To begin with, there should be a cybersecurity strategy. The smart way to create such a strategy is to understand the current threats and the capabilities of adversaries and apply proactive measures to prevent cybersecurity incidents that an organization might face. For example, a small business such as a consulting company that works with small businesses would not expect an attack from state-sponsored groups to perform espionage with high confidence. Construction businesses will most likely face a ransomware attack, while telecom and government entities will likely face espionage attacks. We will discuss these in more detail later in this chapter.

Such a profile referring to the current and evolving state of cybersecurity risks of potential and identified cyber threats is provided in the unifying concept of cyber threat analysis. The unified cyber threat analysis process includes identifying external attack surfaces (all exposed digital assets) and cyber threat intelligence (CTI).

The external attack surface is a new term that combines all internet-facing enterprise assets, such as the infrastructure perimeter, the intellectual property hosted on other third-party services (including source code), project management, CRM systems, and more. Powered by CTI, it provides significant value to organizations to help them better manage their digital assets and give actionable insights into digital risks. Its verdicts are based on vulnerabilities, with improved severity scoring based on the available exploits and their application in cyberattacks, infrastructure misconfigurations, exposures, confirmed compromises, and leaks. However, this class of solutions does not solve the problem of obtaining information about cyber threats facing organizations. For example, the external attack surface management (EASM) solution provides information about current unpatched vulnerabilities or leaked credentials but does not explain current attacks that other organizations face. Thus, this data may feed user and entity behavioral analysis (UEBA) or trigger playbooks in security orchestration, automation, and response (SOAR) solutions, forcing a password reset or a ticket for the IT team to be created to patch vulnerabilities. However, it does not provide some valuable threat intelligence aspects, all of which we will cover later in this section. In addition, EASM may provide information about the source of the credentials leak specifying the malware family, but it won’t explain how to properly discover and mitigate it.

Next, CTI includes the following aspects that pose cybersecurity risks:

• Threat actors and their motivations
• Vulnerabilities
• Compromised and leaked accounts
• Malware
• Tools
• Attack tactics, techniques, and procedures
• Indicators of compromise (IoCs)

Compared to the EASM, threat intelligence provides a complete overview of all these aspects without being tied to the specifics of a particular organization.

Cybersecurity vendors generate and fuel this knowledge database through incident response engagements, observing adversaries’ attack life cycles and motivations, and everything else we have discussed already. In addition, experts perform post-analysis by identifying the threat actor’s infrastructure, which is used to conduct attacks on their victims, leverage open source intelligence research (OSINT), generate patterns to track activity, predict future campaigns, and secure their clients from ongoing attacks.

Three different models explain the different levels of threat intelligence:

Table 1.1 – Threat intelligence tiered models – comparison

For the sake of atomicity, let’s proceed with a four-layered model:

Table 1.2 – Semantics of the different CTI levels

To summarize, the levels of CTI provide answers to the following questions:

• The who and why – strategic CTI
• The how and where – operational CTI
• The what – tactical and technical CTI

At this stage, you might be wondering how you can apply this knowledge to protect organizations.

Well, the answer to the question is a little intricate, but we can break it down step by step.

To start, the technical layer of threat intelligence should not consume a lot of time and must be automated at the implementation phase by the vendor and in-house security team, as shown in the following table:

Table 1.3 – Tactical CTI consumption

Tactical threat intelligence is consumed by security analysts to help them hunt down threats, enhance their detection logic, and better respond to them. Techniques and procedures should be used in the threat-hunting process, something we’ll cover later in this book. Generally, there are two types of procedures: generic and tailored to specific threat actors where they’re used in a specific attack. Hunting for tailored procedures usually results in a small number of search hits that can be easily discovered by the analyst. Generic procedures are tougher to spot as many legitimate or business-specific software may use the same methods to operate. For example, discovery techniques such as cmd.exe triggering commands such as net use and net user is one of the most frequently seen procedures during normal activity in big environments, and in 99.9% of cases, they are innocent.

Operational threat intelligence is consumed by cybersecurity team leads and security analysts who are performing regular threat hunting as they analyze threat actors’ campaigns.

