What Happens When You Get Hacked? Cyber Attack Anatomy

hackedToo many lawyers and law firms are convinced that even if hacking is a problem, they’re not a target. Law firms tend to be too small, too insignificant compared to the likes of Sony Universal or Anthem Health Insurance to get hacked. If you believe this, you’re sorely mistaken.

Not only is the situation vastly different than you imagine – hackers attack the little guys too – but your vulnerability is worse. Not only will you have to deal with the financial fallout of being hacked, you’ll have to deal with the ethical implications as well.

What can be done? Well, a lot of things, really. But nothing prepares a person to handle a difficult situation like knowledge. Knowing what it means to be hacked – not the feeling like you’ve just been robbed, but an actual understanding of how it happened – is critical. Here’s what it is to get hacked – an anatomy of a cyber attack:

1) Reconnaissance

The first phase of a hack is basic – recon. At this point, it’s all about information gathering. Using publicly available information, the hacker or hackers will gather all possible information on the target of the intended hack. This information can be technical – such as IP addresses, information on network infrastructure, hardware, or even passwords – or nontechnical – such as office social structures or location information.

To get this information, hackers might look to search engines, social networks, the Domain Name System (which contains important information about the owner of a website), or even a company’s website itself. Importantly, there are no attacks at this point. The only interaction would likely be a simple visit to your website. However, phishing and social engineering scams are also popular.

At this point, the hackers are attempting to focus on the right targets. For example, obtaining the office hierarchy will allow the hackers to more easily identify the person who has the highest level access. The managing partner is going to have higher level access than the summer intern.

At this moment, you’re not getting hacked yet. Your data is safe. However, at this moment, the hackers are also undetectable.

2) Enumeration

The recon had one goal – identify possible vulnerabilities in your system. The second step is to test those vulnerabilities to find actual entry points into your network. Unlike the Recon phase, the hackers are now interacting with your network, testing those vulnerabilities.

The enumeration phase usually begins with general scans of the network, but may be more specific depending on the vulnerabilities identified in phase 1. The first thing hackers look for are known bugs and software weaknesses. Oftentimes this involves looking for software or systems that have not been updated, as those updates frequently contain fixes for identified vulnerabilities.

Even though this phase does involve interaction with the network, the purpose is not to actually breach it. Rather the hacker meticulously catalogs possible entry points into the system.

3) Exploitation

Once the hacker has completed the enumeration phase and identified preferred points of entry, the next phase is exploitation. Generally, exploitation takes one of two forms – intrusion or denial of service.


When a hacker successfully identifies points of entry, the hacker can use those weaknesses to access the target network. Once inside the network, a hacker can access and gather sensitive information, identify new targets that weren’t previously available – parts of the network not directly connected to the internet, or insert malware (discussed below).

There are many types of cyber attacks that a hacker can use to gain entry into a web server, network, or service, including:

One of the most dangerous types of attacks is what’s called a “zero-day exploit.” For this type of attack, hackers gain access to a network through a vulnerability unknown to even the developers. These exploits are usually distributed on the black market between hackers. According to Forbes.com, the average zero-day exploit goes undetected for 10 months… after the hackers have started using it.

Denial of Service

Even if the hacker doesn’t find a weakness that will allow access to a system, the hacker can still attack the network (or server or service) through a Denial of Service (“DoS”) attack. The goal of a DoS attack is to basically overwhelm the target so that its ability to function is either dramatically reduced or eliminated.

This type of attack works by sending more data requests to a server than it can handle. Imagine flooding a phone bank with calls so that no real callers can get through – that’s the idea. The result, if the attack is successful, is a server overload, which either shuts down or severely slows activity on the network. When multiple hackers are involved, it’s referred to as a Distributed Denial of Service (“DDoS”).

There are numerous types of DoS attacks, including:

4) Malware Insertion

Once a hacker has penetrated a network, they may leave behind malware to allow the hacker to maintain ongoing control of the network and perform certain types of actions within. Dell security experts separate malware into three different categories: nuisance malware, controlling malware, and destructive malware.

Nuisance Malware

Nuisance malware is probably best described as annoying. The malware itself isn’t overtly malicious, but is more of an annoyance, affecting system performance and productivity. The two most common types of nuisance malware are Spyware and Adware.

Spyware, as should be painfully obvious, is malware that monitors, collects, and relays sensitive information to the hacker. Key loggers that track all inputs from a keyboard fit in this category. Spyware can be used for anything from theft of national secrets and high-level industrial sabotage all the way to spying on a cheating spouse.

Adware, on the other hand, is a brutally annoying malware that is designed to bombard the user with ads. These were so common that web browsers don’t survive without a tool to block most of these – it’s called a pop up blocker. Frequently, these ads offer some type of financial benefit to the hacker who inserted them.

Controlling Malware

Controlling malware allows the hacker to gain access to the network, server, or system either by remote command or as the result of an action taken by the proper user. These types of malware are usually inserted as a Trojan or a Rootkit. Once installed, a hacker is able to gain access to the system, and potentially use the system as a “zombie” in order to hack additional systems.

A Trojan is code inserted into a regular program (oftentimes a popular program a user would be likely to use), and is usually triggered unknowingly by the user or via remote access.

Rootkits are considerably more difficult to deal with. They are usually installed in a low level system within the sub-root directory. This makes them very hard to detect, but when activated, gives the hacker unrestricted network access. Oftentimes, this type of malware is undetectable to conventional anti-virus software.

Destructive Malware

As its name implies, destructive malware is inserted to destroy something. Destructive malware generally comes in one of two forms: a virus or a worm.

A virus is malware that must be executed on the system in order to become dangerous. Sometimes this takes the form of a program file in an email that needs to be opened to become active. However, action by a valid user is not required. A virus, once active, will replicate itself and, depending on its programing, can wipe out an entire hard drive, or target one specific file.

A worm, on the other hand, does not need to be executed to become active. Once inserted into a compromised system, a worm will use the compromised system and scan for other vulnerable networks. Depending on the worm, it can be just a nuisance, or it can both destroy files, locate vulnerable networks, and spread other types of malware.

5) Clean Up/Cover Up

Once the hacker has inserted the malware, or when the malware’s job is done, the final phase of the hack is to cover up the tracks. Depending on how the hacker gained entry to the system, this can be as simple as deleting a command line from the network. On the flip-side, the hacker can also eliminate evidence of the burglary by setting the proverbial house on fire with a rampant, destructive worm or virus.

To truly understand how quickly everything I described can be accomplished, I strongly recommend reading The Anatomy of a Hack, a recent piece from The Verge. It’s… frightening.

In the end…

As I’ve said numerous times, you can’t protect yourself completely, but there are a lot of steps you can take to reduce your vulnerabilities. Go through a cyber audit, make sure your employees are using tough passwords. If you allow everyone to bring their own device, make sure you have a detailed, effective BYOD policy in place.

The best way to prevent hackers from getting to phase 3 is to make sure that they can’t get past phase 1.