Chapter 6

Investigation

Knowledge itself is power.

—Sir Francis Bacon

Learning Objectives

  • Understand the purpose of investigating a cyber extortion attack

  • Gain strategies for identifying an adversary and using this knowledge to inform the response

  • Articulate techniques for scoping an attack, including identifying indicators of compromise, tracking down “patient zero,” and developing a timeline

  • Understand how and why to preserve evidence in cyber extortion cases

  • Learn the fundamentals of data breach investigations and how they relate to cyber extortion attacks

As soon as a cyber extortion attack is discovered, the investigation begins—at least informally, if not formally. Investigation refers to the process of systematically uncovering facts about the cyber extortion attack to inform response processes, reduce risk, and meet obligations. The results of an investigation can help the victim:

  • Determine the root cause of the compromise or intrusion

  • Ensure that the threat is fully eradicated

  • Effectively contain damage and reduce risk to affected stakeholders

  • Correct security weaknesses and minimize risk of a reoccurrence

  • Fulfill ethical, regulatory, contractual, and legal obligations (e.g., data breach risk assessments and notifications)

Investigation is an iterative process that runs throughout the course of the response process. In a cyber extortion attack, three major types of investigative actions are typically used to support the response:

  • Adversary research: Assessing the threat actor’s communications and attack patterns to identify any association with known groups. This, in turn, can help responders understand the risk of data exfiltration, craft an effective negotiation strategy, and inform the response process.

  • Scoping: Gaining a complete picture of the adversary’s activities, including which systems were accessed, how the adversary entered and moved through the technology environment, which data might have been compromised, and more. Understanding the full scope of the compromise is critical for addressing security vulnerabilities and completing a breach investigation.

  • Breach investigation: A formal inquiry used to determine the risk that data was improperly accessed or acquired. The definition of a “breach” varies from state to state, and from country to country. A qualified breach attorney should determine which laws and regulations apply, how the investigation should be conducted, and whether any follow-on actions need to be taken.

In the following sections, we discuss each of these investigative techniques, and provide tips for leveraging their results effectively. Throughout the investigation, responders should coordinate and communicate with public relations, leadership, and other teammates to inform the response strategy.

A Word About “Investigations”

Formal investigations are often carried out by digital forensic investigators, who are experts skilled in the art and science of finding and analyzing digital footprints left behind by the adversary. If the victim does not have an existing relationship with an individual or organization capable of performing a forensic investigation, most cybersecurity insurance providers or legal counsel can make recommendations or introductions.

6.1 Research the Adversary

The more you know about your cyber extortion adversary, the more effectively you can respond and minimize damage from the adversary’s attack. Information about the adversary can help responders use resources efficiently and minimize unnecessary activities, as well as predict the adversary’s reactions and understand key negotiation points.

For example, if you are dealing with a nation-state attacker, you might need to invest in very intensive threat hunting. Conversely, if the adversary is an amateur who leverages less sophisticated toolkits, your response may require only simple eradication tactics.

In this section, we review the goals of adversary research, and discuss tactics for identifying cyber extortion adversaries.

6.1.2 Actionable Intelligence

Understanding your adversary is more than just an intellectual exercise. It can produce valuable insights that responders can leverage immediately, such as the following information:

  • The average cost of the final negotiated ransom payment: Ransom demands vary from a few thousand dollars to millions. In some cases, criminals base their final number on the victim’s financial reports or insurance coverage, which is helpful information for the negotiator.

  • Prospects for receiving a discount: Some adversaries are known to give 50% to 60% discounts, while others are offended by pressure to cut a deal. Understanding the adversary’s likely response can help to ensure the best possible outcome.

  • Whether the adversary reliably sends the decryptor after payment: Receiving the decryptor is not a guarantee, but some groups are more consistent than others.

  • Whether the decryptor works when received: Some decryptors work flawlessly, while others require a lot of manual work and troubleshooting.

  • Whether you will need a decryptor for each device encrypted or if one key works for all: Knowing that information while negotiating saves the pain of having to go back to the adversary for a second round of negotiations, if the decryptor works for only one device.

  • The risk that the decryptor contains additional malware: A large percentage of decryptors contain malware that silently installs backdoors to your network, gathers information, or detonates more ransomware on a timer.

  • The likelihood that other malware such as information stealing Trojans is present on the victim’s network: As discussed in Chapter 3, many adversaries install remote access software designed to evade detection and maintain persistence prior to detonating ransomware. This malware must be discovered and eradicated, or the victim may suffer a reinfection.

  • Whether the adversary typically exfiltrates files: Knowing typical behavior provides insights that will be useful for the forensic investigation.

  • Whether the adversary notifies the media proactively and/or maintains a data leak site: Understanding the adversary’s level of sophistication when it comes to the media can help to inform the victim’s public relations strategy.

Heads Up! An Evolving Ecosystem

Adversary affiliations and tactics are constantly evolving. In recent years, the emergence of ransomware-as-a-service (RaaS) opened the door for franchise models, enabling a wide range of adversaries to leverage sophisticated attack platforms while RaaS operators extended their reach and opportunities for profit. Criminal contractors may serve multiple groups, often specializing in a particular task, such as gaining initial access. The result is that adversary identification is an ever-changing area of research, and it is wise to engage a subject-matter specialist when the stakes are high.

There is no guarantee that the way a particular cybercriminal gang behaved yesterday is the way they will act tomorrow—but knowledge of your adversary does increase your odds of achieving a better outcome.

6.1.3 Identification Techniques

So how do you identify your adversary? The following areas tend to be fruitful avenues for analysis:

  • Ransom note

  • Communications content analysis, including statements, format, subject matter, and styles

  • Malware samples, including ransomware encryption software and other tools employed on the network

  • Tactics, techniques, and procedures (TTPs)

6.1.3.1 The Ransom Note

As discussed in Chapter 3, most cyber extortionists leave behind a note that includes instructions and contact information. The note is most commonly a file on the desktop or in each encrypted directory of an infected computer, although it can also be an email, voicemail, audio file, fax, paper that comes out of printers, or any number of other message types.

Ransom notes are often templatized and might, or might not, explicitly name the threat actors. Fortunately, responders can analyze the format and style of the ransom note and match them to known adversary groups. Online services such as ID Ransomware1 and the No More Ransom Project2 enable responders to quickly identify a ransomware family based on the ransom note left behind and a sample encrypted file (the appended extension and the structure of the encrypted file are often distinctive), and will also indicate whether a free decryptor is known to exist for that family.

1. ID Ransomware, https://id-ransomware.malwarehunterteam.com/.

2. No More Ransom, www.nomoreransom.org/.

To preserve the victim’s privacy, it is important to remove identifying information from the ransom note prior to pasting it into a ransomware search engine. This can include the organization’s name, email addresses, domains, IP addresses, and so on.

The same is true if you conduct searches via Google or leverage third-party software to assist in the investigation. Search engines may track searches, link them to identifying characteristics, and associate these with specific organizations. Make sure to remove identifying characteristics prior to searching for phrases in a note.
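As an added example (not code from the original text), here is a small Python redactor for this step. It strips only the victim's identifiers, supplied as the organization's names, domains and internal address ranges, and deliberately leaves the adversary's contact address and the victim ID in place, since those are the parts that identification services match on. The ransom note, the organization "ACME-Corp", the addresses and the ID in it are all constructed for illustration.

```python
import ipaddress
import re

# Constructed ransom note for illustration. The adversary's contact address,
# the victim ID and the organization "ACME-Corp" are all fictional.
SAMPLE_NOTE = """Your network has been penetrated.
All files on each host in the network ACME-Corp have been encrypted.
Contact us: recovery-desk@protonmail-example.invalid
Your ID: 7F3A-22B1-9C0D
Backups from 10.20.30.41 and fileserver.acme-corp.local were deleted.
Proof of data from admin@acme-corp.com attached.
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _in_org_domain(host, org_domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in org_domains)


def redact_note(text, org_names, org_domains, internal_networks):
    """Strip the victim's identifiers from a ransom note while leaving the
    adversary's contact channel and the victim ID intact, so the note can
    still be matched against known families. Returns (text, counts)."""
    org_domains = [d.lower() for d in org_domains]
    networks = [ipaddress.ip_network(n) for n in internal_networks]
    counts = {"email": 0, "host": 0, "ip": 0, "name": 0}

    def email_sub(m):
        if _in_org_domain(m.group(0).split("@", 1)[1], org_domains):
            counts["email"] += 1
            return "[REDACTED-EMAIL]"
        return m.group(0)  # adversary mailbox: keep it, it identifies the group

    def host_sub(m):
        if _in_org_domain(m.group(0), org_domains):
            counts["host"] += 1
            return "[REDACTED-HOST]"
        return m.group(0)

    def ip_sub(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)
        if any(addr in net for net in networks):
            counts["ip"] += 1
            return "[REDACTED-IP]"
        return m.group(0)

    # Order matters: emails before hosts (so a mailbox's domain part is not
    # half-redacted), and the bare organization name last.
    text = EMAIL_RE.sub(email_sub, text)
    text = HOST_RE.sub(host_sub, text)
    text = IPV4_RE.sub(ip_sub, text)
    for name in org_names:
        text, n = re.subn(re.escape(name), "[REDACTED-ORG]", text, flags=re.IGNORECASE)
        counts["name"] += n
    return text, counts


if __name__ == "__main__":
    cleaned, stats = redact_note(
        SAMPLE_NOTE,
        org_names=["ACME-Corp", "Acme Corporation"],
        org_domains=["acme-corp.com", "acme-corp.local"],
        internal_networks=["10.0.0.0/8", "192.168.0.0/16"],
    )
    print(cleaned)
    print(stats)
```

Treat the output as a first pass and read it before submitting anything: a regex cannot know that a project codename, a street address, or a person's surname identifies you, and a note that quotes stolen file names may need those removed as well.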

Case Study: Ransomware Masquerade

Adversaries may masquerade as known groups when they are actually not. For example, in 2017 a strain of ransomware that claimed to be part of the Globe ransomware family, first seen in 2016, began encrypting networks around the world.

However, investigators soon realized that this new strain was not the original Globe ransomware but was instead mimicking nearly every identifier from the original, including the malware executable name and the ransom note. The adversary behind this new strain, which was renamed GlobeImposter, was attempting to capitalize on the notoriety of the original Globe ransomware to make their demands seem more intimidating.

Another, more sinister example was NotPetya. In 2016, a strain of ransomware called Petya spread around the world, overwriting the boot record and encrypting the master file table of infected hard drives, and demanding a Bitcoin payment to restore access. In 2017, a new variant of the malware began spreading rapidly, primarily in Ukraine. However, the new variant was not ransomware at all. Disks were encrypted just as with the earlier strains of Petya, but the installation ID displayed to victims was randomly generated and bore no relationship to the encryption key, so files could never actually be decrypted, even if the ransom was paid. The victim computers were effectively destroyed.

Based on the level of sophistication employed by NotPetya, it is widely believed that the malware was, in reality, a nation-state attack executed by the Russian military against Ukraine.3 It was designed to look like a common ransomware attack, when the actual intent was to destroy networks entirely.

3. Liam Tung, “‘Russian Military Behind NotPetya Attacks’: UK Officially Names and Shames Kremlin,” ZDNet, February 15, 2018, www.zdnet.com/article/russian-military-behind-notpetya-attacks-uk-officially-names-and-shames-kremlin/.

6.1.3.2 Communications Content Analysis

Victims may exchange direct communications with the adversary, through custom portals, emails, voicemails, faxes, text messages, Telegram, social media platforms, or other methods. In addition, victims may be the subject of a post on an adversary’s data leak site, exchanges with reporters, or adversary messages to customers, patients, and other stakeholders. Some adversaries also brag on separate dark web forums, which are often monitored by law enforcement and the media.

How can you gain actionable intelligence about the adversary from the content of their communications?

  • Look for branded ransom notes, data leak portals, and messages that advertise the adversaries’ affiliation.

  • The adversary may come straight out and tell you who they work for during interactive communications. In some cases, adversaries even provide links to news articles about themselves as a demonstration of their previous success, in an effort to further intimidate the victim. Extortion groups such as REvil and Maze often employed this strategy.

  • Analyze the grammar and content of messages to identify the native language of the writer (although if the adversary is using a RaaS platform or commercial software, the messages may be generated from templates provided by the software developer).

  • Pay attention to the adversary’s speech patterns. Look for odd phrasing or colloquialisms that may point to a specific geographic area.

  • Identify images or styles used routinely by specific criminal gangs and their affiliates.

  • Observe whether the adversary appears to be technically savvy.

  • Look for references to adversary job roles or group members, to identify the size and type of the adversary’s organization.

  • Track the times of communications and attempt to establish the adversary’s time zone by paying attention to the time of day when messages are sent or read.

Often, there are clear differences in communications of amateurs versus organized crime groups. Understanding the category to which your adversary belongs can guide your negotiations, as well as give you an indication of the likelihood of a successful outcome.

An amateur adversary will often:

  • Respond to messages in a delayed or erratic manner

  • Respond to messages only during certain hours

  • Struggle with basics, such as decrypting sample files

An organized crime group is more likely to:

  • Engage multiple staff members in providing “customer support” to the victim

  • Respond to all messages within minutes or 1–2 hours at most

  • Communicate through a portal or provide multiple email addresses

  • Use templates for communications

  • Offer to decrypt sample files or provide proof of exfiltration without being asked

When analyzing more subtle clues, it is best to involve a cyber extortion specialist, as the indicators that connect these with specific adversaries evolve rapidly.

Case Study: The Amateur

A midsized U.S. law firm lost access to its files due to a ransomware attack on a Wednesday afternoon. It contacted the authors of this book for help. After determining that the backups were not salvageable, negotiations began on Thursday, and almost immediately it was apparent that we were working with an amateur criminal.

The first indicator was that the adversary’s response times were slow, but predictable. Email responses would always arrive around 8 a.m. PST, 12 p.m. PST, and 5 p.m. PST, and only on weekdays. The patterns were consistent with break times for a standard U.S. organization located in the Pacific Time Zone. The messages arrived only before, after, or at the lunch break of a typical workday. Messages never arrived outside of those times, and never on weekends. The response team hypothesized that the adversary might be using a work computer for their communications.

The initial messages included what appeared to be forced errors, likely in an attempt to lead the recipient to believe that English was the adversary’s second language. However, most of the messages were well written using accurate spelling and grammar, and dollar signs and commas were all written in the American standardized way. As time went on, the pretense was dropped.

The final indicator that this was likely an amateur working alone came when the adversary was initially unable to decrypt the sample files. Initially, they accused the responders of altering the files in some way (though what the perceived gain would be remains a mystery). In the end, the adversary railed that they spent the “entire weekend” troubleshooting their own decryptor to provide the sample files, and demanded a higher ransom for their trouble, using a popular American expression as justification for the increase: “Time = $$.”

After extensive negotiation and technical support from the response team, the adversary eventually relented and dropped the price back to the original demand, which was covered by insurance.
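The time-of-day reasoning in the case study, and the earlier advice to track when messages are sent, can be made systematic. The following Python script is an added example (not from the original text): given the UTC timestamps of the adversary's messages, it scores every whole-hour UTC offset by how many messages fall inside local working hours, then reports the hour-of-day and weekday distribution under the best fit. The timestamps are constructed to mirror the pattern described above (three replies a day, weekdays only); the 08:00 to 18:00 working-hours window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed message timestamps (UTC), modelled on the case study above:
# three replies per day, Monday to Wednesday, 1-3 March 2021.
MESSAGE_TIMES_UTC = [
    "2021-03-01T16:02:00Z", "2021-03-01T20:05:00Z", "2021-03-02T01:01:00Z",
    "2021-03-02T16:10:00Z", "2021-03-02T20:00:00Z", "2021-03-03T00:58:00Z",
    "2021-03-03T16:00:00Z", "2021-03-03T20:12:00Z", "2021-03-04T01:05:00Z",
]


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rank_utc_offsets(stamps, work_start=8, work_end=18):
    """Score every whole-hour UTC offset by how many messages land inside
    local working hours [work_start, work_end). Returns (offset, score)
    pairs, best first. Ties are broken towards the smaller |offset| only
    to keep the output stable, not because that is more likely."""
    times = [parse_utc(s) for s in stamps]
    ranking = []
    for offset in range(-12, 15):
        tz = timezone(timedelta(hours=offset))
        score = sum(1 for t in times if work_start <= t.astimezone(tz).hour < work_end)
        ranking.append((offset, score))
    ranking.sort(key=lambda r: (-r[1], abs(r[0])))
    return ranking


def local_profile(stamps, offset):
    """Hour-of-day and day-of-week distribution under a candidate offset."""
    tz = timezone(timedelta(hours=offset))
    local = [parse_utc(s).astimezone(tz) for s in stamps]
    return {
        "hours": dict(sorted(Counter(t.hour for t in local).items())),
        "weekdays": dict(Counter(t.strftime("%a") for t in local)),
        "weekend_messages": sum(1 for t in local if t.weekday() >= 5),
    }


if __name__ == "__main__":
    best, score = rank_utc_offsets(MESSAGE_TIMES_UTC)[0]
    print(f"best fit: UTC{best:+d} ({score}/{len(MESSAGE_TIMES_UTC)} messages in working hours)")
    print(local_profile(MESSAGE_TIMES_UTC, best))
```

On this data UTC-8 is the unique best fit, which is consistent with the Pacific Time hypothesis but does not prove it: one offset covers many countries, half-hour zones are not scored, and an adversary who works nights or staffs a shared "support desk" will not show a clean pattern. Treat the result as one indicator to weigh alongside language, holiday and infrastructure clues.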

6.1.4 Malware Strains

Knowing the specific type of malware strains used in an attack can be extremely helpful in navigating your response. Quite often, specific adversary groups are associated with particular strains of malware. Accurate identification of a ransomware strain can help you predict indicators of compromise (IoCs), pinpoint affected systems, effectively eradicate the malware, and gauge the risk of reinfection.

Identification can be accomplished in several ways, but the quickest and most common are as follows:

  • Encrypted files carry a distinctive extension appended by the malware (e.g., .RYK for Ryuk or .cerber for Cerber).

  • Encrypted files match the specific encryption scheme used by a well-known adversary. For example, the GandCrab ransomware employed the Salsa20 algorithm and left a recognizable marker in a specific format on each encrypted file.

  • The hash value for the ransomware executable matches previously identified malware, as per malware identification services or antivirus software.

  • Behavioral analysis of the malware reveals IoCs associated with known extortion groups, such as IP addresses, domains, or TTPs (discussed in Section 6.1.5).

Responders can use a public malware analysis service such as VirusTotal4 or Any.Run5 to match specific malicious software to previously identified samples. However, remember that data submitted to online services may not remain private and can lead to the exposure of a security incident to the public. It’s crucial for responders to exercise caution when submitting information to these services. Before uploading anything to a third-party service, consider taking the following precautions:

4. VirusTotal, www.virustotal.com/gui/home/upload/.

5. Any.Run, https://any.run/.

  • Never submit files that contain sensitive or identifying data to a third-party service unless you are absolutely certain it will not be shared with researchers or other affiliates.

  • Submit a cryptographic hash (MD5, SHA-1, or SHA-256) of the suspicious file instead of the file itself. A hash reveals nothing about the sample's contents, so if the criminals have customized the software for your environment, you won't accidentally reveal hard-coded IP addresses, hostnames, or other identifying information. Be aware that a hash lookup returns a result only if someone has already submitted that exact file; a build customized for a single victim will often match nothing, which is itself a useful clue.

  • If a service needs an encrypted file to identify the strain, upload an encrypted copy of a generic file, such as a stock image, an icon, or an application file, that is unlikely to contain sensitive or customized data.

  • If you must submit a malware sample, redact sensitive data such as the organization’s name or IP address range if you are able to reliably edit the sample before it is submitted.
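As an added example (not code from the original text), the Python script below performs the local triage implied by these precautions: it computes the hashes you would look up rather than upload, extracts printable ASCII and UTF-16LE strings as the `strings` utility would, pulls out candidate hostnames and IPv4 addresses, and defangs them for reporting. The sample bytes are constructed for illustration; the hostnames use the reserved .example domain, the address is from the TEST-NET-1 range, and the file-extension exclusion list is an assumption added to suppress common false positives such as DLL names.

```python
import hashlib
import re

# Constructed stand-in for a ransomware binary: a PE-like header, two library
# strings, an ASCII domain, a UTF-16LE domain (Windows binaries often store
# strings that way) and one IPv4 address. Domains use the reserved .example
# TLD; the address is from TEST-NET-1.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"kernel32.dll\x00CreateFileW\x00"
    + b"\x7f\x01\x02\x03mds.corp.example\x00\x02\x02"
    + "unspec179198.corp.example".encode("utf-16-le") + b"\x00\x00"
    + b"\x05\x06192.0.2.15\x00http://recovery.corp.example/id\x00"
)


def hashes(data):
    """Digests to look up in VirusTotal or a vendor portal instead of
    uploading the sample itself."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=6):
    """Printable ASCII runs plus UTF-16LE runs, like `strings -e l`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
FQDN_RE = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}\b", re.IGNORECASE)
# Assumed list of dotted names that are almost always file names, not hosts.
FILE_SUFFIXES = {"dll", "exe", "sys", "pdb", "dat", "txt", "log", "ini", "tmp", "lnk", "bat", "ps1"}


def network_indicators(data):
    """Candidate hostnames and IPv4 addresses embedded in the sample."""
    ips, hosts = set(), set()
    for s in extract_strings(data):
        ips.update(IPV4_RE.findall(s))
        for host in FQDN_RE.findall(s):
            if host.rsplit(".", 1)[-1].lower() not in FILE_SUFFIXES:
                hosts.add(host.lower())
    return {"ips": sorted(ips), "hosts": sorted(hosts)}


def defang(indicator):
    """Make an indicator safe to paste into a report or ticket."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def triage(data):
    indicators = network_indicators(data)
    return {
        "size": len(data),
        "hashes": hashes(data),
        "indicators": {k: [defang(v) for v in vals] for k, vals in indicators.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BYTES), indent=2))
```

A domain that the binary checks before doing anything, such as the kill switch in the Honda case that follows, typically turns up in exactly this kind of string listing, as do hard-coded internal hostnames that would identify the victim if the sample were uploaded as-is. Packed or encrypted samples yield little until unpacked, which is one reason a hash lookup alone can come back empty.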

Case Study: Honda

On June 8, 2020, Honda Motor Company disclosed via social media that customer and financial services were offline because of technical difficulties stemming from a cyberattack against the corporate network.6 Details were scarce, but it soon became clear that Honda had been the victim of a ransomware attack.

6. Honda Automobile Customer Service (tweet), June 8, 2020, https://twitter.com/HondaCustSvc/status/1270048801307234304.

While Honda did not initially confirm the exact variant or adversary involved, clues were unearthed that gave security researchers and reporters what they needed to identify who had taken Honda offline. Researchers identified a recently uploaded sample of the SNAKE ransomware on VirusTotal, which provided key details strongly suggesting that the sample was the very same piece of software that caused Honda's service outage.

Upon reviewing the ransomware binary in detail, two very curious pieces of information were discovered:

  • A kill-switch built into the software that would terminate any activity if the domain MDS.HONDA.COM was not resolvable

  • A secondary network identifier referencing the IP address 170[.]108[.]71[.]15, which resolved to UNSPEC179198.AMERHONDA.COM at the time of discovery

The domain MDS.HONDA.COM was not a public domain name and was specific to the internal Honda network, meaning that if the ransomware was executed anywhere else, it would terminate and fail to encrypt any data. After creating a customized network to mimic this internal configuration, researchers were able to successfully execute the ransomware and obtain details of the infection, including the ransom note and contact instructions left behind by the adversary.

BleepingComputer.com, a cybersecurity news organization, reached out to the adversary directly and attempted to confirm the attack. The adversary declined to do so, stating:

At this time we will not share details about the attack in order to allow the target some deniability. This will change as time passes.7

7. Ionut Ilascu, “Honda Investigates Possible Ransomware Attack, Networks Impacted,” Bleeping Computer, June 8, 2020, www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/.

6.1.5 Tactics, Techniques, and Procedures

It’s always a good idea to take a step back and review the tactics, techniques, and procedures (TTPs) leveraged by an adversary to identify known groups or assess the accuracy of intelligence gathered to date. Analysis of the TTPs is traditionally broken down into three sections, each characterized by its level of detail:

  • Tactic: The adversary's high-level objective at a given stage of the attack (in MITRE ATT&CK terms, the "why"). Example: Gain initial access to the network.

  • Technique: The general method used to achieve that objective (the "how"). Example: The adversary enters the network through exposed RDP using credentials obtained by a brute-force password attack.

  • Procedure: A highly detailed description of the technique as this particular adversary employs it. Example: The adversary utilizes a time-based password spraying attack against exposed RDP using curated password lists and probable usernames gathered through open-source intelligence gathering (OSINT).

The combination of TTPs used by an adversary can function as a fingerprint, enabling responders to trace the attack back to specific likely adversaries. For example, the authors handled a case in which the initial vector was a phishing email, and the adversary went on to deploy the Advanced IP Scanner and Cobalt Strike before detonating ransomware. This specific combination was associated with the Egregor ransomware group at the time of discovery, and it was rare to find another group using the same TTPs during that time frame.

Security vendors such as CrowdStrike, Sophos, and others publish detailed analyses of threat actors, which can be valuable resources.8 However, few responders have time to pore over detailed whitepapers in the midst of a cyber extortion crisis. Incident response consultants who specialize in cyber extortion routinely track the latest TTPs associated with different groups and can typically identify the adversary based on experience and specialized industry knowledge.

8. CrowdStrike, https://adversary.crowdstrike.com/.

6.2 Scoping

Scoping is the process of discovering and documenting precisely what occurred in a cybersecurity incident, as well as the known extent and impact of the incident. The results of the investigation will be used by:

  • Responders: Contain the damage, eradicate the threat, close security gaps, and reduce risk.

  • Legal teams: Determine whether a breach investigation is necessary, and if so, inform the results.

  • Leadership: Inform decision-making.

In addition, other external parties such as regulators and public relations teams may leverage the results of the investigation for their specific purposes. In this section, we discuss the goals of the scoping process, present an investigative model, and provide an overview of common deliverables.

6.2.1 Questions to Answer

Common scoping questions that support investigative goals may include (but are certainly not limited to):

Entry:

  • How did the adversary get into the environment in the first place?

  • Which system and/or account was “patient zero,” the initial point of compromise?

Expansion:

  • Which systems were accessed? This includes workstations, servers, network devices, cloud applications, and more.

  • Which data repositories were accessed? Review an inventory of data, if possible, and determine whether any potentially sensitive or regulated data may have been affected.

  • Which account(s) were compromised? Was the entire Active Directory domain compromised (e.g., through a domain administrator account), or only a small number of accounts?

  • Did the compromise include unauthorized access to cloud repositories?

  • Which tools, techniques, and procedures did the adversary use to move laterally and escalate privileges?

  • Which actions did the adversary take after gaining unauthorized access?

Priming:

  • Which malware or tools did the adversary install?

  • Did the adversary make significant changes to the host or network configuration that need to be undone?

Leverage:

  • Data exfiltration:

    – Did the adversary remove any data from the environment? Once again, review an inventory of data and determine whether any potentially sensitive or regulated data may have been affected.

    – What is the risk of harm if the affected data were published or sold?

  • If ransomware was deployed:

    – How was the ransomware distributed and executed?

    – Which ransomware strain was deployed? Is it associated with any specific threat actors or activities?

6.2.2 Process

Using a standard digital forensic investigative model, responders can methodically uncover the scope of a cyber extortion incident. As defined by the Digital Forensics Research Workshop (DFRWS) in 2001, the general phases of a forensic investigation include:9

9. “A Road Map for Digital Forensic Research,” Proceedings of Digital Forensic Research Conference, Utica, NY, August 7–8, 2001, https://dfrws.org/wp-content/uploads/2019/06/2001_USA_a_road_map_for_digital_forensic_research.pdf.

  • Preservation: Ensure that relevant evidence is stored in a manner that maintains the integrity and availability of the data.

  • Collection: Copy or move the evidence and store it in a format that facilitates access and analysis by investigators.

  • Examination: Conduct a systematic review of the evidence designed to identify important artifacts and support investigative goals.

  • Analysis: Interpret results and refine the theory of the case based on the findings.

  • Presentation: Document and share the investigative process and findings with key stakeholders.

Although this process appears linear, it is typically iterative. Responders may choose to preserve and collect additional evidence at any point if it is available and engage in a cyclical process of examination and analysis, as needed.
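The preservation and collection steps above rest on being able to prove later that evidence was not altered. The Python script below is an added example (not from the original text or the DFRWS paper): it hashes every file in an evidence directory into a manifest that records who collected it and when, hashes the manifest's file list so that edits to the list itself are visible, and re-verifies the files later. The evidence files, collector name and file contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector, note=""):
    """Hash every file under evidence_dir and record who collected it and when.
    The file list is hashed as well so that later edits to the list show up."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir).replace(os.sep, "/"),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    entries.sort(key=lambda e: e["path"])
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "note": note,
        "files": entries,
        "manifest_sha256": hashlib.sha256(
            json.dumps(entries, sort_keys=True).encode()).hexdigest(),
    }


def verify_manifest(evidence_dir, manifest):
    """Return (path, problem) pairs; an empty list means everything matches."""
    problems = []
    listing = json.dumps(manifest["files"], sort_keys=True).encode()
    if hashlib.sha256(listing).hexdigest() != manifest["manifest_sha256"]:
        problems.append(("<manifest>", "file list altered"))
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(path):
            problems.append((entry["path"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed walk-through: collect two files, verify, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        os.makedirs(os.path.join(evidence_dir, "logs"))
        os.makedirs(os.path.join(evidence_dir, "notes"))
        with open(os.path.join(evidence_dir, "logs", "auth.log"), "w") as fh:
            fh.write("Feb 21 04:58:10 vpn01 sshd: Accepted password for jsmith\n")
        with open(os.path.join(evidence_dir, "notes", "README.txt"), "w") as fh:
            fh.write("RESTORE_FILES.txt found on FS01\n")

        manifest = build_manifest(evidence_dir, "analyst@ir-firm.example", "constructed demo")
        clean = verify_manifest(evidence_dir, manifest)

        # Someone "tidies" a log after collection; the manifest catches it.
        with open(os.path.join(evidence_dir, "logs", "auth.log"), "a") as fh:
            fh.write("Feb 21 05:00:00 vpn01 sshd: edited after collection\n")
        tampered = verify_manifest(evidence_dir, manifest)
        return {"paths": [e["path"] for e in manifest["files"]],
                "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Record the manifest hash somewhere the evidence store cannot reach, such as the case file kept by counsel, because anyone with write access to the store could regenerate both the files and the manifest. Hash before any analysis tool touches the files, and work from copies.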

A Word About “Patient Zero”

The term “patient zero” refers to the first compromised computer or account in a cybersecurity incident. Identifying this point early in the response is immensely helpful in effectively clearing out residual infections and potential secondary access vectors.

Pinpointing patient zero informs both the investigation and recovery efforts. Often the adversary's initial entry occurred much earlier than the organization initially believed. If that earlier access is not discovered, the organization risks restoring from a backup that already contains the adversary's malware, persistence mechanisms, or compromised credentials, leading to a repeat incident.

Once patient zero is identified, responders have a starting point from which to trace the adversary’s activities. Often, when an attack is traced back to patient zero, responders are then able to analyze the initial point of compromise and trace the attack forward throughout the environment, effectively uncovering the full scope. This, in turn, enables responders to fully eradicate the threat and lock the adversary out of the environment.
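The scoping questions above and the patient-zero discussion both come down to building one timeline from sources that disagree about time. The Python script below is an added example (not from the original text): it normalizes three constructed log excerpts with different timestamp conventions (a VPN log in local time with a numeric offset, Windows event exports in UTC, and an EDR alert in ISO 8601 with an offset) into a single UTC-ordered timeline and reports the earliest evidence per host. Hosts, user names, addresses and log formats are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed log excerpts from three sources, each with its own timestamp
# convention. Hosts, user and addresses are fictional.
VPN_LOG = [  # local time with a numeric offset
    "2021-02-20 23:58:10 -0500 vpn01 accepted user=jsmith src=203.0.113.7",
    "2021-02-21 00:05:40 -0500 vpn01 accepted user=jsmith src=203.0.113.7",
]
WIN_EVENTS = [  # exported in UTC
    "2021-02-21T05:10:44Z WS-FIN-07 EventID=4624 LogonType=10 User=jsmith",
    "2021-02-21T05:42:03Z DC01 EventID=4624 LogonType=3 User=jsmith",
    "2021-02-21T06:15:27Z FS01 EventID=4688 Process=Advanced_IP_Scanner.exe User=jsmith",
]
EDR_ALERTS = [  # ISO 8601 with explicit offset
    "2021-02-21T07:20:15+01:00 FS01 alert=beacon process=rundll32.exe",
]

SYSLOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) (\S+) (.*)$")
ISO_RE = re.compile(r"^(\S+?)(Z|[+-]\d{2}:\d{2}) (\S+) (.*)$")


def parse_syslog_line(line, source):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed {source} line: {line!r}")
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
    return {"utc": when.astimezone(timezone.utc), "host": m.group(2),
            "source": source, "detail": m.group(3)}


def parse_iso_line(line, source):
    m = ISO_RE.match(line)
    if not m:
        raise ValueError(f"unparsed {source} line: {line!r}")
    # fromisoformat() only accepts a trailing "Z" on newer Pythons; normalize it.
    when = datetime.fromisoformat(m.group(1) + m.group(2).replace("Z", "+00:00"))
    return {"utc": when.astimezone(timezone.utc), "host": m.group(3),
            "source": source, "detail": m.group(4)}


def build_timeline():
    """Merge all sources into one list ordered by UTC time."""
    events = [parse_syslog_line(line, "vpn") for line in VPN_LOG]
    events += [parse_iso_line(line, "winevt") for line in WIN_EVENTS]
    events += [parse_iso_line(line, "edr") for line in EDR_ALERTS]
    return sorted(events, key=lambda e: e["utc"])


def first_seen(timeline):
    """Earliest evidence per host, in order of first appearance."""
    seen = {}
    for e in timeline:
        seen.setdefault(e["host"], e["utc"])
    return seen


def render(timeline):
    return "\n".join(
        f"{e['utc'].strftime('%Y-%m-%dT%H:%M:%SZ')}  {e['host']:<10} {e['source']:<7} {e['detail']}"
        for e in timeline)


if __name__ == "__main__":
    tl = build_timeline()
    print(render(tl))
    first = tl[0]
    print(f"\nEarliest evidence: {first['host']} at {first['utc'].isoformat()} ({first['detail']})")
```

The earliest event on the timeline is a candidate for patient zero, not a conclusion: it is only as early as the retained logs reach, and an unrecorded clock skew on one host can reorder events by minutes. Record each source's clock offset at collection time, and extend the timeline backwards as earlier evidence (VPN, mail, or firewall logs, for example) is preserved.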

6.2.3 Timing and Results

A full forensic investigation takes time. Most incidents involve large amounts of evidence—that is, data to parse through for answers. The search can happen only as quickly as hard drive and CPU speeds allow. Answers may take a few weeks to find.

Depending on the evidence available for analysis, the investigators may be unable to find concrete answers. For example, they may be able to determine that an adversary accessed a particular system, but unable to determine if files were accessed due to a lack of logging of file access.

One last note: A forensic investigation is unlikely to point to or bring about the arrest of a specific culprit. The information can be shared with law enforcement at the organization’s discretion. Law enforcement will, in turn, combine it with evidence from similar cases, which may eventually lead to the apprehension of the responsible party. A single forensic investigation, however, is unlikely to do that.

6.2.4 Deliverables

To support responders, legal teams, leadership, and others in their efforts, investigators need to deliver the results of the investigation in a form that is useful and digestible. Key results to document and deliver include the following:

  • Indicators of attack/compromise

  • A list of known impacted hosts

  • Evidence and details that may help identify the adversary

  • Timeline of the incident, including initial entry, expansion, exfiltration, priming, detonation, and any other relevant facts

  • Specific samples and descriptions of malware and tools deployed by the adversary

  • Security tools that were disabled by the adversary or ineffective at detection

  • Any alerts that were successfully generated but went overlooked

  • Misconfigurations, vulnerabilities, or other weaknesses that were exploited by the adversary to gain or expand access

  • Recommendations for eradicating the threat and reducing the risk of future compromise

In addition, responders should produce any evidence needed to support further investigation, such as hard drive images, network logs, mailbox exports, filesystem metadata, activity logs, and more. For more information on this topic, check out Dr. Darren Hayes’s book, A Practical Guide to Digital Forensics Investigations.10

10. Darren Hayes, A Practical Guide to Digital Forensics Investigations, 2nd ed. (Boston, MA: Pearson, 2020).

6.3 Breach Investigation or Not?

As early as possible, carefully consider whether to move forward with a breach investigation. Since “breach” is a legal term, the decision regarding whether to investigate an incident as a potential breach should be made by qualified and experienced legal counsel. There is no single universal definition of a breach; instead, federal, state, and local jurisdictions have varying definitions, in addition to any contractual obligations that may apply to the victim organization.

6.3.1 Determine Legal, Regulatory, and Contractual Obligations

If there is a possibility that the data is regulated, then counsel will need to identify relevant breach notification statutes and laws and determine appropriate next steps. Typically, counsel will determine that either:

  • There is no risk of a reportable data breach, in which case there is no need for an investigation; or

  • There is a risk of a reportable data breach, in which case counsel will open a breach investigation.

Victims might be required to notify third parties. This often occurs when the adversary accessed sensitive data, triggering data breach notification laws. In other cases, operational impacts may trigger notification obligations to downstream customers, regulators, or other third parties. For example, in the United States, federal agencies require financial institutions to notify their regulator within 36 hours in the event that they experience a cybersecurity incident that is reasonably likely to disrupt the bank’s operations.11

11. U.S. Department of the Treasury, Federal Reserve System, and Federal Deposit Insurance Corporation, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” Federal Register 86, no. 223 (November 23, 2021), www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf.

Tip: Take an Inventory

Take an inventory of your data and identify relevant breach notification statutes, regulations, and contractual obligations in advance. Make sure to document and update this assessment periodically, with input from a qualified external attorney. This can save you a huge amount of time and stress during a cyber extortion response, and also help you effectively develop risk mitigation strategies ahead of time.

6.3.2 Decide Whether to Investigate Further

The victim must weigh many factors when determining how deeply to investigate a potential breach. Investigations can help the victim meet regulatory and ethical obligations, facilitate an accurate understanding of risk, and support harm reduction; however, they can also be expensive and time-consuming. Cyber insurance coverage can help cover the costs in many cases.

If the victim chooses to skip the investigation, and a data breach later comes to light, the victim may be subject to fines and may be at greater legal risk.


Tip: Criminals Lie

In incidents where the adversary does not claim to have stolen data, or if they show “proof” that they deleted it after a payment was made, the victim may hesitate to investigate the incident in depth. It is important to remember that you are dealing with criminals, and they may not be truthful in their claims.

The claims of the adversary do not take the place of a proper investigation. Skipping a full investigation also increases the likelihood of future incidents; without a full understanding of the compromise, it is difficult to effectively manage the risks that affect all parties.

6.3.3 Moving Forward

Once a victim decides to move forward with a breach investigation, the breach coach will typically take the following steps:

  • Establish key questions for the investigative team to answer.

  • Direct the investigative team to collect, analyze, and report on evidence.

  • Evaluate the results.

  • Assess the risk that the incident qualifies as a breach or meets other requirements for action based on relevant laws, regulations, or obligations.

  • Provide clear direction for the response, as needed. This may include notification, risk management processes, additional investigation, or other activities.

6.3.4 Outcomes

Typically, the outcome of a breach investigation is a formal, legal determination of whether the incident under investigation triggers breach notification and reporting laws in a relevant jurisdiction. In “denial” extortion cases such as ransomware, the adversary may only intend to impact operations, but the mere fact that they accessed systems containing sensitive information may be enough to trigger a breach notification law.

If investigators are able to rule out unauthorized access to certain sensitive information through a careful review of relevant evidence, the victim may be able to minimize notifications or even avoid the need to notify altogether. Minimizing the number of notifications saves the organization money and can also reduce reputational harm.

Along the way, the investigative team should coordinate and communicate with public relations, leadership, and other key functions to inform other aspects of the response.

6.4 Evidence Preservation

Access to evidence is fundamental for all investigations. Unfortunately, the evidence needed to make informed decisions does not last forever. Digital evidence is like food: You need to freeze it fast, or it spoils. Evidence disappears as part of the normal use of a computer system. For example, it may be overwritten by new data, or purged after a set number of days, or lost when a system is rebooted.

Preserving evidence is the process of collecting and storing evidence in a format and location that will ensure the integrity and availability of the data as long as it is needed. When critical evidence is preserved in the early stages of a cyber extortion crisis, it dramatically improves the chances of identifying the adversary, scoping the incident, and properly investigating a breach, if needed. This, in turn, can minimize the risk of future compromise and potentially save the victim thousands or even millions of dollars in data breach–related costs.

Evidence preservation takes time and resources, which are in short supply in a crisis. Understanding potential sources of evidence and the order in which they should be preserved will prevent missteps that can result in lost, destroyed, or compromised evidence.

Before a cyber extortion event, and especially prior to preserving evidence, the organization should create a strategy to facilitate effective evidence preservation, and prevent accidental destruction, duplication, or contamination.

Case Study: Evidence Destroyed

All of the servers belonging to a school district were encrypted by ransomware. While the district had migrated to the cloud and stored most of its current data there, its servers contained files saved prior to 2018 that included medical and behavioral issues, as well as birth dates, home addresses, and other personally identifiable information of students and staff. The organization’s insurance company insisted on a forensic investigation to determine if any of the data was accessed or exfiltrated prior to encryption. The authors of this book were asked to lead that investigation.

Early on, it became apparent that the IT team was opposed to the investigation primarily due to the time it would take to gather and preserve evidence from the impacted systems. Their focus was restoring systems and moving on. The IT staff decided among themselves that preserving one domain controller would be sufficient. They set it aside for us, then wiped and rebuilt the rest of the impacted servers.

As a result, evidence was limited. We were able to determine that the adversary had, in fact, accessed the network through a vulnerability in its Fortinet VPN, scraped the IT administrator’s credentials, and successfully moved laterally to other hosts containing sensitive data. However, because the Windows Event logs and other filesystem artifacts were lost when the IT team reimaged the other impacted servers, artifacts that could have been used to narrow the scope of unauthorized access (or rule it out entirely) no longer existed on the network. We could not determine what the adversary did or did not access with enough certainty to rule out a data breach.

In the end, the school district had to notify thousands of individuals about their breach and the potential that their personal information had been viewed or stolen. If the other affected systems had been available, the school district might have potentially limited the number of people who needed to be notified (or avoided notification altogether), thereby saving time, money, and reputation.

6.4.1 Sources of Evidence

To a certain extent, the type of cyber extortion event determines where valuable evidence will be found. However, some common sources are valuable and should be preserved regardless of the type of event. Keep in mind that the evidence may reside with a third party (such as a managed service provider) outside of the impacted network. Here is a list of common types of evidence that are useful in a cyber extortion case:

  • Security software and devices

  • Ransom notes

  • Encrypted file extensions

  • Volatile evidence

  • System artifacts

  • Firewall logs

  • Flow records

  • Authentication logs

  • Cloud-based evidence

Let’s look at each of these in turn.

6.4.1.1 Security Software and Devices

Security software and devices such as intrusion detection and prevention systems, antivirus software, access control software, and more can provide insights into the intrusion. A successful detonation of ransomware indicates that security software and devices were not sufficient to stop a full attack, but it does not mean that they aren’t useful to an investigator. Valuable artifacts such as behavioral alerts, additional malware detections, access violations, and much more may be contained within this log data. The investigator can also use this data to establish an early IoC list, which can provide a significant benefit to responders.

How to Get It

Acquisition methods for security software and devices will differ based on which types of elements exist within a network and how they are configured. In some cases, the data may be stored in a centralized location and can be easily accessed and exported if the storage location has not been encrypted. In other cases, the data may reside with a third-party provider, which will need to provide the data to the investigator at the request of the victim. The investigator should also be aware that some security software, such as antivirus or anti-malware applications, may store log data locally on their respective hosts.

6.4.1.2 Ransom Note Metadata

Ransom notes are left behind by the adversary primarily to provide information about how to contact them to pay the ransom. Ransom notes can contain much more information than a defender might originally think. Notes may contain information that is essential to the proper operation of decryption software if the goal is to decrypt data using a utility provided by an adversary. In general, the following information can potentially be gained from the ransom note:

  • The time when encryption started

  • Key information for decryption

  • Contact information for the adversary

  • Ransom amount information

While ransom notes may be named the same, contents of the notes may differ. In situations where the note is needed by the adversary to create a decryption utility, a defender needs to get all unique notes from an infected environment. When searching for individual notes, a cryptographic hash of the note file can be used to separate duplicate notes if needed.

How to Get It

Ransom notes will sometimes exist only on the desktop folder of the affected computer or in some other high-visibility area, or they may exist in every folder that the ransomware has touched. Ransom notes will often follow similar or identical naming conventions; so, once a single note is identified, it is usually easy to find the others. Writing a PowerShell or bash script to identify files by name is a trivial task, even for an inexperienced IT person. It is important, however, to keep note of where these notes were identified.

6.4.1.3 Encrypted File Extensions

File extensions are the letters or numbers appended to filenames that indicate the file type to the user’s filesystem. While some ransomware strains encrypt all files on an impacted network with a single file extension, others use different extensions on each individual host, device, or file share they encrypt. A different file extension can indicate the use of a unique key used to encrypt just files with that extension, meaning a responder will need to identify changes in file extensions to ensure that decryption is possible if a utility is purchased from an adversary. Failure to identify changes in encryption can lead to repeated negotiations with an adversary and wasted time during recovery.

How to Get It

File extensions for encrypted files need to be identified and recorded by a responder. Extensions for impacted files can be found at the end of filenames on systems that have been encrypted.
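The two “How to Get It” passages above (finding every unique ransom note and recording where it was found, and recording the extensions applied to encrypted files on each host) can be handled in a single pass over the preserved filesystem. The following is an added example, not code from the book: it builds a small constructed directory tree that imitates two encrypted hosts, then walks it once, collapsing notes by SHA-256 so that each distinct note text is kept with every path it was found at, and tallying per host any file extension not in a known-good set. The note filename and the `.lock1`/`.lock2` extensions are placeholders chosen for the example, not indicators of any real ransomware family.

```python
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# Constructed sample values: the note filename and the ".lock1"/".lock2"
# extensions are placeholders, not indicators of any real ransomware family.
NOTE_NAME = "README_RESTORE.txt"
# Extensions expected in this environment; anything else seen on an encrypted
# share is tallied per host as a candidate encrypted-file extension.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".log"}


def build_sample_tree():
    """Create a throwaway directory imitating two encrypted hosts (constructed data)."""
    root = tempfile.mkdtemp(prefix="evidence_demo_")
    layout = {
        "hostA/Users/alice/Desktop": [(NOTE_NAME, "note variant 1"), ("budget.xlsx.lock1", "")],
        "hostA/Users/alice/Documents": [(NOTE_NAME, "note variant 1"), ("memo.docx.lock1", "")],
        "hostB/share/finance": [(NOTE_NAME, "note variant 2"), ("ledger.pdf.lock2", "")],
        "hostB/share/hr": [("staff.xlsx.lock2", ""), ("photo.jpg", "")],
    }
    for rel, files in layout.items():
        directory = os.path.join(root, *rel.split("/"))
        os.makedirs(directory)
        for name, content in files:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write(content)
    return root


def inventory(root, note_name=NOTE_NAME):
    """Walk the tree once and return:
    - notes: sha256 -> list of relative paths (one entry per unique note text)
    - extensions: host -> Counter of unfamiliar extensions seen on that host
    """
    notes = defaultdict(list)
    extensions = defaultdict(Counter)
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        host = rel_dir.split(os.sep)[0]  # first path component names the host
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == note_name:
                # Notes are small; hash the whole content so duplicates collapse
                # while every location is still recorded for the report.
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                notes[digest].append(os.path.relpath(full, root))
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                extensions[host][ext] += 1
    return dict(notes), dict(extensions)


if __name__ == "__main__":
    sample = build_sample_tree()
    unique_notes, exts_by_host = inventory(sample)
    for digest, paths in unique_notes.items():
        print(f"note {digest[:12]}... found at: {paths}")
    for host, counts in exts_by_host.items():
        print(f"{host}: {dict(counts)}")
```

On the sample tree the report shows two distinct notes (three locations in total) and a different extension on each host, which is exactly the situation in which a single decryption utility may not cover both hosts. In a real case, run `inventory()` against the preserved copy of each host rather than the live system, and keep the resulting path list with the evidence.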

6.4.1.4 Volatile Evidence

Volatile evidence includes artifacts from computers that are not stored long-term and will be lost once power is removed (or even sooner). This can include RAM, CPU cache, network connections and process listings, pagefiles, and so on. Volatile evidence can contain information showing live activities on the system, including active network connections, active processes and applications, decrypted versions of software, passwords, and even decryption keys. Volatile evidence should be captured very quickly to avoid evidence spoliation. See Section 6.4.2 for more information about the order of volatility.

How to Get It

Volatile evidence can be captured from any system on the network that is in a powered-on state and has not been powered off or rebooted since the incident started. Popular forensic tools that can capture such evidence include Volatility, Axiom by Magnet Forensics, and FTK Imager, among others.

6.4.1.5 System Artifacts

System artifacts include Windows Event logs, Windows Registry data, filesystem metadata, and other evidence stored on the hard drive of a computer system. They can also include deleted files or snippets of data stored outside the filesystem. These artifacts may contain crucial indicators of compromise that a responder can use to pinpoint malicious activities, potential file access, system modifications, or other evidence consistent with the adversary’s activities during the incident.

How to Get It

System artifacts can be obtained from any computer system on the network and can be forensically preserved using specialized software like FTK Imager. Responders can take a full system image to forensically preserve all nonvolatile evidence, including metadata and deleted files. Unfortunately, this process can be time-consuming and take up large volumes of storage space.

In many instances, responders can use rapid, targeted captures (also known as “sparse acquisition”) to preserve only relevant system-based artifacts. This dramatically reduces the time and storage space needed to preserve evidence, although there is always a risk that important evidence may be missed. If the original hard drive is not immediately needed for the recovery, responders should preserve the original hard drive of the impacted host by physically locking it up after performing a sparse acquisition. That way, responders can begin rapid analysis and recovery, while still maintaining a source for gathering additional evidence later, if needed.

6.4.1.6 Firewall Logs

Depending on the infrastructure model, firewall logs may exist at the enterprise level, the physical location level, or the department level; they maintain a record of all inbound and outbound traffic. Such logs can provide information about network activity during a period of compromise. As a common exit or entry point to a network, the firewall is in a unique position to capture data relating to most, if not all, network communication. In incidents where data exfiltration is a concern, the firewall log data can provide a very clear view of any suspicious connections or large data transfer events. The full timeline of compromise can also be identified using firewall logs, as the time between initial infection and ransomware detonation is often significant.

How to Get It

As their name suggests, firewall logs are normally found on perimeter firewall devices, or contained within central log aggregation systems. All available devices and log repositories on a network should be analyzed and all identified sources of log data should be preserved immediately.

6.4.1.7 Flow Records

Flow records are logs documenting the flow of information across a network and can contain both internal and external communications. Tracking network activity is a necessary part of any investigation. Flow records can be used to identify signs of lateral movement, unauthorized access, data exfiltration, and much more. As an added benefit, because flow records record only a summary of information about network activity, they take up a relatively small amount of storage space and can be quick to analyze. Their small footprint compared with their potentially high usefulness makes flow records a very valuable source of evidence.

How to Get It

Flow records are conveniently generated by many different types of network hardware, from routers, to switches, to access points, and many more devices. Typically, network equipment does not include large volumes of built-in storage space, so flow records must be routinely exported from network equipment and sent to a separate collection system for retention.
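The lateral movement and large data transfer signals described in the firewall log and flow record sections above can be pulled out of a flow export with a few lines of aggregation. This is an added example, not code from the book: it takes a constructed NetFlow-style CSV (the addresses and byte counts are invented), sums outbound bytes per internal-to-external pair so that a transfer split across several flows is still visible as one total, and separately records internal-to-internal connections on common administrative ports. The 500 MiB flag threshold and the set of "lateral" ports are assumptions to tune for the environment.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records in a NetFlow-like CSV shape (not real traffic).
FLOWS_CSV = """\
start,src,dst,dport,bytes
2023-03-01T01:10:00Z,10.0.5.23,10.0.5.10,445,20480
2023-03-01T01:12:00Z,10.0.5.23,10.0.5.11,3389,512000
2023-03-01T01:30:00Z,10.0.5.10,198.51.100.40,443,734003200
2023-03-01T01:31:00Z,10.0.5.10,198.51.100.40,443,629145600
2023-03-01T01:40:00Z,10.0.7.8,203.0.113.9,443,1048576
2023-03-01T01:41:00Z,10.0.7.8,10.0.0.53,53,512
"""

# Assumed internal address space; adjust to the victim's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# SMB, RDP and WinRM: administrative channels commonly reused for lateral movement.
LATERAL_PORTS = {445, 3389, 5985, 5986}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(csv_text):
    """Return (outbound totals per src/dst pair, lateral peers per internal source)."""
    outbound = defaultdict(int)   # (internal src, external dst) -> total bytes
    lateral = defaultdict(set)    # internal src -> {(internal dst, port)}
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["src"], row["dst"]
        port, nbytes = int(row["dport"]), int(row["bytes"])
        if is_internal(src) and not is_internal(dst):
            outbound[(src, dst)] += nbytes
        elif is_internal(src) and is_internal(dst) and port in LATERAL_PORTS:
            lateral[src].add((dst, port))
    return dict(outbound), dict(lateral)


def flag_exfil(outbound, threshold=500 * 1024 * 1024):
    """Pairs whose summed outbound volume reaches the threshold, largest last."""
    return sorted((src, dst, total) for (src, dst), total in outbound.items() if total >= threshold)


if __name__ == "__main__":
    out, lat = summarize(FLOWS_CSV)
    for src, dst, total in flag_exfil(out):
        print(f"large outbound transfer: {src} -> {dst} {total / 2**20:.0f} MiB")
    for src, peers in lat.items():
        print(f"lateral candidates from {src}: {sorted(peers)}")
```

In the sample, two separate 443 flows from the same file server add up to roughly 1.3 GB to one external address, and one workstation touched two internal hosts over SMB and RDP shortly beforehand; both are the kind of lead a responder would then confirm against firewall and authentication logs.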

6.4.1.8 Authentication Logs

Authentication logs ideally record all attempted, failed, and successful logins to devices or the infrastructure. Successful authentication events can provide a useful map of assets within a network that have been compromised or otherwise accessed without authorization, which provides a responder with information about which data may be at risk, which accounts may have been compromised, and how far an adversary made it into the network. Failed authentication events can alert responders to an attack, indicate that a system or account is compromised, or signal that malicious software is present on a network. For example, if a responder observes a series of failed logins from a specific source within the environment, this may indicate the presence of an adversary’s brute-force utility, which helps a responder remove compromised endpoints from the environment and reduce the chance of reinfection.
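The brute-force pattern described in the paragraph above (a run of failed logons from one internal source, followed by a success) is straightforward to detect once authentication events are in a uniform shape. The following is an added example, not code from the book: it parses a constructed log excerpt of Windows-style logon events (4625 failed, 4624 succeeded) reduced to one line each, flags any source that produced at least five failures inside a five-minute window, and reports which hosts that source subsequently logged on to. The log format, hostnames, addresses and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): Windows-style logon events reduced to
# one line each. 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2023-03-01T02:14:05Z host=FS01 event=4625 user=administrator src=10.0.5.23
2023-03-01T02:14:09Z host=FS01 event=4625 user=admin src=10.0.5.23
2023-03-01T02:14:14Z host=FS01 event=4625 user=backup src=10.0.5.23
2023-03-01T02:14:20Z host=FS01 event=4625 user=svc_sql src=10.0.5.23
2023-03-01T02:14:27Z host=FS01 event=4625 user=backup src=10.0.5.23
2023-03-01T02:15:40Z host=FS01 event=4625 user=backup src=10.0.5.23
2023-03-01T02:16:10Z host=FS01 event=4624 user=backup src=10.0.5.23
2023-03-01T02:20:00Z host=DC01 event=4624 user=backup src=10.0.5.23
2023-03-01T02:30:00Z host=FS01 event=4625 user=jsmith src=10.0.7.8
2023-03-01T03:25:00Z host=FS01 event=4625 user=jsmith src=10.0.7.8
2023-03-01T03:25:30Z host=FS01 event=4624 user=jsmith src=10.0.7.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn matching lines into dicts with a parsed timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not have the expected shape
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logons inside a sliding window and
    report the hosts they later logged on to successfully."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event"] == "4625"]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward until it spans <= window
            if end - start + 1 >= threshold:
                first = fails[start]["ts"]
                findings[src] = {
                    "failed": len(fails),
                    "burst_start": first.isoformat(),
                    "usernames_tried": sorted({e["user"] for e in fails}),
                    "later_success_hosts": sorted(
                        {e["host"] for e in evs if e["event"] == "4624" and e["ts"] >= first}
                    ),
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in find_bruteforce_sources(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

The two isolated failures from `10.0.7.8` an hour apart are not flagged, while `10.0.5.23` is reported together with the two hosts it reached afterwards; that list is the starting point for deciding which endpoints to isolate and which account to reset.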

How to Get It

Tip: Time Zones

While preserving evidence, document the time zone and format that are currently in use on each source. For example, are the log files in UTC or are they set to a local time zone? If you are pulling logs from multiple locations, are they all in the same time zone? Does the system record time in 12- or 24-hour formats? Are the devices in sync or is time skewed? Correlating events based on timestamps gives you an accurate picture of the event, whereas if times are skewed or tracked differently, you may draw false conclusions.
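The questions in the tip above become concrete when events from several sources are merged into one timeline. The following is an added example, not code from the book: for each constructed source it records the timestamp format, the zone the device writes in, and a measured clock skew, then converts every event to UTC before sorting. A second function shows the order you would get by ignoring zone and skew. The sources, offsets (a fixed UTC-6 zone) and the 2 minute 30 second skew are invented for the example.

```python
from datetime import datetime, timedelta, timezone

# Per-source notes taken while preserving evidence (constructed values): the
# timestamp format, the zone the device writes in, and the clock skew measured
# against a trusted reference (positive = device clock runs fast).
CENTRAL_STANDARD = timezone(timedelta(hours=-6))
SOURCES = {
    "firewall": {"fmt": "%Y-%m-%dT%H:%M:%SZ", "tz": timezone.utc, "skew": timedelta(0)},
    "dc01": {"fmt": "%m/%d/%Y %I:%M:%S %p", "tz": CENTRAL_STANDARD, "skew": timedelta(0)},
    "nas": {"fmt": "%Y-%m-%d %H:%M:%S", "tz": CENTRAL_STANDARD,
            "skew": timedelta(minutes=2, seconds=30)},
}

# Constructed log excerpts: (source, timestamp exactly as the device wrote it, message)
RAW_EVENTS = [
    ("nas", "2023-02-28 20:20:40", "finance share mounted by backup"),
    ("dc01", "02/28/2023 08:16:10 PM", "4624 logon backup from 10.0.5.23"),
    ("firewall", "2023-03-01T02:14:05Z", "VPN session opened from 203.0.113.7"),
]


def to_utc(source, raw):
    """Parse a raw device timestamp, attach its documented zone, correct skew, return UTC."""
    meta = SOURCES[source]
    local = datetime.strptime(raw, meta["fmt"]).replace(tzinfo=meta["tz"])
    return local.astimezone(timezone.utc) - meta["skew"]


def normalize_timeline(raw_events):
    """Return (utc_iso, source, message) rows in true chronological order."""
    rows = [(to_utc(src, ts).isoformat(), src, msg) for src, ts, msg in raw_events]
    return sorted(rows)


def naive_order(raw_events):
    """Source order obtained by parsing timestamps but ignoring zone and skew."""
    rows = [(datetime.strptime(ts, SOURCES[src]["fmt"]), src) for src, ts, _ in raw_events]
    return [src for _, src in sorted(rows)]


if __name__ == "__main__":
    for utc_iso, src, msg in normalize_timeline(RAW_EVENTS):
        print(f"{utc_iso}  {src:8}  {msg}")
    print("order without zone/skew correction:", naive_order(RAW_EVENTS))
```

Read naively, the domain controller and NAS events appear to precede the VPN login by a day; once the UTC-6 offset and the NAS clock skew are applied, the VPN session comes first, the logon second and the share mount third, which is the sequence an investigator would actually need to explain.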

6.4.1.9 Cloud-Based Evidence

Cloud-based evidence can include any artifacts stored within a cloud service or application—for example, email, file metadata, backup systems, applications, or any other service that utilizes cloud-based infrastructure. Quite often in cyber extortion cases, cloud-based evidence is intact and reliable even when the local environment has been totally destroyed. While adversaries may attempt to encrypt or erase data within cloud environments in addition to the local network, this is a newer trend and typically requires extra effort. In the meantime, responders may be able to trace the initial point of entry back to a phishing email stored in the cloud or gain valuable insights by analyzing artifacts from cloud backup solutions. Responders can use cloud-based evidence to reconstruct the attack timeline and understand the full scope of the compromise.

How to Get It

Certain cloud-based applications have a built-in legal hold function. When this is available, responders may wish to immediately activate it to prevent evidence destruction.

Responders should export cloud-based evidence to a secure source for preservation and analysis. Be sure to quickly secure cloud repositories that may contain evidence (for example, by changing passwords), so that the adversary cannot modify evidence after the fact. Also, responders should avoid exporting cloud evidence to a host that is connected to the infected network. Often, retention times for cloud evidence can range anywhere from days to years, so local evidence preservation may take priority.

6.4.2 Order of Volatility

Evidence should be preserved quickly and methodically to minimize accidental loss and avoid potential contamination from active malware. Unfortunately, in the midst of a cyber extortion incident, particularly one involving ransomware detonation, access to evidence can be very unpredictable.

Volatility refers to the lifespan of digital evidence. Some types of evidence are naturally short-lived, or more “volatile,” and need to be prioritized for collection over items that can safely be left for a period without the risk of data or information loss.

The order of volatility refers to the timing of evidence preservation. Responders should collect the most volatile evidence first, and work their way down to the least volatile, to maximize the success of evidence preservation efforts. A general order of volatility for digital evidence sources is as follows (in order from most to least volatile):

  • Volatile artifacts: CPU cache, RAM, active network connections, and other sources of data that typically change quickly or may be lost if power is removed from a device.

  • Nonvolatile artifacts: Hard drive images, local application logs, and other sources of evidence that will persist through a power cycle but may be overwritten during normal system operations.

  • Cloud-based evidence: Artifacts contained within cloud infrastructure, services, or applications. (Note that this may vary greatly depending on the system and type of evidence.)

  • Centralized security artifacts: Evidence contained on the hard drive of a central syslog server or SIEM.

  • Offline physical storage: Secure, nonwritable storage devices or locations including offline backups, tape storage, and external media.

  • Archive media: Data written to CDs/DVDs, paper media, and archived physical storage.

6.4.3 Third-Party Evidence Preservation

In some cases, evidence may be stored by third parties in a manner that is not directly accessible to the victim. This frequently occurs when data is hosted by cloud providers, but it can also occur with other third parties such as managed service providers and affiliates, particularly when the adversary gained access by leveraging one of these organizations.

When investigating a case that involves a third-party provider, ask legal counsel to compose letters of preservation and send them to the affected organization. A letter of preservation notifies the receiving party that they are to preserve any and all evidence related to the matter. If possible, the letter should outline specific types of evidence to be preserved.

Note that a letter of preservation does not require the third-party provider to actually produce the evidence; it merely notifies them of potential impending litigation and requests preservation. You may need to engage the services of an attorney and file a subpoena to actually require the third party to produce the evidence, unless a relevant law or contract in place requires it.

6.4.4 Storing Preserved Evidence

Once evidence has been preserved, it must be protected. Original copies should be put on removable media (such as hard drives or portable USB drives) and stored in a secure, fireproof location like a safe or safe deposit box.

Going forward, investigation should never take place using the original preserved evidence. Instead, the investigator should use a copy, while the original remains securely stored. In most situations, the copy used for investigation should be a forensic image. However, for log files, a simple copy is sufficient.
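A hash manifest written at preservation time is what lets a responder prove, later, that the working copy used for analysis still matches the original that was locked away. The following is an added example, not code from the book: it hashes every file under a preserved evidence directory into a JSON manifest that also records who collected it and when, then verifies a working copy against that manifest and reports missing, altered or unexpected files. The `demo()` function builds a constructed evidence set in temporary directories, takes a copy, confirms it is clean, then alters one log in the copy to show the check catching it. Directory names and file contents are invented for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file so large forensic images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Hash every file under the preserved evidence directory, with collection metadata."""
    files = {}
    for dirpath, _, names in os.walk(evidence_dir):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_copy(copy_dir, manifest):
    """Compare a working copy against the manifest; return a sorted list of problems."""
    problems = []
    expected = manifest["files"]
    for rel, info in expected.items():
        path = os.path.join(copy_dir, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != info["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    for dirpath, _, names in os.walk(copy_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), copy_dir).replace(os.sep, "/")
            if rel not in expected:
                problems.append(f"unexpected file: {rel}")
    return sorted(problems)


def demo():
    """Constructed walkthrough: preserve, manifest, copy, verify, then detect tampering."""
    original = tempfile.mkdtemp(prefix="evidence_orig_")
    os.makedirs(os.path.join(original, "logs"))
    with open(os.path.join(original, "logs", "firewall.log"), "w") as fh:
        fh.write("2023-03-01T02:14:05Z allow 203.0.113.7 -> 10.0.0.5:443\n")  # constructed line
    with open(os.path.join(original, "ransom_note.txt"), "w") as fh:
        fh.write("constructed placeholder note\n")

    manifest = build_manifest(original, collector="analyst-1")
    work = tempfile.mkdtemp(prefix="evidence_work_")
    with open(os.path.join(work, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)  # store the manifest with the original media

    copy = os.path.join(work, "copy")
    shutil.copytree(original, copy)       # the analyst works on this, never on 'original'
    clean = verify_copy(copy, manifest)

    with open(os.path.join(copy, "logs", "firewall.log"), "a") as fh:
        fh.write("x")                     # simulate an accidental edit to the working copy
    tampered = verify_copy(copy, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The same manifest works for a forensic image: hash the image file at acquisition, write the digest into the manifest, and re-run `verify_copy()` on the analysis copy before each use, so any later question about whether the evidence was altered can be answered with the recorded hash rather than with memory.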

6.5 Conclusion

In this chapter, we discussed the purpose, strategy, and importance of an investigation after a cyber extortion incident. We also covered three types of investigations—adversary research, scoping the incident, and data breach investigation—and outlined expected outcomes for each.

In the next chapter, we will delve into techniques for negotiating with the adversary.

6.6 Your Turn!

Every cyber extortion incident is unique. The response team’s options and priorities will vary depending on the victim organization’s industry, size, and location, as well as the details of the incident itself.

Based on what you learned in this chapter, let’s think through key elements of the investigation.

Step 1: Build Your Victim

Choose one characteristic from each of the three columns to describe your victim’s organization:

Industry                        Size        Location
Hospital                        Large       Global
Financial institution           Midsized    United States
Manufacturer                    Small       European Union
Law firm                                    Australia
University                                  India
Cloud service provider                      Country/location of your choice
Organization of your choice

Step 2: Choose Your Incident Scenario

Select from one of the following incident scenarios:

A

Ransomware strikes! All of the victim’s files have been locked up, including central data repositories, servers, and workstations.

B

A well-known cyber extortion gang claims to have stolen all of the victim’s most sensitive data and threatens to release it unless the victim pays a very large ransom demand. The gang posts the victim’s name on their dark web leaks site, along with samples of supposedly stolen data.

C

Double extortion! Both A and B occur at the same time.

D

The victim is hit with a denial-of-service attack on its Internet-facing infrastructure that slows its access and services to a crawl. The adversary threatens to continue and even escalate the attack unless a ransom is paid.

Step 3: Discussion Time

The incident response team is ready to conduct their investigation. Given what you know of the victim and the scenario, answer the following questions:

  1. Name two benefits of investigating a cyber extortion incident.

  2. The victim’s leadership is considering skipping evidence preservation to speed recovery. Do you think this is a reasonable idea? Describe the tradeoffs and your recommendation. Make sure to support your conclusions.

  3. Which type of information can you expect to find when conducting adversary research? Are you likely to identify the person responsible for the attack?

  4. Name three sources of evidence that may be useful in fully understanding this incident.

  5. What obstacles might the victim face when attempting to preserve evidence held by a third party?
