AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Day 5 – Excerpt from Chapter 5 – “Intrusion Lifecycles”

Day 5 – Excerpt from my newly released book, “Diving In – An Incident Responder’s Journey: A Guide for Executives, Lawyers, Insurance, Brokers & Audiences Eager to Learn”. You can purchase your copy here: https://www.amazon.com/Diving-Responders-Executives-Insurance-Audiences/dp/B0CCCHTN8R

“Nearly all intrusions involve some type of scouting stage, although attackers may not have specific targets in mind when they start. This is the stage where the attacker may collect information about a victim through the review or scanning of external-facing infrastructure, email account passwords, social media profiles, previously dumped passwords of employees, or any other resources they can find or purchase. Their techniques may be automated through scanning, undertaken manually through collections, or purchased through dark net or deep web marketplaces. This stage may also be more passive and involve paid search result ad-positioning, as covered in Chapter 9 discussing BlackCat’s techniques, and related watering-hole attacks as discussed throughout this book, including Turla in Chapter 6.

Rather than targeting specific companies, a threat actor will often have an exploit they can leverage and will scan the internet for organizations and their internet-accessible environments which could be vulnerable and responsive to that exploit — this tactic was pushed to the top of national headlines in May and June 2023 when the threat actor group Clop leveraged zero-day attacks against MOVEit File Transfer Appliances (FTA). From there, they can automate what is identified in The Kroll Intrusion Lifecycle™ as the initial chain for moving from External Victim Scouting to Initial Exploit/Actor Foothold and seeing which organizations they are able to compromise for a further attack. The actor has identified the proverbial house to target, gained intelligence about the house from what they can ‘see’ at a distance, and is now preparing to act.”