If you’re protecting any network, then understanding the options and the various phases of an attack can be crucial. When you detect an intrusion, it’s important to quickly assess what stage the attack is at and what developments are likely to follow. Whether the intruder is a skilled attacker or some opportunist kid with a little technical skill makes a huge difference in the possible outcomes.
Even regular, normal traffic in suspicious or unusual situations can indicate a possible intrusion. If you suddenly notice TCP three-way handshakes completing on TCP ports 20 and 21 on a home Web server, but you know that you do not run an FTP server at home, it is safe to assume that something suspicious is going on.

Post-Attack Phase

After an attacker has successfully penetrated a host on your network, the further actions he will take for the most part follow no predictable pattern. Obviously the danger is much greater if the attacker is both skilled and has plans to further exploit your network, while many will simply deface a few pages or use the host as a VPN endpoint to watch US or UK TV channels from abroad.
This phase is where the attacker carries out his plan and makes use of any information resources as he sees fit. Some of the different options available to the attacker at this point include the following:
- Covering tracks
- Penetrating deeper into network infrastructure
- Using the host to attack other networks
- Gathering, manipulating, or destroying data
- Handing over the host to a friend or hacker group
- Walking or running away
If the attacker is even somewhat skilled, he is likely to attempt to cover his tracks. There are several methods; most involve the removal of evidence and the replacement of system files with modified versions. The replaced versions of system files are designed to hide the presence of the intruder. On a Linux box, netstat would be modified to hide a Trojan listening on a particular port. Hackers can also cover their tracks by destroying system or security log files that would alert an administrator to their presence. Removing logs can also disable an HIDS that relies on them to detect malicious activity. There are automated scripts available that can perform all these actions with a single command. These scripts are commonly referred to as rootkits.
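A defender can catch a replaced netstat of the kind described above by comparing what the binary reports against the kernel's own socket table in /proc/net/tcp, which a userland-only rootkit cannot alter. The following Python is an added example, not code from the original text; both listings are constructed samples, with port 31337 standing in for the hidden Trojan listener.

```python
import re
from typing import Set

# Constructed sample of /proc/net/tcp (the kernel's view). Ports are hex:
# 0016 = 22, 0050 = 80, 7A69 = 31337. State 0A = LISTEN, 01 = ESTABLISHED.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0050 0100007F:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
"""

# Constructed output of `netstat -tln` as a trojaned binary might print it:
# the listener on 31337 has been filtered out.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

LISTEN_STATE = "0A"


def kernel_listeners(proc_tcp: str) -> Set[int]:
    """Ports in LISTEN state according to the kernel's /proc/net/tcp table."""
    ports = set()
    for line in proc_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == LISTEN_STATE:
            ports.add(int(local_addr.split(":")[1], 16))
    return ports


def netstat_listeners(output: str) -> Set[int]:
    """Ports the netstat binary claims are listening (IPv4/IPv6 TCP rows)."""
    ports = set()
    for line in output.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def hidden_listeners(proc_tcp: str, netstat_output: str) -> Set[int]:
    """Listening ports the kernel knows about but the userland tool omits."""
    return kernel_listeners(proc_tcp) - netstat_listeners(netstat_output)


if __name__ == "__main__":
    print("hidden listeners:", sorted(hidden_listeners(PROC_NET_TCP, NETSTAT_OUTPUT)))
```

On a live host, read /proc/net/tcp and /proc/net/tcp6 directly and run the installed netstat; a kernel-level rootkit that filters /proc as well will defeat this check, so it complements rather than replaces file-integrity checks on the binaries themselves.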
The most obvious possibilities for the attacker are to gather, manipulate, or destroy data. The attacker may steal credit card numbers and then format the server. The cracker could subtract monies from a transactional database. The possibilities are endless. Sometimes the attacker’s motivation is solely to intrude into vulnerable hosts to see whether he can. Skilled hackers take pride in pulling off complicated hacks and do not desire to cause damage. Such an attacker may turn the compromised system over to a friend to play with or to a hacker group he belongs to. The cracker may also realize that he has gotten in over his head and attacked a highly visible host, such as the military’s or a major financial institution’s, and want to walk away from it praying he isn’t later discovered.