The steps of a cyber criminal

Some cyber crime requires criminals to have high-level information security and technology skills to achieve the goal of a full data breach. In a world of virtual reality where it seems the sky’s the limit, it would stand to reason that bad actors would target businesses with the most valuable data.

But cyber criminals, much like common thieves searching for items to steal from unlocked homes, are looking for targets of opportunity they can easily hack without causing much alarm.

These are the steps of a cyber criminal.


With information security improving in recent years, it’s become harder for criminals to target specific people and businesses because most infosec defenses are fairly strong and tough to infiltrate. Instead, Darek Dabbs, chief information officer for Sera-Brynn, says illicit hackers now focus on luring employees and businesses into their web through phishing scams, email attachments, and poisoned HTML links.

“Cyber criminals realize firewalls and external defenses are fairly strong,” Dabbs says. “The weak points are the humans and vulnerable end point workstations humans utilize.”

Most hackers exploit weak security in software products such as Adobe Flash, Java and Internet Explorer to compromise workstation computers through a video or website infected with a virus or malware.

Scanning and gaining access

Once a bad actor has gained access to an individual employee’s computer, the next step is figuring out what type of security privileges the computer’s user has and how to gain more access to the business’ servers.

These bad actors, Dabbs says, immediately gain whatever permissions that specific user has on the computer. If the user is not an administrator, the hacker will set out to exploit another internal computer with the hopes of getting an escalation of security privileges to obtain administrative access.

In some cases, the criminal may run covert internal network scans to determine the security accesses of other computers in the network. In other cases, such as with Windows computers, Dabbs says they may look at active and past network connections without a scan to find other, more desirable workstations or servers to target.

A lack of updates and security patches can make it easy for hackers to exploit weaknesses to gain higher levels of privileges.

“They want to get administrative access so they can essentially own the entire network,” Dabbs says.

At the highest level of administrative access, Dabbs says it’s likely an intruder will be able to bypass a majority of all security defenses that may be configured on a company’s computers or network.

Maintaining access

Once an intruder is in, they’re in. Dabbs says the singular goal at that point is to maintain access. Some criminals may download and install a remote access tool (RAT). A skilled hacker may use a program that won’t trigger antivirus or malware detection. Sometimes they use tools already used by the organization to maintain access and avoid raising alarm.

“By using a tool familiar to the organization to remotely access the network, an attacker can avoid detection because it looks normal to security sensors,” Dabbs says.
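Both of the behaviours just described leave traces a defender can look for: the internal scanning step shows up as one workstation authenticating to many different hosts in a short window, and the "familiar tool" technique shows up as a sanctioned remote-access program being launched from a host that has no business running it. The following script is an added example, not code from the article or from Sera-Brynn; the log format, host names, the tool name `remoteadmin.exe`, the admin-host baseline and the thresholds are all constructed for illustration.

```python
"""Added example (not part of the article): two simple detections run over
constructed log lines.

  1. Fan-out: a single source host logging on to many distinct internal hosts
     within a short window (the internal scanning / lateral-movement step).
  2. Unexpected remote tool: a remote-access tool the organization legitimately
     uses, launched from a host that is not one of the known admin workstations
     (the "tool familiar to the organization" persistence technique).

Log format, host names, tool name and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<time> <source host> <destination host> <event> <key=value>"
SAMPLE_LOG = """\
2024-03-01T09:00:05 WS-ACCT-07 FS-01 NET_LOGON user=jsmith
2024-03-01T09:00:06 WS-ACCT-07 FS-02 NET_LOGON user=jsmith
2024-03-01T09:00:07 WS-ACCT-07 SQL-01 NET_LOGON user=jsmith
2024-03-01T09:00:08 WS-ACCT-07 DC-01 NET_LOGON user=jsmith
2024-03-01T09:00:09 WS-ACCT-07 PRINT-01 NET_LOGON user=jsmith
2024-03-01T09:00:10 WS-ACCT-07 HR-01 NET_LOGON user=jsmith
2024-03-01T09:15:00 ADMIN-WS-01 FS-01 PROCESS name=remoteadmin.exe
2024-03-01T09:20:00 WS-ACCT-07 DC-01 PROCESS name=remoteadmin.exe
2024-03-01T10:00:00 WS-SALES-03 FS-01 NET_LOGON user=bjones
2024-03-01T11:00:00 WS-SALES-03 PRINT-01 NET_LOGON user=bjones
"""

# Constructed baseline: hosts from which the sanctioned remote tool is expected to run.
ADMIN_HOSTS = {"ADMIN-WS-01", "ADMIN-WS-02"}
SANCTIONED_REMOTE_TOOLS = {"remoteadmin.exe"}

FANOUT_THRESHOLD = 5            # distinct destinations from one source ...
FANOUT_WINDOW = timedelta(minutes=2)   # ... within this window is suspicious


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, kind, detail = line.split(" ", 4)
        key, _, value = detail.partition("=")
        events.append({"time": datetime.fromisoformat(ts),
                       "src": src, "dst": dst, "kind": kind, key: value})
    return events


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {source: max distinct destinations} for sources that log on to
    at least `threshold` distinct hosts within any `window`-long period."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "NET_LOGON":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        # Sliding window over this source's time-ordered logon events.
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {e["dst"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def detect_unexpected_remote_tool(events, admin_hosts=ADMIN_HOSTS,
                                  tools=SANCTIONED_REMOTE_TOOLS):
    """Return (source, destination, tool) triples where a sanctioned remote
    tool was launched from a host outside the admin baseline."""
    return [(e["src"], e["dst"], e["name"])
            for e in events
            if e["kind"] == "PROCESS"
            and e.get("name") in tools
            and e["src"] not in admin_hosts]


def run(text=SAMPLE_LOG):
    """Run both detections over a log text and return their findings."""
    events = parse_log(text)
    return {"fanout": detect_fanout(events),
            "unexpected_remote_tool": detect_unexpected_remote_tool(events)}


if __name__ == "__main__":
    for name, finding in run().items():
        print(name, finding)
```

On the constructed sample, the fan-out check flags `WS-ACCT-07` (six distinct hosts in five seconds) but not `WS-SALES-03` (two hosts an hour apart), and the remote-tool check flags the `remoteadmin.exe` launch from `WS-ACCT-07` while ignoring the same program on `ADMIN-WS-01`. The baseline of expected admin hosts is what makes the second detection work: the tool itself looks normal, so the signal has to come from where it is running.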

And once they’ve comfortably infiltrated a company’s servers, criminals then start their real work – stealing information.

“The goal is to profit and make money,” Dabbs says. “Usually, they’re not doing it just because they can.”

Often hackers search for sensitive data to either hold for ransom or sell on the underground market. Credit card numbers, social security numbers and healthcare information are all high value targets for hackers.

Clearing their tracks

Outside of the obvious danger of a data breach, the real threat from cyber criminals comes once they know they’ve been caught. They’ll stay comfortably embedded in a business’ servers playing a “cat and mouse game,” Dabbs says, as long as they can get away with it.

Once they’ve been found out, an unprepared company could be at its most vulnerable.

“If a cyber intruder thinks they’ve been caught,” Dabbs says, “they could go nuclear and destroy the network before a professional can shut them out.”

These nefarious hackers can come from anywhere in the world: Africa, Europe, South America – you name it. And, Dabbs says, a hacker from, say, Europe, targeting an American company could make the data breach appear domestic even though it originated in Belarus or Belgium.

That could make it hard to detect the hacker, let alone trace the breach back to where it originated.

The trick is to never let it get to that point.

“Preparation is key – plan how your business will respond to an incident, know the data that is critical to your business, and protect it accordingly. Understanding the risk if you lose various types of data is key in prioritizing security spending,” he says.