
Inside the Investigation: Hunting Hackers Through the ‘Foundational Four’

It’s the middle of the night on the weekend, and you get a call. You’re needed immediately to respond to a crime scene, a break-in by unknown culprits.  

Imagine yourself as the lead detective called to help investigate this crime.

Where do you start? What clues do you look for? What questions do you ask? Who do you question? Which investigative tools should you use? Why did this crime even occur in the first place, and who is responsible?  

In digital investigations, the crime scene is the victim organization’s network and digital assets. In the wake of a cyber incident or breach, there may be obvious clues. At other times, there may appear to be none.

However, even that can be a clue in itself: a lack of obvious clues may indicate that you are dealing with professionals.

Professionals are very good at cleaning up after themselves. They also sometimes plant decoys to deliberately point investigators in the wrong direction. That's why context is everything!

Attackers work through a series of steps and tactics to achieve their malicious goals. Defenders must therefore apply counter-tactics of their own to be prepared to respond effectively.

In this blog series, we'll follow the executable shown below, which was reported as having been run by a user in our organization. We'll investigate what it did when it ran and determine whether its actions were benign or malicious.

Screenshot of system updater

People, devices, networks, and data

Ultimately, the cyber world is about data. Data is usually hosted on workloads (which we can loosely call servers for the purposes of this article).

People or users have devices like laptops, smartphones, and tablets which connect over networks to access the data saved on the workloads.  

Four cybersecurity pillars

To access the data, users typically run applications on their devices, and the devices connect over networks such as Wi-Fi to the internet.

In practice, consider a user who logs into a laptop, which then connects to Wi-Fi. The user then launches an email application to connect to their company’s email workload or server. The user (people) uses the laptop (device) to connect over a network (Wi-Fi) to get to the company email server (workload) to access email (data).

Follow the data

The motivation of defenders is to maintain the confidentiality, integrity, and availability of their data.  

There’s the popular saying to follow the money. The cyber equivalent is to follow the data.  

In the aftermath of an attack, start by finding answers to the following key questions:

  • Incident: What happened?
  • Impact: What (or who) is affected?
  • Scope: Where is it happening?
  • Report: Findings and recommendations

However, to answer these questions successfully, we need a guide for following the data through the different paths and entities that may be relevant.

In doing so, an important rule to remember is to set aside any emotional attachment or preconceived notions. We follow only the evidence, and in that regard, context is everything!

In this particular incident under investigation, one observation from the user’s computer shortly after running the “system updater” executable was the following popup window:

Screenshot of administrator system updater

We will begin by establishing context in terms of indicators of attack versus indicators of compromise:

  • Indicators of attack (IoA): signs that an attack is being attempted or is in progress. Here, suspicious patterns and behavior provide the indication. Examples are:
    • A phishing email
    • Brute-force login attempts
    • An unsolicited external vulnerability scan
  • Indicators of compromise (IoC): evidence of an attack that has already happened. Here, known malicious behavior or activity provides the indication, such as:
    • An impossible-travel login or other compromised login
    • Detection of a known malware hash
    • Data transfer to known malicious IPs or URLs (exfiltration)
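To make the IoA/IoC split concrete, here is an added example (not code from the original post) that runs three of the indicators above as detection logic over a handful of constructed log events: a brute-force burst is flagged as an IoA because it is a suspicious pattern, while an impossible-travel login, a known-bad file hash and an outbound transfer to a known-bad address are flagged as IoCs because they match known malicious facts. The event format, the thresholds (5 failures in 60 s, 1000 km/h), the coordinates and the "known bad" hash and IP are all assumptions made for the example.

```python
"""Sort constructed log events into indicators of attack (IoA) and
indicators of compromise (IoC), as the post distinguishes them.
Added example, not code from the original post.  The event format,
thresholds, coordinates and "known bad" lists are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds: 5 failures in 60 s looks like brute force; two successful
# logins implying travel faster than 1000 km/h cannot both be the real user.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(seconds=60)
MAX_PLAUSIBLE_KMH = 1000.0

# Constructed "threat intel": a placeholder hash and a TEST-NET address, not real IoCs.
KNOWN_BAD_HASHES = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
KNOWN_BAD_IPS = {"192.0.2.44"}

NYC, LONDON = (40.71, -74.01), (51.51, -0.13)   # lat/lon used by the sample logins

# Constructed sample events (not real telemetry), one dict per log line.
EVENTS = (
    [{"t": f"2024-05-04T02:00:{s:02d}", "user": "jdoe", "kind": "login_fail",
      "src": "203.0.113.7", "geo": NYC} for s in range(1, 31, 5)]           # 6 failures in 30 s
    + [{"t": "2024-05-04T02:01:10", "user": "jdoe", "kind": "login_ok", "src": "203.0.113.7", "geo": NYC},
       {"t": "2024-05-04T02:30:00", "user": "jdoe", "kind": "login_ok", "src": "198.51.100.9", "geo": LONDON},
       {"t": "2024-05-04T02:35:00", "user": "asmith", "kind": "file_exec",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
       {"t": "2024-05-04T02:36:00", "user": "asmith", "kind": "net_out", "dst": "192.0.2.44", "bytes": 52_428_800},
       {"t": "2024-05-04T02:40:00", "user": "bob", "kind": "login_fail", "src": "203.0.113.9", "geo": NYC}]
)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def classify(events):
    """Return findings as (category, rule, user, detail).
    IoA rules look for suspicious patterns; IoC rules match known-bad facts."""
    findings = []
    recent_fails = defaultdict(list)   # user -> failure timestamps inside the window
    last_ok = {}                       # user -> (time, geo) of the last successful login
    for e in sorted(events, key=lambda x: x["t"]):
        t = datetime.fromisoformat(e["t"])
        if e["kind"] == "login_fail":
            window = [x for x in recent_fails[e["user"]] if t - x <= BRUTE_FORCE_WINDOW]
            window.append(t)
            recent_fails[e["user"]] = window
            if len(window) == BRUTE_FORCE_THRESHOLD:   # fire once per burst, not per failure
                findings.append(("IoA", "brute_force", e["user"],
                                 f"{len(window)} failures within {BRUTE_FORCE_WINDOW.seconds}s from {e['src']}"))
        elif e["kind"] == "login_ok":
            if e["user"] in last_ok:
                prev_t, prev_geo = last_ok[e["user"]]
                hours = (t - prev_t).total_seconds() / 3600
                km = haversine_km(prev_geo, e["geo"])
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    findings.append(("IoC", "impossible_travel", e["user"],
                                     f"{km:.0f} km in {hours * 60:.0f} min, now from {e['src']}"))
            last_ok[e["user"]] = (t, e["geo"])
        elif e["kind"] == "file_exec" and e["sha256"] in KNOWN_BAD_HASHES:
            findings.append(("IoC", "known_malware_hash", e["user"], e["sha256"][:16] + "..."))
        elif e["kind"] == "net_out" and e["dst"] in KNOWN_BAD_IPS:
            findings.append(("IoC", "exfil_to_known_bad_ip", e["user"],
                             f"{e['bytes']} bytes to {e['dst']}"))
    return findings


if __name__ == "__main__":
    for cat, rule, user, detail in classify(EVENTS):
        print(f"[{cat}] {rule:<24} {user:<8} {detail}")
```

The brute-force rule fires once when the threshold is reached rather than on every subsequent failure, and the travel check only compares successive successful logins for the same account, so the sixth failure and bob's single failure produce no finding. In a real deployment the same split matters for response: an IoA finding means you may still be able to stop the attempt, while an IoC finding means containment and scoping start immediately.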

We will then standardize our approach around four areas of attention. I refer to these as the “F4” or the “Foundational Four”:

  1. File system (storage)
  2. Registry
  3. Memory (RAM)
  4. Network (communication path)

Under each of these foundational areas, we are interested in the CRUD operations (create, read, update, and delete) performed against it, because the pattern of operations helps us understand any malicious intent:

  • File system (storage)
    • Creating a new file: CreateFile()
    • Reading an existing file: ReadFile()
    • Writing to an existing file: WriteFile()
  • Registry
    • Opening a registry path
    • Reading registry key values
    • Deleting registry keys
  • Memory (RAM)
    • Creating a process
    • Creating threads
    • Writing into a process’s memory
  • Network (communication path)
    • Creating a network socket
    • Binding to a port
    • Listening for connections

Task Manager screenshot

The image above shows an example combining two of the Foundational Four on a Windows system. It shows the relationship between memory (the running processes) and the file system (the files those processes were started from).

Next steps: tracing malware across the F4

In the rest of this blog series, we’ll follow the evidence using the Foundational Four, and the operations under each, as our framework.

We’ll want to understand how the file system was used (for example, dropped files or operations on existing files), which registry keys were changed, which processes were created or manipulated in memory, and which network connections were made (and where they went to or came from).

We will then proceed to map any relationships between our payload under investigation and the Foundational Four areas.
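The following is an added example, not code from the original post, of how the CRUD list above and this mapping step can be applied mechanically: it takes Sysmon-style events, keeps only those produced by the suspect process and anything it spawned, buckets each one into file system, registry, memory or network with its operation, and then looks for one cross-area relationship (a file the process dropped that a registry value it wrote points back to). The Sysmon event IDs used (1 process create, 3 network connect, 8 CreateRemoteThread, 10 process access, 11 file create, 12/13 registry, 22 DNS query) are the documented ones; the process GUIDs, the `system_updater.exe` path standing in for the page's "system updater" executable, and all other telemetry are constructed for the example.

```python
"""Trace a suspect process and its descendants across the Foundational Four
(file system, registry, memory, network) using Sysmon-style events.
Added example, not code from the original post.  The Sysmon event IDs are
the documented ones; the process names, paths, GUIDs and telemetry are
constructed for illustration."""
from collections import defaultdict

F4_AREAS = ("file_system", "registry", "memory", "network")

# Sysmon event ID -> (F4 area, CRUD-style operation).  Only the IDs this
# walk-through needs are mapped; anything else is reported as unmapped.
F4_MAP = {
    1:  ("memory",      "create_process"),
    3:  ("network",     "connect"),
    8:  ("memory",      "create_remote_thread"),
    10: ("memory",      "open_process"),
    11: ("file_system", "create"),
    12: ("registry",    "create_or_delete_key"),
    13: ("registry",    "set_value"),
    22: ("network",     "dns_query"),
}

# Constructed telemetry (not real).  "guid" is the acting process, "parent"
# appears only on process-create events, "details" only on registry writes.
EVENTS = [
    {"id": 1,  "guid": "P1", "parent": "P0", "target": r"C:\Users\jdoe\Downloads\system_updater.exe"},
    {"id": 11, "guid": "P1", "target": r"C:\ProgramData\svc\upd.dll"},
    {"id": 13, "guid": "P1", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\ProgramData\svc\upd.dll"},
    {"id": 1,  "guid": "P2", "parent": "P1", "target": r"C:\Windows\System32\rundll32.exe"},
    {"id": 10, "guid": "P2", "target": r"C:\Windows\explorer.exe"},
    {"id": 8,  "guid": "P2", "target": r"C:\Windows\explorer.exe"},
    {"id": 22, "guid": "P2", "target": "update.example"},
    {"id": 3,  "guid": "P2", "target": "203.0.113.50:443"},
    {"id": 1,  "guid": "P9", "parent": "P0", "target": r"C:\Windows\System32\notepad.exe"},
    {"id": 11, "guid": "P9", "target": r"C:\Users\jdoe\notes.txt"},   # unrelated activity
]


def process_tree(events, root_guid):
    """Set of process GUIDs rooted at root_guid: the root plus every descendant
    spawned through process-create events (ID 1)."""
    children = defaultdict(set)
    for e in events:
        if e["id"] == 1:
            children[e["parent"]].add(e["guid"])
    tree, stack = set(), [root_guid]
    while stack:
        g = stack.pop()
        if g not in tree:
            tree.add(g)
            stack.extend(children[g])
    return tree


def trace_f4(events, root_guid):
    """Bucket every event from the tree into the four areas.
    Returns ({area: [record, ...]}, [unmapped event IDs])."""
    tree = process_tree(events, root_guid)
    areas = {a: [] for a in F4_AREAS}
    unmapped = []
    for e in events:
        if e["guid"] not in tree:
            continue                      # noise from unrelated processes
        if e["id"] not in F4_MAP:
            unmapped.append(e["id"])      # keep visible rather than silently drop
            continue
        area, op = F4_MAP[e["id"]]
        areas[area].append({"op": op, "guid": e["guid"],
                            "target": e["target"], "details": e.get("details")})
    return areas, unmapped


def dropped_then_persisted(areas):
    """Cross-area relationship: files the tree created that a registry value it
    wrote points back to (the classic drop-and-autorun pattern)."""
    created = {r["target"].lower() for r in areas["file_system"] if r["op"] == "create"}
    persisted = {r["details"].lower() for r in areas["registry"]
                 if r["op"] == "set_value" and r["details"]}
    return created & persisted


if __name__ == "__main__":
    areas, unmapped = trace_f4(EVENTS, "P1")
    for area in F4_AREAS:
        print(f"== {area} ==")
        for r in areas[area]:
            print(f"  {r['guid']} {r['op']:<22} {r['target']}")
    print("unmapped IDs:", unmapped)
    print("dropped + persisted:", dropped_then_persisted(areas))
```

Two design points carry over to real telemetry: follow the process tree rather than a single process ID, because the interesting network and memory activity here comes from the child (`rundll32.exe`) and not from the executable the user ran; and report event IDs you did not map instead of dropping them, so a gap in the mapping shows up as a gap in the evidence rather than as a clean bill of health.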

Check back next month as we continue the investigation!

Want to get prepared for these kinds of attacks? Learn how the Illumio breach containment platform helps you contain the spread of malware and stop attackers from moving freely across your network.
