What enables the enlightened rulers and good generals to conquer the enemy at every move and achieve extraordinary success is foreknowledge.


Understanding the enemy is an essential component of a successful defense.  Like a general planning fortifications, a security manager must understand black hat tools and techniques and use this knowledge to design countermeasures into the organization's information defenses.

According to the EC-Council’s Certified Ethical Hacker material, successful black hat operations typically follow five phases: Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Covering Tracks.  In this post, we’ll explore a high-level view of each phase.  I’ll drill down for a more detailed examination of each in future articles.

Phase 1 – Reconnaissance

Reconnaissance is probably the longest phase, sometimes lasting weeks or months.  The black hat uses a variety of sources to learn as much as possible about the target business and how it operates, including

  • Internet searches
  • Social engineering
  • Dumpster diving
  • Domain name management/search services
  • Non-intrusive network scanning

The activities in this phase are not easy to defend against.  Information about an organization finds its way to the Internet via various routes.  Employees are often easily tricked into providing tidbits of information which, over time, combine into a complete picture of processes, organizational structure, and potential soft spots.  However, there are some things you can do which make it much harder for an attacker, including

  • Make sure your systems don’t leak information to the Web, including:
    • Software versions and patch levels
    • Email addresses
    • Names and positions of key personnel
  • Ensure proper disposal of printed information
  • Provide generic, role-based contact information (or a registrar privacy service) for domain name registration lookups
  • Prevent perimeter LAN/WAN devices from responding to scanning attempts (drop ICMP echo and probes to unused ports at the perimeter; services you must expose will still answer, so keep their banners generic)
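The first item on that list, software versions and patch levels leaking to the Web, is easy to check for yourself.  The script below is an added example, not part of the original post: it parses raw HTTP responses (such as the output of `curl -sI` against your own Internet-facing hosts) and reports headers that name the server stack, distinguishing a bare product name from a full version.  The header list and the three sample responses are constructed for illustration.

```python
"""Spot version-disclosing HTTP response headers.

Added example (not from the original post): feed it raw responses captured
from your own Internet-facing hosts, e.g. the output of `curl -sI`, to see
what a reconnaissance probe learns before any scanning starts.
"""
import re

# Headers that name the server stack.  Their presence alone is a finding;
# a version number in the value is a worse one.  (This list is an assumption
# of the example; extend it for your own stack.)
DISCLOSING_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
}
# Anything that looks like a dotted version number, e.g. 2.4.49 or 7.4
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_headers(raw_response: str) -> dict:
    """Turn a raw HTTP response head into a lower-cased name -> value dict."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_leaks(raw_response: str) -> list:
    """Return (header, value, reason) for each header that reveals the stack."""
    findings = []
    for name, value in parse_headers(raw_response).items():
        if name in DISCLOSING_HEADERS and value:
            reason = "version" if VERSION_RE.search(value) else "product name"
            findings.append((name, value, reason))
    return findings


# Constructed sample responses (not real captures).
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 May 2024 02:00:00 GMT\r\n"
    "Server: Apache/2.4.49 (Unix) PHP/7.4.3\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 May 2024 02:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
QUIET = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("hardened", HARDENED), ("quiet", QUIET)):
        print(label, find_leaks(resp))
```

The fix belongs at the server, not in the scanner: on Apache, `ServerTokens Prod` and `ServerSignature Off` reduce the Server header to the product name; on nginx, `server_tokens off;` does the same; and `expose_php = Off` in php.ini removes the X-Powered-By header the sample above leaks.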

Phase 2 – Scanning

Once the attacker has enough information to understand how the business works and what information of value might be available, he or she begins the process of scanning perimeter and internal network devices looking for weaknesses and further detail, including

  • Open ports
  • Open services
  • Vulnerable applications, including operating systems
  • Weak protection of data in transit
  • Make and model of each piece of LAN/WAN equipment

Scans of perimeter and internal devices can often be detected with intrusion detection (IDS) or prevention (IPS) solutions, but not always.  Veteran black hats know ways around these controls: a slow, low-volume scan spread across time and source addresses stays beneath most alerting thresholds.  In any case, some steps you can take to thwart scans include

  • Shut down all unneeded ports and services
  • Allow critical devices, or devices housing or processing sensitive information, to respond only to approved devices
  • Closely manage system design, resisting direct external access to servers except under special circumstances, and then only as constrained by end-to-end rules defined in access control lists
  • Maintain proper patch levels on endpoint and LAN/WAN systems
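"Shut down all unneeded ports and services" only holds if someone checks regularly that nothing new has started listening.  The script below is an added example, not from the original post: it reads `ss -ltn` output from a Linux host, works out whether each socket is bound to loopback or to every interface, and compares the result with an approved baseline.  The baseline and the sample `ss` output are constructed for a single web host; a port outside the baseline that is exposed on all interfaces, or a baseline port bound wider than allowed, is what a scanner would find first.

```python
"""Compare a host's listening TCP sockets against an approved baseline.

Added example (not from the original post): the input format is that of
`ss -ltn` on Linux; the sample output and the baseline below are constructed
for illustration.
"""
import ipaddress

# Port -> widest scope it is allowed to listen on.  "public" means any
# interface; "local" means loopback only.  Assumed baseline for one web host.
BASELINE = {22: "public", 80: "public", 443: "public", 3306: "local"}


def parse_ss(text: str) -> list:
    """Return (bind_address, port) for every LISTEN line of `ss -ltn` output."""
    sockets = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or a non-listening state
        addr, _, port = parts[3].rpartition(":")  # "[::]:22" -> "[::]", "22"
        sockets.append((addr.strip("[]"), int(port)))
    return sockets


def is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; '*', '0.0.0.0' and '::' mean every interface."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(sockets: list, baseline: dict) -> list:
    """Return (severity, port, addr, reason) for sockets the baseline does not cover."""
    findings = []
    for addr, port in sockets:
        scope = "local" if is_loopback(addr) else "public"
        allowed = baseline.get(port)
        if allowed is None:
            severity = "info" if scope == "local" else "high"
            findings.append((severity, port, addr, "port not in baseline"))
        elif allowed == "local" and scope == "public":
            findings.append(("high", port, addr, "bound wider than baseline allows"))
    return findings


# Constructed `ss -ltn` output; not a real capture.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      80           0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128        127.0.0.1:6379       0.0.0.0:*
LISTEN 0      128                *:8080             *:*
LISTEN 0      128             [::]:22            [::]:*
"""

if __name__ == "__main__":
    for finding in audit_listeners(parse_ss(SAMPLE_SS), BASELINE):
        print(*finding)
```

On the sample, MySQL on 3306 bound to 0.0.0.0 and an unknown service on 8080 bound to every interface come back as high findings; Redis on 6379 is reported only as informational because it listens on loopback, which is still worth knowing about if an attacker later gets a foothold on the host.  Run it from configuration management or a cron job and diff the findings against the previous run.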

Phase 3 – Gaining Access

Gaining access to resources is the whole point of a modern-day attack.  The usual goal is to either extract information of value to the attacker or use the network as a launch site for attacks against other targets.  In either situation, the attacker must gain some level of access to one or more network devices.

In addition to the defensive steps described above, security managers should make every effort to ensure end-user devices and servers are not easily accessible by unauthenticated users.  This includes denying local administrator access to business users and closely monitoring domain and local admin access to servers.  Further, physical security controls should detect attempts at a hands-on attack, and delay an intruder long enough to allow effective internal or external human response (i.e., security guards or law enforcement).

Finally, encrypt highly sensitive information and protect the keys.  Even if network security is weak, encrypted data with keys kept out of the attacker's reach (stored and managed separately from the data they protect) is a good final defense when all other controls fail.  But don't rely on encryption alone.  There are other risks due to weak security, such as system unavailability or use of your network in the commission of a crime.

Phase 4 – Maintaining Access

Having gained access, an attacker must maintain access long enough to accomplish his or her objectives.  Although an attacker reaching this phase has successfully circumvented your security controls, this phase can increase the attacker’s vulnerability to detection.

In addition to using IDS and IPS devices to detect intrusions, you can also use them to detect extrusions.  A short list of intrusion/extrusion detection methods, described in Chapter 3 – Extrusion Detection Illustrated (Extrusion Detection: Security Monitoring for Internal Intrusions, Richard Bejtlich, 2006), includes

  • Detect and filter file transfer content to external sites or internal devices
  • Prevent/detect direct session initiation between servers in your data center and networks/systems not under your control
  • Look for connections to odd ports or nonstandard protocols
  • Detect sessions of unusual duration, frequency, or volume of data
  • Detect anomalous network or server behavior, including traffic mix per time interval
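Most of that list can be expressed as rules over connection records.  The script below is an added example, written for this post and not taken from Bejtlich's book: it runs four of the checks (server-initiated sessions to networks you do not control, odd destination ports, sessions of unusual duration or volume, and the same external pair being hit repeatedly, i.e. beaconing) over CSV flow records of the kind a flow collector or firewall exports.  The address ranges, thresholds and the flow records themselves are constructed assumptions.

```python
"""Extrusion checks over connection records.

Added example (not from the original post or the book): the network ranges,
thresholds and flow records are constructed assumptions; real input would
come from a flow collector or firewall connection log exported as CSV.
"""
import csv
import io
import ipaddress
from collections import defaultdict

DATACENTER = ipaddress.ip_network("10.20.0.0/24")    # servers: should not dial out
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]       # networks under our control
PARTNER = [ipaddress.ip_network("198.51.100.0/24")]   # external nets servers may reach
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 587, 993}   # expected outbound ports
MAX_DURATION_S = 6 * 3600
MAX_BYTES_OUT = 200 * 1024 * 1024
BEACON_MIN_FLOWS = 5                                  # same src/dst/port in the window


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def analyze_flows(csv_text: str) -> list:
    """Return sorted, de-duplicated (rule, src, dst, dport) alerts."""
    alerts = set()
    flows_per_pair = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        dport = int(row["dport"])
        key = (row["src"], row["dst"], dport)
        external = not _in_any(dst, INTERNAL)
        if external:
            flows_per_pair[key] += 1
        # Servers initiating sessions to networks we do not control
        if src in DATACENTER and external and not _in_any(dst, PARTNER):
            alerts.add(("server-initiated-external",) + key)
        # Connections to odd ports
        if external and dport not in COMMON_PORTS:
            alerts.add(("odd-port",) + key)
        # Sessions of unusual duration or volume
        if int(row["duration_s"]) > MAX_DURATION_S:
            alerts.add(("long-session",) + key)
        if external and int(row["bytes_out"]) > MAX_BYTES_OUT:
            alerts.add(("large-upload",) + key)
    # Unusual frequency: the same external pair hit again and again (beaconing)
    for key, count in flows_per_pair.items():
        if count >= BEACON_MIN_FLOWS:
            alerts.add(("beaconing",) + key)
    return sorted(alerts)


# Constructed flow records (start, src, dst, dport, duration_s, bytes_out); not real traffic.
SAMPLE_FLOWS = """start,src,dst,dport,duration_s,bytes_out
2024-05-01T02:00:00,10.10.3.7,203.0.113.10,443,30,4096
2024-05-01T02:00:10,10.20.0.5,203.0.113.77,443,20,1024
2024-05-01T02:00:20,10.20.0.5,198.51.100.9,443,20,1024
2024-05-01T02:01:00,10.10.3.7,203.0.113.10,443,30000,5000
2024-05-01T02:05:00,10.10.3.8,203.0.113.50,443,600,524288000
2024-05-01T02:10:00,10.10.4.2,203.0.113.99,4444,5,300
2024-05-01T02:20:00,10.10.4.2,203.0.113.99,4444,5,300
2024-05-01T02:30:00,10.10.4.2,203.0.113.99,4444,5,300
2024-05-01T02:40:00,10.10.4.2,203.0.113.99,4444,5,300
2024-05-01T02:50:00,10.10.4.2,203.0.113.99,4444,5,300
2024-05-01T03:00:00,10.10.3.7,10.20.0.5,3306,60,1000
"""

if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(*alert)
```

The sample yields one alert per rule: the database server dialing out to 203.0.113.77, an eight-hour session, a half-gigabyte upload, and a workstation talking to port 4444 on the same external host every ten minutes (which trips both the odd-port and the beaconing rule).  The same server reaching the partner network and the workstation's internal database connection produce nothing, which is the point of keeping the allow-lists explicit.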

Phase 5 – Covering Tracks

After achieving his or her objectives, the attacker typically takes steps to hide the intrusion and any means of control (backdoors, added accounts) left behind for future visits.  Again, in addition to anti-malware, personal firewalls, and host-based IPS solutions, deny business users local administrator access to desktops.  Because clearing or editing local logs is the commonest way of covering tracks, forward logs to a central store the compromised host cannot modify, so that what the host still holds can be compared with what was received.  Alert on any unusual activity, meaning any activity not expected based on your knowledge of how the business works.  To make this work, the security and network teams must have at least as much knowledge of the network as the attacker has obtained during the attack process.
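Two concrete checks follow from that, and the script below is an added example (not from the original post) of both: it looks for gaps, reordering and "log cleared" messages in a host's own log, and it lists the lines a central collector received that the host no longer has.  The log lines are constructed in an ISO-timestamp syslog layout ("<timestamp> <host> <message>"); the gap threshold and the phrasings matched for a cleared log are assumptions to tune per host.

```python
"""Two checks for track-covering: gaps or reordering in a host's own log,
and lines the central collector received that the host no longer has.

Added example (not from the original post).  Log lines are constructed in an
ISO-timestamp syslog layout ("<timestamp> <host> <message>"); the gap
threshold and the "log cleared" phrasings are assumptions to tune per host.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")  # timestamp, host, message
# Windows Security event 1102 reads "The audit log was cleared"; the second
# alternative is a generic catch-all (assumed phrasing).
CLEARED_RE = re.compile(r"audit log was cleared|log (?:file )?(?:was )?cleared", re.I)
MAX_GAP_S = 90 * 60  # this host logs at least hourly (cron), so 1.5 h of silence is suspicious


def parse_line(line: str):
    """Return (timestamp, host, message), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
    except ValueError:
        return None


def check_continuity(lines: list, max_gap_s: int = MAX_GAP_S) -> list:
    """Return (finding, line_index, seconds) for gaps, reordering and clear events."""
    findings = []
    prev_ts = None
    for i, line in enumerate(lines):
        parsed = parse_line(line)
        if parsed is None:
            findings.append(("unparsable", i, 0))
            continue
        ts, _host, message = parsed
        if CLEARED_RE.search(message):
            findings.append(("cleared", i, 0))
        if prev_ts is not None:
            delta = int((ts - prev_ts).total_seconds())
            if delta < 0:
                findings.append(("out-of-order", i, delta))  # appended or edited after the fact
            elif delta > max_gap_s:
                findings.append(("gap", i, delta))           # a block of lines may be gone
        prev_ts = ts
    return findings


def missing_locally(local_lines: list, collector_lines: list) -> list:
    """Lines the collector received that are absent from the host's copy."""
    present = set(local_lines)
    return [line for line in collector_lines if line not in present]


# Constructed lines: what the central collector received from web01 ...
COLLECTOR = [
    "2024-05-01T02:00:00 web01 sshd[1022]: Accepted publickey for deploy from 10.10.3.7 port 51234 ssh2",
    "2024-05-01T02:00:05 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash",
    "2024-05-01T02:03:40 web01 useradd[1077]: new user: name=support, UID=1005, GID=1005, home=/home/support, shell=/bin/bash",
    "2024-05-01T03:00:01 web01 CRON[1101]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-05-01T04:00:01 web01 CRON[1150]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-05-01T05:00:01 web01 CRON[1203]: (root) CMD (run-parts /etc/cron.hourly)",
]
# ... and what is left on web01 after the intruder edited the file.
LOCAL = [
    COLLECTOR[0],
    COLLECTOR[4],
    COLLECTOR[5],
    "2024-05-01T04:30:00 web01 sshd[1260]: Accepted publickey for deploy from 10.10.3.7 port 51300 ssh2",
]

if __name__ == "__main__":
    print(check_continuity(LOCAL))
    for line in missing_locally(LOCAL, COLLECTOR):
        print("missing on host:", line)
```

On the sample, the host's copy shows a two-hour gap right after the deploy login and a line appended out of order, and the comparison with the collector recovers the three deleted lines, including the sudo shell and the new "support" account.  The collector comparison is the stronger of the two checks, and it only works if the collector is reachable from the host for writing but not for editing.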

The final word

This article is not intended to make you an expert in network defense.  Instead, it should serve as an introduction to the methods employed by black hats when compromising an information resource.  Armed with this information, security professionals are better prepared for battle, locating and engaging the enemy wherever and whenever necessary.