Top 5 Ways Hackers Get Into Your Network
How are hackers getting into our networks? That’s a question we get every day.
As part of our Managed Detection and Response (MDR) service, StreamScan remotely monitors our customers' networks’ security. So we have inside knowledge on the most common types of cyberattacks, the most dangerous attacks, and what targets cybercriminals are most interested in. This information is vital for us to provide the best protection possible for our customers.
We also provide incident response services to companies that have been hacked (ransomware, data theft, intrusion, etc.). Those investigations give us first hand insight into which attacks hit hardest.
Here’s an insider’s guide to the 5 most common real-world attacks hackers use to get inside your network.
Phishing
Phishing is by far the most common way to hack into a computer network. Most of the time, the user receives an email with a malicious attachment or link. When he clicks, a malicious tool is installed on his computer without his knowledge.
In the case of ransomware, the compromise is often not immediately identified. It is usually only the next day or a few days later that the user realizes that they have been infected when they see a ransom demand message or cannot access their files. Some types of ransomware delay revealing their ransom demand to allow the infection to spread to other computers or servers on the network.
When the hacker’s intent is data theft, several months can pass between the malicious access and the intrusion discovery. In some cases, the hacker has been in the network for more than five months.
Brute Forcing the RDP
Many companies offer off-site network access via Remote Desktop Protocol (RDP). The user launches a session and enters his username and password. If this information is correct, the user has remote access to the network under the same conditions as in the office. RDP is a crucial technology for today’s work from home reality, but it also increases exposure to cyberattacks. Hackers quickly identify RDP servers via robots that scan the Internet 24/7, looking for new targets. As soon as you plug in an RDP server, the attacks can start in less than 5 minutes.
The robots then attack your RDP server by simulating user connections and trying several combinations of usernames and passwords until they hit on a valid combination. This is called brute-forcing. As soon as a robot gets access, the hackers can jump into action. They can connect to your network, search for interesting computers and servers to infect with ransomware, run botnets on them or exfiltrate data, etc.
In some cases, brute force attacks can last days before the hacker gains access. The hackers can then stay in the network for months to find high-value targets (domain controllers, sensitive databases, etc.). The paradox is that this type of attack is straightforward to detect by network surveillance.
Shellcode injection
Robots that scan the Internet 24/7 also look for machines (web servers, DNS, etc.) with known vulnerabilities. Once a vulnerable machine is identified, the bots run a computer program (called shellcode) to exploit that vulnerability and take control of the device. If the attack succeeds, a hacker will take over as soon as the robot takes control of your machine.
A shellcode attack allowed the remote stopping of the antivirus on a server before the hacker infected it with ransomware in one publicized case. In another, the shellcode attack allowed hackers to undermine a company's web servers without the attacker even taking control of them.
Attack exploits are not detectable by the firewall or antivirus software. More advanced technologies, such as StreamScan's CDS, are needed to detect such attacks.
Exploits From the Darkweb
We observe that more and more Office365 email hackers in the Cloud rely on account information purchased on the Darkweb. This information is collected during massive hacking operations on sites such as LinkedIn, Yahoo, etc. Hackers search for additional information on social networks to get more information about users. Suppose they determine that you are a target of interest (e.g. you work in the finance department where you are part of senior management). In that case, they take control of your Office365 mailbox, observe the e-mails you exchange and develop a strategy to commit fraud.
Malicious Websites
More and more infections are being observed while surfing on malicious websites. Thousands of websites appear every day, and web filtering tools cannot detect and block them all. Hackers exploit this, and when their malicious site gets blocked, they simply move to a new site. It’s a cat and mouse game where the pirate always has the upper hand.
In rare cases, hackers take control of a legitimate high-traffic website and insert malware that infects users while they are surfing. The advantage for them to use a legitimate website is that they can quickly infect many people. In one case, a transportation/metro company’s website was hacked, and thousands of users clicked on the infected link in just hours. Remember, just because you are surfing on a known company website doesn’t necessarily guarantee you are safe.
How to Protect Yourself
When it comes to cybersecurity, you can only protect yourself against what you see. Here are our top recommendations for how to stay safe:
- Educate your employees about security risks, particularly phishing
- Implement one or more intrusion detection tools that allow you to have 360-degree visibility of your network's security
- Don’t rely solely on security event management tools (SIEM) because they can’t detect shellcode attacks or web browsing infections
- Monitor your network to identify cyberattacks that target you. Monitoring allows you to identify effective protection measures to put in place
- Use multi-factor authentication (MFA) for remote access
- Implement robust access control: user accounts should lock automatically (e.g. 10 minutes) after 3 or 5 failed access attempts
- Use VPN for remote access instead of RDP
- Check regularly if your information is for sale on the Darkweb.
- Use multi-factor authentication (MFA) to access your email in the cloud (Office365, etc.).
Find Out How Our Monitored Detection and Response (MDR) Service can Protect Your Network
We’re convinced that after seeing our MDR solution (powered by our CDS network monitoring technology) in action, you won’t want to leave your network unprotected again. So we are offering a 30-day free trial that includes:
- Fact-finding session
- CDS configuration
- 30-day free Proof of Concept
- First month activity report and recommendations
Email: Freetrial@streamscan.ai
Phone: 1 877-208-9040