One of the most important objectives during a large-scale breach investigation is determining the scope and extent of threat actor activity in the compromised environment. Understanding how the actor progressed through the cyberattack lifecycle and establishing a timeline of their activity is fundamental to achieving this objective. This approach is also indispensable in communicating investigative findings to stakeholders, including senior management and legal professionals.
In this blog post, I discuss the importance of mapping investigative findings to the MITRE ATT&CK framework and conducting a timeline analysis to answer vital investigative questions.
Analysis is the crux of incident response. The purpose of analysis is to examine available forensic artifacts and contextual information to determine threat actor activity in the compromised environment.
As part of the analysis process, incident response professionals generate a hypothesis based on investigative leads to provide a direction for the investigation. Rarely is a malware alert or evidence of command and control (C2) communication an isolated event. Threat actors often progress through earlier phases of the cyberattack lifecycle, including initial access and privilege escalation, before their activity triggers an alert. For this reason, establishing a hypothesis is critical to ensuring that an investigation does not miss critical findings. Mapping evidence of attacker activity to a cyberattack framework, such as MITRE ATT&CK, can help establish and refine the hypothesis.
Incident response professionals can map two types of information to the MITRE ATT&CK framework: Indicators of Compromise (IoCs) and behavioral characteristics.
IoCs and TTPs
An IoC is a forensic artifact indicative of threat actor activity. Analysts often derive IoCs through forensic analysis of compromised systems and threat intelligence enrichment. IoCs include hashes, IP addresses, domain names, and program execution metadata. For example, a malware binary hash and C2 IP address are common IoCs that incident responders can map to tactics and techniques within MITRE ATT&CK.
In contrast, behavioral characteristics are higher-order information referring to the tactics, techniques, and procedures (TTPs) that represent how a threat actor operates to progress through the cyberattack lifecycle. Behavioral characteristics are useful in developing contextual information associated with threat groups. For example, a specific Advanced Persistent Threat (APT) actor may exploit vulnerable Apache web servers and place a particular web shell on those web servers for remote access.
IoCs and TTPs are fundamental to the lifecycle and timeline analysis described in the next two sections.
In many cases, threat actors operate predictably, and the threat intelligence community has created models that describe the operations of threat actors, including cybercrime gangs and APT actors.
A cyberattack lifecycle is a sequence of steps that threat actors move through to attain their goals. The MITRE ATT&CK framework has become the de facto lifecycle used for developing threat models and analysis methodologies. The Enterprise version of the framework includes fourteen tactics that represent different phases of the attack lifecycle. Each of these tactics contains numerous techniques threat actors leverage to operate in a compromised environment.
In the context of incident investigations, understanding the MITRE ATT&CK framework is essential for the following reasons:
Mapping evidence of attacker activity to the tactics allows incident response professionals to determine how far the threat actor progressed through the lifecycle and paint a holistic picture of an attack.
Determining gaps in findings based on the mapping allows analysts to work backward by collecting and analyzing additional data to answer any outstanding questions.
Breaking one of the stages by containing an incident and eradicating the threat from the compromised environment prevents attackers from attaining their goals.
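The mapping of IoCs and TTPs to ATT&CK described above, and the lifecycle questions that follow from it (how far the actor progressed, and where the findings have gaps that call for further collection), can be made concrete in a small piece of analyst tooling. The following is an added example, not code from the post: tactic names and technique IDs are real ATT&CK Enterprise identifiers, while the findings, host names, and IP addresses are constructed sample data.

```python
"""ATT&CK lifecycle coverage and gap analysis over incident findings.

Added example, not code from the post. Tactic names and technique IDs are
real ATT&CK Enterprise identifiers; findings, hosts and IPs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# The fourteen Enterprise tactics, in cyberattack-lifecycle order.
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str        # "ioc" (hash, IP, domain, execution metadata) or "ttp" (behaviour)
    evidence: str    # the artifact or observed behaviour
    tactic: str      # ATT&CK tactic the evidence maps to
    technique: str   # ATT&CK technique or sub-technique ID


def stage(tactic: str) -> int:
    """Position of a tactic in the lifecycle; raises ValueError on unknown names."""
    return ENTERPRISE_TACTICS.index(tactic)


def coverage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by tactic, keeping only covered tactics in lifecycle order."""
    by_tactic: Dict[str, List[Finding]] = {t: [] for t in ENTERPRISE_TACTICS}
    for f in findings:
        by_tactic[f.tactic].append(f)
    return {t: fs for t, fs in by_tactic.items() if fs}


def furthest_stage(findings: List[Finding]) -> str:
    """How far along the lifecycle the actor is known to have progressed."""
    return max((f.tactic for f in findings), key=stage)


def gaps(findings: List[Finding]) -> List[str]:
    """Tactics with no evidence between the earliest and furthest observed
    stages: these are the outstanding questions to work backward from."""
    covered = coverage(findings)
    first, last = min(map(stage, covered)), max(map(stage, covered))
    return [t for t in ENTERPRISE_TACTICS[first:last + 1] if t not in covered]


def hosts_reached(findings: List[Finding]) -> Dict[str, str]:
    """Furthest tactic observed per host, to scope which systems need deeper collection."""
    out: Dict[str, str] = {}
    for f in findings:
        if f.host not in out or stage(f.tactic) > stage(out[f.host]):
            out[f.host] = f.tactic
    return out


# Constructed findings from a hypothetical web-server compromise.
SAMPLE_FINDINGS = [
    Finding("web01", "ioc", "Apache log: POST from 203.0.113.5 to /uploads/cmd.jsp",
            "Initial Access", "T1190"),
    Finding("web01", "ttp", "JSP web shell written to the upload directory",
            "Persistence", "T1505.003"),
    Finding("web01", "ioc", "SHA-256 <placeholder> of stager executed by the web server",
            "Execution", "T1059"),
    Finding("web01", "ioc", "Periodic HTTPS beacons to 198.51.100.7",
            "Command and Control", "T1071.001"),
    Finding("dc01", "ttp", "Handle opened on lsass.exe memory by an unsigned binary",
            "Credential Access", "T1003.001"),
    Finding("fs01", "ttp", "ADMIN$ share logon from web01 as svc_backup",
            "Lateral Movement", "T1021.002"),
]

if __name__ == "__main__":
    print("Furthest stage:", furthest_stage(SAMPLE_FINDINGS))
    print("Gaps to investigate:", ", ".join(gaps(SAMPLE_FINDINGS)))
    for host, tactic in hosts_reached(SAMPLE_FINDINGS).items():
        print(f"  {host}: reached {tactic}")
```

The gap list is the direct input to the "work backward" step: an actor seen at Command and Control with no Defense Evasion or Discovery findings has almost certainly done both, so those tactics name the artifacts (process execution, command history, enumeration events) still worth collecting.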
A lifecycle analysis focuses on the bigger picture, but it is not enough on its own. The next section focuses on timeline analysis and its importance in reconstructing threat actor activity.
Operating systems create many artifacts that have temporal characteristics, including filesystem activity, event logs, application logs, network connection logs, and registry entries. Timeline analysis is a forensic technique in which analysts arrange the relevant events from these artifacts in chronological order to reconstruct what happened on the examined systems. It allows analysts to answer questions about which events occurred before and after a given event, such as a malware infection, and to gain valuable insight into attacker activity.
Timeline analysis is a particularly powerful tool during large-scale investigations. To arrive at a timeline of attacker activity during an incident, incident responders typically create timelines for individual compromised systems and combine them into a single master timeline consisting of significant events. This information is invaluable for reporting and reconstructing the picture of an attack. In my personal experience, a timeline with a narrative in business security language is particularly useful for reporting and communicating investigative findings to senior management.
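The per-system timelines and the master timeline described above look like this in practice. The following is an added example, not code from the post: it normalizes three artifact formats (a Windows event log export in host-local time, an Apache access log, and a filesystem listing) to UTC, merges them into one master timeline, and answers the "what happened around this event" question. All log lines, hosts, paths, IP addresses and the assumed UTC-5 offset for dc01 are constructed.

```python
"""Building a master timeline from per-host artifacts.

Added example, not code from the post. Log lines, hosts, paths, IPs and
the dc01 timezone offset are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone, tzinfo
from typing import List


@dataclass(order=True)
class Event:
    ts: datetime                               # timezone-aware, normalised to UTC
    host: str
    source: str = field(compare=False)
    description: str = field(compare=False)


# dc01 exported its Security log in local time; the acquisition notes
# recorded the host offset as UTC-5 (constructed assumption).
DC01_TZ = timezone(timedelta(hours=-5))


def parse_windows_event(line: str, host: str, host_tz: tzinfo) -> Event:
    """'YYYY-MM-DD HH:MM:SS|EventID|message' stamped in host-local time."""
    stamp, event_id, message = line.split("|", 2)
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=host_tz)
    return Event(local.astimezone(timezone.utc), host, "evtx",
                 f"EventID {event_id}: {message}")


def parse_apache(line: str, host: str) -> Event:
    """Common Log Format; the bracketed timestamp carries its own UTC offset."""
    stamp = line[line.index("[") + 1:line.index("]")]
    request = line.split('"')[1]
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(ts, host, "apache", f"{line.split()[0]} {request}")


def parse_fs(line: str, host: str) -> Event:
    """'ISO-8601 UTC|path|action' from a filesystem timestamp listing."""
    stamp, path, action = line.split("|")
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return Event(ts, host, "fs", f"{action} {path}")


def build_master_timeline(events: List[Event]) -> List[Event]:
    """Merge per-host events into one chronologically ordered master timeline."""
    return sorted(events)


def events_around(timeline: List[Event], pivot: Event,
                  before: timedelta, after: timedelta) -> List[Event]:
    """Events in a window around a pivot event (e.g. the web shell creation)."""
    lo, hi = pivot.ts - before, pivot.ts + after
    return [e for e in timeline if lo <= e.ts <= hi]


def narrative(timeline: List[Event]) -> List[str]:
    """One reporting line per event, all in UTC."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}Z {e.host:<6} {e.source:<6} {e.description}"
            for e in timeline]


# Constructed per-host artifacts.
WEB01_APACHE = [
    '203.0.113.5 - - [04/Mar/2024:08:53:40 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [04/Mar/2024:08:55:01 +0000] "POST /uploads/cmd.jsp HTTP/1.1" 200 512',
]
WEB01_FS = ["2024-03-04T08:54:50Z|/var/www/html/uploads/cmd.jsp|created"]
DC01_EVTX = [
    "2024-03-04 04:10:22|4624|Logon type 3 from 10.0.0.21 as svc_backup",
    "2024-03-04 04:12:05|4688|New process C:\\Windows\\Temp\\dump.exe",
]


def sample_timeline() -> List[Event]:
    events = [parse_apache(l, "web01") for l in WEB01_APACHE]
    events += [parse_fs(l, "web01") for l in WEB01_FS]
    events += [parse_windows_event(l, "dc01", DC01_TZ) for l in DC01_EVTX]
    return build_master_timeline(events)


if __name__ == "__main__":
    tl = sample_timeline()
    pivot = next(e for e in tl if e.source == "fs" and "cmd.jsp" in e.description)
    window = events_around(tl, pivot, timedelta(minutes=1), timedelta(minutes=20))
    print("\n".join(narrative(window)))
```

The timezone normalization is the step that most often goes wrong in practice: without it, dc01's 04:10 logon would sort before web01's 08:53 request and the master timeline would invert cause and effect.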
Mapping investigative findings to the MITRE ATT&CK framework and conducting a timeline analysis are critical activities when conducting an incident investigation. They allow incident response professionals to understand how the actor progressed through the cyberattack lifecycle, determine gaps in investigative findings, and establish a detailed timeline of events during the attack. They are also indispensable in communicating investigative findings to cybersecurity managers, senior management, and legal professionals because they allow incident response professionals to visualize the progression of a cyberattack and its extent.