SlideShare una empresa de Scribd logo

Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations

Digital Shadows
Digital Shadows

On August 1, 2018, the US Department of Justice unsealed an indictment against three members of the international cybercrime group known as FIN7. We previously wrote about what FIN7 is, the implications of this indictment and some of the fascinating details of their campaigns, such as the use of a front company that was used to mask the criminal operations. As we did before with the GRU indictment, we wanted to maximize the lessons learned for defenders and therefore used the Mitre ATT&CK framework to replay the FIN7 indictment.

Tecnología
1 de 1
Descargar para leer sin conexión
0. Reconnaissance 4. Persistence 6. Credential Access 10. Exfiltration 9. Collection 8. Lateral Movement MITRE ATT&CK and the FIN7 Indictment Mitre ATT&CK Stage FIN7 Tactics, Techniques and Procedures Mitigation Advice • Awareness is required for which information about the organization and its employees is public, in particular, email and telephone contact details. • Certain job titles may be of more interest to attackers due to the responsibilities and access that specific employees may have. These employees may require dedicated training to educate them of the threats that they face as part of their job. • Social media searches can be used by attackers to uncover these employees but also public documents, such as SEC filings, can reveal these employees and their con- tact details. • Security teams need to understand attackers and their goals, as well as the business processes of their own organizations. • Organizations which operate inside a regulated environment may need to implement additional security controls (both technical and procedural/administrative) to verify communications with the regulator. • Public-facing employees may require dedicated tools to open potentially malicious attachments safely, such as sandboxes or cloud services. • Ensure that antivirus and other detection mechanisms are fully up-to-date with the latest signatures and heuristics is essential for increasing the likelihood that obfuscated payloads are detected and quarantined appropriately. • Organizations may wish to investigate the usage of EDR systems for advanced endpoint protection. • Microsoft’s AMSI can be used to capture obfuscated PowerShell scripts after they have been deobfuscated. • Script Block Logging for PowerShell can also be used to capture PowerShell scripts after they have been deobfuscated. • Microsoft have also released an optional patch update (KB3045645) that will remove the “auto-elevate” flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC. • Improving credential hygiene by using a password only once reduces the impact of credential theft. While the attacker can still access the system that they have captured the credentials for, lack of password reuse means that the damage is limited only to that affected system. • Blocking egress traffic that is not necessary for the organization’s requirements can assist with limiting an attacker’s options in terms of communicating outside of the organization. • Web proxies can provide granular controls for restricting egress traffic types and destinations. • DNS traffic can be used by attackers for moving data out of environments where other controls are present, as such, DNS traffic should be inspected for malicious activity • Sudden anomalies in the amount of storage used by particular machines could be an indication of unusual activity and may be worth investigating. • Application whitelisting can be used to prevent the execution of unauthorized code in an environment and can prevent the execution of certain types of malware. • Change the security descriptor of the Service Control Manager (SCM). • Lateral movement should be restricted as much as possible via restricting workstation-to-workstation communication (via firewalling or even private VLANs) • Principle of least privilege to ensure that only the necessary personnel have the administration privileges required for certain actions. • The ACSC (Australian Cyber Security Centre) recommend disabling macros as part of their Essential Eight approach for securing organizations. When disabling macros it is important to consider the business processes and legiti- mate business requirements for macros and how to miti- gate the risk incurred by them. • OLE package activation can also be disabled where possible. • LNK files can be blocked by email filtering gateways to prevent the files from reaching targeted users. • Windows Script Host (WSH) can be disabled if possible or restricted where not to mitigate its risks. Spearphishing attachment 1. Initial Access 2. Execution User execution Application Shimming Obfuscated Files or Information Input Capture Data Compressed, Data Encrypted, Exfiltration Over Other Network Medium Data Compressed, Data Encrypted, Exfiltration Over Other Network Medium Remote Services 5. Defense Evasion People Information Gathering, Organizational Information Gathering, Organizational Weakness Identification, People Weakness Identification

Recomendados

Threat model of a remote worker | Infographic
Threat model of a remote worker | InfographicThreat model of a remote worker | Infographic
Threat model of a remote worker | Infographic
Digital Shadows
 
Inadvertant Data Breaches
Inadvertant Data BreachesInadvertant Data Breaches
Inadvertant Data Breaches
Digital Shadows
 
Digital Shadows and the NIST Cyber Security Framework
Digital Shadows and the NIST Cyber Security FrameworkDigital Shadows and the NIST Cyber Security Framework
Digital Shadows and the NIST Cyber Security Framework
Digital Shadows
 
