How to Catch a Hacker

    How to catch a hacker is a question that I get on a regular basis. Your success in catching a hacker largely depends on your preparation before you are hacked. Traditional incident response is the typical way of catching a hacker, but in some cases that approach is cost prohibitive.

    When a large organization suffers a breach they call in a trained incident response team to determine how the hacker got in. In smaller organizations and with individuals, it’s often up to them to catch the hacker.

    One of the most important things you can do to prevent being hacked is to change your security posture. From a business perspective, you need to emphasize the importance of security from the top down. The next step is to perform a security assessment to determine the appropriate policies and procedures for the organization.

    You should also consider using a security control and security program framework such as the CIS Controls and the NIST CSF. These two frameworks serve as a blueprint for securing your systems and networks.

    Tracking the Hacker

    With the appropriate security program in place you should also have the appropriate levels of logging and monitoring on the systems, devices, and network. These logs are going to provide the information you need to determine how the hacker got into the network and what activities they performed.

    Catching the hacker is a matter of reviewing the logs and putting everything in context to determine who the hacker is and how they got in. This is a high-level idea of how it works, and it’s far from being that easy.

    The reality of catching hackers is that the really advanced ones, known as “APTs”, or Advanced Persistent Threats, are really good at not getting caught.

    These APTs excel at covering their tracks, looking like normal activity, and mimicking the activities of other APTs and nation states. Attribution can be extremely difficult in these cases. It’s at this point we need to take a step back and define what “catching a hacker” really means.

    Catching a hacker means detecting when a hacker gains unauthorized access to your systems and network. Ideally they are caught before bad things start to happen. This is possible with the right security posture, but attackers can be present for months, if not years before they are detected.

    That being said, catching a hacker is much different than identifying a hacker. Even then, identification rarely singles out a single individual. When a threat actor is identified it’s usually a country or APT group that’s named.

    When it gets Personal

    If you are personally hacked, as in your accounts are compromised in some way, then there are some things you can do to try and identify the responsible party.

    First let’s talk about prevention before we get into attribution. The best thing you can do at home is start treating your home network like a small business network. Buy a commercial grade firewall, endpoint protection, and even consider adding a SIEM for monitoring and alerting.

    This will harden your home network and give you some idea of when the network is compromised. You should also invest in anti-malware for your mobile devices. Mobile device compromise is increasing and mobile devices are becoming a bigger target. What that means is that you need to change your approach to how you secure these devices sooner rather than later.

    Your online account passwords should use a password greater than 15 characters where possible and all be unique passwords. Use a password manager that’s secure and encrypted to keep up with these passwords.

    When it comes to security questions, use random values, phrases, or acronyms instead of the actual answers. Keep track of these in your password manager as well.

    Don’t share your passwords with anyone. The sharing of accounts is one of the easiest ways to get compromised. If you must share your password be sure and change the password immediately after the need is resolved.

    Use multi-factor authentication on all your accounts that support it. It’s best to use an authenticator app such as Google Authenticator as opposed to text message or email.

    Responding to the Hack

    How you respond to the hacking event can affect your ability to determine who the responsible party is. Let’s walk through a fictional scenario to get an idea of what can be done to identify the hacker.

    You are going about your day when suddenly you are unable to log into your email account. You use the reset password function and are able to gain access again. The next thing you notice is that you’re locked out of certain social media accounts. Again, you reset your passwords and are able to gain access again.

    That’s weird, but then it gets weirder. You start receiving password reset requests for your bank, iTunes, and an assortment of other online sites. You check these accounts and find that they are fine, but clearly someone is trying to get into them.

    It’s at this point that you really start to panic because you are locked out of your email again. Someone has gained access and changed your password. The questions you should be asking at this point are:

    • Is my computer or laptop compromised?
    • Is my mobile device compromised?
    • Is the network I’m on compromised?
    • Am I reusing passwords, and have any of these accounts suffered a breach?

    Hunting for Hacking Evidence

    One of the first things to check is if any of your online accounts log the IP address when you log in. Next you need to know your own IP address so you know the difference between your IP and the hacker’s IP. You can find your IP address at this site: https://www.whatismyip.com/.

    Once you determine the hacker’s IP address you can look up who is responsible for the IP address at these sites below depending on the geographical location:

    When you look up an IP address at any of the above sites, you get information about the ISP responsible for maintaining that IP address. The responsible ISP can track down who the IP was assigned to, but it requires a court order in most cases.
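The triage described above, as an added example that is not part of the original post: it reads an account's sign-in history, sets aside the IPs you recognise as your own, and summarises every unfamiliar source (first and last seen, number of events, whether a password change was made from it) together with an RDAP lookup URL for the ownership check. The login-history lines are a constructed sample and the field layout is an assumption; real providers export different fields. The rdap.org redirector is assumed to be reachable when you actually follow the URL.

```python
"""Triage an online account's sign-in history against your own IP addresses.

Added example for this post, not code from the original. The history format
below is a constructed sample (timestamp, source IP, event, user agent).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of what an account's "recent activity" page might export.
SAMPLE_LOGINS = [
    "2024-05-01T08:12:03Z 203.0.113.25 login_success Windows/Chrome",
    "2024-05-01T19:44:10Z 203.0.113.25 login_success iPhone/Safari",
    "2024-05-02T02:31:55Z 198.51.100.77 login_success Linux/Firefox",
    "2024-05-02T02:35:12Z 198.51.100.77 password_changed Linux/Firefox",
    "2024-05-02T03:05:40Z 192.0.2.9 login_failed Android/Chrome",
    "2024-05-02T03:06:02Z 192.0.2.9 login_failed Android/Chrome",
]


@dataclass
class SourceSummary:
    ip: str
    first_seen: str
    last_seen: str
    events: List[str] = field(default_factory=list)

    @property
    def changed_password(self) -> bool:
        return "password_changed" in self.events


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one history line into (timestamp, ip, event, agent); None if malformed."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, ip, event, agent = parts
    try:
        ipaddress.ip_address(ip)  # reject garbage in the IP column
    except ValueError:
        return None
    return ts, ip, event, agent


def summarize_by_ip(lines: Iterable[str]) -> Dict[str, SourceSummary]:
    """Group events by source IP. ISO-8601 UTC timestamps sort as plain strings."""
    summaries: Dict[str, SourceSummary] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, event, _agent = parsed
        summary = summaries.get(ip)
        if summary is None:
            summary = summaries[ip] = SourceSummary(ip=ip, first_seen=ts, last_seen=ts)
        summary.first_seen = min(summary.first_seen, ts)
        summary.last_seen = max(summary.last_seen, ts)
        summary.events.append(event)
    return summaries


def unfamiliar_sources(lines: Iterable[str], known_ips: Iterable[str]) -> List[SourceSummary]:
    """Every source IP that is not one of yours (your own public IP as shown by whatismyip)."""
    known = {str(ipaddress.ip_address(ip)) for ip in known_ips}
    return [s for ip, s in summarize_by_ip(lines).items() if ip not in known]


def rdap_url(ip: str) -> str:
    """RDAP ownership lookup; rdap.org (assumed reachable) redirects to the responsible RIR."""
    return f"https://rdap.org/ip/{ipaddress.ip_address(ip)}"


def report(lines: Iterable[str], known_ips: Iterable[str]) -> List[str]:
    rows = []
    for s in sorted(unfamiliar_sources(lines, known_ips), key=lambda s: s.first_seen):
        flag = "PASSWORD CHANGED" if s.changed_password else "-"
        rows.append(f"{s.ip:16} {s.first_seen}..{s.last_seen} "
                    f"{len(s.events)} events {flag} {rdap_url(s.ip)}")
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOGINS, {"203.0.113.25"}):
        print(row)
```

Check your own IP at the time of the event, not today: home connections often get a new public address, so an IP you no longer recognise may still have been yours. The source that changed the password is the one worth the ISP inquiry.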

    Setting a Hacker Trap

    One of the things you can try is setting a trap for the hacker when they are accessing your account or set the trap before your account is ever compromised.

    The way you can do this is by using a Canary Token. A Canary Token is a special file that looks tempting enough for the hacker to open, but when it’s opened it sends you the hacker’s IP address and their geographical location.

    You can set this up at the Canary Token site. I recommend choosing the Acrobat Reader PDF Document and renaming it to something like “Password List.pdf” and then emailing it to yourself from another account.

    When you receive the Canary Token in your email, leave it there and don’t open it. If you ever get an alert from that Canary Token, you’ll know someone is in your account.

    You may get an alert when you first email it to yourself. A lot of email providers scan attachments for malware, and part of that process is to open the attachment to determine if it’s malicious. You can safely ignore that initial alert.

    You can also place Canary Tokens on network shares with interesting file names such as “salary information”, “annual bonus”, and anything else that sounds tempting enough for a hacker to open.
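How the call-home behind a Canary Token works, as an added illustration that is not the Canary Tokens service's own code: the decoy document carries a unique URL, the viewer that opens the document fetches that URL, and the listener records the requester's IP, user agent and time against the token. The token registry, the `/t/<token>` path scheme and the loopback port are assumptions made up for the example; a real deployment would persist the registry and run the listener on a host the document can reach.

```python
"""Minimal self-hosted beacon showing how a canary token reports back.

Added example, not code from the original post or the Canary Tokens service.
Token IDs, the /t/<token> path layout and the port are invented for the example.
"""
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional

# token -> what it was planted as (e.g. the decoy file name); persist this for real use.
TOKENS: Dict[str, str] = {}
# Every time a token URL is fetched, one record lands here.
HITS: List[dict] = []


def create_token(description: str) -> str:
    """Mint an unguessable token and remember where it was planted."""
    token = secrets.token_urlsafe(12)
    TOKENS[token] = description
    return token


def token_from_path(path: str) -> Optional[str]:
    """Return the token from a '/t/<token>' request path, or None for anything else."""
    parts = path.split("?", 1)[0].strip("/").split("/")
    if len(parts) == 2 and parts[0] == "t" and parts[1] in TOKENS:
        return parts[1]
    return None


def record_hit(path: str, remote_ip: str, user_agent: str, now: Optional[float] = None) -> Optional[dict]:
    """Log a fetch of a known token; unknown paths (favicons, scanners) are ignored."""
    token = token_from_path(path)
    if token is None:
        return None
    hit = {
        "token": token,
        "what": TOKENS[token],
        "ip": remote_ip,          # the address to feed into an RDAP / whois lookup
        "user_agent": user_agent,  # helps tell a mail scanner from a PDF viewer
        "time": now if now is not None else time.time(),
    }
    HITS.append(hit)
    return hit


def hits_for(token: str) -> List[dict]:
    return [h for h in HITS if h["token"] == token]


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        hit = record_hit(self.path, self.client_address[0], self.headers.get("User-Agent", ""))
        if hit is not None:
            print(f"ALERT: '{hit['what']}' was opened from {hit['ip']} ({hit['user_agent']})")
        # Answer every request identically so the response reveals nothing about the token.
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args) -> None:  # keep the default request log quiet
        pass


if __name__ == "__main__":
    token = create_token("Password List.pdf (sent to my own mailbox)")
    print(f"Embed http://127.0.0.1:8080/t/{token} in the decoy document, then leave it unopened")
    HTTPServer(("127.0.0.1", 8080), BeaconHandler).serve_forever()
```

The first hit shortly after you email the decoy to yourself is the provider's attachment scanner the post mentions; because each record keeps the user agent and time, that initial fetch is easy to tell apart from a later one made from an unfamiliar address.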

    Securing Everything After a Hacker

    In my work as a private investigator in Oklahoma City, I see a lot of cases like this. The challenge is that those that get hacked insist on trying to keep these compromised accounts and won’t take the necessary steps to secure them.

    My advice is to delete your information from all the online accounts after archiving what you need. When you set up new accounts be sure and use unique passwords for each one and enable multi-factor authentication.

    Have an incident response team or investigator perform forensics on your mobile devices, workstation, or laptop to ensure it’s not compromised.

    For organizations I recommend our incident response services here at Crossroads Information Security. For individuals, the best approach is to hire a private investigator skilled in computer forensics.