How do hackers breach institutions like Canada's NRC?
Published Tuesday, July 29, 2014 9:04PM EDT
Last Updated Wednesday, July 30, 2014 1:20PM EDT
Cyberattacks like the one against the National Research Council of Canada are increasing around the world. But by knowing the steps hackers would use for a sophisticated attack, security experts try to gain the upper hand.
"Sometimes in breaches, companies call it a 'highly sophisticated cyberattack' (as the Government of Canada's chief technology officer said in a statement Tuesday) in order to make it seem like they were beaten by the best," Geoffrey Vaughan, a security consultant with Security Compass, told CTV News Channel.
"In this case, the fact they were able to observe the attack for up to a month in advance probably suggests it was a serious, sophisticated attack."
Vaughan, who is an ethical hacker, told CTVNews.ca the process is complicated, but broke it down into six steps most hackers will use for more sophisticated jobs.
1. The first step is passive and then active reconnaissance. For passive, the hacker won't actually visit the site. They will use Google, LinkedIn and other services to learn as much as they can about the company plus they will see who the administration contact is on the domain name. Then the hacker will move into active reconnaissance and will likely visit every possible page on the website to collect information.
"When you are doing active reconnaissance, you will look like a regular user, but the usage will be abnormal," Vaughan told CTVNews.ca. At that point the hacker has done nothing wrong, but the strange usage is the first clue to a site administrator that something strange is happening.
2. Then they will move into the second step and start analyzing the vulnerability such as what type of server the entity is running, what ports are available on that server and looking for potential risks. Hackers will make requests to servers for the information. Vaughan said companies and governments "need to properly configure servers to not disclose this information."
3. Hackers then check to see if there are any known vulnerabilities or if anything is out of date. They are looking for a way in the door.
4. Step four is when the attack actually takes place and people cross what Vaughan calls the trust barrier and get into the system. Vaughan said with NRC, it would seem based on their response that someone breached that line and was able to successfully execute code.
5. A hacker may not get all of the access in the first step, so the next step is to escalate privileges and get more data.
6. Get as much data as you can.
"Any formal hacker would go through a more established methodology like this one," said Vaughan.
As for the attack against NRC, Vaughan said, "it’s suspect an attacker got a foothold in the network so they are probably into the bottom half of the hour glass."
Vaughan questions how far the hackers actually got before NRC decided to pull the plug and shut down the site. He wonders if NRC is saying it will take a year to recover because someone has a backdoor into the system.
"If they breach the trust barrier into the network … it's impossible to know with 100 per cent assurance you have removed the threat so the best way is to start over."