The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime

by Jon DiMaggio

Paperback

$39.99 


Overview

A practical guide to understanding and analyzing cyber attacks by advanced attackers, such as nation states.

Cyber attacks are no longer the domain of petty criminals. Today, companies find themselves targeted by sophisticated nation-state attackers armed with the resources to craft scarily effective campaigns. This book is a detailed guide to understanding the major players in these cyber wars, the techniques they use, and the process of analyzing their advanced attacks. Whether you’re an individual researcher or part of a team within a Security Operations Center (SOC), you’ll learn to approach, track, and attribute attacks to these advanced actors.

The first part of the book is an overview of actual cyber attacks conducted by nation-state actors and other advanced organizations. It explores the geopolitical context in which the attacks took place, the patterns found in the attackers’ techniques, and the supporting evidence analysts used to attribute such attacks. Dive into the mechanisms of:
  • North Korea’s series of cyber attacks against financial institutions, which resulted in billions of dollars stolen
  • The world of targeted ransomware attacks, which have leveraged nation-state tactics to cripple entire corporate enterprises with ransomware
  • Recent cyber attacks aimed at disrupting or influencing national elections globally

The book’s second part walks through how defenders can track and attribute future attacks. You’ll be provided with the tools, methods, and analytical guidance required to dissect and research each stage of an attack campaign. Here, Jon DiMaggio demonstrates some of the real techniques he has employed to uncover crucial information about the 2021 Colonial Pipeline attacks, among many other advanced threats. He now offers his experience to train the next generation of expert analysts.

    Product Details

    ISBN-13: 9781718502147
    Publisher: No Starch Press
    Publication date: 04/26/2022
    Pages: 272
    Sales rank: 164,376
    Product dimensions: 6.90(w) x 9.20(h) x 0.80(d)

    About the Author

    Jon DiMaggio is the chief security strategist at Analyst1 and has over 15 years of experience hunting, researching, and writing about advanced cyber threats. As a specialist in enterprise ransomware attacks and nation-state intrusions, including the world’s first ransomware cartel and the infamous Black Vine cyberespionage group, he has exposed the criminal organizations behind major ransomware attacks, aided law enforcement agencies in federal indictments of nation-state attacks, and discussed his work with The New York Times, Bloomberg, Fox, CNN, Reuters, and Wired. You can find Jon speaking about his research at conferences such as RSA and Black Hat.

