How hackers hide: uncovering common techniques
This blog was updated on 1st November 2023
Being untraceable, untouchable, and ungovernable is a key part of the myth and mystique of ‘hackers’. Sure enough, the ability to hide has always been a central part of the hackers’ MO in both the physical and digital world. At Bulletproof, we’re no strangers to the insidious nature of hackers. We regularly analyse cyber attacks, the tools and techniques used and the motives behind them – and crucially, how this data can be used by our customers to implement better cyber defences. You can find out more about this in our 2023 State of Cyber Security Report.
Hackers use a variety of techniques to hide their activities and evade detection, making it challenging for the good guys to catch them, whether that’s law enforcement or security professionals. In this blog post I’ll explore some common techniques that hackers use to hide and let you know what you can do to protect yourself.
How do hackers hide themselves?
Hackers are continually finding new and more efficient ways to infiltrate systems, whether that’s buying a ready-made exploit on the dark web, discovering new security flaws, or using AI language models, such as ChatGPT, in phishing attacks. However, we also see hackers using the same methods time and again to break into systems that lack basic security. So, while cyber criminals do make use of sophisticated hacking techniques, they will first choose the path of least resistance. For example, hackers will often brute-force weak passwords to gain unauthorised access to a system, or reuse passwords scraped from previous data breaches. Quite often, and here’s a pro tip, the weakest part of your business’ security isn’t your tech, it’s your people. That’s just one of the reasons that security training is an overlooked superweapon in your defences.
Because hackers first look for an easy way in, it's up to organisations to cover the security basics. What this means is that for much of the time, hackers don’t need to go to great lengths to hide themselves because your business is in no state to detect or track them. In fact, if you’re not doing the basics, there’s a good chance you won’t even know you’ve been breached. It often surprises people when I tell them that sometimes hackers are in and out with no real need to obfuscate themselves at all. And whilst I’m here, you should be regularly looking for (and ideally, fixing) the holes that hackers will use to get in. I’m of course talking about penetration testing.
How to stop hackers - getting the basics right
There are several baseline measures businesses can put into place, such as making sure software is up to date, using strong, unique passwords, and being aware of common threats such as phishing emails. A good tip here is to make compliance work for you, and a good scheme for the basics is Cyber Essentials. Not only does it make you do the security basics, stopping a lot of opportunistic attacks, but it’s also a business enabler. As well as showcasing your commitment to security to potential customers, Cyber Essentials Plus certification is also a prerequisite for a lot of UK Government and public-sector contracts. That’s an easy win-win.
Making use of tools & technology
Encryption is a great way to make data unreadable, but that works for the bad guys as well as the good guys. By encrypting their communication and data, hackers can prevent others from intercepting and reading their messages. Encrypting data before they leak it is also a way hackers can bypass security tools that are set to look for signs of corporate data leaving your organisation.
The biggest use of encryption from hackers is surely ransomware, where they encrypt your data and hold you to ransom for the decryption code. In this instance they’re hiding your own data from you! They hide themselves by using cryptocurrency as the extortion payment method, as cryptocurrencies are generally untraceable.
Steganography is a technique where hackers hide data or communication inside other files, such as images or videos. The hidden data can only be accessed with a special tool or key. What might look like a normal image file could actually contain command and control data for malware on your system. To protect yourself from steganography-based hacking attempts, be wary of downloading files or opening attachments from unknown sources. Use trusted endpoint software and - crucially - keep it up to date.
Obfuscation is a technique where hackers hide the true function of code or scripts by making them difficult to read. It might look like nonsense, or it might look like innocent behaviour. In some cases, the real functionality can only be understood when the code is run. Specialised code analysis tools, and more recently AI tools such as ChatGPT, are good at de-obfuscating code, but this relies on the potential threat being spotted before the code is run.
Virtual Private Networks (VPNs)
VPNs are another common tool that has a multitude of uses, both innocent and malicious. You might use a VPN to connect to your corporate infrastructure or have a VPN for home use to get around geographic content restrictions. Hackers can also use VPNs to hide their activities, such as concealing their IP address and location, making it more challenging to trace their activities.
Like a VPN, a proxy is an intermediary that a hacker can place between their device and the target. For example, a hacker might use a proxy server to send spam emails from a different IP address than their own, making it more challenging to trace the source of the emails. This is one of the reasons why hackers will try to attack any machine – even if it doesn’t contain valuable data, it still has a use for them in their illicit activities. This is also how many DDoS attacks are orchestrated.
Uncovering the common tactics & techniques
Hackers are always getting smarter, and a recent trend is using off-the-shelf software instead of custom-crafted components. Bespoke software made by hackers leaves behind a digital fingerprint that can identify perpetrators, and as cyber criminals have started to be challenged by digital forensics, they have stopped using custom-built technology. Instead, they increasingly opt for open-source tools. These tools make it harder for criminal investigators to trace an attack because they are openly available and, in many cases, they are written by multiple contributors.
For example, Metasploit was initially built for use by ethical hackers to probe network and server vulnerabilities through pen testing. However, thanks to Metasploit’s adaptability and open-source nature, this tool has now been adopted by malicious hackers as well. Anyone can download open-source hacking tools and use them to identify and exploit weaknesses in a target’s system.
A while ago our Co-founder Oli Pinson-Roxburgh did a whole webinar about uncovering how hackers operate and hide. This video goes into a bit more detail than this blog and includes a great walkthrough of an attack in action.
Dwelling on dwell time
Once hackers have gained access to a system they can sit for months or sometimes even years within the network, using a stealthy approach to avoid detection by scanning and monitoring software. For example, hackers will analyse and mimic authorised user behaviour, such as only probing the network during normal working hours. Hackers will also attempt to blend their activity into common network connections and protocols, for example routing fraudulent activity over domain name system (DNS) ports so that it is disguised as seemingly harmless queries between public and private networks. In the case of business email compromise (BEC), this continuous access to a system can be very useful for exfiltrating data.
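Traffic that hides inside DNS still tends to look different from ordinary lookups: the leftmost label is unusually long and high-entropy, and many such names hit the same parent domain. The following detection heuristic is an added example, not code from the original post or from Bulletproof; the log format, thresholds and sample entries are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (assumed format: "<timestamp> <client_ip> <queried_name>").
# Three long, high-entropy labels under one parent domain mimic data smuggled in DNS queries;
# the long run of "a" characters shows why length alone is not enough to flag a name.
SAMPLE_LOG = """\
2023-11-01T09:02:11 10.0.0.5 www.example.com
2023-11-01T09:02:12 10.0.0.5 mail.example.com
2023-11-01T09:02:14 10.0.0.9 x7k2qz9fw3hbm8vl4nd6ypc1ru.tunnel-test.invalid
2023-11-01T09:02:15 10.0.0.9 a9s4dfg7h2jk5lq8wz3xc6vb1n.tunnel-test.invalid
2023-11-01T09:02:16 10.0.0.9 m3nb5vc8xz2lk7jh4gf9ds6ap1q0.tunnel-test.invalid
2023-11-01T09:02:17 10.0.0.5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com
2023-11-01T09:02:18 10.0.0.5 cdn.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character; random-looking labels score high, repetitive ones score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    # Naive "last two labels" approximation; a public-suffix list is needed in production.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_query(name, max_label_len=24, entropy_threshold=3.0):
    """True when the leftmost subdomain label is both long and high-entropy."""
    labels = name.rstrip(".").split(".")
    sub = labels[0] if len(labels) > 2 else ""
    return len(sub) > max_label_len and shannon_entropy(sub) > entropy_threshold

def find_suspicious_domains(log_text, min_hits=3):
    """Map parent domain -> number of distinct suspicious queries, keeping only repeat offenders."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, _client, name = m.groups()
        if score_query(name):
            per_domain[registered_domain(name)].add(name)
    return {d: len(names) for d, names in per_domain.items() if len(names) >= min_hits}
```

Tune the thresholds against your own baseline, since CDNs and some security products legitimately use long labels; the per-domain count is what separates a one-off oddity from a sustained channel.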
Hiding in plain sight
Malicious actors lurking within an organisation are already authorised users within your perimeter, making it easier for them to go rogue with sensitive information and credentials. Disgruntled employees, or those who have been bribed or blackmailed by hackers from outside the company, could be tempted to leak sensitive information for personal or financial gain. This is arguably one of the most insidious ways hackers hide. After all, where better to hide than in plain sight? Sometimes the hacker isn’t a teenager in a hoodie on the other side of the world, it’s not a nation-state threat actor in a bunker... it’s the person sitting next to you in the office.
Hide and seek security
The great game of cat-and-mouse that is cyber security means that tactics and techniques are always evolving on both sides. When one door is closed, another is found. Hackers are not unintelligent or lazy, and complacency will get your business breached. But that doesn’t mean there aren’t effective, cost-efficient measures your business can take to stay secure. My best advice is to make sure you’re doing the basics, and here I specifically want to call out Cyber Essentials. It’s a fantastic universal security baseline. Beyond that, if you’re not making basic efforts to find and manage your cyber threats – for example with penetration testing – then start ASAP. If you’re reading this and are in a more enterprise frame of mind, check out our blogs on how to get value from enterprise pen testing and getting the most out of pen test remediations.
The bottom line is, when hackers need to hide, they can be really good at it. The more you do up-front, the more effective you can be at dealing with problems. It applies to many things in life, and cyber security is no exception. Proactivity always makes your life easier in the long run.