A practical guide to understanding and analyzing cyber attacks by advanced attackers, such as nation states.
Cyber attacks are no longer the domain of petty criminals. Today, companies find themselves targeted by sophisticated nation state attackers armed with the resources to craft scarily effective campaigns. This book is a detailed guide to understanding the major players in these cyber wars, the techniques they use, and the process of analyzing their advanced attacks. Whether you’re an individual researcher or part of a team within a Security Operations Center (SOC), you’ll learn to approach, track, and attribute attacks to these advanced actors.
The first part of the book is an overview of actual cyber attacks conducted by nation-state actors and other advanced organizations. It explores the geopolitical context in which the attacks took place, the patterns found in the attackers’ techniques, and the supporting evidence analysts used to attribute such attacks. Dive into the mechanisms
The book’s second part walks through how defenders can track and attribute future attacks. You’ll be provided with the tools, methods, and analytical guidance required to dissect and research each stage of an attack campaign. Here, Jon DiMaggio demonstrates some of the real techniques he has employed to uncover crucial information about the 2021 Colonial Pipeline attacks, among many other advanced threats. He now offers his experience to train the next generation of expert analysts.
Readable intro to cyber threat intelligence and threat hunting. The title and approach of the book are reminiscent of the classic “The Art of War”, as the first part is on knowing your enemy (threat actors) and the second part is about knowing your tradecraft (hunting tools and tactics). Not for everyone but a nice recap for folks in the field.
A good introductory treatment to the subject; if you’ve been working on the blue side of the house for a while, it’s likely not going to be earth shattering. If you’re coming from the red side of the house or are new to the blue side, this is a good introduction to some IR, TI, and TH activities. For me, this was mostly known materials, but for my son it’s been a great set of lessons.
Not a book for everyone, but if you have a technical bent and a love of cybersecurity and computers, then this is a book you should read. Fascinating tales of how things are going in the world of cybersecurity. Some are more than a bit scary, but they are based on actual events and the planning on how to do bad things to enemies while preventing them from being done to you.
Cyberwarfare is a complex topic to define. It's a relatively new concept, and there are many ways to refer to it. Cyberwar, cyber war, cyber warfare, cyberwarfare, and more. Irrespective of how one wants to spell or define it, the reality is that it is upon us. And it behooves every organization and nation to have a plan to deal with it. If not, the only alternative is that they will be a victim.
In The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime (No Starch Press), author Jon DiMaggio has written an interesting book that provides an overview of the new world order of cyberwarfare.
One of the earliest viruses was Yankee Doodle in 1989, which was limited to playing the song Yankee Doodle daily at 5:00 PM. Thirty-three years later, the scene is radically different. Countries such as North Korea, China, and others use cyberwarfare technologies to launch attacks against their enemy's technology systems, steal massive amounts of money from these enemies, and more.
The first half of the book details the overall issue and many examples of nation-state attacks and state-sponsored financial attacks. In many organizations, management is still in denial and thinks that no nation-state would be interested in attacking them. The first four chapters provide plenty of fodder for the security management to present to senior management and the board to help them understand the scope of these massive security issues.
The book spends time detailing the threat from North Korea. While North Korea, more correctly the Democratic People's Republic of Korea (DPRK), may find most of its 26 million citizens living in poverty, hunger, and without electricity, the country is a significant digital threat to the West. DiMaggio writes that the DPRK is a patient attacker that spends considerable amounts of time within the target's environment before executing the financial theft phase of the attack.
In some cases, DPRK attackers spent several months observing and learning their target systems and how they connect and interact with other banking resources. Firms that don't have appropriate defenses against attackers like the DPRK may find themselves on the receiving end of a digital attack.
Part two of the book details threat hunting and analyzing advanced cyber threats. There are many tools that can be used for analysis and attribution. As to attribution, DiMaggio cautions that this is not a trivial endeavor and notes that far too many companies and countries have jumped the gun when it comes to attribution, which they later regretted by blaming the wrong perpetrator.
For those looking for a guide to help them understand the new world of cyber war, The Art of Cyberwarfare provides the reader with a good overview of this expanding threat and what they can do to avoid being a victim.
Instructive guide to nation-state, criminal, and advanced ransomware cyber threat actors. The first half gives an overview and history of advanced cyber ops, and the second half explains how to investigate, analyze, track, and attribute. It includes many real-world examples and tools. Neither half dives very deep.
Notes
Nation-State Attacks
China engages in IP theft and espionage to increase its political standing.
Russia conducts espionage and uses malware, disinformation, and cyber-deflection campaigns to achieve military and political goals. It targets financial institutions for retribution and to cause economic disruption in the targeted nation.
Iran conducts espionage and sabotage to achieve political, religious, and military dominance in the Middle East. It uses cyber ops to track and spy on its citizens. It steals from financial institutions to fund its nuclear program and other functions, as it's sanctioned. It seeks to look powerful and retaliate against alleged ops from the US and its allies. It primarily uses contractors.