    Table of Contents

    Acknowledgments xiii

    Introduction xv

    Who Should Read This Book? xviii

    How This Book Is Organized xviii

    Part I An Advanced Cyber-Threat Landscape 1

    Chapter 1 Nation-State Attacks 3

    China 4

    Titan Rain 5

    Hidden Lynx Espionage Campaigns 5

    Mandiant's APT1 Report 6

    The U.S. and China Cease-Fire of 2015 7

    Russia 8

    Moonlight Maze 10

    The Estonia Conflict 12

    The Georgia Conflict 13

    Buckshot Yankee 13

    Red October 14

    Iran 16

    The Early Years 16

    The 2011 Gmail Breach 18

    Shamoon 20

    United States 22

    Crypto AG 22

    Stuxnet 24

    Equation Group 27

    Regin 30

    North Korea 32

    Unit 121 33

    Cyberattacks 33

    Conclusion 34

    Chapter 2 State-Sponsored Financial Attacks 35

    Distributed DoS Attacks Against Financial Institutions 36

    The Dozer Attack 37

    Ten Days of Rain 38

    IRGC Targets U.S. Banks (2011-2013) 39

    DarkSeoul 41

    Russian Attacks Against Ukraine 43

    Billion-Dollar Robberies 44

    SWIFT Attacks 44

    The North Korea Financial Theft Model 45

    Bank of Bangladesh Response 51

    FASTCash: A Global ATM Robbery 52

    Odinaff: How Cybercriminals Learn from Nation-States 54

    Conclusion 57

    Chapter 3 Human-Driven Ransomware 59

    GoGalocker 61

    SamSam 67

    Ryuk 69

    MegaCortex 70

    EvilCorp 70

    BitPaymer 71

    Indictment 72

    WastedLocker 73

    Linking These Ransomware Attacks 75

    Ransomware as a Service 80

    The DarkSide Gas Pipeline Attack 81

    Defensive Measures 82

    Conclusion 84

    Chapter 4 Election Hacking 87

    The 2014 Ukraine Presidential Election 88

    The Ukrainian Election Attack Model 91

    Fake Personas 91

    Propaganda Campaign 92

    DDoS and Data Theft 92

    Manipulation and Public Release of Stolen Political Data 93

    Malware and Fraudulent Election Data 93

    The 2016 U.S. Presidential Election 93

    The 2017 French Presidential Election 101

    Conclusion 104

    Part II Hunting and Analyzing Advanced Cyber Threats 107

    Chapter 5 Adversaries and Attribution 109

    Threat Group Classification 110

    Hacktivism 110

    Cybercrime 111

    Cyber Espionage 114

    Unknown 116

    Attribution 116

    Attribution Confidence 118

    The Attribution Process 119

    Identifying Tactics, Techniques, and Procedures 122

    Conducting Time-Zone Analysis 123

    Attribution Mistakes 126

    Don't Identify Attacker Infrastructure Based on DDNS 127

    Don't Assume Domains Hosted on the Same IP Address Belong to the Same Attacker 127

    Don't Use Domains Registered by Brokers in Attribution 129

    Don't Attribute Based on Publicly Available Hacktools 130

    Attribution Tips 131

    Building Threat Profiles 132

    Conclusion 134

    Chapter 6 Malware Distribution and Communication 135

    Detecting Spear Phishing 136

    Basic Address Information 137

    The X-Mailer Field 140

    The Message-ID 141

    Other Useful Fields 142

    Analyzing Malicious or Compromised Sites 143

    Detecting Covert Communications 146

    Shamoon's Alternative Data Stream (ADS) Abuse 146

    Bachosens's Protocol Misuse 147

    Analyzing Malware Code Reuse 151

    WannaCry 151

    The Elderwood Zero-Day Distribution Framework 153

    Conclusion 157

    Chapter 7 Open Source Threat Hunting 159

    Using OSINT Tools 160

    Protecting Yourself with OPSEC 160

    Legal Concerns 161

    Infrastructure Enumeration Tools 161

    Farsight DNSDB 162

    PassiveTotal 162

    DomainTools 162

    Whoisology 162

    DNSmap 163

    Malware Analysis Tools 163

    VirusTotal 163

    Hybrid Analysis 164

    Joe Sandbox 165

    Hatching Triage 166

    Cuckoo Sandbox 166

    Search Engines 167

    Crafting Queries 168

    Searching for Code Samples on NerdyData 169

    TweetDeck 170

    Browsing the Dark Web 170

    VPN Software 171

    Investigation Tracking 172

    ThreatNote 172

    MISP 173

    Analyst 1 174

    DEVONthink 175

    Analyzing Network Communications with Wireshark 176

    Using Recon Frameworks 177

    Recon-ng 177

    TheHarvester 178

    SpiderFoot 178

    Maltego 179

    Conclusion 179

    Chapter 8 Analyzing a Real-World Threat 181

    The Background 181

    Email Analysis 182

    Header Analysis 182

    Email Body Analysis 185

    OSINT Research 186

    Lure Document Analysis 190

    Identifying the Command-and-Control Infrastructure 192

    Identifying Any Altered Files 192

    Analysis of Dropped Files 194

    Analysis of dw20.t 194

    Analysis of netidt.dll 195

    Signature Detection Clues 196

    Infrastructure Research 199

    Finding Additional Domains 200

    Passive DNS 201

    Visualizing Indicators of Compromise Relationships 205

    Findings 206

    Creating a Threat Profile 207

    Conclusion 210

    A Threat Profile Questions 213

    B Threat Profile Template Example 217

    Endnotes 219

    Index 243