WTF is Digital Risk Protection
WTF is Digital Risk ProtectionWTF is Digital Risk Protection
WTF is Digital Risk Protection
Digital Shadows
 
Digital Shadows SearchLight™ Overview
Digital Shadows SearchLight™ OverviewDigital Shadows SearchLight™ Overview
Digital Shadows SearchLight™ Overview
Digital Shadows
 
Data Loss Detection
Data Loss DetectionData Loss Detection
Data Loss Detection
Digital Shadows
 
Detecting Spoof Domains
Detecting Spoof DomainsDetecting Spoof Domains
Detecting Spoof Domains
Digital Shadows
 
Digital Shadows Shadow Search
Digital Shadows Shadow SearchDigital Shadows Shadow Search
Digital Shadows Shadow Search
Digital Shadows
 

Recomendados

Threat model of a remote worker | Infographic
Threat model of a remote worker | InfographicThreat model of a remote worker | Infographic
Threat model of a remote worker | Infographic
Digital Shadows
 
Inadvertant Data Breaches
Inadvertant Data BreachesInadvertant Data Breaches
Inadvertant Data Breaches
Digital Shadows
 
Digital Shadows and the NIST Cyber Security Framework
Digital Shadows and the NIST Cyber Security FrameworkDigital Shadows and the NIST Cyber Security Framework
Digital Shadows and the NIST Cyber Security Framework
Digital Shadows
 
WTF is Digital Risk Protection
WTF is Digital Risk ProtectionWTF is Digital Risk Protection
WTF is Digital Risk Protection
Digital Shadows
 
Digital Shadows SearchLight™ Overview
Digital Shadows SearchLight™ OverviewDigital Shadows SearchLight™ Overview
Digital Shadows SearchLight™ Overview
Digital Shadows
 
Data Loss Detection
Data Loss DetectionData Loss Detection
Data Loss Detection
Digital Shadows
 
Detecting Spoof Domains
Detecting Spoof DomainsDetecting Spoof Domains
Detecting Spoof Domains
Digital Shadows
 
Digital Shadows Shadow Search
Digital Shadows Shadow SearchDigital Shadows Shadow Search
Digital Shadows Shadow Search
Digital Shadows
 
Mapping the ASD Essential 8 to the Mitre ATTACK™ framework
Mapping the ASD Essential 8 to the Mitre ATTACK™ frameworkMapping the ASD Essential 8 to the Mitre ATTACK™ framework
Mapping the ASD Essential 8 to the Mitre ATTACK™ framework
Digital Shadows
 
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for OrganizationsMitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Digital Shadows
 
MITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB IndictmentMITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB Indictment
Digital Shadows
 
Mitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerMitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed Programmer
Digital Shadows
 
Digital Shadows and Demisto Enterprise Integration Datasheet
Digital Shadows and Demisto Enterprise Integration DatasheetDigital Shadows and Demisto Enterprise Integration Datasheet
Digital Shadows and Demisto Enterprise Integration Datasheet
Digital Shadows
 
Digital Shadows and Palo Alto Networks Integration Datasheet
Digital Shadows and Palo Alto Networks Integration DatasheetDigital Shadows and Palo Alto Networks Integration Datasheet
Digital Shadows and Palo Alto Networks Integration Datasheet
Digital Shadows
 
Data Sources - Digital Shadows
Data Sources - Digital ShadowsData Sources - Digital Shadows
Data Sources - Digital Shadows
Digital Shadows
 
Energy and Utilities Firm Increases Productivity by Reducing False Positives
Energy and Utilities Firm Increases Productivity by Reducing False PositivesEnergy and Utilities Firm Increases Productivity by Reducing False Positives
Energy and Utilities Firm Increases Productivity by Reducing False Positives
Digital Shadows
 
Digital Shadows Client Feedback
Digital Shadows Client FeedbackDigital Shadows Client Feedback
Digital Shadows Client Feedback
Digital Shadows
 
Managed Takedown Service - Digital Shadows
Managed Takedown Service - Digital ShadowsManaged Takedown Service - Digital Shadows
Managed Takedown Service - Digital Shadows
Digital Shadows
 
Source Code and Admin Password Shared on Public Site by Developer
Source Code and Admin Password Shared on Public Site by DeveloperSource Code and Admin Password Shared on Public Site by Developer
Source Code and Admin Password Shared on Public Site by Developer
Digital Shadows
 
