Introduction - Part 1 - Part 2 - Part 3 - Conclusions
Part 3: The Lifecycle of a Hack
When John McAfee suggests that Anti-virus type solutions, and the security model employed today, is reactive and inadequate, what does he mean? Why is this important? In Part 3 of this series we’ll dissect the lifecycle of a hacking incident and understand each stage and transition. In doing so, we will be in a better position to understand why the current solutions are not optimal. Along the way we’ll also get another glimpse of why cybersecurity does not get the attention and consideration that it should in our society.
The graphic below illustrates the relative position of important milestones in the lifecycle of a hack. There are many different ways that computers can be compromised, from actual virus infection all the way over to pure social-engineering exploits, but they all roughly follow this lifecycle. And because we are dealing with computers, some of these milestones are often achieved in an automated or semi-automated fashion.
Each stage in the process has implications for our data and our lives, and differing levels of exposure for the potential hacker. Let’s take a look at each milestone in the process.
The genesis of any hacking exploit is the point at which data is created and stored by a user on a computer or network. This may seem initially to be stating the obvious - physics – but as we saw in Part 1 of this series, data is increasingly life itself. In other words, this is no longer a conscious decision we make; it is a decision that is made for us. Merely existing in this world is enough to qualify at least portions of information about your life to be subject to hacking, theft and exploitation. And the more each of us does with technology individually, the more devices we introduce into our spaces, and the more information we convert into data, the greater the risk and the larger the threat surface.
Before a hacker can exploit your data, it must be identified as a target. In other words, your data must register on their radar as a target. Many of the processes used for identification are automated, and you become a target simply by being part of a class of users. This is largely defined by the platforms and protocols we use, both as the result of our direct choices or choices made by the the services we use. For example, if you still use Windows XP you are probably a target not because of who you are or because of the value of your data, but because hackers and malware exploits actively seek out the signatures of someone using that vulnerable platform.
In other cases the targeting is much more manual and specific. Social engineering hackers, for example, will scour the deep and dark web for information about companies that show them to be more vulnerable than others. They target companies because companies typically store the data of many users, not just one. A successful exploit will have a much greater yield for a similar amount of effort.
We can decrease our vulnerability to being identified by using secure platforms and services, but the latter is much more difficult than the former. If you’re like most Americans, you visit the doctor at least once a year. What do you know about his or her cybersecurity practices? How about the organizations they share data with? And what about all of the other entities that you do business with? In most cases, you don’t even have enough information to make an informed decision, let alone the right one.
Once a potential target is identified, it must be investigated. In other words, the hacker or malware must find a way in. For the case of a personal computer, this is a relatively quick process that involves testing for different vulnerabilities in the software to use as a vector for the malware. For a complex corporate network defended by an IT staff, this is more often a lengthy process of testing different service requests and ports, trying to find a weak spot.
During the identification phase, nothing is being hacked or stolen. Taken individually, each request made of the target computer or network will most likely appear to be an innocuous, if erroneous, request. None would raise an alarm, and there is nothing that would flag a signature-based Anti-virus system that something was wrong. Under the modern security paradigm little can be done to identify or thwart the attack at this stage.
Once a way in is found, the attacker must infiltrate the network. This is what many people consider the first stage in hacking, even though it should be clear by now that it is actually the fourth. Here the malware is planted, or social-engineering is employed to secure unauthorized password access to systems and networks. The computer or network, now compromised, will share its data, our data, with people that are not supposed to have access.
This is also the first point at which signature-based Anti-virus has any chance at all of spotting the threat. But this is by no means a guarantee, and very often is not the case. For if the malware or virus being used has not been caught and documented yet, the signature won’t match the database and no flag is raised.
Heuristic scanners will increase the chances of spotting an unknown exploit, but these too have their limitations. For one, most people would not consent to using 100% of their CPU power to scan data heuristically. Even at that pace, there are still limits on the amount of scanning that could be employed. There are simply too many possible combinations of malicious code and exploitable bugs.
