Ransomware Containment

Inside the Investigation: Hunting Hackers Through the ‘Foundational Four’

It’s the middle of the night on the weekend, and you get a call. You’re needed immediately to respond to a crime scene, a break-in by unknown culprits.  

Imagine yourself as the lead detective called to help investigate this crime.

Where do you start? What clues do you look for? What questions do you ask? Who do you question? Which investigative tools should you use? Why did this crime even occur in the first place, and who is responsible?  

In digital investigations, the crime scene is the victim organization's network and digital assets. In the wake of a cyber incident or breach, there may be obvious clues. At other times, there may appear to be none.

However, even that can be a clue in itself. Lack of obvious clues may be an indication that you are dealing with professionals.  

Professionals are very good at cleaning up after themselves. They also sometimes plant decoys to deliberately point investigators in the wrong direction. That's why context is everything!

Attackers work through a sequence of steps and tactics to reach their objectives, so defenders must prepare matching counter-tactics to respond effectively.

In this blog series, we'll follow the executable shown below, which was reported as being run by a user in our organization. We'll then try to investigate what it did when it ran and determine whether its actions were good or bad.  

Screenshot of system updater

People, devices, networks, and data

Ultimately, the cyber world is about data. Data is often hosted on workloads (which we can loosely call servers for the purposes of this article).  

People or users have devices like laptops, smartphones, and tablets which connect over networks to access the data saved on the workloads.  

Four cybersecurity pillars

To access the data, they typically use applications running on their devices. Their devices connect over networks like Wi-Fi to the internet.  

In practice, consider a user who logs into a laptop, which then connects to Wi-Fi. The user then launches an email application to connect to their company’s email workload or server. The user (people) uses the laptop (device) to connect over a network (Wi-Fi) to get to the company email server (workload) to access email (data).

Follow the data

The motivation of defenders is to maintain the confidentiality, integrity, and availability of their data.  

There’s the popular saying to follow the money. The cyber equivalent is to follow the data.  

In the aftermath of an attack, start by answering these key questions, then report on them:

  • Incident: What happened?
  • Impact: What (or who) is affected?
  • Scope: Where is it happening?
  • Report: What are the findings and recommendations?

To answer them, though, we need a guide for following the data through every path and entity that may be relevant.

In doing so, an important rule to remember is to remove any emotional attachment or preconceived notions. We only follow the evidence and, in that regard, context is everything!

In this particular incident under investigation, one observation from the user’s computer shortly after running the “system updater” executable was the following popup window:

Screenshot of administrator system updater

We will begin with context, distinguishing the techniques that fall under indicators of attack from those that fall under indicators of compromise:

  • Indicators of attack (IoA): signs that an attack is being attempted or is in progress. Here, suspicious patterns and behavior, rather than a known-bad artifact, provide the indication. Examples are:
    • Phishing email
    • Brute-force login attempts
    • Unsolicited external vulnerability scan
  • Indicators of compromise (IoC): evidence that an attack has already happened. Here, known malicious activity or artifacts provide the indication, such as:
    • Impossible-travel login or other sign of a compromised account
    • Known malware hash detection
    • Data transfer to known malicious IPs or URLs (exfiltration)
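As an added example that is not part of the original post, the Python below turns a handful of constructed telemetry events into IoA and IoC findings with one rule per indicator type listed above. The thresholds, the malware hash, the blocked IP and the login coordinates are all hypothetical sample data.

```python
# Added example, not from the original post: rules that turn constructed
# telemetry into indicator-of-attack (IoA) and indicator-of-compromise (IoC)
# findings. Every threshold, hash, coordinate and address is hypothetical.
from collections import Counter
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

KNOWN_MALWARE_SHA256 = {"deadbeef" * 8}      # hypothetical threat-intel hash
KNOWN_BAD_IPS = {"203.0.113.45"}             # hypothetical blocklist (documentation range)
BRUTE_FORCE_THRESHOLD = 5                    # failed logins per account before flagging
IMPOSSIBLE_SPEED_KMH = 1000.0                # no commercial flight is faster than this


@dataclass
class Event:
    kind: str              # "auth", "file" or "net"
    user: str = ""
    success: bool = True   # for "auth" events
    ts: float = 0.0        # seconds since epoch
    lat: float = 0.0       # login geolocation, "auth" events only
    lon: float = 0.0
    sha256: str = ""       # "file" events
    dst_ip: str = ""       # "net" events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def classify(events):
    """Return {"IoA": [...], "IoC": [...]} findings for a list of Event objects."""
    findings = {"IoA": [], "IoC": []}

    # IoA: repeated failed logins suggest an attack in progress, not a success.
    fails = Counter(e.user for e in events if e.kind == "auth" and not e.success)
    for user, n in fails.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings["IoA"].append(f"brute force: {n} failed logins for {user}")

    # IoC: two successful logins too far apart to be the same person.
    logins = sorted((e for e in events if e.kind == "auth" and e.success),
                    key=lambda e: (e.user, e.ts))
    for prev, cur in zip(logins, logins[1:]):
        if prev.user != cur.user:
            continue
        hours = (cur.ts - prev.ts) / 3600
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if hours > 0 and km / hours > IMPOSSIBLE_SPEED_KMH:
            findings["IoC"].append(
                f"impossible travel: {cur.user} moved {km:.0f} km in {hours:.1f} h")

    # IoC: known-bad artifacts mean the compromise already happened.
    for e in events:
        if e.kind == "file" and e.sha256 in KNOWN_MALWARE_SHA256:
            findings["IoC"].append(f"known malware hash on disk: {e.sha256[:16]}...")
        if e.kind == "net" and e.dst_ip in KNOWN_BAD_IPS:
            findings["IoC"].append(f"connection to known malicious IP {e.dst_ip}")
    return findings


def sample_events():
    """Constructed telemetry for two users (not real data)."""
    events = [Event("auth", "alice", success=False, ts=60 * i) for i in range(5)]
    events += [
        Event("auth", "alice", True, 0, 51.5074, -0.1278),        # London
        Event("auth", "alice", True, 3600, -33.8688, 151.2093),   # Sydney, one hour later
        Event("auth", "bob", True, 0, 51.5074, -0.1278),          # London
        Event("auth", "bob", True, 7200, 48.8566, 2.3522),        # Paris, two hours later
        Event("file", sha256="deadbeef" * 8),
        Event("net", dst_ip="203.0.113.45"),
    ]
    return events


if __name__ == "__main__":
    for category, items in classify(sample_events()).items():
        print(category, *items, sep="\n  ")
```

The split matters for the response: a brute-force finding (IoA) says the attacker may still be on the outside, so blocking and closer monitoring can stop the attempt, whereas an impossible-travel login or a known-bad hash (IoC) says they are already in, so scoping and containment come first. Bob's London-to-Paris logins two hours apart stay quiet; only Alice's one-hour hop to Sydney trips the rule.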

We will then proceed to standardize our approach through four categories of attention. I refer to this as the “F4” or the “Foundational Four”:

  1. File system (storage)
  2. Registry
  3. Memory (RAM)
  4. Network (communication path)

Under each of these foundational areas, we are interested in the CRUD operations (create, read, update, and delete) it supports, since those are the actions through which malicious intent shows up. On Windows they map to familiar API calls:

  • File system (storage)
    • Creating a new file (or opening an existing one): CreateFile()
    • Reading an existing file: ReadFile()
    • Writing to an existing file: WriteFile()
    • Deleting a file: DeleteFile()
  • Registry
    • Opening a registry key: RegOpenKeyEx()
    • Reading registry values: RegQueryValueEx()
    • Writing registry values: RegSetValueEx()
    • Deleting registry keys: RegDeleteKey()
  • Memory (RAM)
    • Creating a process: CreateProcess()
    • Creating threads: CreateThread() / CreateRemoteThread()
    • Writing into another process's memory: WriteProcessMemory()
  • Network (communication path)
    • Creating a network socket: socket()
    • Binding it to a local address: bind()
    • Listening for inbound connections: listen()
    • Connecting outbound: connect()

Task Manager screenshot

The Task Manager screenshot above shows two of the Foundational Four side by side on Windows: each running process (memory) is tied to the executable image it was loaded from (file system).
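The following Python is an added example, not code from the original post or from Illumio. It reads a constructed Procmon-style CSV export, maps each of one process's operations to a Foundational Four area and CRUD verb along the lines of the list above, and derives the relationships the investigation wants: dropped files, registry changes, child processes and remote endpoints. The process name systemupdater.exe, every path and key, and the 203.0.113.45 endpoint are hypothetical.

```python
# Added example, not from the original post: map one process's Procmon-style
# events to the Foundational Four areas and CRUD verbs, then pull out the
# relationships an investigator wants (dropped files, registry changes, child
# processes, remote endpoints). The log, "systemupdater.exe", and every path,
# key and address in it are constructed for illustration.
import csv
import io
from collections import defaultdict

# Constructed Procmon-like CSV export; the column names follow Procmon's own.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"02:14:07.1","systemupdater.exe","4120","CreateFile","C:\\Users\\jdoe\\AppData\\Roaming\\svc.dll","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"02:14:07.2","systemupdater.exe","4120","WriteFile","C:\\Users\\jdoe\\AppData\\Roaming\\svc.dll","SUCCESS","Offset: 0, Length: 65,536"
"02:14:07.3","systemupdater.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"02:14:07.4","systemupdater.exe","4120","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Set Value"
"02:14:07.5","systemupdater.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\jdoe\\AppData\\Roaming\\svc.dll"
"02:14:07.6","systemupdater.exe","4120","Process Create","C:\\Windows\\System32\\rundll32.exe","SUCCESS","PID: 4388, Command line: rundll32.exe svc.dll,Start"
"02:14:07.7","explorer.exe","1180","ReadFile","C:\\Users\\jdoe\\Desktop\\notes.txt","SUCCESS","Offset: 0, Length: 512"
"02:14:08.0","systemupdater.exe","4120","TCP Connect","LAPTOP-01:49812 -> 203.0.113.45:443","SUCCESS","Length: 0"
"""

# Procmon operation name -> (Foundational Four area, CRUD verb). CreateFile is
# handled separately because Procmon logs every file open under that name.
OPERATION_MAP = {
    "ReadFile": ("File system", "read"),
    "WriteFile": ("File system", "update"),
    "SetDispositionInformationFile": ("File system", "delete"),
    "RegCreateKey": ("Registry", "create"),
    "RegOpenKey": ("Registry", "read"),
    "RegQueryValue": ("Registry", "read"),
    "RegSetValue": ("Registry", "update"),
    "RegDeleteKey": ("Registry", "delete"),
    "RegDeleteValue": ("Registry", "delete"),
    "Process Create": ("Memory", "create"),
    "Thread Create": ("Memory", "create"),
    "Load Image": ("Memory", "read"),
    "TCP Connect": ("Network", "create"),
    "TCP Send": ("Network", "update"),
    "TCP Receive": ("Network", "read"),
}


def classify_operation(operation, detail):
    """Return (area, verb); only a CreateFile that reports OpenResult: Created is a creation."""
    if operation == "CreateFile":
        return ("File system", "create" if "OpenResult: Created" in detail else "read")
    return OPERATION_MAP.get(operation, ("Unmapped", "unknown"))


def trace_f4(csv_text, process_name):
    """Group one process's successful events as (area, verb) -> [(operation, path)]."""
    summary = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "SUCCESS":      # failed operations tell a story too, but not here
            continue
        key = classify_operation(row["Operation"], row["Detail"])
        summary[key].append((row["Operation"], row["Path"]))
    return dict(summary)


def relationships(summary):
    """Derive the payload's links to each area from the F4 summary."""
    def paths(area, *verbs):
        return [p for v in verbs for _, p in summary.get((area, v), [])]
    return {
        "dropped_files": paths("File system", "create"),
        "registry_changes": paths("Registry", "create", "update", "delete"),
        "child_processes": [p for op, p in summary.get(("Memory", "create"), [])
                            if op == "Process Create"],
        "remote_endpoints": [p.split("-> ")[-1] for p in paths("Network", "create")],
    }


if __name__ == "__main__":
    f4 = trace_f4(SAMPLE_LOG, "systemupdater.exe")
    for (area, verb), items in sorted(f4.items()):
        print(f"{area:<12} {verb:<7} {[p for _, p in items]}")
    print(relationships(f4))
```

The one caveat worth carrying into real logs: both the Win32 CreateFile() call and Procmon's CreateFile event cover opening an existing file as well as creating a new one, so the kernel32.dll open above must not be counted as a dropped file. Checking the disposition or OpenResult in the detail field, as the code does, keeps the "create" bucket honest.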

Next steps: tracing malware across the F4

In the rest of this blog series, we'll follow the evidence using the Foundational Four as our guide.

We'll want to understand how each area was used: which files were dropped or modified, which registry keys changed, which processes were created or manipulated in memory, and which network connections were made, and to or from where.

We will then proceed to map any relationships between our payload under investigation and the Foundational Four areas.

Check back next month as we continue the investigation!

Want to get prepared for these kinds of attacks? Learn how the Illumio breach containment platform helps you contain the spread of malware and stop attackers from moving freely across your network.
