At Critical Start we use a concept called the Defendable Network and map organizations to SecCon levels designed to give companies a chance against threat actors of varying skill levels.  We group threat actors skill levels into:

  • Untrained Attacker (just gets lucky)
  • Novice Attacker
  • Intermediate (using automated tools mostly)
  • Advanced
  • Expert

Phineas Fisher is a Blackhat hacker and gave a step by step explanation of how he compromised The Hacking Team.  From Phineas, “The Hacking Team was a company that helped governments hack and spy on journalists, activists, political opposition, other threats to their power, and occasionally on actual criminals and terrorists.” In his explanation, he describes how he avoids detection.  We’ve modified and tweaked a few things, but view the list below on how to avoid detection as a hacker.  This is useful because it shows the methods that an expert attacker will use to avoid detection.  Most breaches occur via novice and intermediate skill level attackers – a little scary!

How to Avoid Detection When Hacking
  1. Encrypt your hard disk. VeraCrypt is an open source project that replaced TrueCrypt.  VeraCrypt is described as the “Open source disk encryption with strong security for the Paranoid”.  If the police arrive to seize your computer, it means you’ve already made a lot of mistakes, but it’s better to be safe.
  2. Use a desktop operating system designed to be run as a virtual machine with all traffic routed through Tor.  This virtual machine should be installed inside the encrypted volume you created above.  I would recommend Whonix.  “Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible. With Whonix, you can use applications and run servers anonymously over the internet. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.” A comparison of features and other tools available can be found here.
  3. NEVER DO ANYTHING PERSONAL FROM WHONIX.  Any type of normal computer usage could potentially be correlated back to you.
  4. Don’t hack directly from Tor exit nodes. They’re on blacklists as well as being slow.  Plus they can’t receive connect-backs required for reverse shells. Tor provides anonymity to connect to your real hacking infrastructure (clean domain names for command and control, stable servers to receive reverse shells, and compromised servers to keep other domains/IP secret).  You will being using a low bandwidth text interface (SSH) between you and your hacking infrastructure, which has a great high bandwidth connection to your targets.
  5. Collect some anonymous bitcoin to use if you need to purchase anything (like a virtual private server, anonymous VPN connection, domain registration services, etc.).  Don’t do something silly like use your personal credit card for ANYTHING that is even a degree of separation involved with your hacking activities.
  6. Even when ensuring all traffic is going over Tor, it’s better to use an Internet connection that can’t be tied to your name or address.  Use a cantenna to “borrow” the Internet connection of someone else.  Tor isn’t a panacea. Law enforcement can correlate the times you’re connected to Tor with the times your hacker handle is active. Also, there have been successful attacks against Tor.


Cross posted from Quora at