Strategic threat intelligence usually focuses on decision-makers such as chief information security officers (CISOs), chief information officers (CIOs), and chief technology officers (CTOs). This empowers the CISO/CIO and any cyber executive to have a technical and tactical understanding. They may use it to identify the risk to the organization and define changes that can be made in investments in cybersecurity or the corporate culture, such as cybersecurity awareness.

The result of applied cyber threat analysis is the cyber threat landscape. Several factors influence the landscape for a specific entity, such as geography, industry, organization size, contracts, possession of valuable data for attackers, and publicity.

Moreover, the threat landscape might change over time due to different events:

• Newly discovered vulnerabilities have been publicly available exploits after a short period and the product vendor isn’t notified of this. It’s important to note that these vulnerabilities are related to public-facing applications (including security controls) or office applications (for example, the Follina – CVE-2022-30190 remote code execution vulnerability in Microsoft Office or the CVE-2023-23397 vulnerability in the Microsoft Outlook mail client).
• A global shift in the consumer and business market. The more users there are, the higher the probability of a successful attack and more potential victims.
• New trends in the IT sector: software development, data processing, delegating data to third parties (for example, cloud computing), and a wider use of shared libraries from package repositories.
• Global events such as the COVID-19 pandemic, which forced organizations to make major changes to their infrastructure to support remote work.
• Military or political conflicts.

At this stage, we are ready to deep dive into the different types of threat actors and their motivations.

Cybersecurity vendors, law enforcement agencies, and regulators all around the globe stick to the following classification of threats:

• APTs
• Cybercriminals
• Hacktivists
• Competitors
• Insider threats
• Terrorist groups
• Script kiddies

Let’s take a closer look at each.

APTs

There are two types of APT groups: nation-state and non-nation-state.

Nation-state groups are also classified as APTs; we will describe their key differentiators shortly. Nation-state threat actors’ main motivation is data. They conduct espionage to steal intellectual property, spy on the targets, and gather state secrets and other confidential information. In some cases, they disrupt business or demand some ransom but are still founded by government authorities.

Note

For more details, please read the Microsoft threat research about MuddyWater cooperating with another cyber threat actor (https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/). Earlier, we looked at the main motivations of state-sponsored APT threat groups. However, there are a few exceptions. Lazarus, the North Korean nation-state group, is mainly motivated by financial gain (https://securelist.com/lazarus-trojanized-defi-app/106195/ and https://www.group-ib.com/resources/research-hub/lazarus/).

Not all nation-state groups are sophisticated. Some of them may use script-kiddie-level techniques that are usually easily detected by security controls but will be ignored by in-house cybersecurity teams due to their lack of skills.

Non-nation-state threat actors are also considered APTs but they are not founded by government authorities. They are also called cyber-mercenaries or hack-for-fire since they offer their hacking services to the highest bidder, often conducting cyberattacks, espionage, or other malicious activities on behalf of clients, which can include other criminals, businesses, or even nation-states. As an example, RedCurl’s threat actor campaigns’ main goals were to steal confidential corporate documents such as contracts, financial documents, records of legal actions, and personal employee records. This was a clear indicator that RedCurl’s attacks might have been commissioned for corporate espionage.

The following are some key features of APTs:

• Persistence: APTs are known for their long-term approach to cyberattacks, maintaining a presence in the target’s network for extended periods to gather information, execute attacks, or achieve other objectives. This persistence allows them to explore the target’s systems and networks, stealthily exfiltrate data, or stage future attacks.
• Sophistication: APT groups typically possess advanced technical capabilities and use sophisticated TTPs in their operations. They can craft custom malware, leverage zero-day vulnerabilities, and utilize advanced evasion techniques to avoid detection and maintain access to their targets.
• Operational security (OPSec): This refers to the practices, methods, and techniques that these threat actors employ to maintain their covert activities and minimize the risk of detection. APTs typically have strong OPSEC practices, which makes it difficult for organizations and security researchers to detect, analyze, and attribute their attacks.

