The Hacker’s Surprisingly Disciplined Process
Hackers usually follow a well-established attack pattern with four distinct stages. The process is one of exploration that builds a comprehensive profile of a website’s weaknesses, eventually allowing a hacker to build and execute a focused attack plan. Depending upon the hacker’s motivation (e.g. greed, reputation damage), information theft may occur quickly or at a slow and steady pace that is difficult to detect.
| Stage | Action | Typical Tools | Results |
|---|---|---|---|
| Reconnaissance | Extensive browsing to traverse the website and discover operational parameters | Web debug proxy to examine traffic between browser and website; Google hacking | Profile of OS, hardware, application language, database, libraries; complete site, error pages and navigational map |
| Probe | Determine weak points; establish and test boundary conditions | Anonymous proxies, privacy controls, VMs; vulnerability scanners; automated scripts | Assesses defenses and establishes successful attack vectors; learns database table and field names |
| Attack | Launch attacks to compromise the application and database and collect data | Known attacks: SQL injection, cross-site scripting and request forgery, directory traversal, remote file inclusion | Proof that attacks work; locate and collect sensitive data to assess the most effective approaches |
| Harvest | Mask and automate attacks to maintain a low profile; collect data quickly or via a slow trickle | Productized hacker toolkits; bot networks for rent with easy-to-use management tools | Collect sensitive data on an ongoing basis; publish, sell or use depending upon goals |
Hackers know that, like any other visitor, they are accessing an application as intended – through the “front door.” This makes their behavior, while distinctive, difficult to detect given the volume and diversity of normal user activity on a typical website. They are also aware that network firewalls are the first, and often the only, line of defense for a website and that a firewall’s signature-based approach is not effective in detecting behavior patterns – subtle or not.
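Because the reconnaissance and probe stages leave a behavioral trace (one client touching many distinct URLs and triggering many error pages) rather than a signature, a defender can profile per-client behavior in the web access log instead of matching individual requests. The following is an added example, not code from the original article; it assumes Combined Log Format lines and uses constructed sample entries and illustrative thresholds.

```python
"""Behavioral reconnaissance detector over web access logs (added example).

Assumes Combined Log Format input; the sample log lines, IPs and
thresholds below are constructed for illustration, not taken from the article.
"""
import re
from collections import defaultdict

# Constructed sample: one client crawling for non-existent pages, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old-site HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /config.bak HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /test.php HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=%27 HTTP/1.1" 500 310
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /products HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:56:09 +0000] "GET /products/42 HTTP/1.1" 200 1900
"""

# client ip, ident, user, [timestamp], "method path protocol", status, size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse(log_text):
    """Yield (client_ip, path, status) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))

def profile_clients(log_text):
    """Aggregate request count, distinct paths and error count per client."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0})
    for ip, path, status in parse(log_text):
        s = stats[ip]
        s["requests"] += 1
        s["paths"].add(path)
        if status >= 400:          # 4xx/5xx: error pages the article says recon maps out
            s["errors"] += 1
    return stats

def flag_recon(log_text, min_requests=5, min_error_ratio=0.5):
    """Return {client_ip: error_ratio} for clients whose behavior looks like recon.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    flagged = {}
    for ip, s in profile_clients(log_text).items():
        ratio = s["errors"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= min_error_ratio:
            flagged[ip] = round(ratio, 2)
    return flagged
```

Running `flag_recon(SAMPLE_LOG)` flags only the crawling client; a per-request signature filter would have passed every one of its requests individually.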