The final phase: erasing evidence. Attackers clear logs, hide files, and remove traces of their activity. As defenders, we need to detect this by monitoring unusual activity and restricting administrative access. This is where many attackers get caught.
05 COVERING TRACKS
After achieving their objectives, the attacker typically takes steps to hide the intrusion and any controls left behind for future visits. This is the "get away clean" phase.
Log Deletion - Removing or altering system and application logs that record attacker activity
File Hiding - Using hidden directories, file attributes, or rootkits to conceal tools and data
Timestamp Manipulation - Changing file creation/modification dates to blend with legitimate files
Clearing History - Removing command history, browser history, and recent file lists
Rootkit Installation - Using rootkits to hide processes, files, and network connections
Traffic Obfuscation - Encrypting or hiding command-and-control traffic
DEFENSIVE MEASURES
Anti-malware - Detect and remove malicious software
Personal Firewalls - Block unauthorized outbound connections
Host-based IPS - Detect intrusion attempts
Restrict Admin Access - Limit local administrator rights
Alert on Unusual Activity - Monitor for anomalies
Know Your Network - Understand normal vs suspicious behavior
Critical Point: To detect track covering, security teams must know their network as well as attackers do. Alert on any activity not expected based on normal business operations.
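As an added illustration of the "Alert on Unusual Activity" and "Log Deletion" points (example code written for this page, not part of the original slides), the Python below runs three simple checks over constructed sample telemetry: explicit log-cleared events (Windows Security event 1102 and System event 104, which are real event IDs), unusually long silences in a log that suggest a deleted range, and file timestamps that cannot occur naturally, such as a modification time earlier than the creation time. All event records, file paths and user names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not from the page).
# Event log records: (timestamp, log name, event id, message).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "Security", 4624, "An account was successfully logged on"),
    ("2024-03-01T09:05:12", "Security", 1102, "The audit log was cleared"),
    ("2024-03-01T09:05:13", "System", 104, "The System log file was cleared"),
    ("2024-03-01T14:00:00", "Security", 4624, "An account was successfully logged on"),
    ("2024-03-01T14:00:05", "Security", 4624, "An account was successfully logged on"),
]
# File records: (hypothetical path, last-modified time, creation time).
SAMPLE_FILES = [
    ("C:/Program Files/App/helper.dll", "2019-06-12T10:22:41.384000", "2024-03-01T09:03:00.117000"),
    ("C:/Users/alice/report.docx", "2024-02-20T16:40:03.902000", "2024-02-20T16:40:03.902000"),
    ("C:/Windows/Temp/x.tmp", "2024-03-01T09:04:00.000000", "2024-03-01T09:04:00.000000"),
]
# Windows "log was cleared" events: Security 1102, System 104.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}

def find_log_clears(events):
    """Explicit clear events: the log records that it was wiped, so alert on them."""
    return [(ts, log, eid) for ts, log, eid, _ in events if (log, eid) in LOG_CLEAR_IDS]

def find_silent_gaps(events, max_gap=timedelta(hours=1)):
    """Silence longer than max_gap within one log; a deleted range shows up as a
    gap that normal activity on a busy host would not leave."""
    last, gaps = {}, []
    for ts, log, _, _ in sorted(events):  # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(ts)
        if log in last and t - last[log] > max_gap:
            gaps.append((log, last[log].isoformat(), ts))
        last[log] = t
    return gaps

def find_timestomp_candidates(files):
    """Strong signal: a file modified before it was created cannot happen naturally
    (absent clock changes). Weak signal: both timestamps land on an exact second
    on a file system that keeps sub-second precision, typical of tools that set
    times by hand; treat it as a hint to correlate, not an alert on its own."""
    hits = []
    for path, mtime, btime in files:
        m, b = datetime.fromisoformat(mtime), datetime.fromisoformat(btime)
        if m < b:
            hits.append((path, "mtime predates creation"))
        elif m.microsecond == 0 and b.microsecond == 0:
            hits.append((path, "whole-second timestamps (weak)"))
    return hits
```

Tune max_gap to the host's normal event rate; a workstation that is idle overnight needs a larger threshold than a domain controller.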