  Some common OPSEC practices for APTs are as follows:

  • Use of encryption: APTs often use strong encryption for their communication channels and data exfiltration to prevent interception and analysis.
  • Command and Control (C2) infrastructure: APTs utilize diverse and robust C2 infrastructures, often relying on multiple C2 servers, domain generation algorithms, or decentralized communication methods such as peer-to-peer networks or social media platforms to maintain control over their operations.
  • Proxy networks and virtual private networks (VPNs): APTs may use proxy networks, VPNs, or other anonymizing services to hide their true location and obfuscate their activities.
  • Custom and advanced malware: APTs often develop custom malware or use advanced variants of known malware families to evade detection by antivirus and security solutions.
  • Living off the land: APTs may use legitimate tools, processes, or applications present in the target’s environment to blend in with normal activities, making it more difficult to distinguish their actions from legitimate activities.
  • Code obfuscation and anti-analysis techniques: APTs often employ code obfuscation, packing, or other anti-analysis techniques to make it more difficult for security researchers to reverse-engineer and analyze their malware.
  • Cleaning up traces: APTs take steps to clean up traces of their activities, including clearing logs, overwriting data, or deleting temporary files, to minimize the chances of detection and maintain persistence.
  • Updating TTPs: APTs adapt their TTPs in response to changing security environments, making it harder for organizations to develop effective countermeasures.
  • Compartmentalization: APTs often compartmentalize their operations, with different groups or individuals responsible for different aspects of an attack. This can make it difficult for security researchers to gain a comprehensive understanding of the APT’s objectives, infrastructure, and capabilities.
  • Targeted social engineering: APTs may conduct extensive reconnaissance and use targeted social engineering techniques, such as spear-phishing, to carefully select and compromise their targets without raising suspicion.
  • Resources: APTs are often well-funded, with significant resources at their disposal. This funding allows them to invest in the development of advanced tools and maintain operational infrastructure. The backing of nation states or other powerful organizations can provide APTs with the resources necessary to carry out large-scale, long-term campaigns.
  • High-level objectives: APT groups typically have strategic objectives that align with the interests of their sponsors, which are often nation states. These objectives may include cyber espionage, intellectual property theft, disruption of critical infrastructure, or undermining geopolitical rivals.
  • Stealth and patience: APTs prioritize remaining undetected in their target’s networks, often using covert communication channels and blending in with legitimate traffic. They are patient, taking time to learn the target’s environment and waiting for the opportune moment to strike or exfiltrate data.
  • Highly targeted attacks: APTs typically focus on specific high-value targets, such as governments, large corporations, critical infrastructure, or research institutions. They conduct extensive reconnaissance to understand the target’s network and security posture, tailoring their attack methods to maximize success.
  • Adaptability: APTs are highly adaptable and able to modify their TTPs in response to changing environments, security measures, or detection efforts. This adaptability makes them challenging to identify and defend against.
  • Advanced social engineering: APTs often use sophisticated social engineering techniques to gain initial access to a target’s network, such as spear-phishing campaigns with highly customized and convincing messages. They may conduct extensive research on their targets to craft highly effective lures.

Note

As an example, the nation-state-sponsored group APT29 disabled mailbox audit logging to hide their access to emails and other activities from a compromised account.

Cybercriminals

By the end of the 2010s, financial crimes faced a dramatic issue in monetizing their activities as financial institutions significantly improved their security postures, which increased the cost of attacks. Moreover, SWIFT payments are easy to track, require a lot of effort in terms of money laundering, and have greater risks and commissions split across different parties (for example, mule services). Under these circumstances, threat actors started searching for various methods of downsizing the attack period, its complexity, and how easy it was to collect money from victims. The idea was extremely easy – why would the victims not pay a ransom demand to the threat actor themselves rather than searching for a way to transfer money from their accounts? For example, they could heavily impact the business – disrupt business processes, exfiltrate sensitive information, and more. Such an idea made for a sensational shift in the cyber threat landscape as ransomware gangs took the floor. We will discuss ransomware and other cyberattacks in this section.

