This is the third installment of our four-part series on The Industrialization of Hacking. Previously, I discussed the risks and opportunities the Internet of Everything introduces for businesses and hackers alike, and how attackers and defenders are locked in a cybersecurity arms race.
With the Industrialization of Hacking, attackers’ techniques are highly sophisticated, and they often go to extraordinary lengths to mount an attack, following a series of steps known as the “attack chain,” a version of the “cyber kill chain.” It is not uncommon for hacker groups to follow software development processes such as QA (quality assurance) testing, bench testing their products against security technologies before releasing them into the wild to ensure they will evade defenders.
Long before they actually execute an attack, hackers gain entry to the target organization’s IT infrastructure and conduct reconnaissance using surveillance malware. Only once they know what they are up against do they write malware tailored to the target’s specific departments, applications, users, partners, and security processes. To ensure it works, malware writers recreate the target’s environment and test the malware against its security tools. Some even offer guarantees that their malware will go undetected for weeks or months.
Only then do the hackers execute their attack. In a growing number of cases, they even set up custom command-and-control servers inside the network so they can control the malware without being monitored. Sometimes the goal is to gather data; in other cases it is simply to destroy it. Once the mission is complete, the attackers remove evidence of their activity but maintain a beachhead for future attacks.
In the final installment I will discuss a threat-centric and operational security model. View past installments of The Industrialization of Hacking series: