Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Incident Response for Windows

You're reading from   Incident Response for Windows Adapt effective strategies for managing sophisticated cyberattacks targeting Windows systems

Arrow left icon
Product type Paperback
Published in Aug 2024
Publisher Packt
ISBN-13 9781804619322
Length 244 pages
Edition 1st Edition
Arrow right icon
Authors (2):
Arrow left icon
Anatoly Tykushin Anatoly Tykushin
Author Profile Icon Anatoly Tykushin
Anatoly Tykushin
Svetlana Ostrovskaya Svetlana Ostrovskaya
Author Profile Icon Svetlana Ostrovskaya
Svetlana Ostrovskaya
Arrow right icon
View More author details
Toc

Table of Contents (20) Chapters Close

Preface 1. Part 1: Understanding the Threat Landscape and Attack Life Cycle
2. Chapter 1: Introduction to the Threat Landscape FREE CHAPTER 3. Chapter 2: Understanding the Attack Life Cycle 4. Part 2: Incident Response Procedures and Endpoint Forensic Evidence Collection
5. Chapter 3: Phases of an Efficient Incident Response on Windows Infrastructure 6. Chapter 4: Endpoint Forensic Evidence Collection 7. Part 3: Incident Analysis and Threat Hunting on Windows Systems
8. Chapter 5: Gaining Access to the Network 9. Chapter 6: Establishing a Foothold 10. Chapter 7: Network and Key Assets Discovery 11. Chapter 8: Network Propagation 12. Chapter 9: Data Collection and Exfiltration 13. Chapter 10: Impact 14. Chapter 11: Threat Hunting and Analysis of TTPs 15. Part 4: Incident Investigation Management and Reporting
16. Chapter 12: Incident Containment, Eradication, and Recovery 17. Chapter 13: Incident Investigation Closure and Reporting 18. Index 19. Other Books You May Enjoy

Building the cyber threat landscape

In this section, we will explain the process of performing a unified cyber threat analysis while exploring its key factors and defining the next steps.

First, we need to define the list of key assets. EASM solutions may help to automate this process. Usually, you’ll require the following:

  • A list of public IP addresses of the infrastructure that have been exposed to the internet
  • A list of DNS zones both used internally (Active Directory domain) and externally (to publish their web resources over the internet)
  • Some organization-specific keywords that may help to identify all externally hosted assets

This will result in you identifying all the organization’s assets, such as exposed business applications, any vulnerabilities and misconfigurations in them, owned IP addresses and DNS zones, third-party solutions, exposed employees’ details, and their geography.

The next step is to gather CTI to build the cyber threat landscape. To start, you should choose the most valuable source of CTI. It may include cybersecurity vendors’ threat reports, purchasing access to the CTI platforms, subscribing to cybersecurity blogs and newspapers, or engaging CTI consultants. The more relevant feeds that are used, the better. However, it may lead to significant time and financial costs for the organization, something outside the scope of this book.

Once all the prerequisites have been met, you can proceed. The following example shows how to apply the CTI platforms to get a list of threat actors as quickly and efficiently as possible:

  1. Filter cyber threat actors by target region. Here, all regions of presence must be specified.
  2. Filter cyber threat actors by target industry while ensuring all sectors are mentioned.
  3. Filter by activity. The threat actor should be active. The trick here is that attackers may be inactive for a variety of reasons: some members of the group may have been arrested (Emotet, NetWalker in January 2021; Egregor, Cl0p in June 2021), the attackers’ infrastructure may have been identified and decommissioned by law enforcement (Hive), or they may have regrouped and joined other syndicates (REvil, DarkSide). An example of filtering is shown in Figure 1.2:
Figure 1.2 – Example of the threat actors in the cyber threat landscape after filtering by region and industry

Figure 1.2 – Example of the threat actors in the cyber threat landscape after filtering by region and industry

It is important to mention that some groups may be inactive for other reasons. For example, they might have identified the fact of disclosure and curtailed the activity to certain circumstances. When it comes to APTs, they may keep silent for a while until further directives arise. In such cases, they must still be considered in the cyber threat landscape but the priority of covering their TTPs may be lower compared to the active actors for the sake of consuming the resources of the cybersecurity team. When these cybercriminals become active again, the security team may act accordingly after CTI provider notification while following the same steps. However, this is not a call to action and is just one of the tips on how to build a process in cases of limited team resources.

Once the cyber threat actors list has been compiled, a strategic summary is created. Further actions include doing a deep dive into operational, technical, and tactical threat intelligence details.

This is where the cybersecurity team steps in. The next step is to learn the adversaries’ attack life cycle. Usually, vendors provide such information by mapping to well-known and industry-standard frameworks. Almost all cybersecurity companies provide MITRE ATT&CK® (see Figure 1.3) mapping; a few provide a detailed list of procedures that were observed during the attack:

Figure 1.3 – Example of a MITRE ATT&CK ® mapping for the threat actors in a cyber threat landscape

Figure 1.3 – Example of a MITRE ATT&CK ® mapping for the threat actors in a cyber threat landscape

However, not all these tactics apply to organizations’ infrastructure, particularly Windows systems. Keeping this in mind, we will focus more on how adversaries attack Windows infrastructures so that we can make them safer.

Let’s stop here for now and summarize this chapter.

You have been reading a chapter from
Incident Response for Windows
Published in: Aug 2024
Publisher: Packt
ISBN-13: 9781804619322
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image