Ransomware

According to the vast majority of cybersecurity vendors, ransomware is a primary threat facing private and, increasingly, public sector organizations. This type of threat actors’ main motivation is financial gain. The ransom amount varies greatly, depending on the type of victim. In the case of a simple user, the range will be 500 to 1,000 US dollars. When it comes to organizations, the price depends on the revenue and threat actor appetites. It usually starts from $5,000 and can sometimes reach up to £100,000,000. All ransoms are demanded in cryptocurrencies such as Bitcoin and Ethereum, and sometimes in Monero. After receiving the payment, most adversaries send either a key for decryption or a decryptor tool. However, there are always exceptions to the rules: no one can guarantee the honesty of the attackers or the correct implementation of the encryption algorithm. We have been engaged in several cases when even a threat actor failed to decrypt the data using the correct key. At the same time, there is almost zero chance to decrypt data without paying a ransom. Law enforcement agencies or cybersecurity vendors may gain access to the key database stored on the C2 servers of threat actors, there might be a mistake in the encryption algorithm’s implementation, secrets aren’t managed securely, or there isn’t an offline backup of the most crucial data.

The median detection window for ransomware attacks in 2022-2023 stands at around 4-9 days according to different vendors and their observations (https://cloud.google.com/security/resources/m-trends and https://www.group-ib.com/landing/hi-tech-crime-trends-2023-2024/). In many cases, detection happens after discovering the impact caused by the attack. The attack timeline varies, depending on the complexity and level of attack automation. There are dozens of research papers, trend reports, and even books related to this topic that have been published in the past years. For now, let’s learn how to classify ransomware attacks.

First, we have automated attacks and malware bundles. These are spread across hundreds or thousands of malicious websites via file hosting services, fake updates, Trojanized applications, or mass spear-phishing campaigns that are sent to tens to hundreds of thousands of users. Here are the most recent articles describing malicious campaigns:

• https://www.group-ib.com/blog/malware-bundles/: This article describes the spread of a malware bundle containing information stealers such as RedLine, AZORult, Vidar, Amadey, Pony, qbot (that is, QakBot), Raccoon stealer, remote access Trojans such as AsyncRAT, Glupteba, njRAT, and nanocore, and other payloads such as miners, keyloggers (HawkEye) and ransomware (DJVU/STOP). Figure 1.1 explains the malware bundle packaging mechanism. The ransom demands in such cases rarely exceed $1,000. However, the key risk is hidden in compromising all the stored credentials and leaving a backdoor that could later be used by other threat actors to run more sophisticated attacks that target not only individuals but the organization. We have observed similar infections on IT administrators’ corporate devices. Once, there was a sale on a dark web forum offering access to the backdoor of an IT administrator’s device that served more than 50 banks in the MEA region for $20,000. At the end of the day, the attack was averted through a joint effort with FinCERTs and potentially affected customers. The following figure shows an example of malware bundle packaging:

Figure 1.1 – Malware bundle packaging example

• Dharma ransomware (https://www.trendmicro.com/en_us/research/19/e/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities.html) was spread via spear-phishing emails as a malicious attachment. It mimicked an AV uninstaller tool and encrypted files on the endpoint and encrypted files on the compromised host.

A more sophisticated type of attack is human-operated ransomware. These attacks are conducted by full-fledged, well-organized teams with well-developed task delegation, thorough testing and standardization of the attack process, and scrupulous team selection. They provide clear terms of partner programs for outsourcing certain tasks, such as using initial access brokers, who provide them with access to the compromised organization’s networks (for example, IcedID, QakBot, BazarLoader, Emotet, TrickBot, Dridex, Hancitor, ZLoader, and SocGholish) purchase compromised credentials available on dark web forums, and use pentesters for privilege escalation and preparation for enterprise-wide ransomware deployment or negotiators to agree on the ransom demand. Such attacks include human interaction while gaining ultimate access and preparing for enterprise-wide ransomware deployment. This includes creating a domain group policy object (GPO), attaching shared storage with virtual machine disks, or preparing SSH access for VMWare ESXi nodes. There are two significant trends in human-operated ransomware:

• In 2014, Iranian threat group SamSam introduced a trend in human-operated attacks called Big Game Hunting
• Starting in 2017, a ransomware called BitPaymer, associated with a cybercrime group called Evil Corp, gained popularity while following a similar approach to SamSam
• Starting in 2019, there has been a rise in Ransomware-as-a-Service (RaaS) programs

