APT DFIR & Threat Hunting
18th January, The Pavilion at Dubai World Trade Centre
14:00 - 16:30
NucleoEnergetix, a company engaged in nuclear science research and technology, received a report of anomalous activity on its infrastructure. A nation-state threat actor (APT Group X) is targeting the organization, leveraging advanced TTPs to infiltrate it. S-DART (Samurai Detection and Response Team), the incident response team formed by NucleoEnergetix, moves quickly to perform a Digital Forensics and Incident Response (DFIR) investigation of this security incident. As S-DART, you analyze the evidence and reconstruct what happened in the attack against NucleoEnergetix: the attackers have successfully exfiltrated data and are using their command and control (C2) server to control a victim machine inside the organization.
Objectives & Outcomes:
After completing this scenario, you will be able to:
- Understand the current TTPs (Tactics, Techniques and Procedures) commonly used by APT threat actor groups
- Understand beacon characteristics and the C2 tools used by APT threat actor groups
- Know where to look for evidence and artifacts
- Understand the log analysis process performed during a DFIR investigation
- Know what valuable information can be gathered from log files
- Understand an effective and efficient procedure for log analysis, and which clues and keywords to look for as signs of intrusion activity
- Learn about tools that can be leveraged for log analysis during an investigation
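The "beacon characteristic" objective above, together with the Zeek conn.log prerequisite, comes down to one measurable thing: a C2 implant checks in on a timer, so its connections to the C2 host show near-constant inter-arrival times and near-constant request sizes, unlike human-driven browsing. The script below is an added example written for this page (it is not part of the workshop materials) that scores flows in Zeek JSON conn.log records on exactly those two properties. The log lines, addresses (RFC 5737 test ranges) and timings are constructed for illustration, and the thresholds are assumptions to tune against your own baseline:

```python
"""Beacon-shape scoring over Zeek conn.log (JSON output) records.

Added example for this page; not part of the workshop materials.
The sample log lines below are constructed, not captured traffic.
"""
import json
import statistics
from collections import defaultdict

# Constructed conn.log lines. Flow 1: 10.0.0.5 -> 203.0.113.10:443 roughly every
# 60 s (+/- ~2 s jitter) with identical request sizes, the shape of a periodic
# beacon. Flow 2: irregular browsing from the same host to 198.51.100.7:443.
# A deliberately malformed line is included to show the parser skipping it.
_BEACON_JITTER = [0.0, 1.2, -0.8, 2.1, 0.4, -1.5, 0.9, 1.7, -0.3, 0.6]
_BROWSING = [(3.0, 900, 48210), (7.5, 1420, 120044), (95.0, 610, 9000),
             (96.2, 2300, 310000), (410.0, 700, 15000), (1900.0, 1200, 72000)]
SAMPLE_CONN_LOG = "\n".join(
    json.dumps({"ts": 1700000000.0 + i * 60.0 + j, "id.orig_h": "10.0.0.5",
                "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp",
                "orig_bytes": 1412, "resp_bytes": 530, "conn_state": "SF"})
    for i, j in enumerate(_BEACON_JITTER)
) + "\nthis line is not json\n" + "\n".join(
    json.dumps({"ts": 1700000000.0 + t, "id.orig_h": "10.0.0.5",
                "id.resp_h": "198.51.100.7", "id.resp_p": 443, "proto": "tcp",
                "orig_bytes": b, "resp_bytes": r, "conn_state": "SF"})
    for t, b, r in _BROWSING
)


def parse_conn_log(text):
    """Parse Zeek JSON conn.log lines, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole hunt
    return records


def beacon_candidates(records, min_conns=6, max_jitter=0.25, max_size_cv=0.2):
    """Return (src, dst, port) flows whose timing and sizes look beacon-like.

    jitter  = MAD(intervals) / median(interval); 0 means a perfect metronome.
    size_cv = pstdev(orig_bytes) / mean(orig_bytes); 0 means identical requests.
    Thresholds are illustrative assumptions, not tuned values.
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r)

    hits = []
    for (src, dst, port), conns in flows.items():
        if len(conns) < min_conns:
            continue  # too few check-ins to judge periodicity
        conns.sort(key=lambda r: r["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(conns, conns[1:])]
        median = statistics.median(intervals)
        if median <= 0:
            continue
        mad = statistics.median(abs(x - median) for x in intervals)
        jitter = mad / median
        sizes = [r.get("orig_bytes") or 0 for r in conns]
        mean_size = statistics.fmean(sizes)
        size_cv = statistics.pstdev(sizes) / mean_size if mean_size else 1.0
        if jitter <= max_jitter and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(conns),
                         "median_interval_s": round(median, 1),
                         "jitter": round(jitter, 3), "size_cv": round(size_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print(hit)
```

On the sample data only the 203.0.113.10:443 flow is reported (10 connections, median interval about 60 s, low jitter, zero size variance); the browsing flow fails both tests. The median absolute deviation is used instead of a plain min/max spread so that a single delayed check-in (a laptop going to sleep, for example) does not hide an otherwise regular beacon. In a real hunt you would run this over the conn.log exported from the Elastic stack and then pivot on the surviving destination into dns.log, ssl.log and the host's Sysmon events to identify the process that owns the connection.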
Prerequisites
To get the full benefit from this scenario, it is suggested that you have competence in the following areas:
- The central log management system used in this environment is the Elastic Stack. Some knowledge of crafting Kibana filters is useful but not required.
- Basic understanding of Network Traffic Analysis
- Basic understanding of Zeek Logs
- Basic understanding of the various Windows event logs (Sysmon, PowerShell, etc.)
- Basic understanding of DFIR tools and DFIR evidence
- Participants should bring their own device (laptop) for active participation
Recommended Reading
It is suggested that you consult these recommended reading resources and pre-existing scenarios:
https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
https://medium.com/mii-cybersec/log-analysis-for-digital-forensic-investigation-e4a00f5a5c09
https://medium.com/@lucideus/event-log-analysis-part-2-windows-forensics-manual-2018-75710851e323
https://www.andreafortuna.org/2017/10/20/windows-event-logs-in-forensic-analysis/
https://medium.com/mii-cybersec/malicious-powershell-deobfuscation-using-cyberchef-dfb9faff29f
https://github.com/mytechnotalent/Zeek-Network-Security-Monitor
Led By:
Ahmed ElRaghy
Senior Advisor – Regional Office ITU, Egypt
Marwan Ben Rached
Cyber Security Co-ordinator ITU, Switzerland