- November 11, 2020
Threat investigation is a complex process consisting of threat hunting and subsequent analysis of the discovered data. It can help you paint the whole picture about the attack and make sure that no similar attacks will ever happen in the future.
Threat hunting is a process of proactively searching for threats that already compromised your infrastructure. Threat hunting should start with hypothesis – who compromised us and how. Without forming a hypothesis, threat hunting is like finding a needle in a haystack. The hypothesis should be formed based on threat intelligence and a detailed knowledge of your company.
For example, if your business assets contain COVID-19 related research data, you can search for IOC (indicators of compromise) belonging to the APT29.
The investigation should not end with detecting the incident. Each malicious file should be analyzed to uncover the full extent of the incident. Malware analysis can reveal the capabilities of the malware, including the ways it gains persistence. It can speed up the incident response process, as well as make sure that the threat will not resurface later. Analyzing malicious files can be also used to discover the origin and the motivation behind the attacks.
There are two ways to analyze malware. Dynamic analysis is performed by running the sample in a sandboxed environment and either observe system changes using automated tools or manually debug the malware. Static analysis consists of analyzing the code of the malware without running it.
Malware often features techniques aimed to prevent analysis. Malware can detect various strings belonging to sandbox environments to prevent dynamic analysis and can also attach debugger to itself to prevent debugging. Skilled malware researchers can bypass those techniques and analyze even the most advanced malware samples.
The information learnt during the investigation can be used to improve detection, mitigation and thus preventing again in the future.
Online workshop Threat Investigation – A drama in four acts, will guide you through the investigation of four real-world cyber-attacks with threat hunting and analysis of malicious files on real samples.