To catch a hacker, you must think like a hacker. Security expert Andrew Whitaker explains the hacker mentality and points out how hackers combine multiple exploits to achieve their goals. Andrew is the lead author of Chained Exploits: Advanced Hacking Attacks from Start to Finish, which teaches how attackers chain together attacks.



Nothing makes you worry more about your job security than when the network that you're paid to secure gets hacked. You work tirelessly to ensure that systems are patched, unnecessary services are turned off, configurations are hardened, and procedures are followed. Here's the problem, though: You must be right 100% of the time, but hackers have to be right only once.

You find yourself in the boss's office. "What went wrong? How did we get hacked? I thought you said that our network is secure," he says, in a displeased tone. With your job on the line, you try to retrace the steps of how your network was compromised.

Retracing the attacker's steps isn't an easy task. It's not always as simple as naming a single vulnerability that was exploited. Often hackers use a number of exploits that are chained together to form an attack. When faced with incident response, you must see the attack from the attacker's perspective. This means looking at your network from all angles, finding openings, and tracing out how an attacker could combine multiple exploits to achieve a malicious goal.

To foil an attack, you must think like the attacker.

Missing the Obvious

Few security professionals today know how to think like an attacker. Knowing how to install locks on your front door doesn't train you in thinking like a burglar. In the same way, knowing how to configure a firewall or other security technologies doesn't train you to think like a hacker. Too often, security professionals spend their time learning technologies, rather than learning about what they're trying to guard against. Which leads to this question: How exactly do you think like an attacker?

No one becomes a malicious attacker overnight. It takes years of late nights in the basement gulping energy drinks, listening to progressive techno music, and writing cryptic assembly code. Okay, maybe there's a little more to it than that. But not much. Let's examine the common characteristics of malicious hackers.

Hackers Love Technology

A hacker is someone who loves technology. The term hack is believed to have come from the MIT Tech Model Railroad Club, where members would "hack" DEC programmed data processors to try to improve electric trains, tracks, and switches. A similar passion for understanding and improving technology is what led to the birth of UNIX, Linux, and Apple. Behind each of these technologies are people who are, in the true sense of the word, hackers.

Taking this idea forward to today, a malicious attacker loves technology, perhaps even more than you do. He or she knows the security products you've implemented, beyond just configuration; the hacker may even reverse-engineer these technologies to unmask how they really work.

Hackers Think Outside the Box

You can tell a lot about people by how they cook. Some like to follow a recipe perfectly, using the exact amount of each ingredient and checking off steps as they go. Others are more carefree, throwing in a splash of one ingredient and a dab of another. This latter group isn't interested in the set recipe on the box; they prefer to try something different, to see how it turns out.

Such is the mindset of the malicious attacker. To use the cliché, he or she thinks "outside the box." This is important to remember, because while you spend time reading manuals and configuring your firewalls and servers as the vendors instruct you, the hacker is wondering what happens if a certain bit is changed in a packet, or if a particular machine instruction is incremented.

This out-of-the-box thinking extends beyond just modifying code or packets. It's part of the mindset of hacking. When I perform penetration tests, my mind races with options on how I'm going to attack my target. If an attack fails, I have three or four other attacks ready to go. It's the difference between thinking linearly and viewing an attack like a massive spider web or the map of a city, with multiple ways to get from one point to another. If one path is blocked, many others can lead me to the same destination.

Unfortunately, I seldom get the opportunity to try every avenue of attack. A penetration test is limited in scope and time. But someone maliciously attacking your network has all the time in the world. To quote Benjamin Franklin, "He that can have patience can have what he will." If an attacker wants in badly enough, it's just a matter of time.

Hackers Chain Attacks

In addition to loving technology and being an out-of-the-box thinker, an attacker looks for ways to chain together multiple exploits into one large attack. On the cover of my book Chained Exploits: Advanced Hacking Attacks from Start to Finish is a picture that serves as a good visual metaphor for chained exploits: A trail of ants carries parts of leaves up a tree trunk. The ants work separately, but the whole group is working together to carry their food. Each ant takes a small part of a leaf; when combined, these parts make up the entire leaf. The same approach is taken by skilled hackers; rather than relying on a single attack point, they chain their exploits together to form one larger attack.

Take the following scenario as an example. You get a call at 2 a.m. from a frantic coworker, saying that your website has been breached. You jump out of bed, throw on some clothes, and rush down to your workplace. When you get there, you find your manager and coworkers in a frenzy, wondering what to do. You look at the web server and go through the logs. Nothing sticks out. You go to the firewall and review its logs. You don't see any suspicious traffic heading for your web server. What do you do?

I hope you said, "Step back and take a look at the bigger picture."

There are many ways to attack a website, and some of them don't involve attacking the web server from the Internet. An attacker may attack a router, a backup server, a database server, and finally creep in to attack the web server. Never assume that the attacker launched a single exploit from the Internet to your network. A skilled attacker combines multiple exploits, which means that your job will require unwinding the chain of attacks and following the trail back to the attacker.