There are many arguments about whether human-operated ransomware attacks are considered sophisticated. Cl0p (FIN11), FIN12, BlackCat, Black Basta, LockBit, AvosLocker, Royal Ransomware, and others aggregated thousands of successful attacks on their victims using tailored approaches to key targets. Many RaaS operators used to recruit new affiliates on underground forums. However, in 2021, they started doing this more privately to complicate the jobs of security researchers and law enforcement in terms of tracking them. They invest a lot in developing tools for hybrid infrastructures (Windows, Linux, macOS, VMWare, and others). In addition, they deploy guidelines for new teams to follow the steps from the initial foothold to preparing for an enterprise-wide ransomware deployment. A conti ransomware case that was quite interesting was the one where one of the group members leaked their guides to the public, which allowed many cybersecurity researchers and vendors to understand their structure and methods in more detail. To hide their activity, such actors utilize dual-use tools to mimic IT administrators’ activities and perform deep gap analysis, which is followed by various defense evasion techniques such as impairing defenses by blinding or uninstalling AV and EDR solutions. In some cases, ransomware reboots the endpoint into safe mode to ensure no security products interfere with the encryption process.

When it comes to extortion techniques, most groups use double extortion by demanding a ransom payment for data decryption and exfiltrating sensitive data by exposing a small part of it on their data leak site (DLS). A new trend set by LockBit in 2022 opened a world of opportunities to put more pressure on the victim to pay a ransom by launching a distributed denial of service (DDoS) attack against it. The ransom was tied to the organization’s revenue, which was usually gained from B2B databases containing company contacts and intelligence, or cyber insurance levels.

Other financially-motivated groups

Such groups usually have unique monetization strategies directly enabled by data theft. They often steal financial data or files related to a company’s point-of-sale (POS) systems, ATMs, remote banking services, payment card data, and general financial transaction processing systems. They also demonstrate the capability to deploy custom-developed tools and utilities that have been crafted to support their goals in victim environments. Like APTs financially motivate threat actors, they have extended dwell times and evolving TTPs so that they can conduct attacks. Of course, this may vary, depending on the group’s objectives. Silence, FIN13, FIN6, FIN7 (before they shifted their focus to ransomware), FIN8, FIN13, MoneyTaker, CobaltGroup, and Buhtrap are good examples of this class of threat actors.

Some groups (for example, Buhtrap) target accountants and lawyers by either infecting web resources these employees use in their professional activities or conducting SEO-poisoning attacks (https://www.crowdstrike.com/cybersecurity-101/attack-types/seo-poisoning/) and spreading infected office documents via several templates. As a result of the attack, they successfully compromise digital certificates, submit rogue payments that pass all checks, and proceed with processing. In some campaigns, it was observed that attackers were injecting invisible iframes into the web page of the bank and seamlessly replaced payment information, which also resulted in rogue payments being confirmed by the accountants.

Another type of financially motivated group with a lower attack complexity level is business email compromise (BEC). Overall, such actors practice phishing, social engineering, and business email compromise scams to deceive their targets and steal money or sensitive information. It starts with a phishing attack or a valid account being purchased from initial access brokers. This results in them logging in to the mailbox, at which point they can reroute the communication channel between parties to the fake email accounts impersonating each party, thus implementing a man-in-the-middle (MiTM) attack via email and then guiding a victim to change the recipient’s bank account details and making a money transfer. We won’t cover such types of attacks in this book as they have never been seen targeting Windows systems in their attacks before.

More sophisticated attacks included compromising SWIFT and other regional-specific financial messaging platforms by submitting malicious transaction files or details at various gateways (for example, FIN7, FIN8, and Lazarus). One of the most notable cases was an attack on the Central Bank of Bangladesh by Lazarus (https://www.group-ib.com/blog/lazarus/). It usually starts with spear-phishing or exploiting vulnerabilities at an external attack surface while performing a deep dive into the victim’s network (mostly at the IT segment), utilizing a mix of living-off-the-land techniques and customized backdoors and discovering a path to the target network segment, gaining full visibility into their operations, preparing for the impact, and then implementing it. These attacks may last for years before they achieve their goal. However, thanks to huge efforts by the financial sector, regulators, and law enforcement agencies, the costs of these have attacks increased dramatically and their efficiency has been reduced. This has led to ransomware being used by most financially motivated groups.

