Attack planning is handled like a business operation and includes hiring plans, budgets and timelines.

During my conversations with security executives, a topic that consistently comes up is what, exactly, constitutes a modern hacking operation. Security professionals understand they're no longer facing script kiddies who lack a comprehensive plan. However, they're also not fully aware of how detail-oriented adversaries are when developing an attack campaign.

Today's hacking operations are well organized and developed by well-funded teams of highly trained adversaries with diverse experience and backgrounds. In fact, attack planning is handled like a business operation and includes hiring plans, budgets and timelines.

To help security professionals better understand the attacks they're facing, I thought I'd share some of my observations on the work that goes into planning a hack.

Goals define the operation

An attack starts long before a network is breached. The first step in any attack is setting the operation's goals. Hackers don't randomly pick an entity, blindly attack it and hope they'll discover valuable information. Targets are selected based on the data they possess and how that information will help the hackers meet their goals. Typically, the criminal entity behind the attack sets the goals, which vary depending on its objectives and motives. For example, a nation-state that uses a cyber attack to give its own businesses a research and development advantage would set a goal of stealing intellectual property and trade secrets from prosperous companies.

Larger campaigns often include several smaller goals that, when combined, reach the main objective. In some cases, the campaign may include hacking into several targets to achieve a goal. For example, an operation may include hacking into another company in order to infiltrate the intended target's network.
Hackers used this approach in the Target breach, when they first compromised the HVAC vendor's systems and used that vendor's access to reach the Target network.

This leads me to my next point about goals: Hackers will do anything to accomplish them. They'll disregard rules and will use deception whenever possible. Criminals intent on making money, obtaining intellectual property or carrying out other nefarious activities are behind these operations, not people who follow corporate policies.

Getting to know you

The reconnaissance that hackers conduct goes beyond mapping a company's IT network or learning about its technology. They're interested in gathering as much information as possible on their target, especially around how the business and its key personnel operate. These details help attackers navigate around any technological or human barriers that hinder the attack.

To collect these details, hackers will use social media to learn where key members of your security team worked or went to college. If a hacker has already penetrated your network, they'll review emails and calendar entries to learn when key security personnel are on vacation and time the next phase of the attack to that staffing gap.

Not to make you paranoid, but in some cases hacking organizations will use insiders to obtain information on their target. They'll either use a person already working at the organization or attempt to get someone hired by the company, allowing them to operate from within the target. Even job interviews can teach the adversary how the company handles security events and how security personnel are measured and evaluated. If an adversary knows, for example, that a company's security team is measured by how quickly it remediates incidents, the attack may include malware that's easy to discover as a way to distract the team from the real operation.

Gathering all this information makes reconnaissance very time consuming. I've seen some hackers start reconnaissance a year before the initial infiltration.
But all of this preparation increases the chances of the operation succeeding.

Celebrate diversity

Hacking teams are composed of people from various backgrounds whose expertise can help the operation. An attack targeted at a mine may include a geological expert, for instance, who can provide firsthand knowledge of how such an organization functions. This diversity gives the hackers new ways of approaching the operation. Companies would be wise to follow a similar practice when building out their security teams, a point I made in a recent Network World blog.

The roles on a hacking team are also diverse. For example, there's usually a group of people dedicated to deception. This often-overlooked group runs a campaign that distracts the security team from the main operation. The distraction is meant to reduce the risk of the campaign being discovered. Some of the more common distractions include a DDoS attack that brings down a company's website or malware that a security team can easily detect. These decoy threats mask the real threat and allow it to continue unabated. The practical lesson for defenders is that a loud, easily remediated incident should raise suspicion about what else is happening at the same time, not lower it.

Penetrating a network is the simplest part of an operation and is sometimes outsourced, a point that surprises many people because they consider penetration the operation's most important component. But outsourcing penetration to a crew that specializes in the task greatly improves the odds that the hackers will get into the organization. The reason is simple: Teams that handle penetration get paid only if they infiltrate the target. With their paycheck on the line, these teams will do everything possible to defeat a company's defenses.

Taking it easy

Hacking operations aren't rushed. Attackers want to remain undetected in your IT environment for as long as possible. This approach allows them to minimize mistakes and, of course, gather more data and compromise more systems.
I've seen cases where attackers went undetected for a year, giving them ample time to reach systems like Microsoft Active Directory and Outlook Web App. With that access, attackers collected every employee's log-in credentials and used them to maintain persistence in the environment, so that cleaning a single compromised host did nothing to remove them.

Think like the enemy

To combat more complex hacking operations, security teams need to adopt a hacker's mindset. Remember, hackers are out to deceive a company. Security incidents, even minor ones, should be treated as a potential threat and as a possible decoy for something quieter. Companies need to aggressively monitor their IT environment and look for behavioral changes: an account touching far more systems than it normally does, activity on accounts whose owners are out of the office, or logons at hours when nobody legitimate is working. Catching just one incident could expose the entire campaign.
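As an added example (not from the article or its author), the following Python script runs two of the behavioral checks described above over a handful of constructed directory logon events: it flags an account that suddenly authenticates to many more hosts than its baseline (the credential-harvesting and lateral-movement pattern that follows Active Directory access), and it flags activity on accounts whose owners are recorded as out of office (the staffing gap attackers look for in calendars). The event shape, the baseline counts and the leave calendar are all invented for illustration; in a real deployment the baseline would be computed from historical logs and the calendar pulled from HR or the mail system.

```python
"""Behavioral checks over constructed authentication events.

Added example, not code from the article. Two simple checks a SOC can
run over directory logon telemetry:
  1. an account authenticating to far more distinct hosts in a day than
     its historical baseline (credential harvesting / lateral movement);
  2. logons by accounts whose owners are recorded as out of office
     (the staffing-gap window the article says attackers plan around).
All inputs below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed logon events, loosely modelled on a Windows 4624 record:
# timestamp, account, source host, logon type (2 = interactive, 3 = network).
EVENTS = [
    {"ts": "2017-08-14T02:11:00", "user": "svc_backup", "host": "FS01", "type": 3},
    {"ts": "2017-08-14T02:12:30", "user": "svc_backup", "host": "FS02", "type": 3},
    {"ts": "2017-08-14T02:13:10", "user": "svc_backup", "host": "DC01", "type": 3},
    {"ts": "2017-08-14T02:14:00", "user": "svc_backup", "host": "HR-APP", "type": 3},
    {"ts": "2017-08-14T02:15:20", "user": "svc_backup", "host": "OWA01", "type": 3},
    {"ts": "2017-08-14T09:01:00", "user": "jsmith", "host": "WS-117", "type": 2},
    {"ts": "2017-08-14T09:05:00", "user": "mchen", "host": "OWA01", "type": 3},
]

# Constructed 30-day baseline: typical number of distinct hosts each
# account touches per day. In practice this is derived from history.
BASELINE_HOSTS_PER_DAY = {"svc_backup": 2, "jsmith": 1, "mchen": 1}

# Constructed leave calendar for key security staff (inclusive dates).
ON_LEAVE = {"mchen": (date(2017, 8, 12), date(2017, 8, 20))}


def parse(event):
    """Return a copy of the event with the timestamp parsed to datetime."""
    parsed = dict(event)
    parsed["ts"] = datetime.fromisoformat(parsed["ts"])
    return parsed


def host_spread_anomalies(events, baseline, factor=2):
    """Accounts whose distinct-host count in one day exceeds factor x baseline.

    Unknown accounts get a baseline of 1 so that a brand-new account
    spraying hosts is still caught rather than silently ignored.
    """
    hosts_by_user_day = defaultdict(set)
    for ev in map(parse, events):
        hosts_by_user_day[(ev["user"], ev["ts"].date())].add(ev["host"])

    hits = []
    for (user, day), hosts in hosts_by_user_day.items():
        expected = baseline.get(user, 1)
        if len(hosts) > factor * expected:
            hits.append({"user": user, "day": day.isoformat(),
                         "hosts": sorted(hosts), "expected": expected})
    return hits


def staffing_gap_activity(events, on_leave):
    """Logons by accounts whose owner is recorded as out of office."""
    hits = []
    for ev in map(parse, events):
        window = on_leave.get(ev["user"])
        if window and window[0] <= ev["ts"].date() <= window[1]:
            hits.append({"user": ev["user"], "host": ev["host"],
                         "ts": ev["ts"].isoformat()})
    return hits


if __name__ == "__main__":
    for hit in host_spread_anomalies(EVENTS, BASELINE_HOSTS_PER_DAY):
        print("host spread:", hit)
    for hit in staffing_gap_activity(EVENTS, ON_LEAVE):
        print("activity during leave:", hit)
```

Both checks are deliberately simple; the point is that each fires on a change in behavior rather than on a known-bad signature, which is what lets a defender notice the quiet part of a campaign while the noisy decoy is drawing attention elsewhere. Neither finding alone proves compromise, so treat a hit as the start of an investigation, not its conclusion.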