North Korea steals from financial institutions to fund its nuclear program and other functions, as it's heavily sanctioned. It's motivated to attack other countries because of sanctions and restrictions imposed on it. It also uses cyber ops to develop military, economic, and intelligence-gathering capabilities. It seeks to look powerful and retaliate against alleged ops from the US and its allies.
Election Hacking
Likely the same nation-state attacker attacked elections in Ukraine in 2014, the US in 2016, and France in 2017.
One government accusing another government of hacking draws attention to the intelligence capabilities of the accusing government, and causes political tensions.
Adversaries and Attribution
Hacktivists
• Often politically or religiously motivated.
• Attacks usually have personal aims.
• Have many followers who can participate in attacks.
• Sophistication varies widely.
• Often use DDoS attacks.
• Commonly try to publicly embarrass target by publicly posting stolen data.
• Often deface websites to embarrass target and spread propaganda.
Cybercrime
• Financially motivated.
• Often target retail and consumer finance industries.
• Often use social engineering to gain initial access.
• Tend to use commodity malware, but may modify it, or purchase or develop custom malware. Malware usually not as advanced as espionage actors'.
• Use malware to steal credentials, demand ransom, compromise retail POS systems.
• Sell services (hacking as a service, malware as a service, IaaS, botnets).
Cyber espionage
• Goal is to steal sensitive info (intellectual property, internal communications, etc.) to gain geopolitical advantage.
• Typically conducted by nation-states.
• Present greatest level of risk because attacks are usually advanced, long-term, persistent, so difficult to defend against.
• Typically better funded than other threat actors.
• Have access to custom, sophisticated malware.
• Able to frequently change or expand cyber infrastructure and tools.
• Often have access to zero-day exploits.
• Frequently recon, then use spear-phishing to deliver malware and access targeted networks.
• Often use watering-hole attacks.
"Dark Web" refers to websites not indexed by most search engines, inaccessible without special encryption applications or protocols. "Darknet" refers to encrypted networks; infrastructure that Dark Web runs on.
If after analysis you're not able to classify threat, analyze activity and identify IoCs to link similar instances. Classify based on behavior and tactics. Cluster those with similar activities and behaviors into buckets for later attribution. Monitor and compare tactics with other activities to identify similarities and link attacks.
Attribution process
1. Gather supporting data: Gather attributable data (relevant data about infrastructure, malware, persona, targeting data). Conduct OSINT to supplement data gathered from attack.
2. Assess: Process and analyze data to assess threats and create visualizations. Track attacker activities and timeframes by analyzing log timestamps. Conduct time-zone analysis (document exact time each event occurred to see when attacker was active, to narrow down their time zone). Analyze malicious binaries for interesting strings (e.g., file paths, aliases, usernames), language settings.
3. Hypothesize: Examine big picture and brainstorm attribution hypotheses.
4. Challenge/defend: All parties involved in attribution meet to debate, evaluate, rank hypotheses from strongest to weakest.
5. Confidence assessment: Conduct confidence assessment of top-ranked hypothesis.
6. Document results: Record attribution assessment and confidence rating in attacker's threat profile. Communicate analysis results.
Don't use same name for malware and group that uses it, as multiple groups can use malware, and groups can change which malware they use.
Time-zone analysis
1. Collect attack activity details from system, network, security device logs. Document exact time each attack event occurred in victim's network (e.g., credential collection, network and vulnerability scanning, CLI or PowerShell use). Record malware compile times.
2. Plot data on graph (times of activity broken out by hour, day, week, month). Overlay graph across time zones hour by hour to find 8-9 hr window of consistent activity that may represent typical workday schedule. Consider work days and holidays in suspected country.
Don’t assume domains hosted on same IP address belong to the same attacker. If an IP address hosts multiple malicious domains simultaneously, and IP address doesn't belong to a web host, that's a stronger link, though still not enough evidence for attribution.
Don’t use domains registered by brokers in attribution. Indicators of brokers: lack of WHOIS privacy, over 50 domains registered, registrant’s physical address is associated with many domains.
Don’t attribute based on publicly available hacking tools, as anyone can use them.
"When in doubt, split it out." If unsure of attribution, don’t attribute, but split out or keep activity separate and track it as independent attacker. With more data over time you can associate or disassociate attribution to another known threat group or create a new one. It’s easier to merge 2 groups later than to break a single group into 2.
Malware Distribution and Communication
Sender’s email address is typically in multiple fields, including From, Sender, X-Sender, Return-Path. If address in these fields varies, email is likely fraudulent.
Originating IP field doesn't help with large hosted email providers like Gmail and Microsoft, but can help for email hosted by organizations. Check WHOIS, do reverse DNS lookup to see domains hosted on IP address.
X-mailer field can be helpful in case sender uses unusual email client.
If multiple emails have same Message-ID, they’re likely forged.
If Message-ID and Reply-To ID are same, the email is fraudulent.
Tracking Date field over time can help attribute region from which emails are being sent.
If domain was registered shortly before start of malicious campaign, it suggests attacker registered domain.
