The tools and techniques that ethical hackers use mirror those of malicious actors. The difference is their intent.
If you bring up cyber security, business leaders start imagining the “bad guys.” They’re called many things: cybercriminals, threat actors, and frequently hackers. But “hacker” is a broad term, and it doesn’t always refer to “black hat” hackers – the people who infiltrate computer systems intending to steal or destroy data.
There are also “white hat” or “ethical” hackers – security experts who deploy the same kinds of techniques on behalf of companies to identify security gaps and strengthen their defenses.
Meet the Hackers
In a popular webinar hosted by Envision Technology Advisors and KLR, we introduced our audience to two leading ethical hackers, Manny Lobao and Emilio Teixeira. Throughout the hour-long conversation, Manny and Emilio shared real-life instances of security gaps they discovered by mirroring the same steps that “black hat” hackers use: Reconnaissance, Weaponization & Delivery, Exploitation & Installation, Command & Control and Execution.
We’d like to revisit this webinar's subject matter and dig a little deeper into their process. With some additional context for their methodology, you can determine if a proactive review of your company’s vulnerabilities makes sense.
Reconnaissance
The first step any hacker takes is to create a profile of the target business. Who are they? What industry are they in? Who are their strategic partners? What kind of valuable assets might they possess? What information is available about them online?
This research helps the hacker to understand the target and zero in on their vulnerabilities.
In the webinar, Emilio relayed a disturbing story about an auto repair company. After just a few hours of research, he found an open directory that contained plain text credentials for the client’s accounting email account. When he tested the credentials, he gained visibility into their purchase orders, invoices, their global email directory, and much more.
Thankfully, this problem could be addressed before a malicious actor made the same discovery. But it highlights the importance of conducting this kind of recon work.
Weaponization & Delivery
Once a hacker has gained enough intel about their target, they formulate a game plan. Specific tools and techniques are selected that line up with that company’s weaknesses. The goal is to penetrate the first layer of defense without detection, using the path of least resistance.
But there’s no end to the creativity that hackers employ.
Imagine finding a thumb drive in your company parking lot marked “executive salaries.” Many good and decent people would be tempted to plug it in and find out what it contained, unwittingly giving cybercriminals a pathway into their network.
Exploitation & Installation
When a hacker gains entry, their next job is to install software to help them establish a foothold. To wring a victim for every cent possible, they’ll need the ability to communicate externally and bypass both network and endpoint security.
Ethical hackers take the same approach in testing an organization’s defenses. If an ethical hacker installs a piece of software, it should trigger an alert. If an alert is triggered, the responsible parties in IT should act accordingly. If they don’t, there’s clearly room for improvement.
Command & Control and Execution
Once a hacker has installed the necessary software, they work to gain control over the entire network, piece by piece. Once they have gained persistence, they cannot be shut out easily, even if the original entryway is blocked.
During the webinar, the ethical hacking team discussed a hospitality company in California. The company had been hit by ransomware, was able to recover, and then months later was hit again.
Multiple extortion attempts are becoming increasingly common. Sometimes that’s the original hacking group taking another bite at the apple; other times it’s a new group that is piggybacking on the original hacker’s success.
Ethical hackers follow the same pattern to test a company’s defenses. How easily can they move laterally and gain new access? Where are the most valuable assets, the “crown jewels”?
The most valuable systems and data should have extra layers of protection. If an ethical hacker can get read/write access to your most important data, then a malicious actor can do the same.
Call in the Experts
When a breach occurs, having a cyber security team with ethical hacking experience can be a lifesaver. Because they can think like threat actors, consulting with them speeds up the processes of containment (stopping unauthorized access), remediation (eliminating persistence and fixing any damage), and forensic auditing (understanding cause and impact).
Where to Start
One of the most common questions that business leaders ask is, “Where do I start?” Because cyber security is such a huge topic, it’s easy to feel overwhelmed.
Envision offers security assessments for companies in exactly that situation. Our goal is to provide a clear picture of our client’s current cyber security posture, pinpoint the risks, and rank those risks in terms of criticality so that the highest priority flaws are addressed first.
Want to learn more? Attend our new webinar on October 20th, 2022 to find out more about incident response from an ethical hacker's point of view.