This weekend, in my midnight forays on Twitter (I do sleep, just not when you think I do), I discovered these graphs. As they say, a picture is worth a thousand words. These are worth far more because they visually represent high-level concepts on attackers and hunting. All credit goes to Jack Crook @jackr on Twitter, whose site is findingbad.blogspot.com. We know how this game is played, that the attackers have been living in our networks far longer than we realized. Defence isn’t passive. It can’t be. We need to be actively monitoring all the things. We need to be expanding the Cyber Kill Chain past the perimeter and into the depths of our realm, to play this game of cat and mouse.
I’ve been pursuing my love of threat intel over these past months, and shared my learnings via talks at my local DC416 chapter, and then – fireworks and music – at Wall of Sheep at Defcon this year. OMG! Reading Jack’s work just fires up my urge to learn more, and these depictions show what I want to say so very well.
“Enumeration”. Per Jack:
Enumeration is an attacker need. They need to know where they are, where they can go, where’s the data they’re after.
“Credentials”. Jack says:
Attackers need credentials if they’re going to move laterally within your network. Here are some ideas to go digging for.
“PowerShell”. Jack adds:
Here are some additional things to think about when looking at PowerShell.
And I saved the best for last! How will they execute?
Process execution is an attacker need. There are opportunities for developing creative ways to find when it is malicious.
Thank you, Jack, for sharing this wisdom. And thank you for reading!