Step Into Behaviour of Hacker

Identifying typical behaviour or methods or techniques followed by a hacker to launch attacks to penetrate an organization's network gives security professionals insight into upcoming threats and exploits. Security professionals can adapt various security measures as a defence against different cyberattacks and plan network security infrastructure with its assistance.


Internal Reconnaissance

  • Reason: Once the attacker is in the network, the first thing they do is recon. For example, enumeration of systems, hosts, processes, and the execution of various commands to find out information such as the local user context and system configuration, hostname, IP addresses, active remote systems, and programs running on the target systems.
  • Protect: Monitor the activities of an attacker by checking for unusual commands executed in the Batch scripts and PowerShell and by using packet capture tools.

Use of PowerShell

  • Reason: It can be used for automating data exfiltration and launching further attacks. 
  • Protect: Check PowerShell's transcript logs or Windows Event Logs. The user agent string and IP addresses can also be used to identify malicious hosts who try to exfiltrate data. 

Unspecified Proxy Activities

  • Reason: An attacker can create and configure multiple domains pointing to the same host, thus, allowing an adversary to switch quickly between the domains to avoid detection. 
  • Protect: Find unspecified domains by checking the data feeds that are generated by those domains. Using this data feed, one can also find any malicious files downloaded and unsolicited communication with the outside network based on the domains. 

Use of Command-Line Interface

  • Reason: After gaining access, an attacker can use the command line to interact with the target system, browse the files, read file content, modify file content, create new accounts, connect to the remote system, and download and install malicious code. 
  • Protect: Check logs for process ID, processes having arbitrary letters and numbers, and malicious files downloaded from the Internet.

HTTP User Agent

  • Reason: The server identifies the connected HTTP client using the user agent field. An attacker modifies the content of the HTTP user agent field to communicate with the compromised system and carry further attacks. 
  • Protect: Identify this attack at an initial stage by checking the content of the user agent field. 

Command and Control Server

  • Reason: Adversaries use command and control servers to communicate remotely with compromised systems through an encrypted session. The adversary can steal data, delete data, and carry out additional attacks using this encrypted channel. 
  • Protect: Identify the presence of a command and control server by tracking network traffic for outbound connection attempts, unwanted open ports, and other anomalies. 

Use of DNS Tunnelling

  • Reason: An attacker uses DNS tunnelling to obfuscate malicious traffic in the legitimate traffic carried by common protocols used in the network. An attacker can also communicate with the command and control server, bypass security controls, and perform data exfiltration.
  • Protect: Analyse malicious DNS requests, DNS payload, unspecified domains, and the destination of DNS requests. 

Use of Web Shell

  • Reason: An attacker uses a web shell to manipulate the web server by creating a shell within a website; it allows an attacker to gain remote access to the functionalities of a server. Using a web shell, an attacker performs various tasks such as data exfiltration file transfers, and file uploads.
  • Protect: Identify the web shell running in the network by analysing server access, error logs, suspicious strings that indicate encoding, user agent strings, and other methods.  

Data Staging

  • Reason: An attacker uses data staging techniques to collect and combine as much data as possible. The data collected includes sensitive data about the employees and customers, the business tactics of an organization, financial information, and network infrastructure information.
  • Protect: Monitor network traffic for malicious file transfers, file integrity monitoring, and events logs. 

We hope this helps. If you have any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment