Cyber Attack Investigation
What is a Cyber Attack?
A cyber attack is:
- the deliberate exploitation of computer systems, technology-dependent enterprises, and networks
- the use of malicious code to alter legitimate computer code, logic, or data that does not belong to the attackers
- a digital exploit with disruptive consequences, such as a data breach
- linked to all sorts of cybercrime, including data theft and identity theft
- in some cases part of cyber warfare or cyberterrorism
- performed by APT groups, state actors, independent operators, or unknown organizations
You can read more about Cyber Attacks here:
Cisco
A cyberattack is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization. Usually, the attacker seeks some type of benefit from disrupting the victim’s network.
Cisco Cyber Attack Definition
CheckPoint
A cyber attack is an assault launched by cybercriminals using one or more computers against a single or multiple computers or networks. A cyber attack can maliciously disable computers, steal data, or use a breached computer as a launch point for other attacks. Cybercriminals use a variety of methods to launch a cyber attack, including malware, phishing, ransomware, denial of service, among other methods.
CheckPoint Cyber Attack Definition
CSIS
https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
IBM
In addition to cybercrime, cyber attacks can also be associated with cyber warfare or cyberterrorism, like hacktivists. Motivations can vary, in other words. And in these motivations, there are three main categories: criminal, political and personal.
Cyber Attack – IBM Definition
Unisys
https://www.unisys.com/glossary/cyber-attack/
Wikipedia
“A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, society, or organizations, and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon.”
Cyber Attack Wikipedia Definition
Rapid7
https://www.rapid7.com/fundamentals/types-of-attacks/
Fortinet
https://www.fortinet.com/resources/cyberglossary/types-of-cyber-attacks
Upguard
https://www.upguard.com/blog/cyber-attack
Imperva
https://www.imperva.com/learn/ddos/ddos-attacks/
PortSwigger
https://portswigger.net/daily-swig/cyber-attacks
What are the targets of a potential Cyber Attack?
- computer networks
- computer information systems
- any type of internet-connected or electronic device
- computer infrastructure
- critical infrastructure
- data centers
- personal computers
Types of cyber attacks
There are many types of cyberattacks. Here is a non-exhaustive list:
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
- TCP SYN flooding or SYN attack
- Teardrop attack
- Smurf attack
- Ping-of-death attack (PoD)
- Botnets or bots
- Man-in-the-middle (MITM) attack
- Janus attack
- Bucket brigade attack
- Session hijacking
- IP spoofing
- Replay attack/playback attack
- Phishing attack
- Spear phishing attack
- Drive-by download attack / watering hole attack
Password Hacking
- Password attack/password cracking
- Brute force attack/brute force cracking
- Dictionary attack
- SQL injection attack
- Cross-site scripting (XSS) attack
- Eavesdropping attack
- Passive eavesdropping attacks
- Active eavesdropping attacks
- Birthday attacks
Trojan Horses
- Trojan horse
- Backdoor Trojan
- Downloader Trojan
- Info-stealer Trojan
- Remote access Trojan (RAT)
- Data-sending Trojan
- Destructive Trojan
- Proxy Trojan
- Crypto Trojan
- Ransomware variants
Computer Viruses & Worms
- Logic bomb, slag code, or malicious logic
- Dropper/virus droppers
- Macro viruses
- Polymorphic viruses
- Stealth viruses
- Crypto viruses
- Crypto worms
Ransomware & Ransomware Attacks
- Crypto ransomware or encryptors encrypt your files and data; you need the decryption key to get access to your data again.
- Lockers lock you out of your computer: files and applications are not accessible, and the ransom demand is shown on a lock screen, often with a countdown clock.
- Scareware shows fake warnings (false positives) about infections or problems and demands payment to "fix" them.
- Doxware or leakware threatens to publish your data online unless you pay.
- RaaS (Ransomware as a Service) is a business model rather than a single piece of malware: developers lease their ransomware, together with its command-and-control and payment infrastructure, to affiliates who carry out the attacks and share the ransom.
Other Malicious Software and cyber ‘pestilence’
- Malicious software
- Adware
- Certain Freeware
- Pitchware
- Spyware
- Online Fraud
- Social Engineering
- Zero-day attacks
- Malware attack
RED FLAGS
Red Flags of a potential Cyber Attack.
Suspicious symptoms & indicators.
The red flags depend on the type of cyber attack. These are the first elements to investigate and keep track of.
- what happened?
- chronology of facts, incidents, based on verifiable and relevant reports
- how did it happen? documentation of the cyber kill chain that was used.
- what was the effect?
- damage report, the current state of digital assets
- did you notice anything beforehand? If not, why not? Early indicators, warning system.
- what countermeasures did you (not) deploy?
- are you listening to your staff & employees? what do they report?
- can you detect a denial of service (DoS) and distributed denial of service (DDoS) attack?
- symptoms that you are under a cyber attack could be:
- increase of pop-ups in browser windows
- sudden crashes and/or stalling of systems
- breach of computer network, data leaking out
- too many users (IP addresses) on your network compared to your internal staff
- unknown processes and programs running on your computers
- phishing emails & suspicious attachments
- compromised email accounts
- malicious links in SMS or chat messages
- suspicious or infected PDF files in WhatsApp messages
- too many unknown contacts in your WhatsApp or messenger
- software running in erratic ways
- users resisting updating software and systems
- social engineering attempts
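Several of the red flags above (too many unknown IP addresses, a flood of requests that points to a DoS attack, systems crashing or stalling) can be checked mechanically against web-server access logs. The script below is an added example, not part of the original page: it runs over constructed Apache/nginx "combined" log lines, lists source addresses outside your own ranges, finds per-IP request floods with a sliding window, and reports the share of 5xx responses. The internal range, window length and threshold are assumptions that must be tuned to your own traffic.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log format: client IP, identity, user, timestamp,
# request line, status, response size. Trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_sample_log() -> str:
    """Constructed access-log sample (not real traffic): a few normal requests from
    the 10.0.0.0/8 office range plus one external address that fires 40 requests
    in 8 seconds and is answered with 503s."""
    lines = [
        '10.0.1.15 - alice [12/Mar/2024:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
        '10.0.1.22 - - [12/Mar/2024:09:00:03 +0000] "GET /app/login HTTP/1.1" 200 512',
        '203.0.113.7 - - [12/Mar/2024:09:00:05 +0000] "GET / HTTP/1.1" 200 1043',
        '10.0.1.15 - alice [12/Mar/2024:09:01:10 +0000] "POST /app/report HTTP/1.1" 200 88',
    ]
    for i in range(40):  # five requests per second during seconds 20..27
        sec = 20 + i // 5
        lines.append(
            f'198.51.100.9 - - [12/Mar/2024:09:00:{sec:02d} +0000] "GET /search?q={i} HTTP/1.1" 503 0'
        )
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "when": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "request": m["req"],
            "status": int(m["status"]),
        })
    events.sort(key=lambda e: e["when"])
    return events


def unknown_sources(events: list, internal_nets: list) -> list:
    """Red flag: source addresses that fall outside all of your own address ranges."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    external = {
        e["ip"] for e in events
        if not any(ipaddress.ip_address(e["ip"]) in net for net in nets)
    }
    return sorted(external)


def detect_request_floods(events: list, window_seconds: int = 60, threshold: int = 20) -> dict:
    """Red flag for (D)DoS: per source IP, the peak number of requests seen inside any
    sliding window of `window_seconds`; only IPs at or above `threshold` are returned.
    The defaults are assumed values, not a standard."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the current window
    peak = defaultdict(int)       # ip -> highest window occupancy seen so far
    for e in events:              # events are time-ordered, so a single pass suffices
        q = recent[e["ip"]]
        q.append(e["when"])
        while (e["when"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def server_error_ratio(events: list) -> float:
    """Red flag for crashing or stalling systems: share of responses with a 5xx status."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["status"] >= 500) / len(events)


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("external sources:", unknown_sources(ev, ["10.0.0.0/8"]))
    print("request floods:", detect_request_floods(ev))
    print(f"5xx ratio: {server_error_ratio(ev):.2f}")
```

On the constructed sample the flood detector reports only 198.51.100.9, while 203.0.113.7 shows up as an unknown source without being a flood; in practice you would feed it a real access log and a list of your own networks, and compare the peak counts against what a busy but normal day looks like before choosing a threshold.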
Cyber Attack Investigation Process
This can be a complex, time-consuming and resource-intensive process. It is not just a matter of checking the "most wanted" list of cybercriminals. Cyber attacks are often carried out by trained criminals or other bad actors who are skilled in obfuscation, misinformation and disinformation, which makes it hard or impossible to attribute an attack to a specific person or group with certainty. Because the work is neither simple nor straightforward, a professional, independent cyberattack investigation is all the more valuable. It is important to understand and document the "cyber kill chain": the sequence of steps the attacker went through, from reconnaissance and delivery of the payload, through exploitation and installation, to command and control and the actions taken on the target.
Action plan during a Cyber Attack Investigation
- analysis and recovery of critical forensic data
- investigate all networks & devices involved in the attack (enumeration, inventory)
- determine how & when the interactions occurred
- get a full understanding of what happened
- understand why it happened
- document when it happened – timeline and chronology
- who performed the cyber attack?
- how was the cyberattack carried out?
- what was the cyber kill chain?
- who are the primary and secondary victims?
- did the countermeasures kick in?
- was the cyber attack detected in time? if no detection, why not?
- was there any internal involvement at play? (sabotage, insider threats?)
- have the targeted digital assets been recovered?
- did the recovery strategy and SOP work in reality?
- what are the damages (short term, mid-term, long-term)
- what is the total cost of the cyberattack?
- how to prevent a future similar attack?
- protection and detection to put in place
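Three of the steps above (recovering forensic data, documenting the timeline and chronology, and reconstructing the cyber kill chain) come together in one piece of tooling: a script that hashes each evidence export, normalizes timestamps from different systems and time zones to UTC, merges them into one ordered timeline and maps each event to a kill-chain phase. The script below is an added example, not part of the original page or of any investigation tool; the three evidence exports are constructed for a fictional incident, and the event labels and their phase mapping (PHASE_OF) are assumptions an investigator would maintain per case.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Lockheed Martin Cyber Kill Chain phases, in model order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Assumed mapping from our own event labels to kill-chain phases; these labels are
# not from any vendor and would be maintained as the case develops.
PHASE_OF = {
    "mail_attachment_opened": "Delivery",
    "office_macro_spawned_powershell": "Exploitation",
    "service_installed": "Installation",
    "beacon_dns": "Command and Control",
    "ssh_login": "Actions on Objectives",
    "bulk_upload": "Actions on Objectives",
}

# --- Constructed evidence exports for a fictional incident (not real data) ---
# Workstation event export: local time with UTC offset, as written on the host.
WINDOWS_EXPORT = """\
2024-03-12T10:58:40+02:00|mail_attachment_opened|user opened invoice.docm from Outlook
2024-03-12T10:59:02+02:00|office_macro_spawned_powershell|WINWORD.EXE started powershell.exe -enc ...
2024-03-12T11:00:05+02:00|service_installed|new service WinSyncSvc registered (Event ID 7045)
"""
# Jump-host auth log with RFC 3339 timestamps (already UTC).
AUTH_LOG = """\
2024-03-12T09:02:11.482913+00:00 jump01 sshd[2231]: Accepted publickey for svc_backup from 10.0.1.50 port 51022
2024-03-12T09:07:44.010022+00:00 jump01 sshd[2290]: Accepted password for svc_backup from 10.0.1.15 port 40311
"""
# EDR detections exported as JSON with epoch milliseconds.
EDR_JSON = """[
  {"ts_ms": 1710234060000, "kind": "beacon_dns", "host": "WS-0413", "msg": "periodic TXT lookups to updates.example.net"},
  {"ts_ms": 1710234900000, "kind": "bulk_upload", "host": "jump01", "msg": "412 MB sent to 203.0.113.77:443"}
]"""

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def evidence_record(name: str, raw: str) -> dict:
    """Hash each export before parsing it, so every timeline entry can be traced
    back to an unchanged piece of source material (chain of custody)."""
    data = raw.encode()
    return {"evidence": name, "sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)}


def make_event(source: str, when: datetime, kind: str, desc: str) -> dict:
    # Normalize every timestamp to UTC: exports written in local time would
    # otherwise sort into the wrong order next to UTC sources.
    when_utc = when.astimezone(timezone.utc)
    return {"when": when_utc, "utc": when_utc.isoformat(), "source": source,
            "kind": kind, "phase": PHASE_OF.get(kind, "Unclassified"), "desc": desc}


def parse_windows(raw: str, host: str) -> list:
    events = []
    for line in raw.splitlines():
        ts, kind, desc = line.split("|", 2)
        events.append(make_event(f"windows:{host}", datetime.fromisoformat(ts), kind, desc))
    return events


def parse_authlog(raw: str) -> list:
    events = []
    for line in raw.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, host, method, user, src = m.groups()
        events.append(make_event(f"authlog:{host}", datetime.fromisoformat(ts), "ssh_login",
                                 f"{user} logged in via {method} from {src}"))
    return events


def parse_edr(raw: str) -> list:
    return [make_event(f"edr:{d['host']}", datetime.fromtimestamp(d["ts_ms"] / 1000, tz=timezone.utc),
                       d["kind"], d["msg"]) for d in json.loads(raw)]


def build_timeline() -> list:
    """Merge all sources into one chronologically ordered timeline."""
    events = parse_windows(WINDOWS_EXPORT, "WS-0413") + parse_authlog(AUTH_LOG) + parse_edr(EDR_JSON)
    return sorted(events, key=lambda e: e["when"])


def kill_chain_summary(timeline: list) -> dict:
    """For each kill-chain phase, the UTC time of the first supporting event, or None
    when the evidence holds nothing for that phase (a gap that still needs work)."""
    first_seen = {}
    for e in timeline:
        first_seen.setdefault(e["phase"], e["utc"])
    return {phase: first_seen.get(phase) for phase in KILL_CHAIN}


if __name__ == "__main__":
    for name, raw in [("WS-0413 events", WINDOWS_EXPORT), ("jump01 auth.log", AUTH_LOG), ("EDR export", EDR_JSON)]:
        print(evidence_record(name, raw))
    timeline = build_timeline()
    for e in timeline:
        print(e["utc"], e["source"], e["phase"], "-", e["desc"])
    print(kill_chain_summary(timeline))
```

The summary deliberately lists every phase, including those with no evidence (here Reconnaissance and Weaponization), because an empty phase is either a genuine gap in the evidence or a sign that logging was missing where it should have existed; both belong in the report.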
During and after a cyber attack and/or cybercrime investigation we work closely together with:
- Criminal justice agencies
- National security agencies
- Other Private security agencies
- White Hat Hackers
- Cyber Security Specialists
- Industry groups
- Other relevant authorities or entities