We have covered the main aspects of the threat management cycle, in terms of the endpoint and server contexts, in our last few posts. Now let’s apply these concepts to a scenario to see how it plays out. In this scenario you work for a high-tech company which provides classified technology to a number of governments, and has a lot of valuable intellectual property. You know you are targeted by state-sponsored adversaries for the classified information and intellectual property on your networks. So you have plenty of senior management support and significant resources to invest in dealing with advanced threats.

You bought into reimagined threat management, and have deployed a combination of controls on your endpoints and servers. These include advanced heuristics on valuable endpoints, application control on servers with access to key intellectual property stores, and broad deployment of device activity monitoring technology – all because you know it is a matter of when rather than if you will be compromised. You supplement endpoint and server protections with network-based malware detection and full packet capture.

So resources are not an issue and you have controls in place to deal with advanced adversaries. Of course that and $4 will get you a coffee, so you need to build these controls into a strong process to ensure you can react faster and better to the attacks you know are coming. But not every organization can make such extensive investments, so you may not have the full complement of controls at your disposal.

The Attack: Take 1

This attack starts as many do, with an adversary sending a phishing email with a malicious MS Office attachment to an employee in the finance department. The employee’s device has an agent that uses advanced heuristics, which identifies the malicious behavior when the file attempts to turn off the traditional AV product and install what looks like a dropper on the device. The agent runs at the kernel level so it manages to block the attack and administrators alerted, and no harm is done… this time.

These are the kinds of quick wins you are looking for, and even with proper security awareness training, employees are still very likely to be duped by advanced attackers. So additional layers of defense, beyond the traditional endpoint protection suite, are critical.

The Attack: Take 2

The advanced adversary is not going to give up after their blocked initial foray. This time they target the administrative assistant of the CEO. They pull out a big gun, and use a true 0-day to exploit an unknown flaw in the operating system to compromise the device. They deliver the exploit via another phishing email and get the admin to click on the link to a dedicated server never used for anything else. A drive-by download exploits the OS using the 0-day, and from there they escalate privileges on the admin’s device, steal credentials (including the CEO’s logins) and begin reconnaissance within the organization to find the data they were tasked to steal.

As the adversary is moving laterally throughout the organization they compromise additional devices and get closer to their goal, a CAD system with schematics and reports on classified technology. As mentioned above, your organization deployed network-based malware detection to look for callbacks, and since a number of devices have used similar patterns of DNS searches (which seem to be driven by a domain-generating algorithm), alarms go off regarding a possible compromise.

While you are undertaking the initial validation and triage of this potential attack, the adversaries have found the CAD system and are attempting to penetrate the server and steal the data. But the server has application controls, and will not run any unauthorized executables. So the attack is blocked and the security team is alerted to a bunch of unauthorized activity on that server. This is another quick win – attackers found their target but can’t get the data they want directly.

Between the endpoint compromise calling back to the botnet, and attempts on the server, you have definitive proof of an adversary in your midst. At this point the incident response process kicks in.

Respond and Contain

As we described in our incident response fundamentals series, you start the response process after confirming the attack by escalating the incident based on what’s at risk and the likelihood of data loss. Then you size up the incident by determining the scope of the attack, the attacker’s tactics, and who the attacker is, to get a feel for intent. With that information you can decide what kind of response you need to undertake, and its urgency.

Your next step is to contain the attack and make sure you have the potential damage under control. This can take a variety of forms, but normally it involves quarantining the affected device (endpoint or server) and starting the forensics investigation. But in this scenario – working with senior management, general counsel, and external forensic investigators – the decision has been made to leave the compromised devices on the network. You might do this for a couple reasons:

  1. You don’t want to tip off the adversary that you know they are there. If they know they have been detected they may burrow in deeper, hiding in nooks and crannies and making it much harder to really get rid of them.
  2. Given an advanced attacker is targeting your environment, you can gather a bunch of intelligence about their tactics and techniques by watching them in action. Obviously you start by making sure the affected devices can’t get to sensitive information, but this gives you an opportunity to get to know the adversary.

A key part of this watching and waiting approach is continuing to collect detailed telemetry from the devices, and starting to capture full network traffic to and from affected devices. This provides a full picture of exactly what the adversary is doing (if anything) on the devices.


The good news is that the investigation team has access to extensive telemetry from device activity monitoring and network packet capture. Analyzing the first compromised device (the administrator’s system) shows the kind of malware used, and then the organization can more definitively identify the adversary by working with a threat intelligence service. Knowing the adversary gives your team a good idea of what is targeted and that specific adversary’s typical tactics. This will be critical post-recovery. If you are counting quick wins you can put another point on the board – comprehensive data makes it much easier for investigators to identify root cause and ultimately plan remediation and clean-up.

Given the adversary’s sophistication, the incident response team does a similar analysis on all the other devices performing callbacks to the botnet, to understand the attack timeline. Knowing what was attacked when helps you track proliferation and understand where controls failed. This is also critical during the post-mortem analysis.

This analysis shows similar malware to the initial attack on the CEO’s admin. Not wanting to take any chances, the team searches the entire organization for similar indicators – scrutinizing device activity monitoring data, SIEM and event logs, and the configuration management system. You will also want to consult network-based malware detection devices and the threat intelligence service to make sure you are looking at any additional touch points to track the attackers. This analysis helps the team find another 4 compromised devices currently dormant to maintain presence in the organization, even after initial discovery. This is another quick win – if you hadn’t identified the additional devices, you would have failed to fully eject the adversary.

At this point the investigation team puts together its plan to remediate the environment. They decide to take a big bang approach and reimage all the affected devices. They don’t want to take a chance that the adversary found alternative paths into your network to maintain presence. So within a 15-minute period, while all the infected devices are pulled off the network and reimaged, the network team also blocks IPs associated with the adversary and increases their monitoring for command and control patterns.


At this point, the security team tends to hand off information to Operations to execute the cleanup. The most valuable thing you can provide is highly detailed plans and techniques to ensure the adversary is fully removed from your environment. Some operations teams may be a bit resistant to being handed a detailed remediation plan, but if you have done a good job of building bridges with your peers within the organization they will understand that you know more about the adversary than they do, and your plans reflect that deep knowledge.


Once the operations team has executed the big bang remediation and fully removed the attackers, your work is still not done. You need to learn from the situation, tuning your processes and controls to respond more effectively next time. Thanks to quick response and implementation of effective controls, you didn’t lose data. That’s huge, but the adversary will be back, so you need to be ready.

So you undertake a non-judgmental post-mortem to evaluate the investigation, and to determine what went wrong. This evaluation includes active controls and the monitoring environment. What can you do differently now that you know the adversary? Do you need to change your threat management processes or control sets? Now is the time to make those decisions.

Also be sure to look at your response process. What could be done better? What additional tools or automated triggers should come into play? Be brutally honest with your team about what needs to change, and then put a plan in place to implement necessary process changes, new processes, and additional controls.


When dealing with advanced attacks it is critical to appreciate the value of time. So having the data is critical. Once the data is lost you cannot get it back, and you cannot use it to investigate any attacks. Time is money to every organization – the sooner you can identify root cause, investigate the attack, contain the damage, eradicate the adversary from your environment, and then implement controls to keep them out – the better.

You can achieve this goal by implementing a broader threat management process and making a commitment – not just to new and shiny preventative technologies, but also to bolstering your ability to detect and investigate attacks. Yet you still need to deal with the reality of compliance mandates for traditional endpoint protection technologies – even though they won’t help against advanced attackers. You have to balance your need to maintain existing controls against deploying new technologies much better suited to today’s adversaries.