From the enterprise perspective, there is often no malware to even spot. For most enterprise hacks the exploit is the social-engineering capture of passwords, granting one the ability to appear to be an authorized user on the network. So again, the investment of millions of dollars into Anti-virus solutions may help people sleep better, but is of little actual benefit these days.
Once the wedge is in the door, so to speak, exploitation can begin. The usual form that this exploitation takes is the mass export of the data present and flowing in and out of the computer or network that has been compromised. Files are mass downloaded, databases are copied, and traffic is intercepted and recorded.
In many hacks against individuals, as opposed to enterprise networks, the benefit sought is not the data existing on or passing through that person's computer. Instead, the hacker will seek to convert that computer into a zombie node controlled by the hacker. This then becomes part of the toolset for hacking more sophisticated targets. A cluster of computers compromised in this way can be used to bring down another computer or network by generating millions of bogus requests all at once, or to brute-force password access to other networks.
Regardless of what form the exploit takes, there are patterns associated with the activities required. Spotting these patterns is well beyond the purview of Anti-virus software, and very few existing security solutions even attempt to address it. Stopping or preventing exploitation in most cases still depends on spotting the infiltration successfully. In the worst cases, this could take weeks, months or even years.
Once spotted, the usual result is termination. Sometimes a threat can self-terminate, or be abandoned after the damage is done, without ever having been discovered. In the case of social engineering exploits, perhaps everything of value has been taken, or an administrator noticed some suspicious activity in the log files. Regardless, the termination point is the point at which the window for exploitation closes.
What also terminates is the real world ability for forensics. Once a hack has been terminated, either by the attacker or by defense mechanisms, it becomes difficult and in some cases impossible to gather an information that would help identify the attacker and perhaps even bring them to justice of some variety. What we as individuals gain in immediate security, society collectively loses as the perpetrator remains at large to benefit from their crimes and to attack others.
Despite the fact that the computer or network under attack can no longer be actively mined for data or used as a zombie in a botnet attack, it is another common misconception that the hack is over at this point. The truth cannot be any more strikingly to the contrary: the entire reason hacking is a problem hasn’t even occurred yet.
For the final stage an any hack is the set of consequences attached to the incident. This is meaningful not only from the perspective of the computer owner – it affects many other people. There is the person that, according to the definition given in Part 1 of this series, actually owns the data. Then there are the consequences, positive or negative, for the hacker. Taken together, this is the least understood and studied stage in the lifecycle but, as indicated in the graphic, the most enduring and the most threatening.
There are many ways our data can be used against us in the real world, so many that it would take a large volume to attempt, probably unsuccessfully, to list them all. An obvious one that happens very often is the theft of money by unauthorized account access gained by using information stolen from computers. This costs people millions of dollars collectively each year. So why isn’t this more of an issue?
One problem is that the link is usually never made in the minds of individuals. A news story may report on the successful hacking of a large organization, but nothing has happened by that time for them to report as a consequence. The money is stolen later, and reported as a separate breach that “may” be linked to the original incident, at best. Victims of identity theft may get a special interest story in the local or regional paper, but they are not lined up and reported on in conjunction with the theft of social security numbers that occurs semi-regularly. The organizations responsible for losing the information never feel the pressure of these losses. They just provide a year of credit counseling, whatever that is, and call it a day, writing off the loss. The lack of adequate investment into cybersecurity measures in many of these organizations, even after a breach, is evidence of this.
And what of the hackers? What consequences to they face for their actions. In most cases this will come down to catching them in the act, or compiling forensic data to identify them and build a case. While hackers do sometimes get caught, they are often also clever people and groups, and so usually are not caught. Why? Because our security professionals were so busy reacting to the threat once they spotted it that they didn’t have time or attention, or tools in place, to collect the necessary forensic data.
If society as a whole is to turn the tables on black-hat hackers it will require two conditions. The first is a heightened awareness of the problem, and why it is important. The second is a shift to a proactive stance in cybersecurity. MGT seeks to lead the way on both fronts, and progress is already being made on the first front as you digest and consider this series of articles.