CYBER ATTACK INVESTIGATION
What is a Cyber Attack?
A cyber attack is:
- a deliberate exploitation of computer systems, technology-dependent enterprises and networks
- the use of malicious code to alter legitimate computer code, logic or data (which does not belong to the attackers)
- a digital exploit that results in disruptive consequences, such as data breaches
- related to all sorts of cybercrime, including data theft and identity theft
- possibly associated with cyberwarfare or cyberterrorism
- performed by APT groups, state actors or independent operators / unknown organizations
What are the targets of a potential Cyber Attack?
- computer networks
- computer information systems
- any type of internet connected electronic device
- computer infrastructure
- critical infrastructure
- data centers
- personal computers
Types of cyber attacks
There are many types of cyber attacks. Here is a non-exhaustive list:
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
- TCP SYN flooding or SYN attack
- Teardrop attack
- Smurf attack
- Ping-of-death attack (PoD)
- Botnets or bots
- Man-in-the-middle (MITM) attack
- Janus attack
- Fire brigade attack
- Session hijacking
- IP spoofing
- Replay attack / playback attack
- Phishing attack
- Spear phishing attack
- Drive-by download attack – watering hole technique
- Password attack / password cracking
- Brute force attack / brute force cracking
- Dictionary attack
- SQL injection attack
- Cross-site scripting (XSS) attack
- Eavesdropping attack
- Passive eavesdropping attacks
- Active eavesdropping attacks
- Birthday attacks
- Trojan horse
- Backdoor Trojan
- Downloader Trojan
- Info-stealer Trojan
- Remote access Trojan (RAT)
- Data-sending Trojan
- Destructive Trojan
- Proxy Trojan
- Crypto Trojan
Computer Viruses & Worms
- Logic bomb, slag code or malicious logic
- Dropper / virus droppers
- Macro viruses
- Polymorphic viruses
- Stealth viruses
- Crypto viruses
- Crypto worms
- Crypto ransomware or encryptors encrypt your files and data; you need a decryption key to access your data again.
- Lockers lock you out of your computer. Files and applications are not accessible. The ransom demand is displayed on a lock screen with a countdown clock.
- Scareware claims false positives (fake infections) and demands money.
- Doxware or leakware threatens to publish your data online unless you pay.
- RaaS (Ransomware as a Service) is a complex malware system that uses anonymous command and control centers to distribute ransomware and collect the ransom payment.
Other Malicious Software and cyber pestilence
- Malicious software
- Certain Freeware (what info does it take from you?)
- Online Fraud
- Social Engineering
- Zero day attacks
- Malware attack
Red Flags of a potential Cyber Attack. Suspicious symptoms & indicators.
The red flags depend on the type of cyber attack. These are the first elements to investigate and keep track of.
- what happened?
- how did it happen?
- what was the effect?
- did you notice anything beforehand? If not, why not?
- what countermeasures did you (not) deploy?
- are you listening to your staff & employees? what do they report?
- can you detect a denial of service (DoS) and distributed denial of service (DDoS) attack?
- symptoms that you are under a cyber attack could be:
- increase of pop-ups in browser windows
- sudden crashes and/or stalling of systems
- breach of computer network, data leaking out
- more users (IP addresses) on your network than you have internal staff
- unknown processes and programs running on your computers
- phishing emails & suspicious attachments
- email hacking
- malicious links in SMS or chat messages
- suspicious and infected pdf-files in whatsapp messages
- too many unknown contacts in your whatsapp or messenger
- software behaving erratically
- users refusing to update software and systems
- social engineering attempts
Cyber Attack Investigation Process
This can be a very complex, time-consuming and resource-consuming process. It is not just a matter of checking the “most wanted” list of cybercriminals. Cyber attacks are often carried out by trained cyber criminals or other bad actors who are masters of obfuscation, misinformation and disinformation techniques, which makes it hard or impossible to attribute a cyber attack to a specific person or group. It is neither simple nor straightforward, which makes a professional, independent cyber attack investigation even more valuable.
Action plan during Cyber Attack Investigation – the process
- analysis and recovery of critical forensic data
- investigate all networks & devices involved in the attack (enumeration, inventory)
- determine how & when the interactions occurred
- get a full understanding of what happened
- understand why it happened
- document when it happened – timeline and chronology
- who performed the cyber attack?
- how was the cyber attack carried out?
- what was the cyber kill chain?
- who are the primary and secondary victims?
- did the countermeasures kick in?
- was the cyber attack detected in time? If not, why not?
- was there any internal involvement at play? (sabotage, insider-threats?)
- have the targeted digital assets been recovered?
- did the recovery strategy and SOP work in practice?
- what are the damages (short-term, mid-term, long-term)?
- what is the total cost of the cyber attack?
- how to prevent a future similar attack?
- protection and detection to put in place
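As an added illustration of two items above (the red flag "more IP addresses on your network than internal staff" and the action-plan step "document when it happened – timeline and chronology"), the following Python script normalises a handful of log lines into one chronological timeline and reports the red flags it finds. This is example code written for this page, not code from the original page or from the investigating firm; the two log formats, the sample lines, the internal network range 10.0.0.0/24, the staff count and the burst threshold are all constructed assumptions.

```python
"""Build a chronological timeline from mixed log lines and flag simple red flags.

Added example (not from the original page). The log formats, the sample
lines, INTERNAL_NETWORK, STAFF_COUNT and the burst threshold are assumptions.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real data). Two formats are mixed on purpose,
# and one auth line is out of order, as logs collected from several hosts usually are.
SAMPLE_LOGS = [
    "2024-03-01T09:00:05Z auth Accepted password for alice from 10.0.0.12",
    "2024-03-01T09:01:40Z web 10.0.0.12 GET /intranet 200",
    "2024-03-01T09:02:17Z web 203.0.113.45 GET /login 200",
    "2024-03-01T09:02:18Z web 203.0.113.45 POST /login 401",
    "2024-03-01T09:02:18Z web 203.0.113.45 POST /login 401",
    "2024-03-01T09:02:19Z web 203.0.113.45 POST /login 401",
    "2024-03-01T09:02:19Z web 203.0.113.45 POST /login 401",
    "2024-03-01T09:02:20Z web 203.0.113.45 POST /login 200",
    "2024-03-01T09:01:55Z auth Accepted password for bob from 10.0.0.20",
    "2024-03-01T09:05:00Z auth Accepted publickey for svc-backup from 198.51.100.7",
    "2024-03-01T09:06:30Z web 10.0.0.31 GET /intranet 200",
]

INTERNAL_NETWORK = ip_network("10.0.0.0/24")  # assumption: the staff LAN
STAFF_COUNT = 2                                # assumption: alice and bob


def parse_line(line):
    """Normalise one 'auth' or 'web' line into a dict with a common shape."""
    ts, source, rest = line.split(" ", 2)
    time = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    if source == "auth":
        # "... for <user> from <ip>"
        ip = rest.rsplit(" from ", 1)[1]
        user = rest.split(" for ", 1)[1].split(" ", 1)[0]
    elif source == "web":
        # "<ip> <method> <path> <status>"
        ip, rest = rest.split(" ", 1)
        user = None
    else:
        raise ValueError(f"unknown log source: {source}")
    return {"time": time, "source": source, "ip": ip, "user": user, "event": rest}


def build_timeline(lines):
    """Parse every line and return the events sorted by timestamp (the chronology)."""
    return sorted((parse_line(l) for l in lines), key=lambda e: e["time"])


def request_bursts(events, window_seconds=10, threshold=5):
    """Return {ip: max events inside any window} for IPs reaching the threshold.

    A burst of requests from one source within a few seconds is a crude
    DoS / brute-force symptom worth a closer look, not proof of an attack.
    """
    times_by_ip = {}
    for e in events:
        times_by_ip.setdefault(e["ip"], []).append(e["time"])
    bursts = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def red_flags(lines, internal=INTERNAL_NETWORK, staff_count=STAFF_COUNT):
    """Summarise the timeline span, internal vs. external sources and bursts."""
    events = build_timeline(lines)
    internal_ips = sorted({e["ip"] for e in events if ip_address(e["ip"]) in internal})
    external_ips = sorted({e["ip"] for e in events if ip_address(e["ip"]) not in internal})
    return {
        "first_event": events[0]["time"].isoformat(),
        "last_event": events[-1]["time"].isoformat(),
        "more_hosts_than_staff": len(internal_ips) > staff_count,
        "internal_ips": internal_ips,
        "external_ips": external_ips,
        "bursts": request_bursts(events),
    }


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOGS):
        print(e["time"].isoformat(), e["source"], e["ip"], e["user"] or "-", e["event"])
    print(red_flags(SAMPLE_LOGS))
```

On the constructed sample the script reports three distinct internal addresses against two staff members, two external sources, and a burst of six login requests from one external address within a few seconds; each of those is a starting point for the "what happened, how and when" questions, not a conclusion on its own.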
During and after a cyber attack and/or cyber crime investigation we work closely with:
- Criminal justice agencies
- National security agencies
- Other Private security agencies
- White Hat Hackers
- Cyber Security Specialists
- Industry groups
- Other relevant authorities or entities