their target system. Although (after the mandatory victory dance) they still have a lot of work to do. They have to maintain their access to the system. What is the point of gaining access to a system if you don't want to maintain it and exfiltrate data? How does simply getting access achieve their objective? How can they prove to others within the hacking community that they pulled it off?

Maintaing access is as easy as executing applications on the target. These applications vary in their uses, but installation of backdoors, keyloggers, and command-and-control channels are seen more often than not. Why are these types of software so dangerous to an organisation?
Here's a brief explanation of what each of these types of software, to give a deeper understanding of how damaging these applications can be.

Backdoors: A backdoor, bypasses security mechanisms and provides a hacker remote access to a system, allowing the hacker to do whatever they please whenever they please. Backdoors can be very difficult to detect as they are most apparent when the hacker is using them. Even then they might tunnel the communication through another protocol such as DNS or ICMP, to make their comminication even more stealthy. Backdoors can exist in many ways. Some maybe be hard-coded into the software by the developer, network or systems administrators may include them for troubleshooting and recovery, and the hacker may install applications themselves which provide a backdoor.

Keyloggers: Keyloggers are technologies that log keystrokes on a system. They can be used to exfiltrate many types of data, such as login credentials, bank account/credit card details, and other forms of sensitive data. They can come in either hardware or software forms. They can be programmed to collect and save the logged keystrokes in a file that can be sent to the attacker after office hours, or sent through the internet to the hackers devices as the keys are typed. Keylogging activity can be hard to detect, and as with backdoors, traffic can be tunneled through other protocols to avoid raising suspicions..

Commmand and control channels: A Command and control (C&C) channel, is a channel of communication between a hacker's server and one or more compromised systems that is used to issue commands for nefarious purposes. After a hacker has gained access to your system they might want to use it for other malicious activities against other targets, turning your device in to a bot for their own means. The target system might now be a part of a botnet to perform Distributed Denial of Service's (DDoS) against another target, or used to download more malware for further malicious actions on the network. Customers of network support providers in Ottawa should query their IT service provider about suspected C&C channels through analysing network data and statistics fofr anomalous behaviour, such as large volumes of DNS and ICMP traffic.

At this stage in the hack the only thing that can be done would be through the incident response team. Analysing logs, detecting the hacker's presence on the system and network, performing digital forensics and remediating any repairable damage caused by the breach would be their main objectives. This is where documents such as blue team playbooks and incident response plans come in to action. Back-ups will be needed to restore the system to a clean-state and notification of the breach to necessary parties will be performed. The organisation will need to perform an investigation in to the events surrounding the breach and draw from the conclusions of the investigation what lessons need to be learned. For Ottawa small businesses, a qualified tech support provider shoudl be of great assistance in maintaining a secure IT environment.

<< Previous Five Phases of a Hack article Next Five Phases of a Hack article >>

Contact Firewall Technical:

Ottawa IT Support