Pluralsight blog Where devs, IT admins & creative pros go for news, tips, videos and more.
Supercharge your skills with expert-authored tech & creative training. Unlimited. Online. Get it now →
November 15, 2012

Ethical Hacking: Why Hackers Cover Their Tracks


Watch these Ethical Hacking videos, and you’ll understand skills like network sniffing, social engineering, hijacking, and more. With these tactics of ethical hacking you’ll learn security techniques through the mind of an attacker.


It may seem kind of obvious, but hackers don’t like going to jail. Most people don’t. They know any evidence that they leave behind is a potential liability for staying out of jail in the future.
Certainly any evidence that they leave behind allows the administrator to understand what happened. It allows the administrator to analyze the attack.

Which systems where compromised, how the attacker got in, what the vulnerabilities where. An attacker typically wants to leave those vulnerabilities in place. He wants the administrator to be unable to apply patches, close ports or change passwords. He doesn’t want him to understand where the attack came from.

Hide the Attack from Administrators

First and foremost in that space is insuring that the administrator doesn’t know where the attack came from if in fact they find out the attack happened at all.

The best way or the best effect of track covering is to hide the fact that the attack happened in the first place. The administrators simply don’t know what happened.

The best kind of ethical hacking report is one where the entire IT staff shows up to hear the results and they expect the results to be, “Couldn’t get in. No effect, you know everything stopped me.” The actual results are, “Look at all the information I have. Look at where I broke in and what I compromised. And yes here’s how I hid the fact that I attacked in the first place. And here’s how I covered up all the evidence and erased all trace of me being there.”

That’s the best kind of ethical hacking report to deliver because it’s the most surprising and usually results in the biggest change to the defense of a company. They usually take it much more seriously if the compromise shows up that way.

Limit Target’s Ability to Respond

Certainly an attacker or a nefarious intruder wants to spread confusion and wants to make sure that the target doesn’t get a chance to respond in a timely way, or at all.

The goal is to hide the attack, the methods of the attack or the attack at all, so that even if the target finds out that the attack happened they may not be able to respond to it. They may not be able to figure which ports where compromised. They may not be able to figure out what malware is actually infecting their systems, which systems are infected and so forth. That’s the best kind of nefarious attack because that means that either the entire organization has to decide “Let’s do security again from scratch” or they’re going to have to wait until another attack to gather better evidence.

Waiting around for another attack is obviously a recipe for disaster. For an attacker it’s a recipe for further compromise.

Typically covering tracks is a combination of processes. It can be defined as two main categories. The first is identifying the systems that are likely to reveal evidence of the attack and likely to actually either carry the evidence themselves or report the evidence out. Then, the systems will either avoid or erase the evidence. You should avoid leaving it in the first place. Usually that’s absolutely the best way: no tracks means no tracks. No evidence there means you don’t have to worry too much about whether the evidence got picked up quickly or whether it’s analyzed, because there is no track to analyze.

In many cases, that’s not possible, and I’ll show you where in a moment. In the cases where it’s not possible to completely avoid leaving a track, the best solution is to just simply cover them up as best you can, (and I’ll show you techniques for that, as well).

As an ethical hacker, you want to know which kinds of systems (and these aren’t specific versions, operating systems or applications. These are general categories of systems that you need to be concerned about when you’re conducting an attack), will preserve evidence or may not preserve evidence.

Attack Systems

First of all, attack systems, (or the systems that you actually compromise), are obviously going to have the capability to store some information. Intrusion detection systems, firewalls, honeypots, are kinds of intermediate security focused devices that are designed to actually set off alarms, notify folks and preserve that evidence.

Log Collection Systems

There are also log collection systems. These are kind of multipurpose because some of them are used for administration, while some of them are actually used for security log collection and event collection. It doesn’t really matter which is which in this particular case because the techniques are the same for both.

The attack systems, when you’re attacking a system, presents a situation where it is almost impossible to completely avoid leaving evidence. In fact, in a lot of cases, you don’t really need to avoid leaving evidence because it’s pretty easy to erase the evidence that you’re going to leave, as long as you leave it in a careful process, or a careful fashion. I’m going to show you a couple of really good examples of both easy avoidance of some evidence building in the first place, and then removing most of the rest of it just manually.

Intrusion Detection Systems

You’ve already learned about intrusion detection systems, firewalls and honeypots. The only way to avoid leaving evidence is simply to avoid them entirely. Stay away from all of these systems. Don’t get anywhere near them or try to compromise them. Typically, don’t try to attack them.

Why? Because they’re all designed to sound the warning bells, bang a gong and get an administrator involved as quickly as possible. The moment you touch them you may be setting off alarms. I’ll go into specifics on those in a moment.

Log collection systems are typically difficult, if not impossible, to avoid entirely. The best approach is to minimize the exposure you have to these and then plan on going back and cleaning up logs or log entries as they’re collected in the future.

About the Author

has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His operations experience includes managing the Xbox LIVE operations team, the largest cloud computing operations team in the world, and consulting on operations efficiency with countless clients around the world. Mike has published several books (including two for O’Reilly) and numerous papers. He is a frequent conference speaker and classroom instructor on IT operations, computer security, and technology frameworks. Mike holds a number of certifications and accreditations including Certified Information Systems Security Professional (CISSP) practitioner and instructor.

Author's Website: