“The Art of Cyberwarfare” Notes
The Art of Cyberwarfare: An Investigator’s Guide to Espionage, Ransomware, and Organized Cybercrime by Jon DiMaggio is an instructive guide to nation-state, criminal, and advanced ransomware cyber threat actors. The first half gives an overview and history of advanced cyber ops, and the second half explains how to investigate, analyze, track, and attribute. It includes many real-world examples and tools. Neither half dives very deep.
My notes follow.
This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.
Nation-State Attacks
China engages in IP theft and espionage to increase its political standing.
Russia conducts espionage and uses malware, disinformation, and cyber-deflection campaigns to achieve military and political goals. It targets financial institutions for retribution and to cause economic disruption in targeted nation.
Iran conducts espionage and sabotage to achieve political, religious, military dominance in Middle East. It uses cyber ops to track and spy on its citizens. It steals from financial institutions to fund its nuclear program and other functions, as it’s sanctioned. It seeks to look powerful and retaliate against alleged ops from the US and its allies. It primarily uses contractors.
North Korea steals from financial institutions to fund its nuclear program and other functions, as it’s heavily sanctioned. It’s motivated to attack other countries because of sanctions and restrictions imposed on it. It also uses cyber ops to develop military, economic, and intelligence-gathering capabilities. It seeks to look powerful and retaliate against alleged ops from the US and its allies.
Election Hacking
Likely the same nation-state attacker attacked elections in Ukraine in 2014, US in 2016, France in 2017.
One government accusing another government of hacking draws attention to intelligence capabilities of accusing government, and causes political tensions.
Adversaries and Attribution
Hacktivists
- Often politically or religiously motivated.
- Attacks usually have personal aims.
- Have many followers who can participate in attacks.
- Sophistication varies widely.
- Often use DDoS attacks.
- Commonly try to publicly embarrass target by publicly posting stolen data.
- Often deface websites to embarrass target and spread propaganda.
Cybercrime
- Financially motivated.
- Often target retail and consumer finance industries.
- Often use social engineering to gain initial access.
- Tend to use commodity malware, but may modify it, or purchase or develop custom malware. Malware usually not as advanced as espionage actors.
- Use malware to steal credentials, demand ransom, compromise retail POS systems.
- Sell services (hacking as a service, malware as a service, IaaS, botnets).
Cyber espionage
- Goal is to steal sensitive info (intellectual property, internal communications, etc.) to gain geopolitical advantage.
- Typically conducted by nation-states.
- Present greatest level of risk because attacks are usually advanced, long-term, persistent, so difficult to defend against.
- Typically better funded than other threat actors.
- Have access to custom, sophisticated malware.
- Able to frequently change or expand cyber infrastructure and tools.
- Often have access to zero-day exploits.
- Frequently recon, then use spear-phishing to deliver malware and access targeted networks.
- Often use watering-hole attacks.
“Dark Web” refers to websites not indexed by most search engines, inaccessible without special encryption applications or protocols. “Darknet” refers to encrypted networks; infrastructure that Dark Web runs on.
If after analysis you’re not able to classify threat, analyze activity and identify IoCs to link similar instances. Classify based on behavior and tactics. Cluster those with similar activities and behaviors into buckets for later attribution. Monitor and compare tactics with other activities to identify similarities and link attacks.
Attribution process
- Gather supporting data: Gather attributable data (relevant data about infrastructure, malware, persona, targeting data). Conduct OSINT to supplement data gathered from attack.
- Assess: Process and analyze data to assess threats and create visualizations. Track attacker activities and timeframes by analyzing log timestamps. Conduct time-zone analysis (document exact time each event occurred to see when attacker was active, to narrow down their time zone). Analyze malicious binaries for interesting strings (e.g., file paths, aliases, usernames), language settings.
- Hypothesize: Examine big picture and brainstorm attribution hypotheses.
- Challenge/defend: All parties involved in attribution meet to debate, evaluate, rank hypotheses from strongest to weakest.
- Confidence assessment: Conduct confidence assessment of top-ranked hypothesis.
- Document results: Record attribution assessment and confidence rating in attacker’s threat profile. Communicate analysis results.
Don’t use same name for malware and group that uses it, as multiple groups can use malware, and groups can change which malware they use.
Time-zone analysis
- Collect attack activity details from system, network, security device logs. Document exact time each attack event occurred in victim’s network (e.g., credential collection, network and vulnerability scanning, CLI or PowerShell use). Record malware compile times.
- Plot data on graph (times of activity broken out by hour, day, week, month). Overlay graph across time zones hour by hour to find 8–9 hr window of consistent activity that may represent typical workday schedule. Consider work days and holidays in suspected country.
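The overlay step above, worked through as an added example (not code from the book): constructed UTC timestamps from victim logs are bucketed by hour, shifted across every UTC offset, and the offsets for which the densest 9-hour window starts at an assumed 09:00 workday are reported. The 09:00 start and the sample events are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: UTC times of attacker activity pulled from victim logs
# (credential collection, scanning, PowerShell use). Not real case data.
EVENTS_UTC = [
    "2023-03-06 01:12", "2023-03-06 02:40", "2023-03-06 03:15", "2023-03-06 05:02",
    "2023-03-06 06:30", "2023-03-06 07:55", "2023-03-06 08:20", "2023-03-06 09:05",
    "2023-03-07 00:45", "2023-03-07 02:10", "2023-03-07 04:33", "2023-03-07 06:12",
    "2023-03-07 07:48", "2023-03-07 09:30", "2023-03-07 22:50", "2023-03-08 01:05",
    "2023-03-08 03:20", "2023-03-08 05:40", "2023-03-08 08:15", "2023-03-08 09:50",
]

def hourly_counts(events_utc, offset_hours):
    """Histogram of events by local hour after shifting UTC by offset_hours."""
    counts = Counter()
    for ts in events_utc:
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M") + timedelta(hours=offset_hours)
        counts[local.hour] += 1
    return counts

def busiest_window(counts, width=9):
    """(start_hour, events) of the densest contiguous window; wraps past midnight."""
    best_start, best_total = 0, -1
    for start in range(24):
        total = sum(counts[(start + h) % 24] for h in range(width))
        if total > best_total:
            best_start, best_total = start, total
    return best_start, best_total

def candidate_offsets(events_utc, workday_start=9, width=9):
    """UTC offsets under which the densest window begins at the assumed workday start.

    Several offsets can match; weekday/holiday patterns for the suspected
    country are needed to narrow further, and this alone is not attribution.
    """
    return [off for off in range(-12, 15)
            if busiest_window(hourly_counts(events_utc, off), width)[0] == workday_start]

if __name__ == "__main__":
    print("busiest UTC window:", busiest_window(hourly_counts(EVENTS_UTC, 0)))
    print("candidate offsets:", candidate_offsets(EVENTS_UTC))
```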
Don’t assume domains hosted on same IP address belong to the same attacker. If an IP address hosts multiple malicious domains simultaneously, and IP address doesn’t belong to a web host, that’s a stronger link, though still not enough evidence for attribution.
Don’t use domains registered by brokers in attribution. Indicators of brokers: lack of WHOIS privacy, over 50 domains registered, registrant’s physical address is associated with many domains.
Don’t attribute based on publicly available hacking tools, as anyone can use them.
“When in doubt, split it out.” If unsure of attribution, don’t attribute, but split out or keep activity separate and track it as independent attacker. With more data over time you can associate or disassociate attribution to another known threat group or create a new one. It’s easier to merge 2 groups later than to break a single group into 2.
Malware Distribution and Communication
Sender’s email address is typically in multiple fields, including From, Sender, X-Sender, Return-Path. If address in these fields varies, email is likely fraudulent.
Originating IP field doesn’t help with large hosted email providers like Gmail and Microsoft, but can help for email hosted by organizations. Check WHOIS, do reverse DNS lookup to see domains hosted on IP address.
X-mailer field can be helpful in case sender uses unusual email client.
If multiple emails have same Message-ID, they’re likely forged.
If Message-ID and Reply-To ID are same, the email is fraudulent.
Tracking Date field over time can help attribute region from which emails are being sent.
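The header checks above (sender-field agreement, Message-ID versus Reply-To, duplicate Message-IDs, X-Mailer), as an added example using Python's standard email module; the two raw messages are constructed and are not from the book.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Two constructed raw messages (not real traffic). A's sender headers disagree,
# its Reply-To equals its Message-ID, and A and B share a Message-ID.
RAW_A = """From: "IT Helpdesk" <helpdesk@example-corp.test>
Sender: notices@relay.example.test
Return-Path: <bounce@relay.example.test>
Reply-To: <20230306.0001@relay.example.test>
Message-ID: <20230306.0001@relay.example.test>
X-Mailer: ConstructedMailer/1.0
Subject: Quarterly report

See attachment.
"""
RAW_B = """From: alice@example-corp.test
Return-Path: <alice@example-corp.test>
Message-ID: <20230306.0001@relay.example.test>
Subject: Lunch

Noon?
"""

SENDER_HEADERS = ("From", "Sender", "X-Sender", "Return-Path")

def sender_addresses(msg):
    """Lowercased address from each sender-identifying header that is present."""
    return {h: parseaddr(msg[h])[1].lower() for h in SENDER_HEADERS if msg[h]}

def header_findings(raw):
    """Apply the per-message checks to one raw message; returns a flat dict."""
    msg = message_from_string(raw)
    addrs = sender_addresses(msg)
    mid, reply_to = msg["Message-ID"], msg["Reply-To"]
    return {
        "sender_addresses": addrs,
        "sender_mismatch": len(set(addrs.values())) > 1,
        "msgid_equals_replyto": bool(mid and reply_to and mid.strip() == reply_to.strip()),
        "x_mailer": msg["X-Mailer"],  # None when the client did not set it
    }

def duplicate_message_ids(raws):
    """Message-IDs shared by more than one message in the set (likely forged)."""
    counts = Counter(message_from_string(r)["Message-ID"] for r in raws)
    return sorted(mid for mid, n in counts.items() if mid and n > 1)
```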
If domain was registered shortly before start of malicious campaign, it suggests attacker registered domain.
Legitimate websites are often hosted either on web server with many other domains or on corporate infrastructure with domains all associated with same company. Attackers sometimes host only their own domains, not wanting to share IP space with other infrastructure.
If domain was changed from parked to live shortly before start of malicious campaign, it suggests attacker registered domain.
Legitimate and malicious developers frequently reuse code, so malware patterns alone aren’t enough evidence for attribution. But if you find advanced but rare or unknown malware, you can have higher confidence.
Open Source Threat Hunting
OPSEC
- Separate system or VM
- Browser with no attributable extensions
- VPN
Infrastructure enumeration tools
- Farsight DNSDB (paid): passive DNS (free to researchers)
- PassiveTotal (free, paid): passive DNS, domain registration records, other infrastructure data
- DomainTools (free, paid): domain registration and IP resolution data
- Whoisology (free, paid): current and historical domain registration records
- DNSmap (free): CLI tool to discover subdomains
Malware analysis tools
- VirusTotal (free, paid): malware repo, historical IP address resolution data, PCAPs.
- Hybrid Analysis (free, paid): malware repo, dynamic analysis.
- Joe Sandbox (free, paid): malware repo, ability to query CLI parameters, static analysis.
- Hatching Triage (free, paid): especially useful for ransomware.
- Cuckoo Sandbox (free): local tool to execute malware in VM, monitor it, and document changes it makes; can decode or decrypt encrypted and encoded binaries.
NerdyData indexes website source code. Search malicious code to see what sites contain it.
deeponionweb.com: info on Dark Web criminal markets.
Investigation tracking
- ThreatNote (free): open source, local TIP; centralized platform to collect and track cyberattack-related content and events; has ability to track threat groups and associated IoCs.
- MISP (free): open source, local TIP.
- Analyst1 (paid): TIP; can ingest threat feeds, reports, and IoCs and use AI to correlate and organize data; can create threat actor profiles.
- DEVONthink (paid): academic research tool to store web pages, emails, documents, attack diagrams, PDFs, notes; allows you to tag, organize, filter data.
Recon frameworks
- Recon-ng (free): identify public-facing infrastructure, existing subdomains, email addresses, protocols and ports in use, technologies and OSs used in target environment.
- TheHarvester (free): gathers info about infrastructure, email, companies.
- SpiderFoot (free, paid): query tool that integrates with other tools such as VirusTotal and Hybrid Analysis; has passive search, IPv6 infrastructure enumeration.
- Maltego (free, paid): visual data analysis tool that integrates with other tools such as VirusTotal.
Analyzing a Real-World Threat
Imphash (import hash): value calculated from the DLLs a PE executable imports and the functions it imports from each, in the order they appear in the import table; can be used to digitally fingerprint executables.
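How the value is built, as an added example (not from the book): this reimplements the common imphash recipe (the one pefile uses) over a constructed import list rather than a real PE, so the normalization steps are visible: lowercase, strip .dll/.ocx/.sys, resolve ordinal-only imports, join as dll.func with commas, MD5. The sample import table and the trimmed ws2_32 ordinal table are assumptions.

```python
import hashlib

# Subset of the ws2_32.dll export-ordinal table, used to resolve imports that
# carry only an ordinal (pefile ships the full table; these are standard entries).
WS2_32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   16: "recv", 19: "send", 23: "socket", 115: "WSAStartup"}
ORDINAL_TABLES = {"ws2_32": WS2_32_ORDINALS}

# Constructed import table for a hypothetical PE: (dll, name-or-ordinal) pairs
# in import-table order. Not taken from any real sample.
SAMPLE_IMPORTS = [
    ("KERNEL32.DLL", "CreateFileA"),
    ("KERNEL32.DLL", "WriteFile"),
    ("WS2_32.dll", 23),            # ordinal-only import; 23 resolves to socket
    ("ADVAPI32.dll", "RegSetValueExA"),
]

def normalize_imports(imports):
    """Canonical string the hash is computed over; order of entries matters."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base                       # "ws2_32.dll" -> "ws2_32"
        if isinstance(func, int):            # ordinal import: look up or use ordN
            func = ORDINAL_TABLES.get(lib, {}).get(func, f"ord{func}")
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)

def imphash(imports):
    """MD5 of the normalized import string, as a hex digest."""
    return hashlib.md5(normalize_imports(imports).encode()).hexdigest()

if __name__ == "__main__":
    print(normalize_imports(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the string is order-sensitive, the same source built with the same toolchain tends to share an imphash, while reordering or adding a single import changes it completely.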
Appendix A: Threat Profile Questions
- Do third-party names exist for group you’re profiling? Learn from profiles others have created.
- What type of attacks has group conducted?
- What type of malware does group use? Is it publicly available or custom-developed? If developed by attacker, is it unique to one group or used by several? Is second-stage malware used?
- What is timeline of activity?
- What vulnerabilities (CVEs) does attacker exploit? Are zero-day exploits used? Is zero-day unique to this group or used by several?
- Is digital certificate used to sign malware? Who is signer?
- Is malware found in public malware repos? If so, compare compile time and submission date to timeline of your attack. Do compiled timestamps appear legitimate, or forged?
- Does attacker use encryption keys/passwords in malware?
- Once on a network, what are TTPs used to escalate privileges or conduct lateral movements? What tools does group use to do this? Are they custom developed or publicly available?
- What industries are targeted? Were any targets breached? If you have target list, where did it come from?
- Does group use spear-phishing? If so, what are themes and lures? Do you have any spear-phishing emails for analysis?
- Is there a pattern/relationship to infrastructure used (e.g., IP address or domain email originated from)?
- Did group create spear-phishing sender address or use compromised legitimate account? If sender address is spoofed, is persona related to a real person? Is there relationship/association between spoofed persona and target?
- Does group use domains or IP addresses for C&C infrastructure?
- Does group have way to organize exfiltrated data? Look for campaign codes or identifiers within malware or exfiltrated data. Does attack use subdomains with a theme designed to spoof target or associated industry?
Questions about C&C domains
- Are domains created and registered by attacker, or is legitimate infrastructure compromised and used in attack?
- Are any domains hosted with dynamic DNS services?
- If registered by attacker, does group use adversary-created email address, or privacy protection?
- Are there any other domains registered with same registrant info?
- Does group use subdomains? If so, is there theme/pattern?
- What IP address is hosting domain?
- What other domains are being hosted on same IP address at same time as C&C domain? You may find additional attacker infrastructure.
- Have any of C&C domains been seen in use by other threat groups or malware?
- Is domain hosted on hosting server or on dedicated IP address?
Questions about C&C IP addresses
- Who owns or leases IP address?
- Where is IP address located?
- Are there any domains hosted on IP address?
- Has there been other malicious activity associated with infrastructure?
- If more than one IP address is used, are they related (e.g., same subnet lease owner, same ISP)?
Appendix B: Threat Profile Template Example
- Overview: Summarize group’s activity. Highlight important info about group. Include date of first activity and any names group is known by.
- Delivery: Detail attack vectors used by group. Describe any unique attributes used in delivery (e.g., theme to spear-phishing emails, persona group uses).
- Tools and Malware: Describe tools and malware group uses.
- Operations: Describe previous operations or campaigns attributed to group. Describe motivation behind attacks. Describe any unique attributes of campaigns (e.g., major change in TTPs or targeting).
- Targets: Explain primary targets (industries, organizations, individuals, or systems). Describe any relationships between targets (e.g., shared business lines, professional affiliations). Describe any specific geographical region attacker targets.
- Infrastructure: Document themes in C&C domain names used, patterns in infrastructure used, preferences in ISPs or registrars.
- Exploits: If attacker has access to zero-day exploits, document when they were first used and vulnerabilities exploited. If they don’t use zero-days, describe exploits they use.
- Attribution Theory: Document attribution theory. Provide high-level details about strong attribution points found during investigation.