I have written in past articles on what to look out for if your machine is hacked and how to triage and manage vulnerabilities gracefully. In retrospect, I find there is something missing from them: this article should help readers appreciate the threats better. Without knowing the source of the threat, we will likely see a recurrence of similar incidents and hacks, and I doubt you want that to happen.
A detection-and-response approach alone drains our limited resources and leaves us passive and reactive. Firefighting is not sustainable in the long run; hackers gain the upper hand and race ahead of us, beyond our detection. A robust incident response plan is needed, but we also need to know our foe better, otherwise containment and recovery will continue to incur a huge cost and it will take longer to recoup our losses.
Nip it in the bud - Identify the nemesis
An automated response does not help you know your foe better. We can outsource the threat assessment to experts, but can we do anything ourselves as a first-cut analysis?
We can, and we need to act faster: anticipate the hacker's next move and put in effective preventive controls to block attacks and hacking attempts. Once bitten, twice shy. Know the threat better and you can regain the upper hand.
There are good articles and discussions on EE about useful forensic tools. But instead of jumping straight into the tools and hunting down the threat trail, we need to plan how to approach this; otherwise we will be hunting blindly and wasting time. Start with the end in mind.
Adopt the 4Ws and 1H approach
This (see image below) is a common way to direct an assessment. It is not scientific, but it is simple enough for anyone to ask the right questions and discover the threat trail systematically.
Who are they - Is it a machine or a real user? The current landscape has evolved towards deceptive trails, with compromised machines doing the dirty work on behalf of the hacker (sometimes called the botmaster). Audit trails (events) and logs (with IP addresses, accounts, hostnames, etc.) are useful for hunting down the source of an attack. This assumes the necessary audit logs are enabled.
Where do they come from - Is it from the intranet or from an external network? This is useful information: if it is an intranet trail, it may be an insider's doing or a compromised machine that has been taken over. Reviewing the syslog and net flows from the SIEM and log repository is unavoidable. Often a remote connection will be a glaring indicator too.
What do they want - Wear the black hat. Look out for anomalies. A surge of traffic could mean destructive intent to bring down a service, such as a DDoS attack on your website. Beware of smokescreens meant to divert the rescue team's attention, as the trail can be misleading. Indicators of compromise (IOCs) such as known vulnerabilities (Common Vulnerabilities and Exposures, CVEs), multiple failed logins and activity at odd or non-peak hours serve as possible hunting trails.
When did they start and how did it impact others - Using the 3Ws you are already hunting down the trail, but to make sure we are on the right track it is better to take some time to establish the chain of events. It keeps our investigation focused. Try to identify the first instance of the anomaly, or the earliest of the multiple bad events or IOCs that occurred leading up to the damage. Trace back to related past events, especially administrator activities, including unexpected server reboots and errors occurring during scheduled downtime hours.
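As an added illustration of the 4Ws and 1H questions (example code, not from the original article), the following Python script walks a few constructed SSH login log lines and builds a per-source profile: where (intranet or external), who (accounts used), what (failed logins, off-hours activity, a success following failures), when (earliest sighting) and how (hosts touched). The log layout, the internal address ranges and the business hours are assumptions to adapt to your own environment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample SSH auth-log lines (not real data) in a simplified syslog layout.
LOG_LINES = [
    "2024-03-02 02:14:05 host1 sshd: Failed password for admin from 203.0.113.45",
    "2024-03-02 02:14:13 host1 sshd: Failed password for root from 203.0.113.45",
    "2024-03-02 02:15:01 host1 sshd: Accepted password for admin from 203.0.113.45",
    "2024-03-02 09:30:12 host2 sshd: Accepted publickey for alice from 10.0.5.17",
    "2024-03-02 03:02:44 host3 sshd: Failed password for svc from 10.0.9.201",
]
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) sshd: (Failed|Accepted) \w+ for (\S+) from (\S+)$")
# Assumed site-specific settings: which ranges count as "intranet", and business hours.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59

def parse(line):
    m = LINE_RE.match(line)
    if not m:  # lines in another layout are skipped rather than guessed at
        return None
    ts, host, outcome, user, ip = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "outcome": outcome, "user": user, "ip": ip}

def build_profiles(lines):
    """Answer the 4Ws and 1H per source IP: who, where, what, when, how (which hosts)."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_ip[ev["ip"]].append(ev)
    profiles = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])  # chain of events in time order
        seen_failed = success_after_failures = False
        for ev in evs:  # a success right after failures suggests a guessed password
            if ev["outcome"] == "Failed":
                seen_failed = True
            elif seen_failed:
                success_after_failures = True
        profiles[ip] = {
            "where": "intranet" if any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS) else "external",
            "who": sorted({e["user"] for e in evs}),
            "what": {"failed_logins": sum(e["outcome"] == "Failed" for e in evs),
                     "off_hours_events": sum(e["ts"].hour not in BUSINESS_HOURS for e in evs),
                     "success_after_failures": success_after_failures},
            "when": evs[0]["ts"].isoformat(),  # earliest sighting of this source
            "how": sorted({e["host"] for e in evs}),  # hosts touched
        }
    return profiles
```

Each profile is a starting row for the threat profile described later in the article; feed it from your SIEM export rather than the constructed lines.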
Even with this approach, piecing the puzzle together remains hazy. Ultimately the end goal is to build a threat profile that gives us (as defenders) a good sense of the adversary. Reporting is sharpened, and management can make an informed decision based on the nuanced threat analysis.
Looking through a Threat Risk TABLET - the single pane of glass
Ideally, such a tablet would already exist, with correlated trails stitched together to reveal our nemesis behind the scenes. Augment your analysis and presentation by modeling the threat actor and risk impact in a structured way and tailoring a suitable threat profile. Below is one visualization that may serve as a starter for developing your own threat profile, which can take the form of an intelligence card or dashboard.
Know the threat model - STRIKE.
The threat actor will be versatile and adopt different objectives to execute their kill chain on the victim. For example,
Know the threat dynamic - TABLET.
The threat risk can be dissected to build a threat profile that helps us understand and augment the assessment of the Ws and H.
STRIKE out the irrelevant traces and table the rest into a profile that fits the threat actor. Take a proactive stance: once we understand the modus operandi we can plan an active defense, laying "decoys" or planting "traps" as deceptive measures, to sharpen our saw towards implementing effective preventive and protective measures.
Reflection in summary
Walk management through the Threat Risk TABLET. Impress upon them the effort involved in joining the dots. Storytelling builds rapport and allows a quick understanding of the situation. Importantly, it also helps you justify why technical expertise matters, but nothing beats knowing for yourself, since it is your own home ground. Stay proactive and agile as we race beyond complacency to keep pace with the ever-evolving threat landscape. Firefighting is not going to win you the battle. To safeguard your home ground, we need to win the war against these threats.
The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.