
What Can We Learn from Malicious Hackers?

In this video, we’re going to be going over what we can learn from malicious hackers.
Now, as we learned in the previous video, hackers generally go through a certain series of steps in a very specific order. And this order is called the five phases of hacking. So let’s go over what we can actually learn from this. So understanding the methodology is going to be huge for us. The order of the attacks, how these attacks work, and the type of attacks, all these things are going to help us in order to secure ourselves. So let’s break this down. Understanding the type of scanning that hackers could use, the things that they’re trying to probe our networks for, things like open ports, IP addresses, we could use this to train our users.
And we could also view our network as a bad actor. So in the reconnaissance phase, what type of information are they looking for? Knowing the type of information they’re looking for during the reconnaissance phase can help us identify the type of information hackers are going to be looking for. This gives us an opportunity to try to minimise our exposure. We can begin locking down our information that’s being shared on things like social media, our websites, and whatnot as we tend to leak a lot of information if we’re not careful. We also want to be wary of the type of photos that we share, details on our calendars, and other items that could be used against us.
Now, a prime example of this would be you put a new server room in. You put your new servers in, new network switches, whatnot. You’re really proud, and you post a photo online. Now, a malicious hacker doing reconnaissance, finding that photo, what type of information are they going to get? Well, they’re going to know what type of switches you’re using, what type of servers you’re running, how many servers you’re running, at least in that area there. Things like that are going to actually help the hacker map your network. So you do want to be careful about things like that.
Things like sharing your calendar, if you’re sharing that, well, we’re doing an upgrade on this date, then that can actually help a hacker break into your network, or things like, well, so-and-so is going to be on vacation. A hacker might actually spoof an email, send a spear phishing email out under that person’s account, and try to get more information or access.
Now, the next phase, scanning, we can use the same tools hackers use to scan our own networks to try to find things a malicious hacker would find. In doing these scans, we can also potentially find vulnerabilities that would otherwise be exploited. Now, if we find potential vulnerabilities that come up in a network scan or vulnerability scan, we do want to test those and verify that they actually are real vulnerabilities, and not a false positive. The next step is when we find these things, we want to make sure that we patch, update firmware, whatnot to try to mitigate and prevent a data breach.
Gaining access - so in this phase, a hacker is going to try to actually go out and break into your network. So what we want to do is we want to take a look at the previous steps. We want to follow the previous steps of scanning, identifying, patching, and mitigating, because this is largely going to help stop this particular phase, the gaining access phase. Another important thing is training, another key avenue for a malicious hacker to exploit our users. So unfortunately, we can’t apply a patch to our users like we can our servers, our switches, or whatnot. So we do want to make sure that we train our users on best practices.
Now, how you train your users, you generally want to make sure that it’s informational, but not going to be so overwhelming that the users aren’t going to understand it, or so draconian that users really are going to push back against actually following these procedures. It’s got to be user-friendly, and it’s got to be easy to understand and very accessible. But again, trained heavy users understand why security is important. It’s going to be huge in securing your network. And in the worst case scenario, develop a plan that if your network gets breached, how you can identify it, and recover and mitigate it in the future.
Maintaining access - so in this phase, as we know, hackers will try to maintain their access. So what can we do in this phase? We want to keep an eye on our log files for suspicious activities, such as missing entries, or odd login hours. It also helps to audit your users. Keep an eye out for unknown admin accounts and unusual login times, especially if users are logging in after hours when they normally don’t. These might be flags that a malicious hacker is on your network. Also, we want to run regular security checks on our servers, our workstations to help keep our network safe.
And the last phase is hackers will generally try to clear their tracks. So be sure to read your logs. Also, you’ll probably want to have a backup of your log. That way if someone does tamper with it, you can potentially get a good copy of it, and find out what happened. And try to go through periodically and verify any sort of tampering - again, missing entries, odd timestamps, things like that. If you’re missing certain times, then someone may have gone in there and started deleting out the logs that they were ever on your network.
So in wrapping up, the five phases are very important. You want to pay attention to the five phases a hacker is going to use against you. Understanding these phases will help us understand a hacker’s methodology. Also, we could use many of the tools that they’re going to use to help identify exploits of our own network. We want to try to learn from this. And we want to try to tidy up our online presence and mitigate as much as possible. In other words, reduce our attack surface. And also, we want to make sure that we’re patching and practicing best security practices.
So in the next video, we’re going to take a look at scanning tools and methodology. Thank you for watching. I’ll see you in the next video.

In this video, you will learn more about the importance of understanding a hacker’s methodology to develop methods to protect your network. We will again base this on the five phases of hacking.

You have already learned about what hackers do at each of the five steps and the associated risks to your network because of their activities. We are now going to link this knowledge to what you can do to protect your network.
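
The log checks the video describes for the maintaining-access and clearing-tracks phases (odd login hours, unknown admin accounts, missing entries, odd timestamps) can be automated. The following is an added example, not part of the course material; the log format, working hours, approved-admin list and gap threshold are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log, one "ISO-timestamp EVENT user" entry per line.
SAMPLE_LOG = """\
2024-03-04T17:30:00 HEARTBEAT -
2024-03-04T17:41:12 LOGIN alice
2024-03-04T18:00:00 HEARTBEAT -
2024-03-04T18:30:00 HEARTBEAT -
2024-03-04T21:00:00 HEARTBEAT -
2024-03-04T21:04:37 ADMIN_LOGIN svc_backup2
2024-03-04T21:30:00 HEARTBEAT -
2024-03-04T21:52:19 LOGIN bob
"""

KNOWN_ADMINS = {"alice"}          # assumption: approved admin accounts
WORK_HOURS = range(7, 19)         # assumption: 07:00-18:59 is normal
MAX_GAP = timedelta(minutes=45)   # assumption: a heartbeat every 30 minutes


def parse(log_text):
    """Yield (timestamp, event, user), skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def review(log_text):
    """Return findings as (kind, timestamp, detail) in log order."""
    findings, prev = [], None
    for ts, event, user in parse(log_text):
        if prev is not None:
            if ts < prev:        # odd timestamp: entry goes back in time
                findings.append(("out_of_order", ts.isoformat(), f"precedes {prev.isoformat()}"))
            elif ts - prev > MAX_GAP:   # missing entries
                findings.append(("gap", ts.isoformat(), f"no entries since {prev.isoformat()}"))
        if event.endswith("LOGIN"):
            if ts.hour not in WORK_HOURS:
                findings.append(("after_hours", ts.isoformat(), user))
            if event == "ADMIN_LOGIN" and user not in KNOWN_ADMINS:
                findings.append(("unknown_admin", ts.isoformat(), user))
        prev = ts if prev is None else max(prev, ts)
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run it against the backup copy of a log as well as the live one; a finding that appears in only one of the two copies is itself a sign of tampering.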

Reflect and share: Which of these types of protection approaches have you already been using, and how have you implemented it? Share your comments in the section below.

This article is from the free online

Advanced Cyber Security Training: Network Security

Created by
FutureLearn - Learning For Life
