Hacker Lifecycle Phase 4: Maintaining Access - IncMan SOAR’s Protective Mechanisms


Following on from my last three blogs in this hacker lifecycle series, we will now venture into the fourth phase, known as ‘Maintaining Access’. A hacker has gone to a lot of trouble and spent a lot of time gaining access to a system through the various methods covered in my prior posts. Therefore, they will do anything and everything within their power to maintain this access. The principal method of keeping this access is through specially crafted rootkits that enable communication into the organization's internal network.


Regrettably, if an organization experiences a data breach, the threat actor will be able to carry out many illegal activities. A few of these actions include traversing networks, identifying essential data locations, escalating privileges, and installing numerous malware families such as rootkits.

The objective of a compromise is not always monetary. Sometimes it is to discredit an individual or organization, as with the Sony hack that happened several years ago. Luckily, organizations today have amazing security tools at their disposal, and I will illustrate how, with DFLabs’ IncMan SOAR solution, tools can integrate and work seamlessly together as one to solve these problems.

Maintaining Access

Being able to maintain entrance into a system could be one of the most difficult, and arguably the most important, aspects of all the hacker phases. Considering that a lot of hard work and effort has gone into gaining access to the system, it would be very disheartening to be identified and then blocked from the network. The hacker would have lost all of the time, energy, and resources spent gaining access to that network, not to mention the possible repercussions connected to the illegal actions that have been carried out.


Rootkits provide the greatest means when it comes to maintaining access. Uniquely crafted rootkits that have been developed and installed on the infected host provide the hacker with the best opportunity of achieving their goal. Statistically, rootkits have proven to be the most successful malware tool to use when it comes to Advanced Persistent Threats (APT) and maintaining access to a system.

Having access to database locations and certain repositories may provide the hacker with information pertaining to PII, proprietary and intellectual information, trademark secrets, and source code affiliated with different types of programs or applications the company has developed. Therefore, depending on the motives of the hacker, maintaining access produces many possibilities.

IncMan’s SOAR Technology Defending Against Maintaining Access

DFLabs’ patent-pending Dual-Mode Orchestration technology relies on two main components, Playbooks and Runbooks, to sustain and enhance security orchestration and automation capabilities. For each industry or organization, the Playbook and Runbook that will be created and used during a certain incident type will be based on the requirements of the incident and the needs of the organization. However, here are a few universal actions that can be applied to its linear logic Playbooks and conditional logic Runbooks.


Aside from the normal actions included in the end-to-end process of an incident response lifecycle, a couple of explicit actions that could be included in the detection and containment phases might include:

  • Create SIEM alerts that identify any deviations from normal business operations baselines. This will include the exfiltration of data outside normal working hours

  • Create rules that will generate alerts indicating that specific directories or files are being accessed by users without proper clearance or approval

  • Regularly audit new and old user accounts that have been created, including admin accounts
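The three checks above can be expressed as detection logic over normalized events. The following is an added example, not DFLabs code or an IncMan rule: the event schema, business hours, restricted directories, approved account roster and the 5x baseline factor are all assumptions, and the log events are constructed.

```python
from datetime import datetime
from pathlib import PurePosixPath
from statistics import median

# Every value below is constructed for illustration (assumed policy and log schema).
BUSINESS_HOURS = range(8, 18)               # 08:00-17:59, Monday to Friday
RESTRICTED = {"/srv/finance": {"alice"}, "/srv/source": {"bob", "carol"}}
APPROVED_ACCOUNTS = {"alice", "bob", "carol", "svc_backup"}

EVENTS = [
    {"ts": "2024-03-04T10:15:00", "type": "egress", "user": "bob", "bytes": 40_000_000},
    {"ts": "2024-03-05T11:02:00", "type": "egress", "user": "bob", "bytes": 55_000_000},
    {"ts": "2024-03-06T14:40:00", "type": "egress", "user": "bob", "bytes": 47_000_000},
    {"ts": "2024-03-07T02:13:00", "type": "egress", "user": "bob", "bytes": 900_000_000},
    {"ts": "2024-03-07T02:20:00", "type": "file_access", "user": "bob", "path": "/srv/finance/q1/payroll.xlsx"},
    {"ts": "2024-03-07T09:00:00", "type": "file_access", "user": "alice", "path": "/srv/finance/q1/payroll.xlsx"},
    {"ts": "2024-03-07T02:31:00", "type": "account_created", "user": "bob", "account": "sysupd", "admin": True},
]

def off_hours(ts):
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS

def detect(events, factor=5):
    alerts, normal = [], {}
    # Baseline per user: transfer sizes observed during business hours.
    for e in events:
        if e["type"] == "egress" and not off_hours(e["ts"]):
            normal.setdefault(e["user"], []).append(e["bytes"])
    for e in events:
        if e["type"] == "egress" and off_hours(e["ts"]):
            # A user with no baseline gets 0, so any off-hours transfer alerts.
            base = median(normal.get(e["user"], [0]))
            if e["bytes"] > factor * base:
                alerts.append(("off_hours_egress", e["user"], e["ts"]))
        elif e["type"] == "file_access":
            path = PurePosixPath(e["path"])
            for root, allowed in RESTRICTED.items():
                if path.is_relative_to(root) and e["user"] not in allowed:
                    alerts.append(("unapproved_access", e["user"], e["path"]))
        elif e["type"] == "account_created" and e["account"] not in APPROVED_ACCOUNTS:
            kind = "unapproved_admin_account" if e.get("admin") else "unapproved_account"
            alerts.append((kind, e["account"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
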


Uniquely crafted Runbooks should be developed for the event that a threat actor is suspected of having breached the environment. Without going into too much detail on the specific actions that should be taken for this distinct compromise, here are a few recommendations of what to include when developing and implementing a runbook for this attack type:

  • Initiate detailed scans on the system’s processes of the suspected compromised asset to determine any abnormal processes

  • Conduct special scans that will look for any types of malware families associated with rootkits

  • Isolate and segregate hosts that have been identified as being compromised from the rest of the network

  • Execute a File Integrity Monitoring audit to determine whether or not any classified information has been accessed or exfiltrated
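The File Integrity Monitoring step comes down to comparing a known-good manifest of file hashes against the current state of the host. The following is an added example, not part of the original post or of IncMan: the function names and the directory tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def audit(baseline, current):
    """Compare two snapshots and report added, removed and modified files."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def demo():
    # Constructed directory tree standing in for a monitored path on a host.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original binary")
        (root / "etc.conf").write_text("PermitRootLogin no\n")
        (root / "notes.txt").write_text("unchanged\n")
        baseline = snapshot(root)            # taken while the host is known-good
        (root / "bin" / "login").write_bytes(b"replaced binary")
        (root / "etc.conf").unlink()
        (root / "bin" / ".hidden.ko").write_bytes(b"\x7fELF")
        return audit(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A hash comparison shows that files were modified, added or removed, not that they were read, so access and exfiltration questions still need the access logs. On a host suspected of carrying a rootkit, take the current snapshot from trusted media and keep the baseline off-host.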

An example of a Runbook that has all the included steps mentioned, along with a few other necessary steps may look something similar to the illustration below:

In Conclusion

Maintaining access is paramount to a successful breach of an asset. Much time and many resources have been dedicated, and a significant amount of risk has been taken, to get to the point of gaining and maintaining access. Hackers will do anything and everything necessary to try to maintain their access without being flagged, while also avoiding any legal punishment. They also have to compete with very sophisticated tools and security technologies that prevent such nefarious actors from accomplishing their mission of hacking into a system.

By incorporating the security orchestration and automation responses brought forth by IncMan SOAR’s integrations, Playbooks, and Runbooks, we can quickly acknowledge Indicators of Compromise (IOCs). Once these IOCs have been acknowledged, the actions required to defend against these attack types will be initiated across detection, containment, and remediation.

Keep an eye out for my final blog post in the series that will address the ‘Covering Tracks’ stage of the hacker lifecycle and conclude the five phases.
