CTI Driven Investigation (Phishing Deadend)

Cyber Threat Intelligence (CTI) can be used not only for prevention and remediation, it can also guide an investigation. Understanding the attackers tactics and techniques can guide the investigation. Ten years ago I was investigating an APT that had access to the enterprise for an extended period of time, but was unable to ascertain the exact date of initial compromise. It wasn’t until investigating one of the Security Engineers that I found a phishing email that was part of the investigation several years earlier. Through threat intelligence I was able to attribute the APT actions to that phishing email. 

What does this mean to threat intelligence and incident investigation? It was probably an avoidable situation, but how? We can, by understanding not only what we have collected as part of the investigation, but also the context of the attack. We will use a basic phishing example, to explain this approach.

Phishing attacks are part of the Initial Access tactic. Confirmation that initial access activities were successful of that activity cannot be limited to just a quick alert validation from the endpoint. The investigation needs to include the scoping of the incident across the enterprise, which should include: 1) search of all email boxes for the email, 2) identification of the attachment on any endpoints or file stores, 3) any other associated communications from the source address. 

Pivoting from that Initial Access, the investigation should look for confirmation for tactics prior to and after the initial access. For instance, the investigation should include Reconnaissance activities such as network traffic from the domain or IPs, or other email traffic from the domain. 

The initial reaction to investigating a phishing email includes looking for Execution either as an endpoint alert or user action on the file or link included in the email. It is not always the case that the Execution would be caught because of control gaps or defense evasion measures. The investigation should also consider other readily available telemetry on tactics such as Defense Evasion (T1562), Discovery (File Discovery: T1083), and Credential Access (Unsecured Credentials: T1552). These can all be correlated in the SIEM or manually investigated by the SOC analysts. 

Being thorough in the investigation is critical, because in some cases gaps or incompleteness can lead to a compromise that lasts several years. Security operations analysts should be encouraged to correlate and contextualize to understand the lifecycle of the possible attack. In ideal scenarios, the planning and playbook development would work to not only collect information about a given event or alert, but also the context in the attack lifecycle using threat intelligence.