
The Five Phases of a Hack – Covering tracks

Business owners and managers in Ottawa might be surprised to learn that the average data breach costs a company approximately US$3.62 million, and the average cost for each record breached is US$225. A staggering amount, to say the least, and it does not even cover the losses incurred in the months after the breach. Using a high-quality computer services provider in Ottawa does not completely eliminate the chance of problems arising, but it certainly helps to have the support of dedicated Ottawa tech support professionals.

The hacker has achieved their objective: their target system or network has been owned and they have installed all the desired software. But they’re not finished just yet. They need to erase and hide the evidence of their achievement. This means deleting logs, and hiding files and processes. This step is somewhat of an extension of the maintaining access phase, as covering tracks helps avoid detection, which in turn helps maintain access.

Obviously, the clever hacker would have disabled auditing in the gaining access phase, as soon as they escalated their privileges to a level where they could do so. Their attempts at cracking the password would certainly have generated log entries if the network administrator had set up account login logging, and their probing of the network and services during the scanning phase probably generated log entries too. Let’s not forget the malware that the hacker installed to maintain their access. So how does the hacker delete these logs and hide their files?

Deleting logs: Deleting logs is a relatively straightforward process. A hacker uses one of the numerous programs, such as CCleaner, to remove individual log entries relating to their presence. The reason a hacker would not delete log entries en masse is that an absence of log entries is as suspicious as unexpected log entries.

Hiding files: There are many ways to hide files. One is setting the hidden attribute in a file’s properties menu, although files hidden this way are easily detectable. There is also steganography, where a hacker hides files within another file such as an image or audio file; this is much harder to detect than a simple hidden file. Microsoft NTFS has a built-in steganography system called Alternate Data Streams, and files hidden this way can be very hard to detect without software such as TripWire and LNS.

Hiding malicious processes: Finding malicious processes that operate under the name of a genuine OS process can be quite tricky, as odd behavior of a device usually has to be reported by a user before the IT department starts monitoring system processes. At the Task Manager/System Monitor screen, it can be quite easy to detect a malicious process, as they usually use a disproportionate amount of resources under the name of a genuine OS process. Tunneling malicious activity through an often-overlooked protocol such as DNS and ICMP has become a favorite of hackers for exfiltrating data over the past few years. Unless a security analyst actively reviews collected data for these protocols, it can be difficult to ascertain whether tunneling is occurring. A usual indicator of tunneling is a large volume of ICMP messages, DNS queries and zone transfers.
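The DNS indicator described above can be turned into a simple check over resolver logs. The following is an added example, not code from the original article; it goes slightly beyond raw query volume by also requiring that nearly every query uses a distinct, long subdomain, which separates a tunnel-like pattern from a merely busy client. The log format, thresholds, function names and sample data are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

def registered_domain(qname):
    # Naive "last two labels"; a real deployment would use the Public Suffix List.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def find_tunnel_suspects(lines, min_queries=20, min_unique_ratio=0.9, min_avg_sub_len=20):
    """Flag (client, domain) pairs with many queries, almost all to distinct,
    long subdomains. Thresholds are illustrative assumptions; tune per network."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "sub_len": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, _qtype, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        s = stats[(client, registered_domain(qname))]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["sub_len"] += len(".".join(labels[:-2]))  # length left of the registered domain
    suspects = []
    for (client, domain), s in stats.items():
        unique_ratio = len(s["names"]) / s["queries"]
        avg_sub_len = s["sub_len"] / s["queries"]
        if (s["queries"] >= min_queries and unique_ratio >= min_unique_ratio
                and avg_sub_len >= min_avg_sub_len):
            suspects.append((client, domain, s["queries"], round(avg_sub_len, 1)))
    return sorted(suspects)

def build_sample_log():
    # Constructed sample data; the "timestamp client qtype qname" format is assumed.
    busy = [f"2024-01-01T10:00:{i:02d} 10.0.0.5 A www.example.com" for i in range(30)]
    odd = [f"2024-01-01T10:01:{i:02d} 10.0.0.9 TXT "
           f"{hashlib.sha256(str(i).encode()).hexdigest()[:40]}.example.net"
           for i in range(40)]
    return busy + odd + ["2024-01-01T10:02:00 10.0.0.7 A mail.example.org", "bad line"]

if __name__ == "__main__":
    for hit in find_tunnel_suspects(build_sample_log()):
        print(hit)
```

The busy client that repeats one hostname is not flagged, while the client sending 40 unique 40-character subdomains to one domain is.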

As well as aiding in maintaining access, a hacker covering their tracks acts as an anti-incident response and anti-forensics mechanism, allowing the hacker to try the hack again if necessary. The organization will learn no lessons from the breach, and will be less likely to press charges against the individuals responsible or have evidence to present in court. Because of these measures taken by a hacker, detection times can run into months.

If you are an Ottawa business and your managed services provider thinks you are immune to a hack, it’s time to think again. And perhaps get an audit from another IT consulting company. As John Chambers, former CEO of Cisco, put it: “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”