-
Featured services
-
Services
View all services and productsLeverage our capabilities to accelerate your business transformation.
-
Services
Network as a Service
Popular Products
-
Private 5G
Our turnkey private 5G network enables custom-built solutions that are designed around unique use cases and strategies, and deployed, run and optimized through a full network-as-a-service model.
-
Managed Campus Networks
Our Managed Campus Networks services transform campus networks, corporate area networks and interconnected local area networks, and connect smart places and industries.
-
-
Services
Cloud Services
Popular Products
-
Cloud Migration and Transformation Services
Access the people, processes and technologies you need to deliver cloud migration projects that improve your return on investments.
-
Site Reliability Engineering Services
Get the most from your cloud investments when you harness our Site Reliability Engineering Services to support app development and lifecycle management.
-
-
Services
Edge as a Service
Client stories
-
Penske Entertainment and the NTT INDYCAR SERIES
Together with Penske Entertainment, we’re delivering digital innovations for their businesses – including INDYCAR, the sanctioning body of the NTT INDYCAR SERIES – and venues such as the iconic Indianapolis Motor Speedway, home to the Indianapolis 500.
-
Using private wireless networks to power IoT environments with Schneider Electric
Our combined capabilities enable a secure, end-to-end digital on-premises platform that supports different industries with the benefits of private 5G.
-
-
Services
Technology Solutions
Client stories
-
Services
Global Data Centers
-
Services
Digital Collaboration and CX
-
-
-
Insights
Recent Insights
-
The Future of Networking in 2025 and Beyond
-
Using the cloud to cut costs needs the right approach
When organizations focus on transformation, a move to the cloud can deliver cost savings – but they often need expert advice to help them along their journey
-
Make zero trust security work for your organization
Make zero trust security work for your organization across hybrid work environments.
-
-
-
-
-
Discover how we accelerate your business transformation
-
About us
CLIENT STORIES
-
Liantis
Over time, Liantis – an established HR company in Belgium – had built up data islands and isolated solutions as part of their legacy system.
-
Randstad
We ensured that Randstad’s migration to Genesys Cloud CX had no impact on availability, ensuring an exceptional user experience for clients and talent.
-
-
CLIENT STORIES
-
Liantis
Over time, Liantis – an established HR company in Belgium – had built up data islands and isolated solutions as part of their legacy system.
-
Randstad
We ensured that Randstad’s migration to Genesys Cloud CX had no impact on availability, ensuring an exceptional user experience for clients and talent.
-
-
CLIENT STORIES
-
Liantis
Over time, Liantis – an established HR company in Belgium – had built up data islands and isolated solutions as part of their legacy system.
-
Randstad
We ensured that Randstad’s migration to Genesys Cloud CX had no impact on availability, ensuring an exceptional user experience for clients and talent.
-
-
- Careers
Topics in this article
The 60s musical group, The Beatles, produced a song representing the request of today’s organizations that are victims of ransomware, cryptomining, china chopper, web shells and other complex malicious attacks. The song’s initial lyrics are as follows (Table 1):
Help, I need somebody
Help, not just anybody
Help, you know I need someone, help
When I was younger, so much younger than today
I never needed anybody's help in any way
But now these days are gone, I'm not so self-assured
Now I find I've changed my mind and opened up the doors
Help me if you can, I'm feeling down
And I do appreciate you being round
Help me get my feet back on the ground
Won't you please, please help me
Table 1. Beatles. Lyrics to “Help!,” Album - Help!, 1965
Like the song, many organizations request incident response help and can’t rely only on internal IT teams because today’s malicious attacks are more sophisticated and harder to discover. In addition, like snowflakes, no two cyberattacks are alike because no two organizations are identical, and the attacker’s techniques are constantly evolving. So, I use my cyber-incident response investigation framework that encompasses three cyberattack dimensions: Stage, Temporal and Spatial.
The Lockheed Cyber Kill Chain - the Stage dimension - is used to identify the stages of a cyberattack which are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives.
The Temporal (Time) dimension is used since cyberattacks require me to review forensics artefacts left-behind on systems (Figure 1) before, during and after a cyberattack. In most cases, both Stage and Temporal based dimensional cyberattacks occur simultaneously which complicates the cyber investigation.
Figure 1. Multiple Dimension Cyberattack
Spatial, the third dimension, is the reason many organizations are requesting assistance, because this entails breadth (lateral) and in-depth movements. Spatial cyberattacks can span across multiple systems: domain controllers, application servers, file servers and end-user workstations. In addition, Spatial dimension cyberattacks entrench themselves within a single system. While in-depth movements encompass multiple components of a system, this blog post focuses on my investigative technique associated with two key file system components: files and folders.
Cyberattack investigations that include files and folders require me to visualize the cyberattack through the lenses of a multi-eye insect: a spider (Figure 2). And like each eye of the spider, which performs a specific function, I examine files and folders residing on systems using six different lenses. The six lenses are:
Figure 2. Multiple eyed spider
- I determine what files and folders are legitimately on the system. This is known as the What should be there review. I perform this review via visual inspections, files and folder positive hashing, organization gold disk image comparisons or using the NIST National Software Reference Library (NDSL).
- The Left behind review, basically What files are there that should not be there. I focus on the presence of malicious files and their purpose in accordance with the Lockheed Cyber Kill Chain. It’s a negative complement to the first lens. I perform the review via visual inspections, files and folder negative hashing and antivirus scans.
- The What should never be there review, basically What is not there, but the attacker need it there. I focus on the baseline of the system and note the absence of malicious files to determine the next steps of the cyberattack, if any, within the Lockheed Cyber Kill Chain. I perform this review based on my experience, threat-hunting models, and Global Threat Intelligence Center (GTIC) threat alerts.
- The What is missing review, basically What is not there but should be there (deleted), attackers will use anti-forensics techniques to evade discovery of deleted artifacts which can provide insight into the attacker’s motives for compromising a system. I use forensics recovery tools to identify artifacts deleted by the attacker and the results from the previous three lenses.
Note: The absence of evidence is as important as the presence of evidence. This is analogous to the missing vase on a mantle, but you can see a dust silhouette.
- The What files have been moved, but are still there review, attackers will move files to a different location for various reasons: to modify files based on permissions or to alter the file path for execution. I review the operating rules for file path execution and perform visual inspections of access rights and permissions for common file and folder locations.
- The What files are there, but have been changed (altered) review. Attackers will use this technique to hide file changes in plain sight. This lens is the most difficult to perform because attackers employ various file hide and modification techniques to evade detection. Therefore, I do not rely on files names, file extensions, file signatures or internal program coding for file validation. I use trust-but-verify techniques to perform file analysis: positive hashing, fuzzy hashing, Alternate Data Stream analysis, steganography analysis, dynamic analysis and reverse engineering.
In conclusion, like the Beatles song, organizations are requesting incident response help because cyberattacks transverse multiple cyberattack dimensions: Stage, Temporal and Spatial.
The Spatial dimension generates the largest organizational outcry because of the business impact of lateral and in-depth movements. For Spatial dimension cyberattacks, I use my spider eyes to assist me during complex cyberattack investigations. The review of files and folders are critical in any cyberattack investigation and may reveal the Who, What, When, Where, Why and How of a complex malicious attack.
The ability to apply the six lenses and the extrapolation from each lens is paramount for any investigation. Regardless of the file type or location, you must identify, analyse, and draw conclusions using the artifacts present or missing on a system to investigate today’s cyberattacks.
