Invitation to Cybersecurity

4.1.3.1 Maintaining Access

“By reprogramming the hard drive firmware (i.e. rewriting the hard drive’s operating system), the group achieves…an extreme level of persistence that helps to survive disk formatting and OS reinstallation…[and] the ability to create an invisible, persistent area hidden inside the hard drive.”
- from “Equation Group: The Crown Creator of Cyber-Espionage” by Kaspersky Labs

Usually hackers want to maintain access to the victim for as long as possible. This goal is known as persistence, and it allows them to spy on the victim and search for valuable information over a period of time. Maintaining access gives the hackers the ability to increase their access to the victim’s computers and network. It is analogous to physical space: before an intruder can gain access to the interior rooms of a large building complex, he must first breach the perimeter. Once the attacker gains initial access, it is much easier to gain additional access because they are now in the position of an insider.

The first rule of maintaining access is to remain undetected. This is accomplished through covering your tracks and remaining stealthy. Cyber defenders are always on the lookout for indicators of compromise (IOCs). IOCs are detectable evidence that indicate a device has been compromised. Therefore, from a hacker’s perspective, covering tracks involves hiding as many IOCs as possible. It may include deleting or altering log files and deactivating antivirus software. Stealth also involves minimizing IOCs in the first place to avoid tripping alarms. Some computer users have discovered they had been hacked when they noticed their mouse cursor moving by itself as they looked on in disbelief at their computer screen! This is an obvious IOC and poor hacking tradecraft. In general, the better cybersecurity the victim has, the more difficult it is for the hacker to remain undetected.
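The text notes that defenders watch for IOCs such as deleted or altered log files and deactivated antivirus software. The following Python detector is an added example (not part of the book) that scans a constructed set of sequence-numbered log lines for three such indicators: gaps in sequence numbers (entries deleted), timestamps that run backwards (entries altered or reordered), and messages about stopping antivirus or clearing logs. The log format, host names and message strings are all assumed for illustration.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the original page): each line carries a
# sequence number and a timestamp, as many audit/syslog pipelines do.
SAMPLE_LOG = """\
seq=101 2024-05-01T10:00:01 host1 sshd: Accepted password for alice from 10.0.0.5
seq=102 2024-05-01T10:00:07 host1 sudo: alice : COMMAND=/bin/bash
seq=105 2024-05-01T10:01:30 host1 systemd: Stopped Antivirus Daemon
seq=106 2024-05-01T09:59:00 host1 cron: session opened for user root
seq=107 2024-05-01T10:02:15 host1 auditd: audit log cleared by uid=0
"""

LINE_RE = re.compile(r"^seq=(\d+) (\S+) (\S+) (.*)$")

# Message fragments that are themselves indicators of covering tracks (assumed list).
SUSPICIOUS = ("antivirus", "log cleared", "audit log", "history -c")

def find_tampering_indicators(log_text):
    """Return a list of (seq, reason) findings for a block of log text.

    Checks for: a gap in sequence numbers, a timestamp earlier than the
    previous entry, and messages about disabling defences or clearing logs.
    """
    findings = []
    prev_seq = None
    prev_ts = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            findings.append((None, f"unparseable line: {raw!r}"))
            continue
        seq = int(m.group(1))
        ts = datetime.fromisoformat(m.group(2))
        msg = m.group(4)
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append((seq, f"sequence gap: {prev_seq} -> {seq}"))
        if prev_ts is not None and ts < prev_ts:
            findings.append((seq, "timestamp earlier than previous entry"))
        low = msg.lower()
        for frag in SUSPICIOUS:
            if frag in low:
                findings.append((seq, f"suspicious message: {frag!r}"))
                break
        prev_seq, prev_ts = seq, ts
    return findings
```

Running `find_tampering_indicators(SAMPLE_LOG)` on the constructed lines reports the missing entries 103 and 104, the backdated entry 106, and the two messages about antivirus and log clearing.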
Hackers can afford to be sloppy when the victim is not vigilant. Unfortunately, many households and organizations around the world are not as vigilant as they need to be. We will discuss how cybersecurity principles and best practices can help detect unauthorized access in Chapter 9.

A good way for hackers to maintain access is to create one or more alternative ways back into the victim’s network. The initial method of gaining access may not be available in the future. In some cases the hacker might even fix the original vulnerability he used to gain access himself! This is done to prevent other hackers from exploiting the same vulnerability and potentially blowing both hackers’ cover.

A backdoor is an unauthorized access point. To gain persistence, hackers may create multiple backdoors. This way, even if the victim detects the hacker’s presence and deletes an access point, as long as at least one foothold still remains, the hacker is able to maintain access. This fact causes consternation for cyber defenders because it can be difficult to be certain that a hacker has been completely eradicated from a machine or network. How do defenders know when they have identified and eliminated every backdoor? It is difficult to prove that they have—there always could be one more that they just have not found yet. The SolarWinds hack mentioned above resulted in such deep access to the victim networks that some cyberse-