Most cyber attacks follow a common scheme made of the following 5 steps:
Let’s go through each of them.
This is the first step of a cyber attack where the attacker collects information about the target; it consists in getting crucial data such as names, credentials, IP addresses, etc. The data are usually gathered through the OSINT (Open Source Intelligence) framework (https://osintframework.com/). OSINT is a set of tools to collect online freely available data.
Nowadays, people post very personal information on social media that can also be collected with perfectly legal tools such as Social-Searcher.com and Maltego Teeth.
During this phase, the malicious actor scans the data gathered in the first step to detect weak spots.
The attacker proceeds with different kinds of scans; the two most common ones are:
- Port scanning: going through open ports to find exposed services. The goal is to draw an overview of the network (Common tool: dnmap)
- Vulnerability scanning: once all machines and ports have been reported, the attacker needs to find vulnerabilities to penetrate the network. (Common tool: nmap)
3. Gaining access
The attacker now decides how to gain access to the target network/system. The goal here is to obtain a basic foothold and not a full control yet.
Phishing attacks are undoubtedly the most common attacks. Indeed, they represent two-thirds of cyber attacks, but there are other frequent attacks such as man-in-the-middle, SQL injections, brute-force attacks, etc. Each attack type has its own very specific tool.
Man in the middle attacks are attacks where the attacker intercepts connections and modifies them to extract data. For example, when you connect to the McDonalds Wi-Fi, the attacker could place himself between you and the router to intercept your connection and steal your bank credentials.
Session hijacking is a type of man-in-the-middle attack where the attacker steals your browser session cookies to connect to your accounts. (Common tools: Ettercap and Hamster)
SQL injection is a way to abuse database queries and get information the hacker should not have access to. (Common tool: sqlmap)
4. Maintaining access
After getting a foothold on the target system, the attacker has to escalate privilege up to the administrator level. It is the only way for the intruder to obtain full control over the system.
Once “owning” the system, the attacker will install a backdoor to have later access it; only at this point the attacker will extract data from the victim. To remain undetected, he can use steganography to hide outgoing data packets. More on this topic in Kundur, & Ahsan, (2003), Practical Internet Steganography: Data Hiding in IP.
5. Covering tracks
Eventually, the attacker wants to clear evidence so as not to get caught; in fact, every action on the machine leaves traces in the form of caches, registries, cookies, logs, etc.
The attacker should remove logs resulting from his activities during the attack; however, deleting all logs is as suspicious as leaving them unchanged: that’s why the attacker needs to sort out his activities and remove only the ones he created. (Common tool: clearlogs.exe).
Another way to cover the tracks is to deliberately spread misinformation by corrupting files and writing fake logs. Yet most forensic tools can detect these unusual behaviours!
In this article, many tools were mentioned, each excelling in their own domain. However, there is a tool called Metasploit with which one can carry out a full attack. Metasploit is a comprehensive framework that is made of modules; each module performs a single task. For example, one can use the module
auxiliary/scanner/portscan/ to scan a network and then
exploits/windows/smb to exploit a vulnerability found. As any “one-fit-all” tool, Metasploit has its limitations and is usually used in the first place to spot obvious flaws
SentinelOne. (2019, July 17). OSINT: What Is It and How Is It Used? https://www.sentinelone.com/blog/what-is-osint-how-is-it-used/
Kali Linux Tools Listing. (n.d.). Kali. https://tools.kali.org/tools-listing
PhishingBox. (2018, September 24). Check Point Research 2018 Security Report Summary. https://www.phishingbox.com/news/phishing-news/check-point-research-2018-security-report-summary
Five Phases of Ethical Hacking. (2020, September 1). ITperfection. https://www.itperfection.com/network-security/five-phases-of-ethical-hacking-clearing-tracks-reconnaissance-scanning-hacker-security-cybersecurity/
Kundur, & Ahsan. (2003). Practical Internet Steganography: Data Hiding in IP. https://www.comm.utoronto.ca/~dkundur/pub_pdfs/KunAhsTXSecWrkshp03.pdf
Offensive Security. (n.d.). Metasploit Unleashed. https://www.offensive-security.com/metasploit-unleashed/