Attack Dissection

How to hunt from reports,...

The key thing is to understand how the attack works. Read an article or a blog post. Can you explain the attack and say what the key evidence is?

  • Explain the attack at functional level.

  • How the attack helps the attacker achieve their goal(s).

  • How the attack manifests in evidence.

  • Identify anomalies that might lead you to the attack.

A good starting point is MITRE ATT&CK; each technique has many links to other sources that can be explored too.

Workflow

  1. Collect examples

  2. Identify Entities, Relationships and Steps

  3. Simulate the Attack

  4. Map Steps to Evidence

  5. Identify Anomaly Types

Step-by-step Process

Collect examples

Read the article and make notes and annotations to highlight the key points. You have to fully understand the attack. Is there a link to MITRE ATT&CK? It contains a lot of useful information.

Identify entities, relationships and steps

  • What kind of information can we find about the tool/code used in the attack?

  • Where does the attacker have to be (in relation to the victim)?

    • interactive access

    • same network segment

    • remote access

    • ...

  • What does the attacker have to know about the victim?

    • IP address

    • domain

    • username

    • password

    • software used

    • ...

  • What software must the victim be running?

    • name

    • version

  • What ports must be open on the victim?

    • SMB

    • 80

    • ...

  • What settings must be enabled/disabled on the victim?

    • UAC disabled

    • SMBv1 enabled

    • ...

  • What access will a successful attack provide?

    • RDP

    • command execution

    • DoS

    • ...

  • What information could be disclosed if the attack is successful?

    • memory

    • disk

    • network traffic

    • ...

  • Do not forget about OSINT; social media such as Twitter is also a good source of additional information.

Simulate attack

Use the victim's base image, capture traffic (including MITM) and do not forget about logs.

Full simulation means that we actually execute the attack. Be careful with malware executed in your lab environment - it is tricky (the host has to be isolated, most likely on a fake Internet).

See Chris Long's Detection Lab for a ready-made lab environment.

Artifact replay means injecting logs from someone else's simulation into your detection systems.

Map steps (from simulation) to Evidence

Examine each step and write down notes on where artifacts might be left. For every step of the attack breakdown, document the key evidence (logs, processes created, network artifacts, ...).

Correlate evidence to expected anomaly types

Consider the steps noted above: what could be the anomaly? What differs from usual behavior? These are the key things you should focus on.

Focus on frequency of occurrence, improper timing, entity relationships, and normal things in an abnormal context.
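The four anomaly types above, turned into a small hunt as an added example (not part of the original notes): it runs over constructed process-creation events with hypothetical hosts, users and baselines, and flags frequency, timing, relationship and context anomalies separately.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (hypothetical hosts and users), one per line:
# timestamp|host|user|parent_process|process
EVENTS = """\
2024-03-04T09:12:00|WS01|alice|explorer.exe|outlook.exe
2024-03-04T09:15:00|WS01|alice|explorer.exe|winword.exe
2024-03-04T10:02:00|WS02|bob|explorer.exe|chrome.exe
2024-03-04T23:41:00|WS02|bob|winword.exe|powershell.exe
2024-03-04T23:42:00|WS02|bob|powershell.exe|net.exe
2024-03-04T23:42:05|WS02|bob|powershell.exe|net.exe
2024-03-04T23:42:10|WS02|bob|powershell.exe|net.exe
2024-03-04T14:10:00|WS03|svc_backup|services.exe|backup.exe
2024-03-04T14:12:00|WS01|svc_backup|explorer.exe|cmd.exe""".splitlines()

# Baselines you would derive from your own environment (assumed values here).
WORK_HOURS = range(7, 20)                      # 07:00-19:59 is "usual" for this org
USER_HOSTS = {"alice": {"WS01"}, "bob": {"WS02"}, "svc_backup": {"WS03"}}
EXPECTED_PARENTS = {"powershell.exe": {"explorer.exe", "cmd.exe"}}
FREQ_THRESHOLD = 3                              # same process on same host >= 3 times

def parse(line):
    ts, host, user, parent, proc = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "parent": parent, "proc": proc}

def hunt(lines):
    """Return (anomaly_type, description) pairs for the four anomaly types."""
    events = [parse(l) for l in lines]
    findings = []
    # 1. Frequency of occurrence: a process spawned unusually often on one host
    #    (counted over the whole sample; a real hunt would bucket by time window).
    for (host, proc), n in Counter((e["host"], e["proc"]) for e in events).items():
        if n >= FREQ_THRESHOLD:
            findings.append(("frequency", f"{proc} spawned {n}x on {host}"))
    for e in events:
        # 2. Improper timing: activity outside the organisation's working hours.
        if e["ts"].hour not in WORK_HOURS:
            findings.append(("timing", f"{e['user']} ran {e['proc']} at {e['ts'].isoformat()}"))
        # 3. Entity relationships: a user appearing on a host it has no history with.
        if e["host"] not in USER_HOSTS.get(e["user"], {e["host"]}):
            findings.append(("relationship", f"{e['user']} active on unfamiliar host {e['host']}"))
        # 4. Normal thing in abnormal context: a common tool with an unexpected parent.
        expected = EXPECTED_PARENTS.get(e["proc"])
        if expected and e["parent"] not in expected:
            findings.append(("context", f"{e['proc']} started by {e['parent']} on {e['host']}"))
    return findings
```

Each finding is tagged with the anomaly type that produced it, so a single event (the late-night powershell.exe launched from winword.exe) shows up under more than one type, which is exactly the overlap worth chasing first.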
