Deriving Intel From Open Reporting

There’s a good bit of open reporting available online these days, including (but not limited to) the annual reports that tend to be published around this time of year. All of this open reporting amounts to a veritable treasure trove of information that, either directly or indirectly, can be leveraged by SOC and DFIR analysts, as well as detection engineers, to extend protections and to improve detection and response capabilities.

Sometimes, open reporting will reference incident response activities, and then focus solely on malware reverse engineering. In these cases, information about what would be observed on the endpoint needs to be discerned through indirect means. However, other open reporting, particularly what’s available from TheDFIRReport, is much more comprehensive and provides much clearer information regarding the impact of the incident and the threat actor’s activities on the endpoint, making it much easier for SOC and DFIR analysts to pursue investigations.

Let’s take a look at some of what’s shared in a recent write-up of a ransomware incident that started with a “malicious” ISO file. Right away, we get the initial access vector from the title of the write-up! 

Before we jump in, though, we’re not going to run through the entire article; the folks at TheDFIRReport have done a fantastic job of documenting what they saw six ways to Sunday, and there’s really no need to run through everything in the article! Al


This article has been indexed from Windows Incident Response