Cybersecurity incidents are becoming increasingly common and costly, making incident response a critical domain for organizations to understand and implement. This book enables you to effectively detect, respond to, and prevent cyberattacks on Windows-based systems by equipping you with the knowledge and tools needed to safeguard your organization's critical assets, in line with the current threat landscape.
The book begins by introducing you to modern sophisticated cyberattacks, including threat actors, methods, and motivations. Then, the phases of efficient incident response are linked to the attack's life cycle using a unified cyber kill chain. As you advance, you'll explore various types of Windows-based platform endpoint forensic evidence and the arsenal necessary to gain full visibility of the Windows infrastructure. The concluding chapters discuss the best practices in the threat hunting process, along with proactive approaches that you can take to discover cybersecurity incidents before they reach their final stage.
By the end of this book, you’ll have gained the skills necessary to run intelligence-driven incident response in a Windows environment, establishing a full-fledged incident response and management process, as well as proactive methodologies to enhance the cybersecurity posture of an enterprise environment.
You can read the e-book in Legimi apps or in any app that supports the following format:
Number of pages: 362
Year of publication: 2024
Incident Response for Windows
Adapt effective strategies for managing sophisticated cyberattacks targeting Windows systems
Anatoly Tykushin
Svetlana Ostrovskaya
Copyright © 2024 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Pavan Ramchandani
Publishing Product Manager: Prachi Sawant
Book Project Manager: Ashwini C
Senior Editor: Sujata Tripathi
Technical Editor: Yash Bhanushali
Copy Editor: Safis Editing
Proofreader: Sujata Tripathi
Indexer: Hemangini Bari
Production Designer: Aparna Bhagat
DevRel Marketing Coordinator: Marylou de Mello
First published: August 2024
Production reference: 1240724
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB, UK
ISBN 978-1-80461-932-2
www.packtpub.com
To my mother and father, Natalia and Vladimir, for setting up my life path, and to the memory of my granddad, Anatolii Mikheev, for his inspiration and demonstration of what is a true commitment to the job. To my love, for supporting me throughout this fascinating endeavor.
– Anatoly Tykushin
This book delves into the dynamic field of incident response in Windows, distinguishing itself by moving beyond conventional frameworks to explore the multifaceted nature of real-world cyber incident scenarios. Unlike most literature, which adheres to existing methodologies, this book emphasizes the necessity for incident response specialists to operate with autonomy, continually applying new methods in a dynamic cyber world.
Authored by Svetlana Ostrovskaya and Anatoly Tykushin, experienced practitioners, this book draws on insights from over 30 diverse incident response cases that often challenge standard processes. It underscores the importance of understanding the varied tactics, techniques, and tools employed in actual attacks to tailor incident response effectively. You will find linked stories of real-world incident responses and learn how seasoned experts managed to help organizations restore attack kill chains, find and restore evidence, trace threat actor activity, identify vulnerabilities and blind spots exploited by threat actors, take action to expel them from compromised networks, regain control, and prevent future attacks.
Further enriching this approach, the authors illustrate how integrating cyber threat intelligence data can enhance incident response strategies. This integration aids in attributing attacks, anticipating the attacker’s next moves, and thereby accelerating and refining the incident response. Good cyber threat intelligence can help you understand potential incidents even before they start, while IoC enrichment streamlines the detection and tracing of threat actors.
This book also explores the critical role of threat hunting as an essential component of incident response for teams tackling complex security breaches within large-scale infrastructures. Based on cyber threat intelligence and expert knowledge, you can build the right hypotheses to detect elements that are overlooked by the standard approach, find more evidence, and ensure that maximum knowledge is gleaned from the incident response to develop effective protection strategies.
Additionally, this book covers crucial aspects related to incident management and case management, as well as how to draw conclusions and lessons learned to prevent future incidents.
Targeted at those with foundational knowledge, this book is not a beginner’s guide but a resource aimed at developing a robust base for future response strategies. Svetlana Ostrovskaya and Anatoly Tykushin have a wealth of experience in dealing with cybercrime, providing training in incident response, and safeguarding organizations against cyber threats.
Dmitry Volkov
CEO and co-founder of Group-IB
Anatoly Tykushin is a services director at Group-IB with 6 years of experience in digital forensics, incident response, compromise assessment, and threat hunting. He has created several DFIR training programs in incident response and network forensics, written several blog posts, and contributed to threat research reports. Outside of DFIR, he has a background in IT administration and DevOps, microcontroller unit development in C, and ASM.
I would like to thank my colleagues over my career at Group-IB for fueling me with passion and interest for the field of DFIR, and Svetlana Ostrovskaya for supporting me in the difficult challenge of creating this book. It was a great pleasure to work together. Also, I have a special gratitude for my granddad, who has written more than 100 books, monographies, and research papers over his 50-year career at one of my homeland’s leading architecture and construction universities. Finally, I want to thank Roman Rezvukhin, Head of Malware Analysis and Threat Hunting at Group-IB, who has shared awesome insights about several aspects, which created a solid foundation for this book, making it more insightful and useful for our readers.
I would also like to thank the Packt team for providing us with the opportunity to publish the book and for their support and guidance throughout the writing process.
Svetlana Ostrovskaya is a practicing specialist in digital forensics and incident response at Group-IB. She is the author of DFIR training programs and cybersecurity crisis management workshops, and the author and co-author of blog posts, articles, and books on information security, computer forensics, and incident response.
I would like to express my gratitude to Anatoly for his passion and dedication in creating this book. It was a great pleasure to work together.
I would also like to thank the Packt team for providing us with the opportunity to publish the book and for their support and guidance throughout the writing process.
Simone Marinari, incident response lead at Cyberoo, began as a system administrator and transitioned to cybersecurity roles after gaining a strong IT background. With experience as a senior system engineer at a bank, and later as a senior system and security engineer at a software house, he managed projects, responded to cyber attacks, and hardened infrastructures for clients. Prior to joining Cyberoo, Simone also served as a senior associate at Kroll’s EMEA Cyber Risk Practice. In Kroll’s DFIR team, he specialized in handling APT and major cyber incidents. In addition, Simone was also part of Kroll US Malware Analysis Group (MAG), where he analyzed malware samples collected by the security firm during worldwide cyber incidents.
Shivakumar Munuswamy is a cybersecurity professional with 26 years of experience in the IT field. Based in Gothenburg, Sweden, he is currently a Cybersecurity Incident Response Manager at Enterprise Services Sverige AB (DXC Technology), specializing in tools like Microsoft Defender and CrowdStrike Falcon. With prior roles at Capgemini Sweden AB and Tech Mahindra Ltd, he has a strong background in major incident management. Shivakumar holds a Bachelor's in Computer Application from Sikkim Manipal University and certifications from ISC2, Microsoft, and CompTIA. Fluent in English, Hindi, Marathi, and Tamil, he is dedicated to enhancing organizational cybersecurity.
I am deeply grateful to my mentors Ken Stoke, Rajeev Velagapudi, Prem Rawat, Himanshu Upadhaya, and Anshukant Pandey for their invaluable guidance, support and collaboration throughout my career. Lastly, I extend my heartfelt appreciation to my family for their unwavering support and understanding, which has allowed me to pursue my passion in cybersecurity.
Michael Gough (CISSP) is a Malware Archaeologist (MalwareArchaeology.com), Blue Team defender, Threat Hunter, Incident Responder, Information Security professional, and logoholic. He loves logs, as they can reveal who, what, where, when, and how an incident happened if they are properly configured. He developed several freely available Windows logging cheat sheets to help the security industry understand Windows logging, including where to start, what to set, and what to look for. These cheat sheets cover Windows systems as well as Splunk, Crowdstrike Logscale, and MITRE ATT&CK. He is the co-developer of two Windows incident response Live-IR tools, LOG-MD and File-MD, malicious discovery tools that harvest critical malicious Windows artifacts.
After serving as Vice President of ISSA Austin and leading BSides Austin from a handful of attendees to a four-conference entity in Texas before retiring, it has been a pleasure to watch our successors take the reins and succeed what we started to provide educational conferences to and for the community. I take great pride in helping to educate the community and next generation of information security professionals.
The complexity and impact of cybersecurity threats continue to evolve, underscoring the importance of effective incident response for IT professionals. This book provides real-world examples and state-of-the-art practices that are crucial for developing the mindset of an adept incident responder. It offers a structured cybersecurity framework focused on critical Windows domains, which enables readers to learn not just how to react to incidents but also how to analyze and remediate them effectively.
This book is designed to provide readers with the contextual understanding, practical skills, and strategic insights necessary to excel in the field of cybersecurity, particularly in managing and mitigating incidents on Windows systems. It offers detailed discussions on every phase of the incident response process, from detection to recovery, and covers tools, techniques, and strategies essential for managing incidents in Windows-based environments.
As you progress through this book, you will gain insight into how to approach cybersecurity incidents not just with technical tools, but with a strategic framework that prioritizes comprehensive threat analysis and systematic response planning. Regardless of whether you are an IT professional, a business leader, or a novice in the field of cybersecurity, this book aims to enhance your understanding of and capabilities in incident response, setting a new benchmark in your professional journey.
This book is designed primarily for IT professionals, including Windows IT administrators, cybersecurity practitioners, and incident response teams. It is especially relevant for security analysts, system administrators, and network engineers tasked with securing Windows systems and networks. SOC teams will find this resource invaluable for managing and responding to cybersecurity incidents in a Windows-based environment.
Additionally, this book serves as an essential tool for students and researchers focused on incident response and cybersecurity within Windows environments. Business owners and executives interested in bolstering their incident response strategies for Windows-based IT infrastructure will also benefit from the insights provided.
Readers are expected to possess a basic understanding of Windows operating systems, network configurations, and foundational cybersecurity concepts. This includes familiarity with malware identification, network security, threat intelligence, and the essentials of security operations and incident response. Knowledge of common security controls, such as antivirus software, endpoint detection and response agents, firewalls, and intrusion detection systems is assumed.
Ideally, you should have a keen interest in cybersecurity and a strong desire to learn how to effectively detect, respond to, and mitigate security incidents in a Windows environment. This book aims to deliver practical guidance, best practices, and case studies to enhance the incident response capabilities of IT professionals and teams operating in Windows environments.
Chapter 1, Introduction to the Threat Landscape, provides an overview of the cybersecurity threat landscape, including an analysis of the types of threats that organizations face, the different motivations and goals of threat actors, and the potential impact of cyber attacks on businesses, including financial losses, reputational damage, and legal consequences.
Chapter 2, Understanding the Attack Life Cycle, provides a comprehensive overview of the typical phases of a sophisticated cyber attack with Windows systems in scope. It provides a detailed account of the various stages involved in the attack, from initial reconnaissance and infiltration to data exfiltration and impact. Furthermore, it examines the tactics and techniques employed by threat actors at each stage of the attack, including their operator activities, malware, and dual-use tools used.
Chapter 3, Phases of an Efficient Incident Response on Windows Architecture, presents an overview of the various stages involved in an effective incident response process. It outlines a step-by-step approach to incident response, including preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.
Chapter 4, Endpoint Forensic Evidence Collection, addresses the various methodologies employed for the acquisition of forensic evidence from Windows OS-driven endpoints within the context of an incident response investigation. It covers best practices for the preservation and analysis of the collected evidence, including the creation of forensic images, maintenance of a chain of custody, as well as utilization of specialized tools for analysis.
Chapter 5, Gaining Access to the Network, provides an overview of the initial access techniques and the investigation methods employed to identify any breaches. It also examines the external attack surface and the factors that may facilitate a threat actor’s ability to breach the infrastructure perimeter. Furthermore, it describes the forensic artifacts that may contain such evidence and the analytical approach typically employed to analyze them.
Chapter 6, Establishing a Foothold, provides guidance on the determination of the extent of the attacker’s activity on the system. It encompasses various methods employed by adversaries for the establishment of a foothold and provides the requisite tools and techniques for the investigation and response to these stages of attacks.
Chapter 7, Network and Key Assets Discovery, addresses the phase of the attack life cycle that occurs after the attacker’s successful establishment of a foothold within the target system. This section provides an overview of the techniques employed by adversaries to identify and map the Windows environment, including the discovery and mapping of active hosts, the construction of a network topology map, and the identification of key assets. Additionally, it provides guidance on the detection and investigation of discovery activities.
Chapter 8, Network Propagation, addresses the phase that follows the adversaries’ discovery of the network and identification of potential targets for lateral movement. This section provides an overview of the techniques employed by attackers to move laterally, execute their tools, maintain infrastructure-wide persistence, compromise new credentials, and prepare for the final stages of the attack. Additionally, readers will gain insights into the detection and response strategies that can be employed in this stage.
Chapter 9, Data Collection and Exfiltration, addresses the final phases of the attack life cycle, during which attackers attempt to gather sensitive data from the compromised system and exfiltrate it to a remote location. Readers will gain insights into the various techniques that attackers employ to collect and exfiltrate data from the victim environment. Additionally, the chapter will discuss the different types of data that adversaries target, including personally identifiable information, financial data, and intellectual property.
Chapter 10, Impact, is concerned with the final phase of the incident response process, during which responders must assess the damage caused by the attack and determine the extent of the impact on the affected systems and data. You will learn about the different types of impact that an attack can have, as well as various methods and metrics that can be employed to assess its extent.
Chapter 11, Threat Hunting and Analysis of TTPs, is devoted to the proactive techniques and tools that organizations can utilize to identify and prevent cyber attacks before they gain sufficient presence. This chapter covers a number of topics, including the application of threat intelligence, the use of anomaly detection, and the utilization of known threat actor tactics, techniques, and procedures (TTPs) to identify potential security threats.
Chapter 12, Incident Containment, Eradication, and Recovery, outlines the essential steps that must be taken once an incident has been identified and confirmed. It commences by emphasizing the importance of isolating the affected systems in order to prevent further damage and to halt the attacker’s progress. This chapter then presents various techniques for removing the attacker’s presence from the systems and returning the systems to normal operation while minimizing the risk of attack repetition.
Chapter 13, Incident Investigation Closure and Reporting, is dedicated to the significance of effective incident investigation and management, as well as the various aspects of the reporting process. You will gain insights into the importance of maintaining accurate and timely documentation throughout the incident response process, from initial identification of a potential security incident to final resolution and recovery.
This book is designed to serve as both a comprehensive guide and a practical resource for those involved in managing cybersecurity incidents in Windows environments.
To fully benefit from the book, it is recommended that you actively engage with each chapter, relate the content to your own experiences, and make use of the practical exercises and case studies to deepen your understanding and refine your incident response skills.
Participation in online discussions, conferences, and professional networks is encouraged in order to facilitate the sharing of ideas and insights, thus promoting learning and enabling one to remain abreast of the latest developments in the field.
The integration of these approaches into your daily activities is expected to significantly enhance your capacity to manage and respond to cybersecurity incidents within a Windows environment.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, registry keys, folder names, filenames, file extensions, pathnames.
Here is an example: “The following screenshot shows an example of using wmic and process call create to execute code on a remote host.”
A block of code is set as follows:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
<RegistrationInfo>
  <Date>2021-11-02T18:14:01</Date>
  <Author>DESKTOP\user</Author>
  <URI>\WindowsNT\WindowsUACDialog\CleanupTask</URI>
</RegistrationInfo>
Any command-line input or output is written as follows:
tshark -i <capture interface> -w <output file>
Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold.
Here is an example: “Create Account and Valid Accounts are very popular techniques that can be used for persistence.”
Note
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you’ve read Incident Response for Windows, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below
https://packt.link/free-ebook/9781804619322
Submit your proof of purchase
That’s it! We’ll send your free PDF and other benefits to your email directly.
This part provides an in-depth analysis of the cybersecurity threat landscape, highlighting the diverse threats that organizations currently face. It delves into the motivations and objectives of different threat actors and discusses the significant impacts of cyber attacks, including financial losses, reputational damage, and legal ramifications. Furthermore, it provides a comprehensive breakdown of the phases of a sophisticated cyber attack targeting Windows systems, detailing each stage, from the initial reconnaissance and infiltration to data exfiltration and the final impact.
This part contains the following chapters:
Chapter 1, Introduction to the Threat Landscape
Chapter 2, Understanding the Attack Life Cycle
Most of the attacks (more than 90% according to GROUP-IB’s global experience) targeting organizations’ networks are run against Windows environments. This follows from the market dominance of the Microsoft Windows operating system; its familiarity to most users in the world; its software diversity, since it supports a vast range of applications; its backward compatibility, which makes it hard to eliminate several severe cybersecurity issues discovered in the past; and the many legacy systems that do not support the latest versions of these operating systems.
We (the authors) have been involved in hundreds of incident response engagements in organizations of all sizes, on many continents, and in a variety of industries, including government, the financial sector (banks, brokers, and cryptocurrency exchanges), pharmacies and healthcare, critical industries, retail, construction, IT, and more, with different levels of cybersecurity maturity: from companies with no cybersecurity team at all to companies with huge security operations center (SOC) teams, dedicated roles covered by professionals with 10+ years of experience, and automation that ran like a Swiss watch. There is no silver bullet, but there are some best practices that can be implemented to reduce – but not eliminate – cybersecurity risks.
This chapter explores the intricate web of threat intelligence levels, which can help organizations identify and categorize potential cyber threats targeting their Windows systems. In terms of all threat intelligence levels, we will discuss how they contribute to an organization’s overall cybersecurity posture.
We will also examine the main types of threat actors, their motivations, and the tactics they employ when targeting organizations with Windows environments.
Additionally, we will present real-world use cases that highlight the importance of understanding the cyber threat landscape, illustrating how organizations can proactively identify vulnerabilities, prioritize risks, and prepare for developing effective countermeasures for their Windows systems.
This chapter will cover the following topics:
Getting familiar with the cyber threat landscape
Types of threat actors and their motivations, including advanced persistent threats (APTs), cybercriminals, hacktivists, competitors, insider threats, terrorist groups, and script kiddies
Building a cyber threat landscape
Let’s take a look!
To begin with, there should be a cybersecurity strategy. The smart way to create such a strategy is to understand the current threats and the capabilities of adversaries and apply proactive measures to prevent the cybersecurity incidents that an organization might face. For example, a small business such as a consulting company that works with other small businesses would not, with high confidence, expect an espionage attack from state-sponsored groups. Construction businesses will most likely face a ransomware attack, while telecom and government entities will likely face espionage attacks. We will discuss these in more detail later in this chapter.
Such a profile, describing the current and evolving state of cybersecurity risk from potential and identified cyber threats, is provided by the unifying concept of cyber threat analysis. The unified cyber threat analysis process includes identifying external attack surfaces (all exposed digital assets) and cyber threat intelligence (CTI).
The external attack surface is a new term that combines all internet-facing enterprise assets, such as the infrastructure perimeter, the intellectual property hosted on other third-party services (including source code), project management, CRM systems, and more. Powered by CTI, it provides significant value to organizations to help them better manage their digital assets and give actionable insights into digital risks. Its verdicts are based on vulnerabilities, with improved severity scoring based on the available exploits and their application in cyberattacks, infrastructure misconfigurations, exposures, confirmed compromises, and leaks. However, this class of solutions does not solve the problem of obtaining information about cyber threats facing organizations. For example, the external attack surface management (EASM) solution provides information about current unpatched vulnerabilities or leaked credentials but does not explain current attacks that other organizations face. Thus, this data may feed user and entity behavioral analysis (UEBA) or trigger playbooks in security orchestration, automation, and response (SOAR) solutions, forcing a password reset or a ticket for the IT team to be created to patch vulnerabilities. However, it does not provide some valuable threat intelligence aspects, all of which we will cover later in this section. In addition, EASM may provide information about the source of the credentials leak specifying the malware family, but it won’t explain how to properly discover and mitigate it.
Next, CTI includes the following aspects that pose cybersecurity risks:
Threat actors and their motivations
Vulnerabilities
Compromised and leaked accounts
Malware
Tools
Attack tactics, techniques, and procedures
Indicators of compromise (IoCs)
Compared to EASM, threat intelligence provides a complete overview of all these aspects without being tied to the specifics of a particular organization.
Cybersecurity vendors generate and fuel this knowledge database through incident response engagements, observing adversaries’ attack life cycles and motivations, and everything else we have discussed already. In addition, experts perform post-analysis by identifying the threat actor’s infrastructure, which is used to conduct attacks on their victims, leverage open source intelligence research (OSINT), generate patterns to track activity, predict future campaigns, and secure their clients from ongoing attacks.
Three different models explain the different levels of threat intelligence. Table 1.1 compares them: between them they use the Strategic, Operational, Tactical, and Technical levels; every model includes the Strategic and Operational levels, two of the three include a Tactical level, and only one model defines a separate Technical level.
Table 1.1 – Threat intelligence tiered models – comparison
For the sake of atomicity, let’s proceed with a four-layered model:
Layer | Description
Strategic | Executive summary about attackers by activity, country, and industry while considering their motivations, goals, and trends
Operational | A summary of current and impending attacks from various adversaries, as well as vulnerabilities exploited in the recent breaches
Tactical | The tactics, techniques, and procedures (TTPs) of threat actors, most frequently based on the MITRE ATT&CK® matrix; exploited vulnerabilities
Technical | IoCs, detection rules (YARA and SIGMA rules), and compromised user accounts
Table 1.2 – Semantics of the different CTI levels
To summarize, the levels of CTI provide answers to the following questions:
The who and why – strategic CTI
The how and where – operational CTI
The what – tactical and technical CTI
At this stage, you might be wondering how you can apply this knowledge to protect organizations.
Well, the answer to the question is a little intricate, but we can break it down step by step.
To start, the technical layer of threat intelligence should not consume a lot of time and must be automated at the implementation phase by the vendor and in-house security team, as shown in the following table:
Type: Action
IoCs: Feeding a SIEM or other security controls such as NGFW, AV, EDR, sandboxes, DLP, and email security solutions for automated blocking and prevention, as well as alert triggering, with a severity level set so that the alert attracts the security team’s attention.
Detection rules (YARA and SIGMA rules): YARA rules can be used for one-time or triggered proactive scans, or for custom detections (if the implemented technology supports it) in AV, EDR, and malware detonation solutions (sandboxes). SIGMA rules can be implemented in SIEM detection logic or used for one-time scans of telemetry in EDR.
Compromised user accounts: Feeding privileged access management (PAM) systems or UEBA to reset access or force a password change by the end user. Triggering a compromise assessment across the identified compromised users’ devices to find traces of malware infection or other credential exposure techniques and remediate them.
Exploited vulnerabilities: Immediately scanning the attack surface and patching. If there’s a zero-day or one-day vulnerability without a patch available, a workaround can be implemented to reduce the risk of compromise.
Table 1.3 – Tactical CTI consumption
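The automated consumption described in the table can be shown with a short script. The following is an added example written for this discussion, not code from the book or from any vendor product: it indexes a constructed IoC feed (a documentation IP range, an example.net domain, and a placeholder hash, none of them real indicators), scans constructed proxy and EDR telemetry lines for them, and orders the resulting alerts by the feed’s severity so that the highest-priority hit reaches the analyst first. The parent-domain match (a subdomain of a listed domain also hits) is one design choice among several and goes slightly beyond what the table states.

```python
"""Automated consumption of technical CTI: index an IoC feed, match it against
telemetry, and rank the alerts by severity. Feed and telemetry are constructed."""
import re
from collections import defaultdict

# Order in which alerts reach the analyst queue.
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# Constructed IoC feed: documentation IP range, example.net domain, placeholder hash.
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.45", "severity": "high", "note": "C2 address (constructed)"},
    {"type": "domain", "value": "update-check.example.net", "severity": "medium", "note": "staging domain (constructed)"},
    {"type": "sha256", "value": "a1" * 32, "severity": "critical", "note": "loader hash (constructed)"},
]

# Constructed telemetry: two proxy lines and one EDR file-creation event.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01Z src=WS01 dst_ip=203.0.113.45 url=http://update-check.example.net/a.bin",
    "2024-03-01T08:00:05Z src=WS02 dst_ip=198.51.100.7 url=https://www.example.org/",
    "2024-03-01T08:00:09Z host=WS01 event=file_create sha256=" + "a1" * 32 + " path=C:\\Users\\u\\a.bin",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"(?:https?://|dst_host=)([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def build_index(feed):
    """Group indicator values by type; lower-case domains and hashes for case-insensitive matching."""
    index = defaultdict(dict)
    for ioc in feed:
        value = ioc["value"].lower() if ioc["type"] in ("domain", "sha256") else ioc["value"]
        index[ioc["type"]][value] = ioc
    return index


def extract_observables(line):
    """Pull candidate IPs, hashes and domains out of one telemetry line."""
    return {
        "ip": set(IPV4_RE.findall(line)),
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
    }


def domain_hits(domain, domain_index):
    """Yield feed entries for the domain itself or any parent domain in the feed."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domain_index:
            yield domain_index[candidate]


def match_line(line, index):
    """Return the feed entries that appear in a single telemetry line."""
    observed = extract_observables(line)
    hits = []
    for ip in observed["ip"]:
        if ip in index["ip"]:
            hits.append(index["ip"][ip])
    for digest in observed["sha256"]:
        if digest in index["sha256"]:
            hits.append(index["sha256"][digest])
    for domain in observed["domain"]:
        hits.extend(domain_hits(domain, index["domain"]))
    return hits


def triage(lines, feed):
    """Scan every line and return alerts, highest severity first."""
    index = build_index(feed)
    alerts = []
    for line in lines:
        for ioc in match_line(line, index):
            alerts.append({"line": line, "ioc": ioc["value"], "type": ioc["type"],
                           "severity": ioc["severity"], "note": ioc["note"]})
    alerts.sort(key=lambda a: SEVERITY_RANK[a["severity"]], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS, IOC_FEED):
        print(alert["severity"].upper(), alert["type"], alert["ioc"], "<-", alert["line"][:60])
```

In production the feed would come from the vendor’s API or a TIP and the lines from the SIEM; the point of the script is the shape of the pipeline, with severity carried through from the feed to the alert rather than assigned by hand.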
Tactical threat intelligence is consumed by security analysts to help them hunt for threats, enhance their detection logic, and respond to threats more effectively. Techniques and procedures should be used in the threat-hunting process, something we’ll cover later in this book. Generally, there are two types of procedures: generic ones, and ones tailored to a specific threat actor and used in a specific attack. Hunting for tailored procedures usually results in a small number of search hits that the analyst can easily review. Generic procedures are tougher to spot, as much legitimate or business-specific software uses the same methods to operate. For example, discovery techniques such as cmd.exe triggering commands such as net use and net user are among the most frequently seen procedures during normal activity in big environments, and in 99.9% of cases they are innocent.
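To make the generic-procedure point concrete, here is an added example, not code from the book: a hunt over constructed process-creation events for cmd.exe spawning net use or net user. Because the procedure is so common in a large estate, the script does not alert on every match; it scores each hit on its process ancestry (a parent launched from a user-writable path or from an Office application) and on bursts of discovery commands from one host and user, then ranks the hits so the analyst sees the few that stand out above the benign background. Hosts, users, paths and field names are constructed.

```python
"""Hunt for a generic discovery procedure (cmd.exe spawning net use / net user)
and rank the hits by context, because in a large estate most of them are benign.
All events below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_RE = re.compile(r"\bnet1?(?:\.exe)?\s+(use|user)\b", re.IGNORECASE)

# Directories an ordinary user can write to; an ancestor launched from one is worth a look.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
OFFICE_APPS = ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")

# Constructed process-creation events (Sysmon event ID 1 / Security 4688 style).
# "ancestry" lists the parent image first, then the grandparent.
CMD = "C:\\Windows\\System32\\cmd.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
TEMP_EXE = "C:\\Users\\asmith\\AppData\\Local\\Temp\\setup.exe"
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "WS01", "user": "CORP\\jdoe", "ancestry": [CMD, EXPLORER],
     "cmdline": "net use Z: \\\\fs01\\share /persistent:yes"},
    {"ts": "2024-03-01T09:00:02", "host": "WS02", "user": "CORP\\mlee", "ancestry": [CMD, EXPLORER],
     "cmdline": "net use H: \\\\fs01\\home\\mlee"},
    {"ts": "2024-03-01T09:00:03", "host": "WS03", "user": "CORP\\svc_backup",
     "ancestry": [CMD, "C:\\Windows\\System32\\services.exe"], "cmdline": "net use B: \\\\bk01\\vault"},
    {"ts": "2024-03-01T09:05:00", "host": "WS04", "user": "CORP\\pkim", "ancestry": [CMD, EXPLORER],
     "cmdline": "ipconfig /all"},  # not one of the hunted commands
    {"ts": "2024-03-01T09:10:00", "host": "WS07", "user": "CORP\\asmith", "ancestry": [CMD, TEMP_EXE],
     "cmdline": "net user"},
    {"ts": "2024-03-01T09:10:05", "host": "WS07", "user": "CORP\\asmith", "ancestry": [CMD, TEMP_EXE],
     "cmdline": "net user /domain"},
    {"ts": "2024-03-01T09:10:09", "host": "WS07", "user": "CORP\\asmith", "ancestry": [CMD, TEMP_EXE],
     "cmdline": "net use"},
]


def is_discovery(cmdline):
    """True when the command line is one of the hunted discovery commands."""
    return DISCOVERY_RE.search(cmdline) is not None


def context_score(event):
    """Score one hit on its process ancestry; returns (score, reasons)."""
    score, reasons = 0, []
    ancestors = [img.lower() for img in event["ancestry"]]
    if any(part in img for img in ancestors for part in USER_WRITABLE):
        score += 3
        reasons.append("ancestor launched from a user-writable path")
    if any(img.endswith(app) for img in ancestors for app in OFFICE_APPS):
        score += 3
        reasons.append("ancestor is an Office application")
    return score, reasons


def hunt(events, window=timedelta(minutes=2), burst_threshold=3):
    """Return every discovery hit with a score and the reasons, highest score first."""
    hits = [e for e in events if is_discovery(e["cmdline"])]
    by_actor = defaultdict(list)
    for h in hits:
        by_actor[(h["host"], h["user"])].append(datetime.fromisoformat(h["ts"]))
    results = []
    for h in hits:
        score, reasons = context_score(h)
        t = datetime.fromisoformat(h["ts"])
        burst = sum(1 for u in by_actor[(h["host"], h["user"])] if abs(u - t) <= window)
        if burst >= burst_threshold:
            score += 2
            reasons.append(f"{burst} discovery commands from this host/user within {window}")
        results.append({"host": h["host"], "user": h["user"], "cmdline": h["cmdline"],
                        "score": score, "reasons": reasons})
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


def summarize(results):
    """(total hits, hits with a non-zero score); the remainder is the benign background."""
    return len(results), sum(1 for r in results if r["score"] > 0)


if __name__ == "__main__":
    ranked = hunt(EVENTS)
    for r in ranked:
        print(r["score"], r["host"], r["user"], r["cmdline"], "|", "; ".join(r["reasons"]))
    print("hits, flagged:", summarize(ranked))
```

The scoring inputs (ancestry, burst) are exactly the context an analyst adds by hand when a generic procedure fires; encoding them lets the same hunt run every day against the full estate instead of only on the rare occasions someone has time to read the raw hits.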
Operational threat intelligence is consumed by cybersecurity team leads and security analysts who are performing regular threat hunting as they analyze threat actors’ campaigns.
Strategic threat intelligence usually focuses on decision-makers such as chief information security officers (CISOs), chief information officers (CIOs), and chief technology officers (CTOs). This empowers the CISO/CIO and any cyber executive to have a technical and tactical understanding. They may use it to identify the risk to the organization and define changes that can be made in investments in cybersecurity or the corporate culture, such as cybersecurity awareness.
The result of applied cyber threat analysis is the cyber threat landscape. Several factors influence the landscape for a specific entity, such as geography, industry, organization size, contracts, possession of valuable data for attackers, and publicity.
Moreover, the threat landscape might change over time due to different events:
Newly discovered vulnerabilities for which publicly available exploits appear after a short period, without the product vendor being notified. It’s important to note that these vulnerabilities are related to public-facing applications (including security controls) or office applications (for example, the Follina – CVE-2022-30190 remote code execution vulnerability in Microsoft Office or the CVE-2023-23397 vulnerability in the Microsoft Outlook mail client).
A global shift in the consumer and business market. The more users there are, the higher the probability of a successful attack and the more potential victims.
New trends in the IT sector: software development, data processing, delegating data to third parties (for example, cloud computing), and a wider use of shared libraries from package repositories.
Global events such as the COVID-19 pandemic, which forced organizations to make major changes to their infrastructure to support remote work.
Military or political conflicts.
At this stage, we are ready to deep dive into the different types of threat actors and their motivations.
Cybersecurity vendors, law enforcement agencies, and regulators all around the globe stick to the following classification of threats:
APTs
Cybercriminals
Hacktivists
Competitors
Insider threats
Terrorist groups
Script kiddies
Let’s take a closer look at each.
There are two types of APT groups: nation-state and non-nation-state.
Nation-state groups are also classified as APTs; we will describe their key differentiators shortly. Nation-state threat actors’ main motivation is data. They conduct espionage to steal intellectual property, spy on their targets, and gather state secrets and other confidential information. In some cases, they disrupt business or demand a ransom, but they are still funded by government authorities.
Note
For more details, please read the Microsoft threat research about MuddyWater cooperating with another cyber threat actor (https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/). Earlier, we looked at the main motivations of state-sponsored APT threat groups. However, there are a few exceptions. Lazarus, the North Korean nation-state group, is mainly motivated by financial gain (https://securelist.com/lazarus-trojanized-defi-app/106195/ and https://www.group-ib.com/resources/research-hub/lazarus/).
Not all nation-state groups are sophisticated. Some of them may use script-kiddie-level techniques that are usually easily detected by security controls but will be ignored by in-house cybersecurity teams due to their lack of skills.
Non-nation-state threat actors are also considered APTs, but they are not funded by government authorities. They are also called cyber-mercenaries or hack-for-hire groups, since they offer their hacking services to the highest bidder, often conducting cyberattacks, espionage, or other malicious activities on behalf of clients, which can include other criminals, businesses, or even nation-states. As an example, the main goal of RedCurl’s campaigns was to steal confidential corporate documents such as contracts, financial documents, records of legal actions, and personal employee records. This was a clear indicator that RedCurl’s attacks might have been commissioned for corporate espionage.
The following are some key features of APTs:
Persistence: APTs are known for their long-term approach to cyberattacks, maintaining a presence in the target’s network for extended periods to gather information, execute attacks, or achieve other objectives. This persistence allows them to explore the target’s systems and networks, stealthily exfiltrate data, or stage future attacks.
Sophistication: APT groups typically possess advanced technical capabilities and use sophisticated TTPs in their operations. They can craft custom malware, leverage zero-day vulnerabilities, and utilize advanced evasion techniques to avoid detection and maintain access to their targets.
Operational security (OPSEC): This refers to the practices, methods, and techniques that these threat actors employ to maintain their covert activities and minimize the risk of detection. APTs typically have strong OPSEC practices, which makes it difficult for organizations and security researchers to detect, analyze, and attribute their attacks.
Some common OPSEC practices for APTs are as follows:
Use of encryption: APTs often use strong encryption for their communication channels and data exfiltration to prevent interception and analysis.
Command and Control (C2) infrastructure: APTs utilize diverse and robust C2 infrastructures, often relying on multiple C2 servers, domain generation algorithms, or decentralized communication methods such as peer-to-peer networks or social media platforms to maintain control over their operations.
Proxy networks and virtual private networks (VPNs): APTs may use proxy networks, VPNs, or other anonymizing services to hide their true location and obfuscate their activities.
Custom and advanced malware: APTs often develop custom malware or use advanced variants of known malware families to evade detection by antivirus and security solutions.
Living off the land: APTs may use legitimate tools, processes, or applications present in the target’s environment to blend in with normal activities, making it more difficult to distinguish their actions from legitimate activities.
Code obfuscation and anti-analysis techniques: APTs often employ code obfuscation, packing, or other anti-analysis techniques to make it more difficult for security researchers to reverse-engineer and analyze their malware.
Cleaning up traces: APTs take steps to clean up traces of their activities, including clearing logs, overwriting data, or deleting temporary files, to minimize the chances of detection and maintain persistence.
Updating TTPs: APTs adapt their TTPs in response to changing security environments, making it harder for organizations to develop effective countermeasures.
Compartmentalization: APTs often compartmentalize their operations, with different groups or individuals responsible for different aspects of an attack. This can make it difficult for security researchers to gain a comprehensive understanding of the APT’s objectives, infrastructure, and capabilities.
Targeted social engineering: APTs may conduct extensive reconnaissance and use targeted social engineering techniques, such as spear-phishing, to carefully select and compromise their targets without raising suspicion.
Resources: APTs are often well-funded, with significant resources at their disposal. This funding allows them to invest in the development of advanced tools and maintain operational infrastructure. The backing of nation states or other powerful organizations can provide APTs with the resources necessary to carry out large-scale, long-term campaigns.
High-level objectives: APT groups typically have strategic objectives that align with the interests of their sponsors, which are often nation states. These objectives may include cyber espionage, intellectual property theft, disruption of critical infrastructure, or undermining geopolitical rivals.
Stealth and patience: APTs prioritize remaining undetected in their target’s networks, often using covert communication channels and blending in with legitimate traffic. They are patient, taking time to learn the target’s environment and waiting for the opportune moment to strike or exfiltrate data.
Highly targeted attacks: APTs typically focus on specific high-value targets, such as governments, large corporations, critical infrastructure, or research institutions. They conduct extensive reconnaissance to understand the target’s network and security posture, tailoring their attack methods to maximize success.
Adaptability: APTs are highly adaptable and able to modify their TTPs in response to changing environments, security measures, or detection efforts. This adaptability makes them challenging to identify and defend against.
Advanced social engineering: APTs often use sophisticated social engineering techniques to gain initial access to a target’s network, such as spear-phishing campaigns with highly customized and convincing messages. They may conduct extensive research on their targets to craft highly effective lures.
Note
As an example, the nation-state-sponsored group APT29 disabled mailbox audit logging to hide their access to emails and other activities from a compromised account.
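The “cleaning up traces” practice in the list above and the APT29 note are both about attacking the logs themselves, which is why tampering with logging deserves its own detection. The following is an added example, not code from the book, that looks for that pattern in two constructed data sets: Windows events recording that an event log was cleared (Security event ID 1102 and System event ID 104) and Exchange Online audit records where Set-Mailbox, Set-MailboxAuditBypassAssociation, or Set-AdminAuditLogConfig was used to turn auditing off. The cmdlet and parameter names are the real ones; the records, hosts, and accounts are constructed.

```python
"""Detect tampering with logging itself: cleared Windows event logs and Exchange
Online cmdlets that switch mailbox or unified auditing off. All input records
below are constructed samples."""
import json
from collections import Counter

# Windows event IDs raised when an event log is cleared, keyed by (channel, event ID).
LOG_CLEARED = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "event log file cleared",
}

# (cmdlet, parameter) -> value that weakens audit coverage. Cmdlet and parameter
# names are the real Exchange Online ones; values are compared case-insensitively.
AUDIT_WEAKENING = {
    ("Set-Mailbox", "AuditEnabled"): "false",
    ("Set-MailboxAuditBypassAssociation", "AuditBypassEnabled"): "true",
    ("Set-AdminAuditLogConfig", "UnifiedAuditLogIngestionEnabled"): "false",
}

# Constructed Windows events; the 4624 logon is kept as a benign control.
WINDOWS_EVENTS = [
    {"host": "DC01", "channel": "Security", "event_id": 4624, "subject_user": "CORP\\jdoe"},
    {"host": "WS07", "channel": "Security", "event_id": 1102, "subject_user": "CORP\\asmith"},
    {"host": "WS07", "channel": "System", "event_id": 104, "subject_user": "CORP\\asmith"},
]

# Constructed unified audit log records in the Exchange record shape (an Operation
# plus a Parameters list of Name/Value pairs), serialised as JSON like an export.
M365_RECORDS = [
    json.dumps({"Workload": "Exchange", "UserId": "admin@corp.example",
                "Operation": "Set-Mailbox", "ObjectId": "ceo@corp.example",
                "Parameters": [{"Name": "Identity", "Value": "ceo@corp.example"},
                               {"Name": "AuditEnabled", "Value": "False"}]}),
    json.dumps({"Workload": "Exchange", "UserId": "admin@corp.example",
                "Operation": "Set-MailboxAuditBypassAssociation", "ObjectId": "svc-sync@corp.example",
                "Parameters": [{"Name": "Identity", "Value": "svc-sync@corp.example"},
                               {"Name": "AuditBypassEnabled", "Value": "True"}]}),
    json.dumps({"Workload": "Exchange", "UserId": "helpdesk@corp.example",
                "Operation": "Set-Mailbox", "ObjectId": "cfo@corp.example",
                "Parameters": [{"Name": "Identity", "Value": "cfo@corp.example"},
                               {"Name": "AuditEnabled", "Value": "True"}]}),  # re-enabling: benign
    json.dumps({"Workload": "Exchange", "UserId": "helpdesk@corp.example",
                "Operation": "Set-Mailbox", "ObjectId": "jdoe@corp.example",
                "Parameters": [{"Name": "Identity", "Value": "jdoe@corp.example"},
                               {"Name": "DisplayName", "Value": "J. Doe"}]}),  # unrelated change
]


def check_windows(event):
    """Return a finding if the event records a cleared log, otherwise None."""
    label = LOG_CLEARED.get((event["channel"], event["event_id"]))
    if label is None:
        return None
    return {"where": event["host"], "actor": event["subject_user"], "finding": label}


def check_m365(raw_record):
    """Return a finding if the audit record turns auditing off, otherwise None."""
    rec = json.loads(raw_record)
    params = {p["Name"]: str(p["Value"]).lower() for p in rec.get("Parameters", [])}
    for (cmdlet, name), bad_value in AUDIT_WEAKENING.items():
        if rec.get("Operation") == cmdlet and params.get(name) == bad_value:
            return {"where": rec.get("ObjectId", "tenant"), "actor": rec["UserId"],
                    "finding": f"{cmdlet} -{name} {params[name]}"}
    return None


def detect(windows_events, m365_records):
    """Run both checks and return every finding, Windows first, in input order."""
    findings = [f for f in map(check_windows, windows_events) if f]
    findings += [f for f in map(check_m365, m365_records) if f]
    return findings


def actors(findings):
    """Count findings per actor; one account doing several of these is the strongest signal."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    found = detect(WINDOWS_EVENTS, M365_RECORDS)
    for f in found:
        print(f"{f['actor']:<24} {f['where']:<22} {f['finding']}")
    print(actors(found))
```

Both checks are deliberately narrow: they fire on the act of reducing audit coverage, not on ordinary administration, so the helpdesk record that re-enables auditing stays silent while the same account disabling auditing on two mailboxes is surfaced together.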
By the end of the 2010s, financially motivated cybercrime faced a dramatic problem in monetizing its activities, as financial institutions had significantly improved their security postures, which increased the cost of attacks. Moreover, SWIFT payments are easy to track, require a lot of money-laundering effort, and carry greater risks and commissions split across different parties (for example, mule services). Under these circumstances, threat actors started searching for ways to shorten the attack period, reduce its complexity, and make it easier to collect money from victims. The idea was extremely simple – why search for a way to transfer money out of the victims’ accounts when the victims could be made to pay a ransom to the threat actor themselves? To force the issue, the attackers heavily impact the business – disrupting business processes, exfiltrating sensitive information, and more. This idea caused a sensational shift in the cyber threat landscape as ransomware gangs took the floor. We will discuss ransomware and other cyberattacks in this section.
According to the vast majority of cybersecurity vendors, ransomware is the primary threat facing private and, increasingly, public sector organizations. This type of threat actor’s main motivation is financial gain. The ransom amount varies greatly, depending on the type of victim. In the case of an individual user, the range is 500 to 1,000 US dollars. When it comes to organizations, the price depends on the revenue and the threat actor’s appetite. It usually starts from $5,000 and can sometimes reach up to £100,000,000. All ransoms are demanded in cryptocurrencies such as Bitcoin and Ethereum, and sometimes Monero. After receiving the payment, most adversaries send either a decryption key or a decryptor tool. However, there are always exceptions to the rule: no one can guarantee the honesty of the attackers or the correct implementation of the encryption algorithm. We have been engaged in several cases where even the threat actor failed to decrypt the data using the correct key. At the same time, there is almost zero chance of decrypting data without paying a ransom. The exceptions are when law enforcement agencies or cybersecurity vendors gain access to the key database stored on the threat actors’ C2 servers, when there is a mistake in the encryption algorithm’s implementation, when the attackers’ secrets aren’t managed securely, or when an offline backup of the most crucial data exists.
The median detection window for ransomware attacks in 2022-2023 stands at around 4-9 days according to different vendors and their observations (https://cloud.google.com/security/resources/m-trends and https://www.group-ib.com/landing/hi-tech-crime-trends-2023-2024/). In many cases, detection happens after discovering the impact caused by the attack. The attack timeline varies, depending on the complexity and level of attack automation. There are dozens of research papers, trend reports, and even books related to this topic that have been published in the past years. For now, let’s learn how to classify ransomware attacks.
First, we have automated attacks and malware bundles. These are spread across hundreds or thousands of malicious websites via file hosting services, fake updates, Trojanized applications, or mass spear-phishing campaigns that are sent to tens to hundreds of thousands of users. Here are the most recent articles describing malicious campaigns:
https://www.group-ib.com/blog/malware-bundles/