Hacker traffic over time breaks down into three phases: scanning, exploiting and pilfering. Every hacker attack involves all three of these activities.
Scanning is the act of profiling the target: identifying assets and vulnerabilities. A fair number of products and organizations ignore this activity. Scanning happens every day; network and host scans arrive on a daily basis, so recording all of this activity is not practical. However, this data is important. It completes the picture of the hacker’s activity, it illustrates intent and focus, and it is evidence that may be used when legally pursuing a hacker.
Exploiting is using a system vulnerability to gain access to restricted resources. Hackers craft exploits to be as small as possible, to reduce their footprint to sensors and analysts. CND (computer network defense) products focus on the exploit. Every manufacturer is guilty of advertising its ability to stop new attacks with updated signatures. Updated signatures do a good job of identifying the latest attacks, but only those already known well enough to have a signature written for them.
Pilfering is all activity that occurs after the exploitation. This includes a fair number of activities, ranging from stealing data to modifying data. Typically, this is when a hacker is detected.
A graph of this activity resembles the letter “U”. The Y axis is the amount of data; the X axis is time. The hacker scans the systems, which generates a large amount of data and forms the left side of the “U”. Then the hacker exploits the system at the bottom of the “U”; comparatively, this is a small piece of data. Then the hacker pilfers the system, which completes the right side of the “U”.
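To make the “U” concrete, the following added example (not code from the original page) buckets a constructed set of flow records into one-minute windows, measures the data volume and the number of distinct targets in each window, and labels the windows with the three phases using a simple heuristic. The flow records, the window size and the thresholds are assumptions chosen to illustrate the model; they are not tuned for any real network.

```python
"""Toy classifier for the scan / exploit / pilfer "U" curve.

Added example, not the original page's code. Flow records and thresholds
are constructed for illustration only.
"""
from collections import defaultdict

WINDOW_SECONDS = 60          # assumed bucket width for the time axis
SCAN_MIN_TARGETS = 20        # many distinct host:port pairs => scanning
SCAN_MAX_BYTES_PER_FLOW = 200  # tiny probes, e.g. a SYN or a banner grab
BULK_MIN_BYTES = 10_000      # few flows but lots of data => pilfering


def build_sample_flows():
    """Constructed flows: (seconds since start, dst host, dst port, bytes)."""
    flows = []
    # Phase 1, scanning: 50 hosts x 4 ports, one 60-byte probe each,
    # spread across the first 50 seconds (200 flows, 200 distinct targets).
    t = 0.0
    for host in range(1, 51):
        for port in (22, 80, 443, 3389):
            flows.append((t, f"10.0.0.{host}", port, 60))
            t += 0.25
    # Phase 2, exploit: one short session against the single vulnerable host.
    flows.append((75.0, "10.0.0.7", 443, 900))
    # Phase 3, pilfering: a handful of long sessions moving bulk data.
    flows.append((130.0, "10.0.0.7", 443, 45_000))
    flows.append((150.0, "10.0.0.7", 443, 70_000))
    flows.append((170.0, "10.0.0.7", 443, 52_000))
    return flows


def summarize_windows(flows, window=WINDOW_SECONDS):
    """Group flows by time window and compute volume and target spread."""
    buckets = defaultdict(list)
    for t, host, port, nbytes in flows:
        buckets[int(t // window)].append((host, port, nbytes))
    summaries = {}
    for idx, recs in sorted(buckets.items()):
        summaries[idx] = {
            "flows": len(recs),
            "targets": len({(h, p) for h, p, _ in recs}),
            "bytes": sum(n for _, _, n in recs),
        }
    return summaries


def classify_window(s):
    """Heuristic phase label for one window summary (assumed thresholds)."""
    if s["flows"] == 0:
        return "idle"
    bytes_per_flow = s["bytes"] / s["flows"]
    if s["targets"] >= SCAN_MIN_TARGETS and bytes_per_flow < SCAN_MAX_BYTES_PER_FLOW:
        return "scanning"       # wide and shallow: the left arm of the U
    if s["bytes"] >= BULK_MIN_BYTES:
        return "pilfering"      # narrow and deep: the right arm of the U
    return "exploit"            # narrow and tiny: the bottom of the U


def phase_timeline(flows, window=WINDOW_SECONDS):
    """Return [(window_index, label, bytes, share_of_total_bytes), ...]."""
    summaries = summarize_windows(flows, window)
    total = sum(s["bytes"] for s in summaries.values()) or 1
    return [
        (idx, classify_window(s), s["bytes"], s["bytes"] / total)
        for idx, s in summaries.items()
    ]


if __name__ == "__main__":
    for idx, label, nbytes, share in phase_timeline(build_sample_flows()):
        print(f"window {idx}: {label:10s} {nbytes:>8d} bytes ({share:.1%} of total)")
```

The byte counts per window trace the “U” (large, then tiny, then large), and the share column shows why the exploit is the hardest phase to catch: in this constructed run it is well under one percent of the attacker's total traffic, which is the footprint the page says hackers deliberately minimize.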