For a security researcher and analyst, references to this position include a “white hat hacker” or an “ethical hacker,” but more commonly and probably more preferred would be a “penetration tester.” I am going to go with a security researcher title. Nowadays, the term ‘hacker’ has negative connotations to it, rightfully so I might add, but, to me, I don’t think that it should be that way. The core definition I am basing this statement on is Google’s informal definition (I simply searched for “define hacker”): “an enthusiastic and skillful computer programmer or user.” To that degree, and with me enjoying computers and learning what I can in this domain, I want to be the best hacker (white hat, of course) I can be!
Note, however, that there is no right answer as the term itself is fairly broad with ambiguous meanings. The intention of this post is to provide a basic understanding of what it takes to be a security researcher. The reason I bring it up this way is because you have to think like a hacker to know what the end goal is for a hacker (black hat, at that). By that I mean, how do you know what a malicious hacker’s mindset is without putting on that hat yourself and thinking about it? This can lead to innovations in anticipating and protecting from flaws yet to be uncovered or worse, undisclosed (i.e., zero day malware).
For starters, let’s take a brief look into something known to ethical hackers and penetration testers alike. Below is a common methodical approach to this process. I’ll briefly touch on each stage and potentially build on this in future posts as well:
Next, let’s note some of the end goals of hacking from a malicious standpoint. Personally, it helps me to have a fair understanding of what the objectives are in anything I do; victory conditions for winning a game, purpose of a program or script. A few examples of a malicious hacker’s end goal may include, but are not limited to:
- Stealing usernames and passwords
- Siphoning sensitive information and files
- Network discovery
- Ransomware / financially motivated extortion
- Creating a backdoor to maintain persistence into a host / onto a network
That should be good to start working. Now, what do they ALL have in common? They all orient around network connections and activities. That seems like a no-brainer but it’s important to try to be as thorough as possible. You can’t hack someone’s computer without gaining network access to it first. Actually, that’s not entirely true. There are a few exceptions; leaving a malicious USB / CD laying on the ground, though a network connection would be required to send whatever potential information back to you (the threat actor / hacker), noticing an unlocked computer in the wilderness (to which you can do whatever up until you’re noticed by the owner). Now that we settled that (hopefully), let’s move on.
To set the stage, let’s assume that you’re not local to the target(s); i.e., in a remote location with no physical access to a machine / network. How would you go about trying to infiltrate a computer system that you don’t have direct access to? Let’s keep this in mind and work our way through the aforementioned stages while thinking of this in terms of a penetration tester / security researcher, as well as a malicious threat actor.
Start with the Reconnaissance stage. Reconnaissance refers to the information gathering stage in that, well, you need to find out some information about a given target. This can include hosted websites, IP addresses, employees (if a corporation or a place of business) or friends of your target. This stage is split up into active reconnaissance, which requires probing the network information known to you and is considered intrusive, and passive reconnaissance, which is less intrusive and focuses more on checking out their Facebook or LinkedIn profiles.
Next is the Scanning stage, which is similar to the active recon work and involves actively scanning the IP address(es) of the target. Typically, businesses have open ports for mail flow or internally hosted web servers, but it’s not always the case. The main goal of this stage is to gather more information about your target, with a main focus on identifying what operating systems are in use, frequently used software applications, or any open ports – something to take and work with. This then leads to researching known vulnerabilities about the target, or at least getting more information about how that OS works.
Up until this point you may be thinking, “Okay, that seems easy enough. Where do I go from here?” – which is fair because the next steps are where the tricky stuff happens. Unlike what you see on TV where hackers are hacking away at their keyboard, legitimate hacking takes many forms; exploiting OSes, applications (Microsoft Word, Adobe Reader), and web browsers (Firefox, Chrome). This is where the informal description hits home, “enthusiastic and skillful computer user.” Take some time to think about what was said above and how that ties in with the definition. As a hacker, your aim is to exploit vulnerabilities; as a security researcher you want to find these vulnerabilities and figure out a way to close the holes; a penetration tester would use this in their report back to their customer.
So, how does that tie in?
Where are the usernames and passwords stored on your OS? That depends – are you using Windows, Mac, Linux? What OS version are you running? From a malicious standpoint, you want to know how to extract that information, from a security standpoint you want to know how to protect against those measures.
How about the services / daemons that handle network activity that allow networking with local hosts and the Internet at large? The same applies – how do you exploit flaws from a malicious standpoint and harden those processes from a security stance.
What about user files versus system files? Does the target have admin / root access to the system they’re using? How do you harden these measures to prevent such privilege escalations attacks?
How do you suppress warnings or notifications that an OS may pop up to ensure authentic requests for an action that can be severe or intrusive? An example of this is capturing network traffic. You need admin access to tap into your network card’s ability, if applicable, to “promiscuously” listen to network traffic. Obviously as a hacker, this warning raises flags of concerns as this would be prompted to the user on the computer. From a security standpoint, this messaging is welcomed, and you’d want to find a way to ensure suppression of such is indeed authentic.
These are all valid questions that can be mind-boggling, considering that there are different ways to store this information depending on many, many factors. This does not require you to be a computer engineer, however, it would be nice. Google can help though!
To intertwine the past few points, after you gather some information about the target software being used, you can then investigate the above specifically for the target OS in question. From a hacking and penetration standpoint, you want to know how to build more off of that. As a security researcher, how can we tighten the loose ends?
Once you get to that point, which, to me at least, is the more difficult part, then you can further work through the methodical approach. Let’s try the Gaining Access stage. A hacker or penetration tester would start by creating an email that appears to be legitimate (via means of phishing, spear phishing, social engineering) and hope the target takes the bait. The email may contain a link to a malicious domain or have an attachment hiding malware in disguise as a Word document. If that pans out, then how do you go about maintaining access to the host, and therefore have an infiltrated host on the network? You can achieve this by creating a backdoor appropriate for said OS. What works on Linux may not work on Windows, or vice versa. How do you work with this from a researcher standpoint?
And last but most certainly not least, the Clearing Tracks stage. I am confident in stating that NO hacker or penetration tester wants to get caught, ever! There are many things to keep in mind in this stage. How and where does said system contain logging information? How did you go about infiltrating the network – are you using a VPN or proxy? Think of it this way, “can a security investigator trace ANYTHING back to you?” From a researcher standpoint, you’d want to find ways to have the system logs less susceptible to being deleted.
In conclusion, I am by no means supporting hacking in the terms of malicious activity nor trying to give guidance to aspiring hackers wanting to wear the black hat. However, to not think like our enemy would mean staying blind and reactive to issues as they arise versus being proactive in this cyber war. You have to understand the game to know how to better play it and you do this by wearing many different hats. Penetration testers and security researchers play a huge roll in the developments of hardening computer systems and how things run. It does in fact require actively hacking a system to find these. What differentiates these white hats from the black hats is that we wouldn’t keep them to ourselves but rather disclose them appropriately to close the gaps. What color hat do YOU want to wear?
References
Greycampus.com Contributors. Phases of Hacking. Retrieved from https://www.greycampus.com/opencampus/ethical-hacking/phases-of-hacking