When leaving a system, taking steps to make it impossible or too difficult to trace an attack back to the adversary.
Once an attacker has gained access to your system, it is in the attacker’s best interest to make sure nobody realizes what’s happening. Attackers leave digital footprints: breadcrumb trails that defenders could follow to catch them and stop the hack. A sophisticated hacker will destroy this breadcrumb trail as best they can, for as long as they can.
An IP address is one way that an attacker could be caught. Attackers have several methods to hide their IP: they can route traffic through proxies or VPNs, or they can spoof their IP address to appear as if they are somebody else. By changing or hiding their real IP address, attackers become harder to track and identify.
System-generated logs are another way hackers can be caught. A large enterprise would have many systems, each with its own automated logging, creating vast amounts of data that investigators could comb through for evidence. A hacker with the right admin privileges could modify or delete these system logs and erase huge chunks of their digital footprints.
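The defensive answer to log tampering is to make logs tamper-evident rather than merely present: if every record is chained to the one before it with a keyed hash, an admin who deletes or rewrites an entry breaks the chain at that point. The following is an added illustration, not code from the original page; the event lines, the sealing key and the genesis tag convention are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample audit events; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "user": "alice", "action": "login", "src": "10.0.0.5"},
    {"ts": "2024-01-01T10:02:13Z", "user": "alice", "action": "sudo", "cmd": "cat /etc/shadow"},
    {"ts": "2024-01-01T10:03:40Z", "user": "alice", "action": "logout"},
]

# Hypothetical sealing key. It must live on the log collector, never on
# the host that produces the log, or an attacker with admin rights could
# simply re-seal whatever they rewrote.
KEY = b"example-sealing-key-not-for-production"
GENESIS = b"\x00" * 32  # tag assumed for "the record before the first"


def _canon(event: dict) -> bytes:
    """Canonical encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def seal_log(events: list, key: bytes) -> list:
    """Wrap each event in a record whose tag is HMAC(key, prev_tag || event).
    Every tag therefore depends on all earlier records."""
    prev_tag = GENESIS
    sealed = []
    for ev in events:
        tag = hmac.new(key, prev_tag + _canon(ev), hashlib.sha256).digest()
        sealed.append({"event": ev, "tag": tag.hex()})
        prev_tag = tag
    return sealed


def verify_log(sealed: list, key: bytes):
    """Recompute the chain. Returns (True, None) if it is intact, otherwise
    (False, i) where i is the first record that no longer fits the chain.
    A deleted or edited record shows up as a mismatch at that position."""
    prev_tag = GENESIS
    for i, rec in enumerate(sealed):
        expected = hmac.new(key, prev_tag + _canon(rec["event"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return False, i
        prev_tag = expected
    return True, None


def head_tag(sealed: list) -> str:
    """Tag of the newest record; stored off-host, it pins the log's length."""
    return sealed[-1]["tag"] if sealed else GENESIS.hex()


def verify_against_anchor(sealed: list, key: bytes, anchor: str) -> bool:
    """Chain check plus comparison with an anchor saved elsewhere. Catches
    truncation (dropping the newest records), which the chain alone cannot."""
    ok, _ = verify_log(sealed, key)
    return ok and hmac.compare_digest(head_tag(sealed), anchor)


if __name__ == "__main__":
    log = seal_log(SAMPLE_EVENTS, KEY)
    anchor = head_tag(log)
    print("intact:", verify_log(log, KEY))

    deleted = [log[0], log[2]]                      # the sudo event removed
    print("after deletion:", verify_log(deleted, KEY))

    edited = [log[0], {"event": dict(log[1]["event"], cmd="ls"), "tag": log[1]["tag"]}, log[2]]
    print("after edit:", verify_log(edited, KEY))   # sudo event rewritten

    truncated = log[:2]                             # newest record dropped
    print("truncated chain check:", verify_log(truncated, KEY))
    print("truncated anchor check:", verify_against_anchor(truncated, KEY, anchor))
```

The chain alone catches an entry being removed or rewritten in the middle, but it cannot tell that the tail has been cut off, which is why the head tag (or simply the whole sealed stream) should be forwarded to a collector the compromised host cannot write to; the same reasoning is why the key is kept there too.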
One of the most famous computer worms ever, Stuxnet, went above and beyond with covering its tracks. Stuxnet, which targeted a nuclear facility in Iran, gathered video camera footage from CCTVs watching the nuclear reactor. The Stuxnet malware made the reactor unstable, and as the nuclear reactor began to melt down, Stuxnet fed the stable camera footage to the surveillance team. Even as the nuclear reactor melted down, all the video camera feeds looked completely normal.