It will soon be Easter, and the Easter egg hunts will be starting up all over again. Just as the Easter bunny leaves clues and tracks, attackers also leave their traces in your network. It is important to preserve as many of these traces as possible in the run-up to an attack, to enable you to track down the attacker more quickly in the event of a serious incident. In my blog post, find out what precautions you can take to be as efficient as possible when it comes to following the traces.
Easter is almost upon us, and at home, my 3 ½-year-old is obsessed with the Easter Bunny: How does the Easter Bunny get into the house even through locked doors? Does he bring just one Easter egg or will there be several - or will he even take my beloved dummy away with him? Even in the perfect world my son inhabits, an Easter bunny can be seen as a potential threat actor.
I think back fondly to my own childhood. Back then, every child made an Easter nest which the Easter Bunny then filled up with eggs overnight and hid somewhere. On rainy days it was inside the house and, on fine days, outside in the garden. It was also a strange thing, but our parents always knew where the Easter Bunny had hidden the Easter egg nests. We were supposed to look for “tracks”, such as paw prints in the snow (sometimes there really was still snow at Easter), bent dandelion flowers (when the snow was gone) or other clues. Over time, we got better and better at tracking. This way, the “Threat Actor” Easter Bunny could be tracked down by collecting clues, or at least the “Easter eggs” he had planted.
An attacker always leaves a trace
These days, I don’t hunt for Easter egg nests, I search for malware, and I no longer read tracks in the snow, I find attacker traces in forensic artefacts. When we search for an attacker's traces in a network as part of an incident response, it is primarily done at the endpoints. This is where we are most likely to find traces of the attacker. Of course, we also use various network artefacts, such as firewall or proxy logs, to search for C2 communications or evidence of data exfiltration. However, the attacker leaves most of the traces where the attack happens – that is, on the endpoint.
Every attacker leaves behind traces here, whether it is an automated or opportunistic attack, such as the large-scale Hafnium attacks in recent weeks, or a long-planned attack by a nation-state actor. The trick is to distinguish between normal user and system behaviour and attacker activity. This can be a major challenge in very large, diverse or confusing environments. It is particularly difficult where a developer has local administrator rights on their development system, because in that case, a lot of legitimate activity can look like an attack.
Where we often track down the Threat Actor
Fortunately, there are artefacts, or logs where we almost always find traces of the attacker, so this is where we start searching first.
- Antivirus logs: It could be a central AV log or the MS Defender log on the endpoint. As simple as it may sound, many attackers make mistakes and, sooner or later, they are also noticed by an AV solution. That's why this is often the first place I check for traces.
- PowerShell logs: Very often, attackers use the powerful Windows PowerShell to download and load additional programs, move laterally or control entire hosts. There are also various attacker tools that are based on PowerShell or use it extensively (PowerShell Empire, Cobalt Strike, etc.). A base64 string in the PowerShell logs comes from an attacker in 90% of cases.
- Login (Security) or RDP logs: Attackers often use the Remote Desktop Protocol (RDP) to move laterally within the network. These logs give a good overview of where the attacker jumped from and to, or, in the case of the security log, whether user accounts were attacked by brute force. The problem with the security log is that it rotates very quickly, especially on Active Directory domain controllers.
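As an added example (not code from the original post), here is a small Python triage script for the PowerShell-log bullet above: it picks Base64-encoded commands out of constructed 4688/4104-style records, decodes them (PowerShell's -EncodedCommand takes UTF-16LE text, Base64-encoded) and ranks hits that also carry window-hiding or policy-bypass switches. The simplified record format and the host names are assumptions.

```python
import base64
import re
from typing import Optional

def _enc(cmd: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")

# Constructed sample records (not from the original post): one 4688 process-creation
# event and two 4104 script-block events, reduced to "<event id> <host> <field>=<value>".
SAMPLE_LOG_LINES = [
    "4688 WS01 CommandLine=powershell.exe -NoP -NonI -W Hidden -enc "
    + _enc("Get-Process | Out-File C:\\Users\\Public\\procs.txt"),
    "4104 WS02 ScriptBlockText=Get-ChildItem C:\\Logs | Measure-Object",
    "4104 WS03 ScriptBlockText=powershell -EncodedCommand "
    + _enc("Compress-Archive -Path C:\\Finance -DestinationPath C:\\Users\\Public\\f.zip"),
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the Base64 blob follows it.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Switches that hide the window or bypass execution policy, often seen next to encoded commands.
SUSPICIOUS_FLAGS = ("-nop", "-noni", "-w hidden", "-windowstyle hidden",
                    "-ep bypass", "-executionpolicy bypass")

def decode_encoded_command(b64: str) -> Optional[str]:
    """Return the clear-text command, or None if the blob is not valid UTF-16LE Base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_line(line: str) -> Optional[dict]:
    """Describe a record that carries an encoded PowerShell command; None if it does not."""
    match = ENC_RE.search(line)
    if not match:
        return None
    flags = [f for f in SUSPICIOUS_FLAGS if f in line.lower()]
    decoded = decode_encoded_command(match.group(1))
    return {
        "event_id": line.split(" ", 1)[0],
        "host": line.split(" ", 2)[1],
        "decoded": decoded,
        "flags": flags,
        # Encoded command plus hiding/bypass switches is the combination to look at first.
        "severity": "high" if decoded and flags else "medium",
    }

def triage(lines) -> list:
    """Run triage_line over a log extract and keep only the hits, highest severity first."""
    hits = [h for h in (triage_line(line) for line in lines) if h]
    return sorted(hits, key=lambda h: h["severity"] != "high")
```

Run `triage(SAMPLE_LOG_LINES)` to see the two encoded records surface with their decoded commands, while the plain Get-ChildItem record is left alone.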
If we are unable to track down the attacker at these locations, we dig deeper. We analyse a range of forensic artefacts for traces of the attacker. These include any event logs, various registry hives, file system artefacts, recent memory images, etc. However, in order to ensure that these traces are available in the event of an incident, it makes sense to think in advance about which of these artefacts exist in your own company and where they are kept.
Safeguarding the traces before the snow melts
When we went on Easter egg hunts when I was young, we were always lucky if the snow hadn't melted yet. Then it was much easier for us to find the tracks of the “Easter Bunny”. To prevent the snow from melting in your own environment, we recommend you take the following precautions:
- Store important logs such as AV, proxy, VPN and firewall logs centrally and keep them for at least 6 months.
- Store the security logs of at least the Active Directory domain controller centrally.
- In the event of an incident, these logs should be backed up immediately. It is best to do this before you call us.
- Collect all the system logs (application, system, security, task manager, PowerShell and RDP logs) in a central location.
- Think about ways to forensically secure a system (snapshot via VMDK, for example).
- Ideally, you will have already rolled out an EDR system that records the most important traces on the system and analyses them centrally.
A cyberattack can strike your company at any time, not just at Easter. That's why it's so important to quickly recognise attacks and their traces and to react immediately to them. Our Incident Response Retainer creates the optimal conditions for us to provide you with quick, efficient and effective support in the event of a cyberattack. You will have our cyber security experts available to you 24/7. Learn more about our Incident Response Retainer now and don't give the attackers a chance.
The more attacker traces you can find in the run-up to an incident, the faster we will find the “Easter bunny” or the attacker and the “Easter eggs” they have planted. On that note, I wish you and your family a happy Easter and I hope your children find the clues quickly.