So far, parts I and II of this series have been published, and at this point, there’s something that we really haven’t talked about.
That is, the “So, what?”. Who cares? What are the benefits of understanding human behavior rendered via digital forensics? Why does it even matter?
Digital forensics can provide us insight into a threat actor’s sophistication and situational awareness, which can, in turn, help us understand their intent. Are they new to the environment, and trying to get the “lay of the land”, or are their actions extremely efficient, and do they appear to be going directly to the data they’re looking for, as if they have been here before or had detailed prior knowledge?
Observing the threat actor’s actions (or the impacts thereof) helps us understand not just their intent, but what else we should be looking for. For example, observing the Samas ransomware threat actors in 2016 revealed no apparent interest in data collection or theft; there was no searching or discovery, no data staging, etc. This is in contrast to the Non-PCI Case from my previous blog post; the threat actor was apparently interested in data, but did not appear to have an understanding of the infrastructure they’d accessed (searching for “banking” in a healthcare environment).
Carrying this forward, we can then use what we learn about the threat actor, by observing their actions and impacts, to better understand our own control efficacy; what worked, what didn’t, and what can work better at preventing, or detection and responding to, the threat actor?
This article has been indexed from Windows Incident ResponseRead the original article: