Cyber attacks are no longer the domain of petty criminals. Today, companies find themselves targeted by sophisticated nation-state attackers armed with the resources to craft scarily effective campaigns. This book is a detailed guide to understanding the major players in these cyber wars, the techniques they use, and the process of analyzing their advanced attacks. Whether you’re an individual researcher or part of a team within a Security Operations Center (SOC), you’ll learn to approach, track, and attribute attacks to these advanced actors.

The first part of the book is an overview of actual cyber attacks conducted by nation-state actors and other advanced organizations. It explores the geopolitical context in which the attacks took place, the patterns found in the attackers’ techniques, and the supporting evidence analysts used to attribute such attacks. Dive into the mechanisms of:

• North Korea’s series of cyber attacks against financial institutions, which resulted in billions of dollars stolen
• The world of targeted ransomware attacks, which have leveraged nation-state tactics to cripple entire corporate enterprises with ransomware
• Recent cyber attacks aimed at disrupting or influencing national elections globally

The book’s second part walks through how defenders can track and attribute future attacks. You’ll be provided with the tools, methods, and analytical guidance required to dissect and research each stage of an attack campaign. Here, Jon DiMaggio demonstrates some of the real techniques he has employed to uncover crucial information about the 2021 Colonial Pipeline attacks, among many other advanced threats. He now offers his experience to train the next generation of expert analysts.

Table of Contents

  1. Title Page
  2. Copyright
  3. About the Author
  5. Introduction
    1. Who Should Read This Book?
    2. How This Book Is Organized
  6. Part I: An Advanced Cyber-Threat Landscape
    1. Chapter 1: Nation-State Attacks
    2. China
    3. Titan Rain
    4. Hidden Lynx Espionage Campaigns
    5. Mandiant’s APT1 Report
    6. The U.S. and China Cease-Fire of 2015
    7. Russia
    8. Moonlight Maze
    9. The Estonia Conflict
    10. The Georgia Conflict
    11. Buckshot Yankee
    12. Red October
    13. Iran
    14. The Early Years
    15. The 2011 Gmail Breach
    16. Shamoon
    17. United States
    18. Crypto AG
    19. Stuxnet
    20. Equation Group
    21. Regin
    22. North Korea
    23. Unit 121
    24. Cyberattacks
    25. Conclusion
    26. Chapter 2: State-Sponsored Financial Attacks
    27. Distributed DoS Attacks Against Financial Institutions
    28. The Dozer Attack
    29. Ten Days of Rain
    30. IRGC Targets U.S. Banks (2011–2013)
    31. DarkSeoul
    32. Russian Attacks Against Ukraine
    33. Billion-Dollar Robberies
    34. SWIFT Attacks
    35. The North Korea Financial Theft Model
    36. Bank of Bangladesh Response
    37. FASTCash: A Global ATM Robbery
    38. Odinaff: How Cybercriminals Learn from Nation-States
    39. Conclusion
    40. Chapter 3: Human-Driven Ransomware
    41. GoGalocker
    42. SamSam
    43. Ryuk
    44. MegaCortex
    45. EvilCorp
    46. BitPaymer
    47. Indictment
    48. WastedLocker
    49. Linking These Ransomware Attacks
    50. Ransomware as a Service
    51. The DarkSide Gas Pipeline Attack
    52. Defensive Measures
    53. Conclusion
    54. Chapter 4: Election Hacking
    55. The 2014 Ukraine Presidential Election
    56. The Ukrainian Election Attack Model
    57. Fake Personas
    58. Propaganda Campaign
    59. DDoS and Data Theft
    60. Manipulation and Public Release of Stolen Political Data
    61. Malware and Fraudulent Election Data
    62. The 2016 U.S. Presidential Election
    63. The 2017 French Presidential Election
    64. Conclusion
  7. Part II: Hunting and Analyzing Advanced Cyber Threats
    1. Chapter 5: Adversaries and Attribution
    2. Threat Group Classification
    3. Hacktivism
    4. Cybercrime
    5. Cyber Espionage
    6. Unknown
    7. Attribution
    8. Attribution Confidence
    9. The Attribution Process
    10. Identifying Tactics, Techniques, and Procedures
    11. Conducting Time-Zone Analysis
    12. Attribution Mistakes
    13. Don’t Identify Attacker Infrastructure Based on DDNS
    14. Don’t Assume Domains Hosted on the Same IP Address Belong to the Same Attacker
    15. Don’t Use Domains Registered by Brokers in Attribution
    16. Don’t Attribute Based on Publicly Available Hacktools
    17. Attribution Tips
    18. Building Threat Profiles
    19. Conclusion
    20. Chapter 6: Malware Distribution and Communication
    21. Detecting Spear Phishing
    22. Basic Address Information
    23. The X-Mailer Field
    24. The Message-ID
    25. Other Useful Fields
    26. Analyzing Malicious or Compromised Sites
    27. Detecting Covert Communications
    28. Shamoon’s Alternative Data Stream (ADS) Abuse
    29. Bachosens’s Protocol Misuse
    30. Analyzing Malware Code Reuse
    31. WannaCry
    32. The Elderwood Zero-Day Distribution Framework
    33. Conclusion
    34. Chapter 7: Open Source Threat Hunting
    35. Using OSINT Tools
    36. Protecting Yourself with OPSEC
    37. Legal Concerns
    38. Infrastructure Enumeration Tools
    39. Farsight DNSDB
    40. PassiveTotal
    41. DomainTools
    42. Whoisology
    43. DNSmap
    44. Malware Analysis Tools
    45. VirusTotal
    46. Hybrid Analysis
    47. Joe Sandbox
    48. Hatching Triage
    49. Cuckoo Sandbox
    50. Search Engines
    51. Crafting Queries
    52. Searching for Code Samples on NerdyData
    53. TweetDeck
    54. Browsing the Dark Web
    55. VPN Software
    56. Investigation Tracking
    57. ThreatNote
    58. MISP
    59. Analyst1
    60. DEVONthink
    61. Analyzing Network Communications with Wireshark
    62. Using Recon Frameworks
    63. Recon-ng
    64. TheHarvester
    65. SpiderFoot
    66. Maltego
    67. Conclusion
    68. Chapter 8: Analyzing a Real-World Threat
    69. The Background
    70. Email Analysis
    71. Header Analysis
    72. Email Body Analysis
    73. OSINT Research
    74. Lure Document Analysis
    75. Identifying the Command-and-Control Infrastructure
    76. Identifying Any Altered Files
    77. Analysis of Dropped Files
    78. Analysis of dw20.t
    79. Analysis of netidt.dll
    80. Signature Detection Clues
    81. Infrastructure Research
    82. Finding Additional Domains
    83. Passive DNS
    84. Visualizing Indicators of Compromise Relationships
    85. Findings
    86. Creating a Threat Profile
    87. Conclusion
  8. Appendix A: Threat Profile Questions
  9. Appendix B: Threat Profile Template Example
  10. Endnotes
  11. Index