Attack styles vary widely:
Some hackers prepare far in advance of an attack. They gather small bits of information and methodically carry out their hacks. These hackers are the most difficult to track.
Other hackers — usually the inexperienced script kiddies — act before they think through the consequences. Such hackers may try, for example, to telnet directly into an organization’s router without hiding their identities. Other hackers may try to launch a DoS attack against a Microsoft Exchange server without first determining the version of Exchange or the patches that are installed. These hackers usually are caught, or at least blocked.
Malicious users are all over the map. Some can be quite savvy based on their knowledge of the network and of how IT and security operates inside the organization. Others go poking and prodding around into systems they shouldn’t be in — or shouldn’t have had access to in the first place — and often do stupid things that lead security or network administrators back to them.
Although the hacker underground is a community, many of the hackers — especially advanced hackers — don’t share information with the crowd. Most hackers do much of their work independently in order to remain anonymous.
Whatever approach they take, most malicious attackers prey on ignorance. They know the following aspects of real-world security:
The majority of computer systems aren’t managed properly. The computer systems aren’t properly patched, hardened, or monitored. Attackers can often fly below the radar of the average firewall or intrusion prevention system (IPS). This is especially true for malicious users whose actions are often not monitored at all while, at the same time, they have full access to the very environment they can
Most network and security administrators simply can’t keep up with the deluge of new vulnerabilities and attack methods. These people often have too many tasks to stay on top of and too many other fires to put out. Network and security administrators may also fail to notice or respond to security events because of poor time and goal management.
Information systems grow more complex every year. This is yet another reason why overburdened administrators find it difficult to know what’s happening across the wire and on the hard drives of all their systems. Virtualization, cloud services, and mobile devices such as laptops, tablets, and phones are making things exponentially worse.
Time is an attacker’s friend — and it’s almost always on his or her side. By attacking through computers rather than in person, hackers have more control over the timing for their attacks:
Attacks can be carried out slowly, making them hard to detect.
Attacks are frequently carried out after typical business hours, often in the middle of the night, and from home, in the case of malicious users. Defenses are often weaker after hours — with less physical security and less intrusion monitoring — when the typical network administrator (or security guard) is sleeping.