Phishing Site Detected and Taken Down
Phishing Site Detected and Taken Down Phishing Site Detected and Taken Down
Phishing Site Detected and Taken Down
Digital Shadows
 
Mobile Application Detected Impersonating Company Brand
Mobile Application Detected Impersonating Company BrandMobile Application Detected Impersonating Company Brand
Mobile Application Detected Impersonating Company Brand
Digital Shadows
 
Ecommerce Retailer Uncovers Coupon Fraud Scheme
Ecommerce Retailer Uncovers Coupon Fraud SchemeEcommerce Retailer Uncovers Coupon Fraud Scheme
Ecommerce Retailer Uncovers Coupon Fraud Scheme
Digital Shadows
 
Digital Shadows Helps Large Retailer Navigate Extortion Attempt
Digital Shadows Helps Large Retailer Navigate Extortion AttemptDigital Shadows Helps Large Retailer Navigate Extortion Attempt
Digital Shadows Helps Large Retailer Navigate Extortion Attempt
Digital Shadows
 
Contractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive DataContractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive Data
Digital Shadows
 
Configuration File of Trojan Targets Organization
Configuration File of Trojan Targets OrganizationConfiguration File of Trojan Targets Organization
Configuration File of Trojan Targets Organization
Digital Shadows
 
Company Named on Target List for Hacktivist Campaign
Company Named on Target List for Hacktivist CampaignCompany Named on Target List for Hacktivist Campaign
Company Named on Target List for Hacktivist Campaign
Digital Shadows
 
Inglorious Threat Intelligence by Rick Holland
Inglorious Threat Intelligence by Rick HollandInglorious Threat Intelligence by Rick Holland
Inglorious Threat Intelligence by Rick Holland
Digital Shadows
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
sudhanshuwaghmare1
 

Más contenido relacionado

Más de Digital Shadows

Más de Digital Shadows (19)

Mapping the ASD Essential 8 to the Mitre ATTACK™ framework
Mapping the ASD Essential 8 to the Mitre ATTACK™ frameworkMapping the ASD Essential 8 to the Mitre ATTACK™ framework
Mapping the ASD Essential 8 to the Mitre ATTACK™ framework
 
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for OrganizationsMitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
Mitre ATT&CK and the Mueller GRU Indictment: Lessons for Organizations
 
MITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB IndictmentMITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB Indictment
 
Mitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerMitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed Programmer
 
Digital Shadows and Demisto Enterprise Integration Datasheet
Digital Shadows and Demisto Enterprise Integration DatasheetDigital Shadows and Demisto Enterprise Integration Datasheet
Digital Shadows and Demisto Enterprise Integration Datasheet
 
Digital Shadows and Palo Alto Networks Integration Datasheet
Digital Shadows and Palo Alto Networks Integration DatasheetDigital Shadows and Palo Alto Networks Integration Datasheet
Digital Shadows and Palo Alto Networks Integration Datasheet
 
Data Sources - Digital Shadows
Data Sources - Digital ShadowsData Sources - Digital Shadows
Data Sources - Digital Shadows
 
Energy and Utilities Firm Increases Productivity by Reducing False Positives
Energy and Utilities Firm Increases Productivity by Reducing False PositivesEnergy and Utilities Firm Increases Productivity by Reducing False Positives
Energy and Utilities Firm Increases Productivity by Reducing False Positives
 
Digital Shadows Client Feedback
Digital Shadows Client FeedbackDigital Shadows Client Feedback
Digital Shadows Client Feedback
 
Managed Takedown Service - Digital Shadows
Managed Takedown Service - Digital ShadowsManaged Takedown Service - Digital Shadows
Managed Takedown Service - Digital Shadows
 
Source Code and Admin Password Shared on Public Site by Developer
Source Code and Admin Password Shared on Public Site by DeveloperSource Code and Admin Password Shared on Public Site by Developer
Source Code and Admin Password Shared on Public Site by Developer
 
Phishing Site Detected and Taken Down
Phishing Site Detected and Taken Down Phishing Site Detected and Taken Down
Phishing Site Detected and Taken Down
 
Mobile Application Detected Impersonating Company Brand
Mobile Application Detected Impersonating Company BrandMobile Application Detected Impersonating Company Brand
Mobile Application Detected Impersonating Company Brand
 
Ecommerce Retailer Uncovers Coupon Fraud Scheme
Ecommerce Retailer Uncovers Coupon Fraud SchemeEcommerce Retailer Uncovers Coupon Fraud Scheme
Ecommerce Retailer Uncovers Coupon Fraud Scheme
 