Hacktivists

Hacktivists are individuals or groups that use cyberattacks as a form of protest, to promote a particular cause, or to gain attention for their beliefs. They often target organizations they perceive as corrupt or unjust. Hacktivists are hacker groups that work together anonymously to achieve a certain objective. They use hacking and other cyber techniques to promote their beliefs, raise awareness, or influence public opinion. Examples of such techniques include DDoS attacks (https://www.group-ib.com/blog/middle-east-conflict-week-1/), website defacing, and leaking confidential information and publishing it on social networks or as web resources. Such campaigns usually occur during wars, revolutions geopolitical conflicts, and social movements. Their attack techniques are usually not sophisticated, they exploit public-facing vulnerabilities, find common misconfigurations, or use weak authentication to perform brute-force or password-spraying attacks to gain access to the web interface of a web resources’ content management systems (CMSs). When hacktivist groups work together, they may perform a DDoS attack. In some cases when a DDoS attack happens, a hacktivist group may claim responsibility for it, but they don’t provide any proof.

Competitors

These include rival organizations or businesses that engage in cyber espionage or other malicious activities to gain a competitive advantage in the marketplace. They usually perform passive attacks by eavesdropping, utilizing shared platforms, or using other publicly available information. The active phases of their attacks include social engineering and the use of insiders. They are extremely careful in terms of NDA violation and try to avoid their rivals’ infrastructure manipulation as this may lead to their activity being exposed. For example, a microfinance institution uses a common shared database of credit bureaus, SMS gateways, and MQL platforms. Their competitors may spot any activity on the organization’s end and send an offer to the customer with better terms. From our experience, such attacks are extremely tough to investigate as there is usually a lack of data flow management, visibility, commercial secrets hygiene, and involvement of multiple third parties with limited responsibility. Moreover, employees may use their devices, SIM cards, or social media accounts to perform multiple business-related activities. Once they are suspected, the organization must have solid evidence to acquire these devices for forensic investigation; otherwise, it may lead to disrupting employees’ loyalty and causing them to search for new jobs.

Insider threats

These are individuals within an organization who misuse their authorized access to systems or data, either intentionally or unintentionally. They can cause significant damage due to their knowledge of the organization’s internal structure and security measures. As discussed previously, they may cooperate with competitors and be guided by them. In some cases, insiders get paid by cybercriminals (https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/) to download and run some malware or disclose some infrastructure details, as well as share credentials. From an incident investigation perspective, it is quite complicated to prove that a user has done this due to a lack of digital hygiene knowledge, not due to them getting paid by other parties. In addition, once cybercriminals or APTs have gained an initial foothold, they try to compromise the privileged accounts of IT administrators and utilize them in the attack. From our experience, cybersecurity divisions are willing to become suspicious about some employees when no evidence can prove employees’ innocence. Once, we were involved in a business email compromise incident that targeted internal employees and some external customers. The employer escalated the case to law enforcement agencies and made formal accusations against an employee. Fortunately, the initial access was identified, and it proved to be a massive campaign from an unknown gang. Further cooperation with law enforcement agencies led to the group being spotted. The final report was used by attorneys; it proved the innocence of the employee and the case was closed.

On the contrary, there was a case where a FIN actor conducted a targeted spear-phishing campaign against a company IT administrator who was familiar with cybersecurity concepts. Despite this, they opened the email on their corporate device, downloaded the attachment, and executed it. This eventually led to a successful attack and the withdrawal of several million dollars. Upon initial analysis of this attachment, it became apparent that it was Cobalt Strike malware. The Department of Cybersecurity decided to launch a criminal case against an employee, which resulted in their arrest on suspicion of assisting the attackers.

There was also a case where an employee, when they moved to a competitor, took a customer database that was stored in a cloud database. The investigation was complicated by the fact that the employees were working from personal Google accounts, personal smartphones, and a corporate laptop. The NDA agreement did not prohibit the use of personal devices, and the exit procedure didn’t include any device checks for the remaining commercial secrets. In addition, no legal documents were signed. After discovering the leak in the customer database (a competitor began contacting VIP customers and offering them better terms), an internal investigation was conducted, which found that the employee didn’t access corporate data after being terminated and that the IT department hadn’t restricted the ex-employee’s access to the database. As a result, everyone knew the person was guilty, but there was no legal reason to hold them accountable.

