Hacking! The term is popular among us, yet for some of us it remains a myth. What is a hack? Why do people hack? What do hackers really get? Who gets targeted? Who are those hackers? Most of us ask ourselves these questions. Unfortunately, very few of us get the right answers. If you are one of those who still haven’t got the answers, you have come to the right place. This blog may answer your questions.
What is a hack?
We’ll make it simple. Hacking, or a cyber attack, is one of the popular ways of causing damage to an entity. It has become a way of taking revenge. It may involve stealing information or stealing money. Some hackers may not steal anything from the victim but may cause other harm, such as reputational damage.
Who else is targeted?
This takes us to the interesting part. As I have mentioned earlier, most of the hacks are revenge, but not all of them. Revenge may be between individuals, groups, organizations, or even states. The rest of the attacks are random. Does it sound weird? Yeah, it does.
Hackers use techniques over the Internet and other channels against untargeted audiences. That means the attack may arrive via an email, a malicious website, and so on. Any random person can be a victim of these kinds of attacks, whether a common man or an executive of an established company. The sad part is that most people don’t know whether they have been hacked. While you read this blog, you may be a victim of a hack without your knowledge. You may be an individual on your own, or a representative of an organization that holds tons of confidential information. According to Verizon’s 2016 Data Breach Investigations Report, in 80% of hacks, the victims didn’t find the breach for weeks or more.
“Criminals are getting better, faster and nobody on the defensive is getting better fast enough. It usually takes a third-party to find signs of a data breach”
– Bryan Sartin, an author of the report
Who are these hackers? Are all the hackers bad?
No. Not all of them are bad. Hackers can be grouped into three categories, according to the hat they are wearing. Just kidding!
They are categorized as Black Hat, White Hat, and Gray Hat hackers. It has nothing to do with actual hats, by the way. Black Hat hackers, or “Black Hats”, are the real bad guys. They hack for personal gain or for revenge. Organizations and governments fund some black hats to attack their competitors or enemies. Their motives may vary, but the ultimate goal is to cause harm to the victim. A black hat acts without the knowledge and authority of the victim, and usually violates the rules and ethical standards. Then comes the Gray Hat hacker. Gray hats are not intentionally bad guys. Sometimes they may violate the rules or access a system without authority, but their intentions are usually not to harm anyone. Confused?
I’ll put it this way. A black hat may break into a system and steal information without authority. A gray hat would ideally break into the system but won’t steal anything. Instead, the gray hat will inform the system owner so the vulnerability can be fixed. Sometimes the system owner may reward the gray hat for finding the vulnerability. Even though gray hats don’t do anything bad, what they do is still unethical. Then who really are the good guys?
White Hat Hackers
White Hat Hackers or Ethical Hackers are the good guys. If they are good, why do they hack?
White hat hackers break into organizations to test their security levels. But they do it with the full authority of the organization being hacked. In fact, organizations invite white hats to hack or test their infrastructure and find vulnerabilities. The main difference between white hats and black hats is that white hats hack for good, legal and ethical purposes, while black hats do not. This helps organizations identify vulnerabilities and fix them before the Black Hats break in. If you represent an organization, you may be asking, “Where do I find these white hats to test my organization?”
It’s normal to have this question. Here comes the answer. White Hat hackers are employed by organizations that provide information security consultancy services. These white hat hackers have the skills and training to break into systems without causing any harm to the organization. They also act with integrity and maintain confidentiality to protect the information accessed during the test.
We, EncryptAsia, are one such organization providing information security consultancy. We employ professional White Hat Hackers to conduct secure and safe hacks for our clients. How do we conduct these tests?
How do we do the hack?
The process of ethical hacking is called a “Penetration Test” or a “Pentest” in the information security industry. The person who does the Penetration Test is called a “Pentester”. A Pentest can be divided into two main categories: external Pentest and internal Pentest. Many subcategories of Pentests can be listed under both main categories, which we will discuss in another blog. Today we’ll focus on the external Pentest.
Intelligence gathering is the phase where data or information about the target is gathered. The target is specified according to the scope of the assignment. Information gathering takes a huge amount of time as preparation for the attack. The more information we have, the higher the possibility of breaking into a system or the target. A typical collection of information will include products, plans, employees, competitors, interests of employees, pictures, educational qualifications of employees, their social network presence, company annual reports, their locations, the organization chart, user names used in social networks, job openings, and much more that is relevant to the scope. Information gathered in this phase is publicly available and is considered useless by many of us. But that information makes the Pentest easier. Search engines and many other tools are used to gather the publicly available information.
In the Vulnerability Assessment (VA) phase, we footprint the services exposed to the Internet. We gather information about the services, operating systems, etc. Then we move to the next steps, which are Vulnerability Identification and Vulnerability Validation.
Vulnerability identification is the main phase in a VA. Once we identify the vulnerabilities, our team validates them to reduce the vulnerability count to those that actually exist. Commercial and open source tools are used to perform the vulnerability analysis.
Once the vulnerabilities are identified and validated, we try to exploit them. In this phase, the valid vulnerabilities are exploited through various tools. It is not possible to exploit all the vulnerabilities found, because organizations may have defensive arrangements in place (e.g., firewalls) to protect themselves from being exploited or attacked. But it is up to the Pentester’s capability to find a way to exploit vulnerabilities and get into the system. One successful exploit may help the Pentester gain access to other systems as well. Exploitation is the activity that is actually referred to as hacking. If the exploit fails, the hack fails. Pentesters use many techniques to successfully exploit targets, evade firewalls and antivirus, etc. We may need to create or code custom scripts to exploit a particular target.
Techniques like Brute-forcing, Injections, Cross-Site Scripting, Social Engineering and many others are used in the exploitation phase. You may be wondering what those techniques are and how they are done. We’ll be covering them in an upcoming blog.
Okay. Now that we have exploited and got inside the target, are we done with the hack? Obviously not. Now starts the fun. Once we get in, we need to figure out a way to get more information and get into more and more systems (as a black hat would do). The methods and steps taken after an exploit may vary according to the operating systems and the structure we see inside the organization. No matter what the system is, a good Pentester should be able to break in as much as possible.
In post-exploitation, we try things like obtaining password hashes and trying to access any account, elevating the privileges of a particular user, and accessing confidential files and the database. If we need to access the system later for further compromise without going through the above phases again, we sometimes create backdoors, which enable us to access the system at a later time within the scope. There are many more activities involved in the post-exploitation phase.
Now that we have gone through almost all the phases, the final thing is to submit a report to the client. EncryptAsia would submit a report detailing all the vulnerabilities identified and the exploits made. The report will contain the methods used to exploit them as well as recommendations to rectify those vulnerabilities. Are we safe now? Not exactly. In today’s evolving threat landscape, many vulnerabilities are identified and exploited day by day. So we have to keep ourselves updated and tested frequently.
EncryptAsia will conduct Pentests against the systems at a defined frequency to identify any new vulnerability on your systems and will advise clients on how to rectify them over time.
As we have seen, a Pentest is an exercise that emulates a real hacking scenario. It is done in several phases, namely Intelligence Gathering, where we gather information about the target; Vulnerability Assessment, where we find the vulnerabilities; Exploitation, where we really break in; Post-Exploitation, where we further compromise the system; and Reporting, where we list the findings and recommend rectification. These are the exact phases a black hat hacker follows when hacking for bad things; we hack for good.