In-Depth

Understanding the New Breed of Hackers

Knowing how today's hackers think and work is the first step to combating their attacks.

• By Frederick Felman
• 10/13/2004

Just as hackers' techniques have evolved over time, so, too, have their motivations. Anyone in IT knows that Hollywood's stereotype of the hacker as an anarchy-minded 14-year-old wunderkind is dated. These days, real-world hackers are white-collar criminals seeking cash. They are targeted hackers, and they are a whole new breed.

The old adage "know your enemy" can give you an edge. To best protect your network, you must think like a targeted hacker. To that end, here are the four steps he follows in his attacks:

Step 1: Select a Victim

Unlike most virus writers, the targeted hacker has a specific target in mind. He (or she) chooses the target based on the value of the data he can extract. High-profile examples of successful targeted attacks include the theft of Windows source code from Microsoft and eight million credit card numbers from Data Processors International. Whatever your company's intellectual property, odds are someone can put it to use. Is it a tempting target for a hacker? If the risk/reward ratio is right, absolutely.

The moral here is that stronger protective countermeasures make an assault riskier for the hacker. The more time he takes in breaching your defenses, the greater the risk of being discovered.

A new trend worth watching: viruses that mimic targeted hackers. For example, Bugbear.B has a special payload, triggered only in certain environments. If Bugbear happens to infect a PC in a financial institution, it runs a special search for passwords and other critical data, and then attempts to e-mail the confidential information to the virus's creator. NetSky, however, casts a wider net, as it creates distributed spamming networks by turning consumer and enterprise PCs into "spambots." The virus writer then sells that powerful spamming network to actual spammers. In fact, these hackers are now so entrepreneurial that they build deactivation dates into these spamming networks; this creates a recurring source of revenue, as the spammers are thus forced to purchase new spamming networks from the hackers.

Step 2: Find a Chink in the Armor

Unlike the noisy vandal of the nineties, the targeted hacker will spend time quietly investigating your defenses. If he's good, you won't even know he's doing it. Even the old reliable port scanner is probably too noisy for him to use; its scans are too easily noticeable, and tend to leave too many clues in server logs. If a targeted hacker does require the information that a port scanner can give, he'll probably use the relatively new technique of slow scanning a network. This is done using distributed host sources--previously hacked machines controlled remotely by the hacker.

Keep in mind that at this point, you're not simply defending against a single hacker. The combined efforts of countless others are behind his attacks. The truth is that the hacker community generally cooperates better than security vendors do. Hackers routinely submit the source code of their utilities and scripts to peer review. Hacker newsgroups, Web sites, and mailing lists support a vibrant underclass of programmers looking to show off to one another by making the most powerful tools that any white-collar criminal can use in his PC-based assault.

Disturbingly high-quality tools are available every step of the way: hackers have made effective defense-analysis tools, they have catalogued thousands of vulnerabilities for hundreds of defense components, and they offer useful scripts and utilities that take advantage of those vulnerabilities.

If you're responsible for keeping your network safe, it behooves you to be familiar with these resources and communities. Your research there could be the only heads-up you get about vulnerabilities in your system.

Step 3: Exploit Vulnerabilities

Whatever knowledge the hacker learns is put to use in developing a plan to actually breach your defenses. Odds are, this penetration occurs in several smaller steps; initially, the targeted hacker gains only limited access to part of your network, but ultimately exploits that chink in your armor to gain total access. The hacker will exploit unprotected endpoint PCs, buffer overflow bugs, social engineering, and more, in different combinations to get what he wants. Once in, he may further his knowledge-gathering by planting Trojan horses, keyloggers, traffic sniffers, or other malintended gifts.

Step 4: Grab the Goods

If the attacker can get immediately to his target data, he will. Otherwise, he'll install some backdoors so that he can stealthily search the network on his own schedule, coming and going as he pleases. In the Microsoft case, several hackers breached an employee's home PC, tunneled in through his VPN connection, and had the run of Microsoft's internal network for three months before they were discovered.

Step 5: Conceal the Evidence

The attacker manually changes logs and removes any incriminating hacker tools, so there's no evidence of the security breach. If he foresees a need to go back in later, he'll keep a backdoor or two active. But otherwise, if he's a true pro, he'll even do away with those, completely covering his tracks so that there's never any indication that there was a break-in.

Conclusion

Obviously, you need to evolve your network security to protect it from this new breed of attacker: the targeted hacker. Clever, patient, and quiet, he doesn't care about making a splash, or winning the accolades of fellow hackers. He just wants the cash.