You might be wondering how these cases are relevant to this book, but we will use their lessons learned to explain the investigation process and other important steps every organization should take to secure its data from threat actors, especially in Windows environments.

Terrorist groups

These are extremist organizations that use cyberattacks in support of their ideological goals. They don’t possess the same level of sophistication as nation-state APT groups, but they can still cause significant harm. Their goals are to perform website defacement, DDoS attacks, data breaches and leaks, cyber espionage, sabotage and disruption, radicalization, and social media manipulation.

Script kiddies

These are inexperienced or unskilled individuals who use pre-made tools, scripts, or exploits to conduct cyberattacks. They typically lack the technical knowledge to create attack methods and often target systems with known vulnerabilities. Their main motivation is to gain experience, build their portfolio, and attempt to join more mature cybercrime syndicates.

Organizations with an average level of cybersecurity can easily resist these types of attackers because their methods are easily detectable, lack uniqueness, and are not targeted. Most techniques can be prevented with security controls. Analysts must ensure that their attacks have been mitigated and they have no other foothold.

There was a case when two cybercriminals worked together on an attack and successfully encrypted a logistics company by putting all of Microsoft Hyper-V’s virtual machine disks into one VeraCrypt container. They contacted their victim, offering to provide a container decryption key and secret. However, it didn’t work, so they requested access to the dedicated server that held the container via a remote administration tool and tried to decrypt it themselves. But this also failed. The initial access vector was external remote services, RDP published to the outside with weak authentication (an 8-digit password for the local administrator and no brute-force protection). Attackers used their personal computers from home while not considering the use of public proxy, VPN, TOR, or hosting provider’s VPS/VDS. Once this was escalated to law enforcement and some joint investigation was conducted, they were caught and arrested.

The lesson to be learned here is that every attack should be properly investigated by professionals as they may identify the threat actor’s maturity, find their mistakes, and proceed with law enforcement agencies to make our cyberspace a little safer.

Wrapping up

With that, we have discussed various threat actor types and their key motivations. Looking at the different levels of maturity of attackers revealed that it is sufficient to implement basic best practices to prevent their attacks. For example, installing an antivirus (AV), running regular vulnerability scans with a proper patch management process, checking for compromised credentials on EASM and acting accordingly, securing email with anti-spam and sandbox solutions, implementing strong password policies and running continuous cybersecurity hygiene exercises with employees, and having proper incident response plans, even for low-mature cybersecurity teams, may prevent script kiddies, terrorist, hacktivists, and some competitor attacks. APTs and cybercrime threat actors can easily bypass this cybersecurity posture and will require significantly more effort from the cybersecurity team and organization management.

The following are some key lessons learned for organizations:

• There should be an inventory of key assets and business processes, as well as a thorough understanding of the data flow.
• The cyber threat landscape is a continuous process and requires dedicated resources or regular engagements to be kept up to date.
• It is critical to perform regular gap analysis while focusing on security control coverage, lack of visibility, proper incident response procedures, and mitigation strategies.
• There should be a proper external attack surface management process that covers all vulnerabilities that have been discovered and patched promptly and ensures no credentials are exposed or haven’t been resolved and that no explicit resources are exposed to the internet.
• There are no silver bullets that can ensure 100% protection from cyber threats, such as installing AV or EDR and relying on automated cyber-attack prevention.
• Intelligence-driven incident response and cybersecurity strategies are more cost and time-efficient than other approaches, providing valuable insights that enable organizations to have better defenses.

To summarize, by understanding the maturity level of attackers, the degree of sophistication of their attacks, and their motivations, we can better understand the purpose and contents of the threat landscape and begin to build a relevant one for our organization.

In this section, we will explain the process of performing a unified cyber threat analysis while exploring its key factors and defining the next steps.

