Phase 1 - Reconnaissance
Business Risk - The attacker is testing whether anyone is watching and responding. A target noted as easy to enter can become a future point of return for an attack once more is known about it on a broad scale.
Passive reconnaissance involves monitoring network data for patterns and clues.
Examples include sniffing, information gathering etc.
Active reconnaissance involves probing the network itself to detect the location of routers and details of operating systems and services.
Phase 2 - Scanning
Scanning refers to the pre-attack phase in which the hacker probes the network using the specific information gathered during reconnaissance.
Business Risk - 'High' - Hackers need only a single point of entry to launch an attack, and scanning is where a detected vulnerability becomes that point of exploit.
Scanning can include the use of dialers, port scanners, network mapping, sweeping, vulnerability scanners etc.
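As an added example (not part of the original text), a minimal detector for the scanning phase from the defender's side: it reads constructed firewall-style connection log lines and flags any source that touches many distinct ports on one host within a short time window, which is how a defender "sees" a port scan or sweep. The log format, IP addresses, window length and port threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample connection-log lines (assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACTION>").
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 -> 192.0.2.10:22 DROP
2024-05-01T10:00:01 203.0.113.7 -> 192.0.2.10:23 DROP
2024-05-01T10:00:01 203.0.113.7 -> 192.0.2.10:80 ACCEPT
2024-05-01T10:00:02 203.0.113.7 -> 192.0.2.10:443 ACCEPT
2024-05-01T10:00:02 203.0.113.7 -> 192.0.2.10:3389 DROP
2024-05-01T10:00:03 203.0.113.7 -> 192.0.2.10:8080 DROP
2024-05-01T10:00:05 198.51.100.4 -> 192.0.2.10:443 ACCEPT
2024-05-01T10:00:09 198.51.100.4 -> 192.0.2.10:443 ACCEPT
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action

def detect_port_scans(log_text, window_seconds=60, port_threshold=5):
    """Return {src_ip: sorted distinct ports} for every source that touched at
    least port_threshold distinct ports on one destination within any
    window_seconds-long interval. Thresholds are illustrative assumptions."""
    hits = defaultdict(list)  # (src_ip, dst_ip) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port, _action = parse_line(line)
            hits[(src, dst_ip)].append((ts, port))

    flagged = defaultdict(set)
    for (src, _dst_ip), events in hits.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= port_threshold:
                flagged[src].update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}

if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

The same sliding-window logic applies to a ping sweep if the key is the source and the set counted is distinct destination hosts instead of ports.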
Phase 3 - Gaining Access
Gaining Access refers to the true attack phase, in which the hacker exploits the system.
The exploit can occur over a LAN, locally, over the Internet or offline, and as a deception or theft. Examples include stack-based buffer overflows, denial of service, session hijacking, password filtering etc.
Influencing factors include the architecture and configuration of the target system, the skill level of the perpetrator and the initial level of access obtained.
Business Risk - 'Highest' - The hacker can gain access at the operating system level, application level or network level.
Phase 4 - Maintaining Access
Maintaining Access refers to the phase in which the hacker tries to retain his 'ownership' of the system.
The hacker has exploited a vulnerability and can tamper with and compromise the system.
Sometimes hackers also harden the system against other hackers (to 'own' it), securing their exclusive access with backdoors, rootkits, Trojans and Trojan horse backdoors.
Hackers can upload, download or manipulate data, applications or configurations on the 'owned' system.
Phase 5 - Covering Tracks
Covering Tracks refers to the activities undertaken by the hacker to extend his misuse of the system without being detected.
Reasons include the need for a prolonged stay, continued use of resources, removing evidence of hacking, avoiding legal action etc.
Examples include steganography, tunneling, altering log files etc.
Hackers can remain undetected for long periods, or use this phase to start fresh reconnaissance against a related target system.