An Attacker’s Perspective

Something I’ve thought about quite often during my time in DFIR is the threat actor’s perspective…what is the attacker seeing and thinking during their time in an infrastructure. As a DFIR analyst, I don’t often get to ‘see’ the threat actor’s actions, at least not fully. Rather, my early perspective was based solely on what was left behind. That’s changed and expanded over the years, as we’ve moved from WinXP/2000/2003 to Win7 and Win10, and added some modicum of enterprise capability by deploying EDR. During the better part of my time as a responder, EDR was something deployed after an incident had been detected, but the technology we deployed at that time had a targeted “look back” capability that most current EDR technologies do not incorporate. This allowed us to quickly target the few systems that the threat actor actually touched (in one case, only 8 out of 150K endpoints), and then narrow down those systems to the 1 or 2 nexus systems for a more detailed examination. This led to us ‘seeing’ the impact or results of actions taken by the threat actor, but what we didn’t have insight into was their perspective during their actions…why did they go left instead of right, or why did they apparently target one ‘thing’ instead of another?

EDR did allow us to capture things like the command line used to archive collected data, as well as the password, so that when we recovered the archives, we could open them and see what data was stolen. While that did provide some insight, it still didn’t give us the attacker’s perspective as they sought that data out.
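As an added illustration of the two EDR uses described above (narrowing a large fleet to the handful of hosts the threat actor touched, and recovering the archive password from the captured command line), here is a small detection routine I wrote for this page; it is not code from the Windows Incident Response blog. It runs over constructed process-creation records (host plus command line) that stand in for EDR telemetry, recognises archiver "add" commands by their syntax rather than by executable name (so a renamed binary is still caught), and pulls out the password switch so the responder can open any archive later recovered from disk. The hostnames, paths and passwords are made up for the sample.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample telemetry: one record per process creation, as an EDR
# might record it. None of these hosts, paths or passwords are real.
SAMPLE_EVENTS = [
    {"host": "WS-0001", "cmd": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'},
    {"host": "FS-0042", "cmd": r'C:\Windows\Temp\r.exe a -r -hpS3cr3tPass! C:\Windows\Temp\out.rar "D:\Shares\Finance"'},
    {"host": "WS-0017", "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "DC-01",   "cmd": r'"C:\Program Files\7-Zip\7z.exe" a -pAnotherPass -mhe=on C:\Users\Public\data.7z C:\Users\*\Documents'},
    {"host": "WS-0099", "cmd": r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "FS-0042", "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 C:\Users\Public\backup.rar C:\Users\Public\Pictures'},
]

ARCHIVE_VERB = "a"                                 # rar/7z "add to archive" command
PASSWORD_SWITCH = re.compile(r"^-(hp|p)(.*)$")     # rar -p<pw> / -hp<pw>, 7z -p<pw>
KNOWN_ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zr.exe"}


def _basename(token):
    """Lower-cased file name from a Windows or POSIX path, quotes stripped."""
    return re.split(r"[\\/]", token.strip('"'))[-1].lower()


def parse_archive_command(cmd):
    """Return a finding dict if cmd looks like an archiver 'add' command, else None.

    The decision is made on command syntax (an 'a' verb followed by switches and an
    archive name), so a renamed archiver is still recognised when a password switch
    is present. An unknown binary with an 'a' token but no password switch is too
    weak a signal and is ignored.
    """
    try:
        # posix=False keeps Windows backslashes literal and retains the quotes,
        # which we strip per token afterwards.
        tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    except ValueError:
        return None
    if not tokens or ARCHIVE_VERB not in tokens[1:]:
        return None

    exe = _basename(tokens[0])
    verb_idx = tokens.index(ARCHIVE_VERB, 1)
    password, header_encrypted, archive = None, False, None

    for tok in tokens[verb_idx + 1:]:
        m = PASSWORD_SWITCH.match(tok)
        if m:
            password = m.group(2) or None          # a bare -p prompts; nothing to recover
            header_encrypted |= (m.group(1) == "hp")  # rar: encrypt file names too
        elif tok == "-mhe=on":                     # 7z: encrypt archive headers
            header_encrypted = True
        elif not tok.startswith("-") and archive is None:
            archive = tok                          # first non-switch operand is the archive

    if password is None and exe not in KNOWN_ARCHIVERS:
        return None
    return {
        "tool": exe,
        "renamed": exe not in KNOWN_ARCHIVERS,
        "archive": archive,
        "password": password,
        "header_encrypted": header_encrypted,
    }


def scope_hosts(events):
    """Map host -> findings, keeping only hosts with at least one archiver hit.

    This is the 'look back' narrowing step: a fleet-wide sweep of process telemetry
    collapses to the few hosts that actually staged data.
    """
    findings = defaultdict(list)
    for ev in events:
        hit = parse_archive_command(ev["cmd"])
        if hit:
            findings[ev["host"]].append(hit)
    return dict(findings)


def archive_passwords(findings):
    """(host, archive, password) triples for every hit where a password was captured."""
    return [
        (host, hit["archive"], hit["password"])
        for host, hits in findings.items()
        for hit in hits
        if hit["password"] is not None
    ]


if __name__ == "__main__":
    scoped = scope_hosts(SAMPLE_EVENTS)
    print(f"{len(scoped)} of {len({e['host'] for e in SAMPLE_EVENTS})} hosts show archiver activity")
    for host, archive, pw in archive_passwords(scoped):
        print(f"{host}: {archive} (password recovered, len={len(pw)})")
```

The check deliberately keys on the `a` verb and the password switch rather than on the executable name: the renamed `r.exe` in the sample is still caught, while a legitimately named WinRAR backup with no password is reported at lower confidence (password `None`) rather than dropped, so the analyst sees it but can triage it quickly.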

During an active IR, attribution is most often a distraction. Early on in the IR, you very often don’t have enough data to differentiate the threat actor (sometimes you might…), and for the attribution to be valuable, it needs to be able to inform you of the most likely places to look for intrusion data; when the threat actor gets to this point, what do they do? Turn left? Turn right? What do they pivot to based on previous intrusion data? However, during this time, you need to resist developing tunnel vision. Even after the IR is complete and you have a full(er) picture that includes attribution, it’s often difficult to really get the perspective of the threat actor; after all, I’m a white American male, the product of a public school education and military experience…without a great deal of training and education, how am I going to understand the political an

[…]

This article has been indexed from Windows Incident Response
