In order to fight hackers, you need to know how they operate. What do they actually do?

Most hacks follow the Lockheed Martin Cyber Kill Chain, an intelligence framework developed to identify and prevent cyberattacks. The process begins with getting information about a potential target and ends with stealing valuable data. So what are the stages cybercriminals go through when hacking a system?

The Lockheed Martin Cyber Kill Chain

Although there are variations to the process, hackers typically follow the Lockheed Martin Cyber Kill Chain in their quest to find who to hack and to carry out an attack. The Kill Chain comprises seven steps.

1. Hackers Research and Harvest Information

The first step in a cyberattack is reconnaissance—or scoping out the target. This typically involves collecting publicly available information about a potential target, including email addresses, social media usernames, and public records.

They may get this information from data leaks or by doing the grunt work if they are interested in a specific person. In the latter case, they may resort to more sophisticated methods like a Bluetooth attack or intercepting network traffic, also called a Man-in-the-Middle (MITM) attack. While the former requires the hacker to be in close proximity to the target, the latter can be done remotely using software or on-site by intercepting the victim's Wi-Fi.

The ultimate goal is to learn as much as possible about the targets, the devices they use, the devices' operating systems, and the services they use, among other things. The information they get here can help them find vulnerabilities.

2. Hackers Find the Tools Needed to Carry Out Attacks

This stage is called "weaponization" in the Cyber Kill Chain. Armed with information about their potential targets, hackers assemble the tools they'll need for the cyberattack. They may, for instance, create and hide malware in files that their target is likely to download.

You may think of this stage as going fishing. The gear you'll need to pack for fishing in a freshwater lake would be different from the gear you'll need for fishing out in the ocean. You would probably go with a different boat too.

3. Hackers Cast Their Net or Bait

This stage is called "delivery" in the Kill Chain. This step involves tricking the target into downloading the malware—basically inviting the bad guys into the fortress.

One common way hackers do this is by sending emails containing malicious files. The delivery method may also be images hosting the malware, as seen when hackers exploited the James Webb telescope images to spread malware. SQL injection is another common way hackers deliver malware.

Either way, the goal is to get the target to download malware onto their device. The malware takes over from here, automatically extracting itself and injecting itself into the system.

4. Malware Exploits a Vulnerability in the System

The malware takes over once it's on the target's computer. Certain background actions, like USB or Media Autoplay, can trigger the malware to automatically extract and run on the victim's device. This stage is called "exploitation".

5. Malware Does What It's Programmed to Do

This phase in the Kill Chain is called "installation". Once the malware gets into the system (or computer network), it silently installs in the background, usually without the victim's knowledge. Then, it begins to scan for vulnerabilities in the system that will grant the hacker higher admin privileges.

The malware also establishes a Command-and-Control System with the hacker. This system lets the hacker receive regular status updates on how the hack is progressing. To put it into perspective, imagine the Command-and-Control System as a high-ranking military officer who's actually a spy. The spy's position puts them in a place to access sensitive military secrets. This status also makes them primed to collect and send stolen intelligence without suspicion.
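
An added example (not from the original article) of how a defender can look for the regular check-ins described above: it flags source/destination pairs whose connections arrive at near-constant intervals. The log format, host names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records: "timestamp source destination".
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-12 telemetry.example.net
2024-05-01T09:01:10 ws-12 mail.example.org
2024-05-01T09:02:45 ws-12 mail.example.org
2024-05-01T09:05:02 ws-12 telemetry.example.net
2024-05-01T09:09:59 ws-12 telemetry.example.net
2024-05-01T09:15:01 ws-12 telemetry.example.net
2024-05-01T09:17:30 ws-12 mail.example.org
2024-05-01T09:20:00 ws-12 telemetry.example.net
2024-05-01T09:41:00 ws-12 mail.example.org
2024-05-01T09:58:20 ws-12 mail.example.org
2024-05-01T09:00:00 ws-30 telemetry.example.net
2024-05-01T09:10:00 ws-30 telemetry.example.net
2024-05-01T09:20:00 ws-30 telemetry.example.net
not-a-timestamp ws-30 broken.example.net
"""

def find_beacons(log_text, min_events=5, max_cv=0.1):
    """Return (source, destination, mean_gap_s, cv) for near-periodic pairs; cv = stdev/mean of gaps."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip records with an unparseable timestamp
        seen[(parts[1], parts[2])].append(ts)

    hits = []
    for (src, dst), times in sorted(seen.items()):
        if len(times) < min_events:
            continue  # too few events to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all events share one timestamp; no interval to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 4)))
    return hits
```

Legitimate software such as update checkers also connects on a schedule, so flagged pairs are leads to review against known-good destinations, not verdicts.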

6. Hackers' Spy System Takes Over and Expands

At this stage, the malware does several things to establish its Command-and-Control System, which also gives the sixth stage in the Kill Chain its name. Typically, it continues to scan the system for vulnerabilities. It can also create backdoors that hackers may use to enter the system if the victim discovers the entry point.

The system also looks for other devices connected to the compromised devices and infects those too. It's like when everyone at the office catches the common cold. If enough time passes, no one remembers who exactly started it.

7. Plunder, Destroy, Get Out

The final stage in the actual hacking process involves the cybercriminal using their elevated control of the victim's device to steal sensitive data like login details, credit card information, or files containing business secrets. A hacker may also destroy the files on the system, which is especially dangerous if the victim has no backup for data that was stolen and destroyed.

What Usually Happens After a Hack?

In cases where a hacker has been stealthy about the attack, the victim may not realize it, thus giving the hacker a steady feed of material. On the other hand, if the victim realizes they've been hacked, they may remove the malware and close the backdoors they can find.

Some organizations destroy compromised devices just to be safe. They also start to neutralize the effect of the hack. For example, if a hacker breaches a bank's network and steals credit card information, the bank would immediately deactivate all compromised cards.

Meanwhile, for the hackers, the successful hack means payday. They may hold the victim to ransom, usually paid through untraceable payment methods. Another option is to sell the stolen data to other cybercriminals who may use it to, say, steal someone's identity, copy their business model, or pirate proprietary software.

You Can Prevent Hacking Attempts

Hackers use a number of ways to find potential victims. Some of these are passive and uncomplicated, while others are active and sophisticated. But don't panic. Safe online practices and limiting the information you share online can keep you from being a target. Also, cybersecurity best practices and tools like VPNs and anti-malware can protect you from attacks.