Obviously if you have been hacked and have ransomware that is too late to know that you have been hacked:
I would like to discuss how we can find out if hackers are altering your files or are looking around in your network. There are several ways to explain what is happening when a criminal hacker is trying to attack your machines. Usually it starts with reconnaissance of your computers, online profile and other system methods.
The cybersecurity industry has created something called the Cyber Kill Chain which explains this phenomena(how does a criminal hacker attack you). CSOonline explains it a little… But Cyber Kill Chain was created by Lockheed Martin, a defense contractor with defense terminology.
Advanced (targeted) Persistent(month after month) Threat (person with intent, opportunity and capability)
The cybersecurity industry is obsessed with this Cyber Kill Chain – why? because the explanation is a good method of detailing the steps an attacker uses to find a way into your network.
If you think about it there must be a way for us to explain how an attacker attacks, so that we can look and find this attack.
I tried to use less technical terms with my SVAPE & C diagram using the Mandiant attack analysis of the Chinese hackers.
Scan Vulnerability Analysis – Penetrate Exploit and Control – i.e. SVAPE & C
The portion of criminal attack we want to dissect is the Penetrate and Exploit. In other words, recon has already been done, vulnerabilities analyzed, and reviewed.Or as in the Cyber Kill Chain, somewhere between delivery, exploitation, and installation.
Now the attacker is actually trying to take over the machine, by exploiting the system somehow.
What is it that we are looking for? If a system is being altered by a human being the event logs will also be altered. So keeping an eye on event logs is a good idea.
But if this attack is by an automated program (bot or virus or other malware) then the event logs will only be changed if the bot decides to do this, so likely the bot needs to send information back to the programmer at some point (information like cc numbers, health info, whatever data that you keep on your computer).
How do these criminal hackers attack your computers?
It turns out they use the same techniques as people in DEFCON 25 would (latest convention in Las Vegas). So you can browse through the media server to see what the presentations were.
I like the Leveraging-Powershell-Basics by Carlos Perez
In this presentation the theme is to run little known commands using Powershell which you have to be looking for when trying to find hackers in your network.
The Powershell commands can perform many things for the hackers, and to find out whether commands are run you must turn on advanced auditing enabled, some command line jiu-jitsu is also required. Hackerhurricane Blog discusses the commands and settings in Win7 and Windows 2008 and later.
So the key is to find what the hackers do and then try to detect these types of actions. But then there is another issue, including making sure there are people to modify the scripts to detect the criminal hackers.
Target had the methods(detection) but failed in personnel to act on the detection, because one has to find the real problem within the many false positives.
Most important there must be a will to defend and act.
Contact Us to review your plans, we can audit your defensive plans.