Digital Shadows Helps Large Retailer Navigate Extortion Attempt
Digital Shadows Helps Large Retailer Navigate Extortion AttemptDigital Shadows Helps Large Retailer Navigate Extortion Attempt
Digital Shadows Helps Large Retailer Navigate Extortion Attempt
 
Contractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive DataContractor Exposed Manufacturer's Sensitive Data
Contractor Exposed Manufacturer's Sensitive Data
 
Configuration File of Trojan Targets Organization
Configuration File of Trojan Targets OrganizationConfiguration File of Trojan Targets Organization
Configuration File of Trojan Targets Organization
 
Company Named on Target List for Hacktivist Campaign
Company Named on Target List for Hacktivist CampaignCompany Named on Target List for Hacktivist Campaign
Company Named on Target List for Hacktivist Campaign
 
Inglorious Threat Intelligence by Rick Holland
Inglorious Threat Intelligence by Rick HollandInglorious Threat Intelligence by Rick Holland
Inglorious Threat Intelligence by Rick Holland
 

Último

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Último (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations

  • 1. 0. Reconnaissance 4. Persistence 6. Credential Access 10. Exfiltration 9. Collection 8. Lateral Movement MITRE ATT&CK and the FIN7 Indictment Mitre ATT&CK Stage FIN7 Tactics, Techniques and Procedures Mitigation Advice • Awareness is required for which information about the organization and its employees is public, in particular, email and telephone contact details. • Certain job titles may be of more interest to attackers due to the responsibilities and access that specific employees may have. These employees may require dedicated training to educate them of the threats that they face as part of their job. • Social media searches can be used by attackers to uncover these employees but also public documents, such as SEC filings, can reveal these employees and their con- tact details. • Security teams need to understand attackers and their goals, as well as the business processes of their own organizations. • Organizations which operate inside a regulated environment may need to implement additional security controls (both technical and procedural/administrative) to verify communications with the regulator. • Public-facing employees may require dedicated tools to open potentially malicious attachments safely, such as sandboxes or cloud services. • Ensure that antivirus and other detection mechanisms are fully up-to-date with the latest signatures and heuristics is essential for increasing the likelihood that obfuscated payloads are detected and quarantined appropriately. • Organizations may wish to investigate the usage of EDR systems for advanced endpoint protection. • Microsoft’s AMSI can be used to capture obfuscated PowerShell scripts after they have been deobfuscated. • Script Block Logging for PowerShell can also be used to capture PowerShell scripts after they have been deobfuscated. • Microsoft have also released an optional patch update (KB3045645) that will remove the “auto-elevate” flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC. • Improving credential hygiene by using a password only once reduces the impact of credential theft. While the attacker can still access the system that they have captured the credentials for, lack of password reuse means that the damage is limited only to that affected system. • Blocking egress traffic that is not necessary for the organization’s requirements can assist with limiting an attacker’s options in terms of communicating outside of the organization. • Web proxies can provide granular controls for restricting egress traffic types and destinations. • DNS traffic can be used by attackers for moving data out of environments where other controls are present, as such, DNS traffic should be inspected for malicious activity • Sudden anomalies in the amount of storage used by particular machines could be an indication of unusual activity and may be worth investigating. • Application whitelisting can be used to prevent the execution of unauthorized code in an environment and can prevent the execution of certain types of malware. • Change the security descriptor of the Service Control Manager (SCM). • Lateral movement should be restricted as much as possible via restricting workstation-to-workstation communication (via firewalling or even private VLANs) • Principle of least privilege to ensure that only the necessary personnel have the administration privileges required for certain actions. • The ACSC (Australian Cyber Security Centre) recommend disabling macros as part of their Essential Eight approach for securing organizations. When disabling macros it is important to consider the business processes and legiti- mate business requirements for macros and how to miti- gate the risk incurred by them. • OLE package activation can also be disabled where possible. • LNK files can be blocked by email filtering gateways to prevent the files from reaching targeted users. • Windows Script Host (WSH) can be disabled if possible or restricted where not to mitigate its risks. Spearphishing attachment 1. Initial Access 2. Execution User execution Application Shimming Obfuscated Files or Information Input Capture Data Compressed, Data Encrypted, Exfiltration Over Other Network Medium Data Compressed, Data Encrypted, Exfiltration Over Other Network Medium Remote Services 5. Defense Evasion People Information Gathering, Organizational Information Gathering, Organizational Weakness Identification, People Weakness Identification