Hacker Lifecycle Phase 5: Covering Tracks - IncMan SOAR’s Elimination Mechanisms

Back to all articles

IncMan SOAR Elimination Mechanisms

We have finally made it to the concluding phase within the Hacker lifecycle known as ‘Covering Tracks’. If a hacker has made it this far, rest assured they will be taking every precautionary measure necessary to ensure that they cannot be traced back to the first step of their exploit. We will be highlighting a few of the major aspects of the ‘Covering Tracks’ phase along with how our flagship SOAR solution, IncMan SOAR, can assist in the identification and elimination of the threat actor or actors for that matter.

Since the rise in the black market, it has become very lucrative and easy-to-navigate the once very difficult methods used to obtain information such as Personal Identifiable Information (PII) or Protected Health Information (PHI), which can now be accomplished through a few mouse clicks. Script kiddies and novice hackers can pull off all of the hacker phases that we have previously mentioned with very little knowledge on the aspects behind the hack. However, we have progressed beyond this and now have state-sponsored actors that run 24x7 operations to incorporate the skills that we have written about in this hacker series. These state-sponsored hacking organizations have unlimited funding, resources, and the latest and greatest in technology that will be needed to accomplish their goal.

The following listed steps illustrate the standard operating protocol to infiltrate/own a system:

Covering Tracks

The most obvious reasoning behind this phase as the phase title states ‘Covering Tracks’ is to cover their tracks. The majority of this is done through rootkits which we will be addressing shortly. Once there has been an indicator of compromise on a system or asset, there is going to be a notable amount of logs and residual artifacts that will be used to validate the compromise and assist in the triage process. Covering up these tracks of logs and other artifacts will be key to maintaining access and preventing the identification of a potential advanced persistent threat.


Rootkits can be defined as a combination of several malware families used in conjunction to assist in a system hack. An example of a particular rootkit for this use case will include a rootkit containing vulnerability scanning tools, log deletion or modification tools, and firewall rule manipulation applications. Additionally, uniquely developed scripts could be included in these rootkits to include network mapping, password brute-force crackers, and user profile creators.

Rootkits were traditionally designed to be used by Linux systems. However, as the success rate in hacking Windows Operating Systems has grown exponentially, rootkits are now being developed specifically to address this. The following rootkits were explicitly designed for Windows:

How IncMan SOAR’s Runbooks Assist in Combating Against Covering Tracks

Once an alert or indication of compromise has been generated by one of the security devices within your organization’s network, IncMan SOAR will initiate its security orchestration, automation and response processes. Depending on the potential compromise in question will dictate which particular Runbook IncMan SOAR you will choose to enact. This distinct scenario involves covering tracks and installing rootkits which are in line with suspicious network activity.

The illustration below is an example of a potential Runbook that could be used in a situation such as this. Here are a few of the steps that could be included in the Runbook but by no means is it exhaustive as that would span far beyond the scope of this blog:

  • Initiate a thorough network scan to include a listing of all open ports and running IPs on all assets

  • Implement an audit on all user accounts with a focus on those with an administrative account

  • Identify compromised assets and segment the asset from the rest of the network

  • Restore compromised asset and validate full remediation and removal of any residual malicious artifacts

In Summary

This concludes our series on the five stages of the Hacker lifecycle. Phases including reconnaissance, gaining access, and maintaining access each require special skill sets that for the majority of novice hackers, they are unwilling to strive for, but there is an increasing number of professional hackers among us who do wish to go this far. This is one of the fundamental reasons as to why cybersecurity attacks are occurring every day causing astronomical damages and devastating reputations indefinitely.

The negative attributes are evident and have been clearly expressed throughout this series. However, the positive aspects are that it takes a lot of skill and ingenuity to become a hacker regardless of intent. The lack of skilled cybersecurity professionals in the industry has created a void that may never be filled. Therefore, the opportunities and possibilities are endless for cybercriminals to conduct nefarious acts for their personal needs.

If you would like to see IncMan SOAR in action and learn how it can identify and eliminate a number of different threat actors you can request a personalized demo with one of our specialists today.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo