CYBER THREAT ARTICLE - RANTINGS OF A CYBER SECURITY ANALYST (SEPTEMBER EDITION)
Who, What, When, Where, Why and How. The Five Ws and one H are questions whose
answers are considered basic in information gathering. As quoted from multiple sources,
they are often mentioned in journalism, research, and police investigations. According to
the principle of the Five Ws and one H, a report can only be considered complete if it
answers these questions, each starting with an interrogative word:
- Who is it about?
- What happened?
- When did it take place?
- Where did it take place?
- Why did it happen?
- How did it happen?
Each question should have a factual answer and, importantly, none of these questions
can be answered with a simple "yes" or "no".
In cyber security, I feel the above concept needs to be applied to events. Many times, I
am called in to assist with investigating an incident and, most of the time, the details in the
logs were ignored or were not investigated further.
Imagine a scenario where you hear someone continuously jiggling the door handle of
your home. Would you react, or just assume your door and lock are working and keeping
the person out, and ignore it? You would want to know who this person is,
why this person is trying to enter and what he is trying to do.
Let me use a breach that I recently investigated as an example: a company was hit with
ransomware and called in for assistance. As with all such breaches, it is
understandably a stressful situation to be in, and being swarmed with statements
like "the product failed me" is not a great feeling.
The first lead in my investigation was the endpoint security logs themselves. Prior to the
encryption phase, there were detections of tools like PsExec and Mimikatz. These were blocked, but
going with the Five Ws and one H, I dug into these detections, found the time stamps, and
noticed the tools were detected in C:\Users\Administrator\Pictures\.
Now, if the internal security team were investigating, this should raise red flags. Even
though the threat at that time was blocked, why were these tools dropped into that
folder? Who dropped these tools into this folder? Was it really a legitimate user
of the Administrator profile? Looking at when this happened with the time stamps, it
happened at 6am, before any IT staff were on site. So of course, the next questions would
be how it is possible for someone to be using the Administrator account and how this was
done remotely.
As this customer did not have any XDR or EDR tools at that point in time, I had to manually
go through the Windows Event Logs and hoped the threat actor had not wiped them.
Fortunately, they were not wiped and, through significant manual sieving of the logs, it
was found that Remote Desktop Protocol was used to access the server and was also
used to move laterally to other servers.
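As an added illustration, not part of the original article, the kind of sieving described above can be scripted. The Python below walks a constructed set of Windows Security log records, keeps the successful RDP logons (Event ID 4624 with LogonType 10, RemoteInteractive), flags those that fall outside business hours, and lists which hosts each account reached over RDP. The records, host names, addresses and the 08:00 to 18:00 business window are assumed sample values, not data from the investigation.

```python
"""Hunt for RDP logons in Windows Security event records (constructed data).

A successful RDP session shows up as Event ID 4624 with LogonType 10
(RemoteInteractive). The records below are constructed for this example, in
the shape a SIEM export gives after parsing the event XML; they are not logs
from the investigation described in the article.
"""
from collections import defaultdict
from datetime import datetime, time

SAMPLE_EVENTS = [
    {"TimeCreated": "2023-09-10T05:52:11", "Computer": "FILESRV01", "EventID": 4624,
     "TargetUserName": "Administrator", "LogonType": 10, "IpAddress": "10.0.5.23"},
    # Console logon (type 2) on the same host: not RDP, so not in the timeline.
    {"TimeCreated": "2023-09-10T06:04:40", "Computer": "FILESRV01", "EventID": 4624,
     "TargetUserName": "Administrator", "LogonType": 2, "IpAddress": "-"},
    {"TimeCreated": "2023-09-10T06:18:02", "Computer": "DBSRV02", "EventID": 4624,
     "TargetUserName": "Administrator", "LogonType": 10, "IpAddress": "10.0.5.11"},
    {"TimeCreated": "2023-09-10T06:31:55", "Computer": "APPSRV03", "EventID": 4624,
     "TargetUserName": "Administrator", "LogonType": 10, "IpAddress": "10.0.5.11"},
    # A normal daytime RDP session by a named user (constructed).
    {"TimeCreated": "2023-09-10T09:15:00", "Computer": "FILESRV01", "EventID": 4624,
     "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.0.8.42"},
]

# Assumed business window; in the article no IT staff were on site before 8am.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


def is_rdp_logon(ev):
    """A successful RemoteInteractive logon is Event ID 4624 with LogonType 10."""
    return ev["EventID"] == 4624 and ev["LogonType"] == 10


def outside_business_hours(ts_str):
    """'When': did the logon happen while nobody would be expected at work?"""
    t = datetime.fromisoformat(ts_str).time()
    return not (BUSINESS_START <= t < BUSINESS_END)


def rdp_timeline(events):
    """RDP logons in time order as (time, source_ip, target_host, user)."""
    rows = [(e["TimeCreated"], e["IpAddress"], e["Computer"], e["TargetUserName"])
            for e in events if is_rdp_logon(e)]
    return sorted(rows)


def suspicious_rdp_logons(events):
    """'Who', 'When', 'Where': RDP logons that happened outside business hours."""
    return [e for e in events
            if is_rdp_logon(e) and outside_business_hours(e["TimeCreated"])]


def hosts_reached_by_user(events):
    """'Where' across the estate: hosts each account reached over RDP, in order.
    One account landing on several servers within a short window is the
    lateral movement pattern the article describes."""
    reached = defaultdict(list)
    for _ts, _src, host, user in rdp_timeline(events):
        if host not in reached[user]:
            reached[user].append(host)
    return dict(reached)


if __name__ == "__main__":
    for ts, src, host, user in rdp_timeline(SAMPLE_EVENTS):
        flag = "OUTSIDE HOURS" if outside_business_hours(ts) else ""
        print(f"{ts}  {src:>12} -> {host:<10} {user:<14} {flag}")
    print(hosts_reached_by_user(SAMPLE_EVENTS))
```

On real data the same three functions would be fed from an export of the Security log; the value is in the questions each one answers, not the filtering itself, so a hit on `suspicious_rdp_logons` is a lead to chase, not a verdict.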
I am not going to share the rest of the investigation, but it should be clear that asking
questions helps with investigations. XDR products are just tools that help answer these questions
quickly through queries across the entire environment.
Just from this initial, high-level investigation, we identified that the Administrator credential was
compromised and that the servers had RDP enabled.
In fact, threat actors are, in a way, using the same Five Ws and one H concept in their
attacks.
Why is my payload being blocked? What type of privileges do I have? Where are the
payloads being blocked? How do I overcome this control? When should I execute the
activities so as not to arouse suspicion?
On the defender side, the same concept also applies to incidents, not just breaches.
Take, for example, noticing that the server security product is blocking a PowerShell execution and
that this process was spawned from sqlservr.exe. Instead of answering "yes, the threat is
blocked", start asking questions. How is this possible? What is this server, and does it require
MSSQL? Why is this database public facing?
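The sqlservr.exe case above, as an added detection example in Python that is not part of the original article: it scans constructed process-creation records (field names mirror Sysmon Event ID 1) for server daemons that spawn an interpreter, and attaches the How, What, Why, When and Who questions to each finding whether or not the product already blocked the child. All records, and the parent and interpreter lists beyond sqlservr.exe and PowerShell, are assumptions; the check generalises the article's single case to other server processes.

```python
"""Flag interpreters spawned by server processes (constructed sample data).

Process-creation telemetry (Sysmon Event ID 1 or an EDR equivalent) records the
parent image and child image of every new process. The records below are
constructed for this example and are not real telemetry.
"""
from pathlib import PureWindowsPath

# Server daemons that should not be launching an interpreter directly.
# sqlservr.exe is the case from the article; the rest are assumed additions.
SENSITIVE_PARENTS = {"sqlservr.exe", "w3wp.exe", "httpd.exe", "tomcat9.exe"}
# Interpreters and script hosts worth a question when a daemon starts them.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

SAMPLE_PROCESS_EVENTS = [
    # The article's case: the database engine starting PowerShell at night,
    # blocked by the endpoint product but still worth every question.
    {"UtcTime": "2023-09-12 02:14:07", "Computer": "DBSRV02",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"NT SERVICE\MSSQLSERVER", "Blocked": True},
    # A user opening a console from the desktop: the parent is not a daemon.
    {"UtcTime": "2023-09-12 09:02:33", "Computer": "WS-ACCT07",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe", "Blocked": False},
    # The web server worker starting cmd.exe (generalised case, constructed).
    {"UtcTime": "2023-09-12 11:47:19", "Computer": "WEBSRV01",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"IIS APPPOOL\DefaultAppPool", "Blocked": False},
    # The database engine starting a helper that is not an interpreter.
    {"UtcTime": "2023-09-12 12:00:00", "Computer": "DBSRV02",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "User": r"NT SERVICE\MSSQLSERVER", "Blocked": False},
]


def image_name(path):
    """Case-insensitive file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def is_daemon_spawning_interpreter(ev):
    """True when a sensitive server process is the direct parent of an interpreter."""
    return (image_name(ev["ParentImage"]) in SENSITIVE_PARENTS
            and image_name(ev["Image"]) in INTERPRETERS)


def questions_for(ev):
    """The Five Ws and one H, filled in from the record, for the analyst to chase."""
    parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
    return [
        f"How did {parent} on {ev['Computer']} come to start {child}?",
        f"What does {ev['Computer']} do, and does it need the service behind {parent}?",
        f"Why is the service behind {parent} reachable from wherever this came from?",
        f"When: {ev['UtcTime']} UTC; was anyone expected to be working on it then?",
        f"Who: the child ran as {ev['User']}; is that account over-privileged?",
    ]


def triage(events):
    """One finding per daemon-spawns-interpreter event. A blocked child is still
    a finding: 'yes, it was blocked' answers none of the questions."""
    findings = []
    for ev in events:
        if is_daemon_spawning_interpreter(ev):
            findings.append({
                "host": ev["Computer"],
                "parent": image_name(ev["ParentImage"]),
                "child": image_name(ev["Image"]),
                "blocked": ev["Blocked"],
                "questions": questions_for(ev),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESS_EVENTS):
        status = "blocked" if f["blocked"] else "allowed"
        print(f"{f['host']}: {f['parent']} -> {f['child']} ({status})")
        for q in f["questions"]:
            print("   ", q)
```

The parent and child lists are deliberately short so the rule stays readable; in practice they would be tuned to what each server actually runs, which is itself the answer to the "What is this server" question.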
All these questions eventually help close the security gaps, identifying unpatched systems,
servers with unnecessary services or access, and so on. Of course, to be fair, on the vendor
side of things, there must be improvements to assist in filtering out the noise and
presenting the detections that should be investigated.
However, it must be noted that the investigation still needs to be done by the security
team. Products are not able to magically investigate and produce the results for you. Like
a crime investigation, the investigator must collect leads, but it is up to the investigator to
see whether these leads are part of the case, where these leads fit into the timeline of the
crime, and build the complete investigation.
Without asking questions, the team will never learn about the weaknesses or risks the
environment has. Simply restoring systems after a breach without going through the Five
Ws and one H will simply lead to a repeated breach, which could have even worse
outcomes on the next attack.
Let's start asking questions and stop ignoring the "door jiggles". Having a static approach
to security is not going to cut it against dynamic adversaries.
Biography
Harvey Goh
Harvey Goh is a cyber security specialist who has been in the cyber security industry for over 15
years as technical personnel. Currently he is working as part of Sophos' Managed Threat Response
team. He is also a member of AiSP CTI SIG, EXCO and a volunteer at CSCIS CTI SIG.
Views and opinions expressed in this article are my own and do not represent those of my places of work.
While I make every effort to ensure that the information shared is accurate, I welcome any comments,
suggestions, or corrections of errors.