Digital forensics can provide us insight into a threat actor's sophistication and situational awareness, which can, in turn, help us understand their intent.
Observing the threat actor's actions helps us understand not just their intent, but what else we should be looking for.
Observing the Samas ransomware threat actors in 2016 revealed no apparent interest in data collection or theft; there was no searching or discovery, no data staging, etc.
Well, we've known for some time that there's really no single actor or group that focuses solely on one type of target.
What we learned by looking across those multiple attacks allowed us to identify other potential targets, as well as respond to and shut down some attacks that were underway; we saw that the threat actors took an average of 4 months to go from initial access to deploying the ransomware.
There may be times when a threat actor's activities are unfettered; they proceed with their actions without being inhibited or blocked in any way.
They aren't blocked by EDR tools or AV. From these incidents, we can learn a good deal about the threat actor's playbook, and we may see how it evolves over time.
There may be times where the threat actor encounters issues, either with security tooling blocking their efforts, or tools they bring in from the outside crashing and not executing on the endpoint.
It's during these incidents that we get a more expansive view of the threat actor, as we observe their actions in response to stimulus.
In one instance, the CrowdStrike agent stopped the threat actor's process, and their reaction was to attempt to disable and remove Windows Defender.
We saw threat actors on endpoints monitored by the CrowdStrike agent running queries to see if Carbon Black was installed.
In another instance, we observed the threat actor land on a monitored endpoint and begin querying other endpoints within the infrastructure to see if they were running the Falcon agent.
The threat actor then moved to one of the endpoints that did not have an agent installed.
The interesting thing about this was that when they landed on the monitored endpoint, we saw no commands run nor any other indication of the threat actor checking that endpoint for the agent; it was as if they already knew.
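The discovery and tampering behaviour described above (querying for another vendor's agent, probing other hosts for the Falcon agent, trying to disable Windows Defender) is something a defender can surface from process-creation telemetry. The following is an added example, not code from the original post; the log records are constructed, and the product-name terms and command patterns are an illustrative subset rather than a complete rule set.

```python
"""
Flag process-creation events that look like security-tool discovery or
Defender tampering. Added example; the events below are constructed and
the pattern lists are illustrative assumptions, not an exhaustive rule set.
"""
import re
from dataclasses import dataclass

# Constructed records in the shape (host, user, command line) that a Sysmon
# Event ID 1 export or EDR process telemetry might yield.
SAMPLE_EVENTS = [
    ("WS01", "alice", r'C:\Windows\System32\cmd.exe /c dir C:\Users\alice\Documents'),
    ("WS01", "svc_backup", 'sc query csagent'),
    ("WS01", "svc_backup", 'tasklist /svc | findstr /i "cb.exe"'),
    ("SRV02", "svc_backup", 'powershell -c Set-MpPreference -DisableRealtimeMonitoring $true'),
    ("SRV02", "svc_backup", 'wmic /node:SRV03 product where "name like \'%Falcon%\'" get name'),
    ("WS01", "alice", r'notepad.exe C:\Temp\notes.txt'),
]

# Service, process or product names tied to endpoint security products
# (illustrative subset; assumption for this example).
SECURITY_PRODUCT_TERMS = ["csagent", "csfalcon", "falcon", "cb.exe", "carbonblack", "msmpeng", "windefend"]

# Built-in commands that enumerate services, processes or installed products.
DISCOVERY_VERBS = re.compile(
    r"\b(sc(\.exe)?\s+query|tasklist|wmic|get-service|get-process|get-wmiobject|get-ciminstance)\b",
    re.I,
)

# Defender tampering: Set-MpPreference -Disable* switches, or stopping/deleting the WinDefend service.
TAMPER_PATTERNS = [
    re.compile(r"set-mppreference.*-disable", re.I),
    re.compile(r"\b(sc(\.exe)?\s+(stop|delete)|net\s+stop)\s+windefend\b", re.I),
]


@dataclass
class Finding:
    host: str
    user: str
    category: str   # "security_tool_discovery" or "defender_tampering"
    remote: bool    # True when the command targets another host (e.g. wmic /node:)
    cmdline: str


def classify(host, user, cmdline):
    """Return a Finding for a suspicious command line, or None."""
    lower = cmdline.lower()
    remote = "/node:" in lower or "-computername" in lower
    for pat in TAMPER_PATTERNS:
        if pat.search(cmdline):
            return Finding(host, user, "defender_tampering", remote, cmdline)
    if DISCOVERY_VERBS.search(cmdline) and any(t in lower for t in SECURITY_PRODUCT_TERMS):
        return Finding(host, user, "security_tool_discovery", remote, cmdline)
    return None


def triage(events):
    """Run classify() over (host, user, cmdline) tuples, keeping only hits."""
    return [f for f in (classify(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        scope = "remote" if f.remote else "local"
        print(f"{f.host} {f.user} {f.category} ({scope}): {f.cmdline}")
```

The `remote` flag is what distinguishes the third scenario in the post (an actor on a monitored host checking other hosts for an agent) from ordinary local enumeration; in a real deployment the product-term list would be tuned to the agents actually installed in the environment.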
Even without EDR or AV blocking the threat actor's attempts, we may still be able to observe how the threat actor responds to stimulus.
I've seen more than a few instances where a threat actor attempts to run something, and Windows Error Reporting kicks off because their EXE crashes.
In other instances, I've seen commands fail, and the threat actor try something else.
I've also seen tools crash, and the threat actor take no action.
Watching a threat actor's behavior, whether they run into issues, and how they respond to those issues provides significant insight into their intent.
There are other aspects of an attack that we can look to in order to better understand the threat actor.
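When a threat actor's tool crashes and Windows Error Reporting kicks off, the Report.wer file WER writes records the crashed application's name, path and crash time, which is exactly what an analyst wants to tie the crash back to the actor's activity. The following parser is an added example, not code from the original post; the report text is constructed, the Key=Value layout follows what WER writes for an APPCRASH report, and the "unusual location" heuristic is an assumption used for illustration.

```python
"""
Extract the crashed application from a Windows Error Reporting Report.wer
file. Added example; the report text is constructed. On disk these files
are typically UTF-16, so open them with encoding="utf-16".
"""
from datetime import datetime, timedelta, timezone

# Constructed Report.wer content in WER's Key=Value layout.
SAMPLE_REPORT_WER = """Version=1
EventType=APPCRASH
EventTime=133492100000000000
ReportType=2
Consent=1
UploadTime=133492100050000000
ReportStatus=268435456
ReportIdentifier=00000000-0000-0000-0000-000000000000
Sig[0].Name=Application Name
Sig[0].Value=updater.exe
Sig[1].Name=Application Version
Sig[1].Value=1.0.0.0
Sig[2].Name=Application Timestamp
Sig[2].Value=65a0b1c2
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.19045.2.0.0.256.48
AppName=updater.exe
AppPath=C:\\Users\\Public\\updater.exe
"""

# Directories from which legitimate software rarely runs (assumption for this example).
UNUSUAL_DIRS = ["\\users\\public\\", "\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\"]


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns intervals since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def from_unusual_location(app_path):
    """True when the crashed executable lives in a user-writable scratch directory."""
    lower = (app_path or "").lower()
    return any(d in lower for d in UNUSUAL_DIRS)


def parse_wer(text):
    """Parse Report.wer text into a dict of the fields an analyst cares about."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()

    # Join Sig[n].Name / Sig[n].Value (and DynamicSig) pairs into name -> value.
    sigs = {}
    for key, value in fields.items():
        if key.endswith(".Name"):
            sigs[value] = fields.get(key[:-len(".Name")] + ".Value")

    event_time = None
    if fields.get("EventTime", "").isdigit():
        event_time = filetime_to_datetime(int(fields["EventTime"]))

    return {
        "event_type": fields.get("EventType"),
        "event_time": event_time,
        "app_name": fields.get("AppName") or sigs.get("Application Name"),
        "app_path": fields.get("AppPath"),
        "fault_module": sigs.get("Fault Module Name"),
        "unusual_location": from_unusual_location(fields.get("AppPath")),
        "signatures": sigs,
    }


if __name__ == "__main__":
    report = parse_wer(SAMPLE_REPORT_WER)
    print(report["event_time"], report["app_name"], report["app_path"],
          "unusual location" if report["unusual_location"] else "")
```

The EventTime is a FILETIME, so converting it gives the crash moment in UTC, which can then be placed alongside process-creation and EDR events on the same timeline to see what the actor did next.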
Published on windowsir.blogspot.com, Wed, 10 Jan 2024 22:13:05 +0000.