First, we need to define the list of key assets. EASM solutions may help to automate this process. Usually, you’ll require the following:

• A list of public IP addresses of the infrastructure that have been exposed to the internet
• A list of DNS zones both used internally (Active Directory domain) and externally (to publish their web resources over the internet)
• Some organization-specific keywords that may help to identify all externally hosted assets

This will result in you identifying all the organization’s assets, such as exposed business applications, any vulnerabilities and misconfigurations in them, owned IP addresses and DNS zones, third-party solutions, exposed employees’ details, and their geography.

The next step is to gather CTI to build the cyber threat landscape. To start, you should choose the most valuable source of CTI. It may include cybersecurity vendors’ threat reports, purchasing access to the CTI platforms, subscribing to cybersecurity blogs and newspapers, or engaging CTI consultants. The more relevant feeds that are used, the better. However, it may lead to significant time and financial costs for the organization, something outside the scope of this book.

Once all the prerequisites have been met, you can proceed. The following example shows how to apply the CTI platforms to get a list of threat actors as quickly and efficiently as possible:

1. Filter cyber threat actors by target region. Here, all regions of presence must be specified.
2. Filter cyber threat actors by target industry while ensuring all sectors are mentioned.
3. Filter by activity. The threat actor should be active. The trick here is that attackers may be inactive for a variety of reasons: some members of the group may have been arrested (Emotet, NetWalker in January 2021; Egregor, Cl0p in June 2021), the attackers’ infrastructure may have been identified and decommissioned by law enforcement (Hive), or they may have regrouped and joined other syndicates (REvil, DarkSide). An example of filtering is shown in Figure 1.2:

Figure 1.2 – Example of the threat actors in the cyber threat landscape after filtering by region and industry

It is important to mention that some groups may be inactive for other reasons. For example, they might have identified the fact of disclosure and curtailed the activity to certain circumstances. When it comes to APTs, they may keep silent for a while until further directives arise. In such cases, they must still be considered in the cyber threat landscape but the priority of covering their TTPs may be lower compared to the active actors for the sake of consuming the resources of the cybersecurity team. When these cybercriminals become active again, the security team may act accordingly after CTI provider notification while following the same steps. However, this is not a call to action and is just one of the tips on how to build a process in cases of limited team resources.

Once the cyber threat actors list has been compiled, a strategic summary is created. Further actions include doing a deep dive into operational, technical, and tactical threat intelligence details.

This is where the cybersecurity team steps in. The next step is to learn the adversaries’ attack life cycle. Usually, vendors provide such information by mapping to well-known and industry-standard frameworks. Almost all cybersecurity companies provide MITRE ATT&CK® (see Figure 1.3) mapping; a few provide a detailed list of procedures that were observed during the attack:

Figure 1.3 – Example of a MITRE ATT&CK ® mapping for the threat actors in a cyber threat landscape

However, not all these tactics apply to organizations’ infrastructure, particularly Windows systems. Keeping this in mind, we will focus more on how adversaries attack Windows infrastructures so that we can make them safer.

Let’s stop here for now and summarize this chapter.

In this chapter, we explored the various aspects of the complex and ever-evolving world of cyber threats. We began by discussing the different threat intelligence levels, which help organizations understand and categorize the types of information available for protecting their assets. This includes strategic, operational, tactical, and technical intelligence, each serving a unique purpose in the overall cybersecurity posture.

Next, we delved into the main types of threat actors and their motivations. By understanding their objectives and tactics, organizations can better prepare themselves to counter potential attacks.

Then, we presented some use cases that highlighted the importance of comprehending the cyber threat landscape and demonstrated how organizations can leverage this knowledge to proactively identify vulnerabilities, prioritize risks, and develop effective countermeasures.

Lastly, we outlined the process of building a cyber threat landscape, which involves defining the scope, identifying threat actors, gathering intelligence, analyzing threats and vulnerabilities, and prioritizing risks.

This systematic approach allows organizations to stay informed about the latest threats and ensure that their security measures remain effective in the face of ever-changing cyber risks of modern sophisticated attacks, especially those targeting Windows systems.

In the next chapter, we will cover various aspects of the cyber attack life cycle that align with our sophisticated attack kill chain, including gaining an initial foothold, network propagation and data exfiltration, and the impact from the threat actor’s perspective. We will also explain how to leverage operational, tactical, and technical threat intelligence in preparing for the emerging cyber threat landscape and developing the most productive and sustainable incident response process.