Inside the Investigation: Hunting Hackers Through the ‘Foundational Four’

It’s the middle of the night on the weekend, and you get a call. You’re needed immediately to respond to a crime scene, a break-in by unknown culprits.  

Imagine yourself as the lead detective called to help investigate this crime.

Where do you start? What clues do you look for? What questions do you ask? Who do you question? Which investigative tools should you use? Why did this crime even occur in the first place, and who is responsible?  

In digital investigations, the crime scene is the victim organization’s network and digital assets. In the wake of a cyber incident or breach, there may be obvious clues. In other times, there may appear to be none.  

However, even that can be a clue in itself. Lack of obvious clues may be an indication that you are dealing with professionals.  

Professionals are very good at cleaning up after themselves. They also sometimes plant decoys to deliberately point investigators in the wrong direction. That's why context is everything!

Attackers go through a series of steps and tactics with the aim of achieving their malicious aims. This means defenders must also apply counter tactics for effective response preparedness.  

In this blog series, we'll follow the executable shown below, which was reported as being run by a user in our organization. We'll then try to investigate what it did when it ran and determine whether its actions were good or bad.  

People, devices, networks, and data

Ultimately, the cyber world is about data. Data is often hosted on workloads (which we can loosely call servers for the purposes of this article).  

People or users have devices like laptops, smartphones, and tablets which connect over networks to access the data saved on the workloads.  

To access the data, they typically use applications running on their devices. Their devices connect over networks like Wi-Fi to the internet.  

In practice, consider a user who logs into a laptop, which then connects to Wi-Fi. The user then launches an email application to connect to their company’s email workload or server. The user (people) uses the laptop (device) to connect over a network (Wi-Fi) to get to the company email server (workload) to access email (data).

Follow the data

The motivation of defenders is to maintain the confidentiality, integrity, and availability of their data.  

There’s the popular saying to follow the money. The cyber equivalent is to follow the data.  

In the aftermath of an attack, you want to start by attempting to find the answers to the following key questions:

• Incident: What happened?
• Impact: What (or who) is affected?
• Scope: Where is it happening?
• Report: Findings and recommendations

However, in order to answer these questions successfully, we must have a guide on how to follow the data through the different paths and entities which may be relevant.  

In doing so, an important rule to remember is to remove any emotional attachment or preconceived notions. We only follow the evidence and, in that regard, context is everything!

In this particular incident under investigation, one observation from the user’s computer shortly after running the “system updater” executable was the following popup window:

We will begin by looking at the context in terms of techniques that fall under indicators of attack versus indicators of compromise:

• Indicators of attack (IoA): indicates an attack is being attempted or in progress. Here, suspicious patterns and behavor provide the indication. Examples are:
  
  • Phishing email  
    
  • Brute force login attempts
  • Unsolicited external Vulnerability scan
• ‍Indicators of compromise (IoC): evidence of an attack that has already happened. Here, known malicious behaviour or activity provides the indication such as:
  
  • Impossible travel login / Compromised Login
  • Known malware hash detection
  • Data transfer to known malicious IPs or URLs (exfiltration)

We will then proceed to standardize our approach through four categories of attention. I refer to this as the “F4” or the “Foundational Four”:

1. File system (storage) ‍
2. Registry ‍
3. Memory (RAM) ‍
4. Network (communication path)

Under these foundational areas, we will be interested in the CRUD operations (create, read, update, and delete) associated with each to understand any malicious intent:

• ‍File system (storage)
  
  • Creating a new file: CreateFile()
  • Reading an existing file: ReadFile()
  • Writing to an existing file: WriteFile() ‍
• ‍Registry
  
  • Opening a registry path
  • Reading registry key values
  • Deleting registry keys ‍
• ‍Memory (RAM)
  
  • Creating a process
    
  • Creating threads
  • Writing into process ‍
• ‍Network (communication path)
  
  • Creating a network socket
  • Binding
  • Listening

The image above shows an example of a combination of two of the Foundational Four detailed in a Windows operating system. It shows the relationship between memory and filesystem.

Next steps: tracing malware across the F4

In the rest of this blog series, we’ll follow the evidence using the four operations as the foundation to proceed.

We’ll want to understand how the file system was used. For example, dropped files or file operations on existing files, any registry key changes, process changes or manipulation in memory, and what network connections were made (and where did they go to or come from)?

We will then proceed to map any relationships between our payload under investigation and the Foundational Four areas.

Check back next month as we continue the investigation!

Want to get prepared for these kinds of attacks? Learn how the Illumio breach containment platform helps you contain the spread of malware and stop attackers from moving freely across your network.