Recently I have been becoming more and more interested in cyber threat intelligence; I even started preparing for the GCTI certification. CTI uses models and chains: you may have heard about the Diamond Model and the Cyber Kill Chain. Incident response has its own lifecycle, from preparation and identification to recovery and lessons learned. Digital forensics has a defined process as well: collection, examination, analysis, reporting.
Let’s focus on the Cyber Kill Chain. It is used for the identification and prevention of cyber intrusions and describes 7 stages of a cyber attack: reconnaissance (and precursors), weaponization, delivery, exploitation, installation, command and control, actions on objectives. Analyzing this model, I came to the idea that there should be a similar model/chain/lifecycle for doing live response/forensics. So I decided to Google for any suitable models/chains/lifecycles and… found nothing. So I tried to invent my own.
When do we do incident forensics? Of course, sometimes during incident response, especially when dealing with something new. Proper identification is the key to successful containment and eradication, so doing forensics, at least express forensics, is a good idea. We also do incident forensics as part of digital forensics services, for example for law enforcement, when we receive an HDD and follow the process: image it, examine it, analyse the findings, reconstruct the incident and write the report.
As the Cyber Kill Chain has 7 defined stages, the process or lifecycle of doing forensics to reconstruct an incident can, in my opinion, also have a number of stages. In the lifecycle I developed I focused on 5 stages:
Evidence of Initial Compromise. It may be a drive-by download, so you can find useful artifacts in the user’s web-browsing activity; it may be a high-class (or not so high-class) spear-phishing email crafted by a new APT, so you can find artifacts pointing to recent documents opened by the user; it may be an RDP brute-force attack on a server, so you may find good artifacts in the event logs; or the host may have been compromised during lateral movement using, for example, PsExec and harvested credentials.
Evidence of Execution. Nowadays we have a lot of these artifacts. Some have been with us for years, like Prefetch files and UserAssist; some are quite new, for example the BAM/DAM keys and Windows Timeline. You may want to find evidence of execution not only for malware, but also for any other software used or potentially used by the adversary, for example for reconnaissance, lateral movement or data exfiltration.
Evidence of Achieving Persistence. If you have ever seen the MITRE framework or read Hexacorn’s blog, you should know that there are tons of different persistence mechanisms used by threat actors, from trivial run keys and startup folders to relatively advanced ones like WMI.
Evidence of Lateral Movement. In most cases adversaries try to move laterally through the network after the initial compromise, because it is rarely possible to compromise the final target directly. If a financially motivated APT wants to steal money from a bank, it usually uses spear-phishing to get access to a regular user’s computer, and then elevates privileges and moves laterally through the network to get to the final target. You may want to look in the event logs, registry and file system for evidence of the use of RDP, network shares, PsExec, WMI, etc.
Evidence of Actions on Objectives. You can find a lot at this stage. For example, Cobalt Gang almost always created a Support452 account; you can analyze its NTUSER.DAT and quickly see that it was used for lateral movement and reconnaissance. The whole case may start from finding ZIP archives with the contents of the Documents folder in a very (or not so) unusual place. Or you can find evidence of execution of a network scanner on a host where it normally can’t be executed.
Here is what we got:
Of course, it’s not a good idea to fixate on the first stage when you begin your analysis: you can use any stage as the pivot point, depending on your initial findings.
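As an added example (not code from the original post), here is a small Python triage script that tags Windows event log records with the five lifecycle stages above, so an analyst can pick a pivot point such as the RDP brute force on a server or the PsExec service on a workstation. The event IDs are real Windows log IDs; the sample records, the failed-logon threshold and the event-to-stage mapping are constructed assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records, not from any real case: (timestamp, event ID, host, detail).
# The IDs are real Windows log event IDs: 4625 failed logon, 4624 successful logon
# (logon_type=10 is RDP), 4688 process creation, 7045 new service, 4720 user account created.
SAMPLE_EVENTS = [
    ("2019-03-01T01:00:01", 4625, "SRV1", "logon_type=10 user=admin"),
    ("2019-03-01T01:00:02", 4625, "SRV1", "logon_type=10 user=admin"),
    ("2019-03-01T01:00:03", 4625, "SRV1", "logon_type=10 user=admin"),
    ("2019-03-01T01:00:04", 4625, "SRV1", "logon_type=10 user=admin"),
    ("2019-03-01T01:00:05", 4625, "SRV1", "logon_type=10 user=admin"),
    ("2019-03-01T01:00:09", 4624, "SRV1", "logon_type=10 user=admin"),
    ("2019-03-01T01:05:00", 4688, "SRV1", "process=scanner.exe"),
    ("2019-03-01T01:07:00", 7045, "SRV1", "service=Updater path=C:\\Users\\Public\\u.exe"),
    ("2019-03-01T01:20:00", 7045, "WS7", "service=PSEXESVC path=PSEXESVC.exe"),
    ("2019-03-01T01:21:00", 4624, "WS7", "logon_type=10 user=admin"),
    ("2019-03-01T01:30:00", 4720, "WS7", "new_user=Support452"),
]
BRUTE_FORCE_THRESHOLD = 5  # assumed: failed RDP logons before a success that mark the entry point

def classify(events: List[Tuple[str, int, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Tag records with a lifecycle stage (assumed mapping, see comments); returns (ts, stage, host, detail)."""
    failed: Dict[str, int] = defaultdict(int)  # failed RDP logons seen so far, per host
    entry_hosts = set()                        # hosts already tagged as the entry point
    tagged = []
    for ts, eid, host, detail in sorted(events):
        stage = None
        if eid == 4625:
            failed[host] += 1
        elif eid == 4624 and "logon_type=10" in detail:
            # a success after a burst of failures on the same host: the entry point
            if failed[host] >= BRUTE_FORCE_THRESHOLD and host not in entry_hosts:
                entry_hosts.add(host)
                stage = "initial compromise"
            else:  # any other RDP logon: movement between already-compromised hosts
                stage = "lateral movement"
        elif eid == 7045:  # PsExec installs the PSEXESVC service on the target host
            stage = "lateral movement" if "PSEXESVC" in detail else "persistence"
        elif eid == 4688:
            stage = "execution"
        elif eid == 4720:  # account creation, the Support452 pattern mentioned above
            stage = "actions on objectives"
        if stage:
            tagged.append((ts, stage, host, detail))
    return tagged

if __name__ == "__main__":
    for row in classify(SAMPLE_EVENTS):
        print(" | ".join(str(x) for x in row))
```

Running it on the sample prints a time-ordered list of tagged records, from the brute-forced RDP logon on SRV1 through the PSEXESVC service on WS7 to the Support452 account creation.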
What do you think? Ping me on Twitter.