Legitimate websites are often hosted either on web server with many other domains or on corporate infrastructure with domains all associated with same company. Attackers sometimes host only their own domains, not wanting to share IP space with other infrastructure.
If domain was changed from parked to live shortly before start of malicious campaign, it suggests attacker registered domain.
Legitimate and malicious developers frequently reuse code, so malware patterns alone aren't enough evidence for attribution. But if you find advanced but rare or unknown malware, you can have higher confidence.
Open Source Threat Hunting
OPSEC
• Separate system or VM
• Browser with no attributable extensions
• VPN
Infrastructure enumeration tools
• Farsight DNSDB (paid): passive DNS (free to researchers)
• PassiveTotal (free, paid): passive DNS, domain registration records, other infrastructure data
• DomainTools (free, paid): domain registration and IP resolution data
• Whoisology (free, paid): current and historical domain registration records
• DNSmap (free): CLI tool to discover subdomains
Malware analysis tools
• VirusTotal (free, paid): malware repo, historical IP address resolution data, PCAPs.
• Hybrid Analysis (free, paid): malware repo, dynamic analysis.
• Joe Sandbox (free, paid): malware repo, ability to query CLI parameters, static analysis.
• Hatching Triage (free, paid): especially useful for ransomware.
• Cuckoo Sandbox (free): local tool to execute malware in VM, monitor it, and document changes it makes; can decode or decrypt encrypted and encoded binaries.
NerdyData indexes website source code. Search malicious code to see what sites contain it.
deeponionweb.com: info on Dark Web criminal markets.
Investigation tracking
• ThreatNote (free): open source, local TIP; centralized platform to collect and track cyberattack-related content and events; has ability to track threat groups and associated IoCs.
• MISP (free): open source, local TIP.
• Analyst1 (paid): TIP; can ingest threat feeds, reports, and IoCs and use AI to correlate and organize data; can create threat actor profiles.
• DEVONthink (paid): academic research tool to store web pages, emails, documents, attack diagrams, PDFs, notes; allows you to tag, organize, filter data.
Recon frameworks
• Recon-ng (free): identify public-facing infrastructure, existing subdomains, email addresses, protocols and ports in use, technologies and OSs used in target environment.
• TheHarvester (free): gathers info about infrastructure, email, companies.
• SpiderFoot (free, paid): query tool that integrates with other tools such as VirusTotal and Hybrid Analysis; has passive search, IPv6 infrastructure enumeration.
• Maltego (free, paid): visual data analysis tool that integrates with other tools such as VirusTotal.
Analyzing a Real-World Threat
Imphash (import hash): value calculated from all library DLLs used in a PE executable and the import functions the executable uses; can be used to digitally fingerprint executables.
Appendix A: Threat Profile Questions
• Do third-party names exist for group you're profiling? Learn from profiles others have created.
• What type of attacks has group conducted?
• What type of malware does group use? Is it publicly available or custom-developed? If developed by attacker, is it unique to one group or used by several? Is second-stage malware used?
• What is timeline of activity?
• What vulnerabilities (CVEs) does attacker exploit? Are zero-day exploits used? Is zero-day unique to this group or used by several?
• Is digital certificate used to sign malware? Who is signer?
• Is malware found in public malware repos? If so, compare compile time and submission date to timeline of your attack. Do compiled timestamps appear legitimate, or forged?
• Does attacker use encryption keys/passwords in malware?
• Once on a network, what are TTPs used to escalate privileges or conduct lateral movements? What tools does group use to do this? Are they custom developed or publicly available?
• What industries are targeted? Were any targets breached? If you have target list, where did it come from?
• Does group use spear-phishing? If so, what are themes and lures? Do you have any spear-phishing emails for analysis?
• Is there a pattern/relationship to infrastructure used (e.g., IP address or domain email originated from)?
• Did group create spear-phishing sender address or use compromised legitimate account? If sender address is spoofed, is persona related to a real person? Is there relationship/association between spoofed persona and target?
• Does group use domains or IP addresses for C&C infrastructure?
• Does group have way to organize exfiltrated data? Look for campaign codes or identifiers within malware or exfiltrated data. Does attack use subdomains with a theme designed to spoof target or associated industry?
Questions about C&C domains
• Are domains created and registered by attacker, or is legitimate infrastructure compromised and used in attack?
• Are any domains hosted with dynamic DNS services?
• If registered by attacker, does group use adversary-created email address, or privacy protection?
• Are there any other domains registered with same registrant info?
• Does group use subdomains? If so, is there theme/pattern?
• What IP address is hosting domain?
• What other domains are being hosted on same IP address at same time as C&C domain? You may find additional attacker infrastructure.
• Have any of C&C domains been seen in use by other threat groups or malware?
• Is domain hosted on hosting server or on dedicated IP address?
Questions about C&C IP addresses
• Who owns or leases IP address?
• Where is IP address located?
• Are there any domains hosted on IP address?
• Has there been other malicious activity associated with infrastructure?
• If more than one IP address is used, are they related (e.g., same subnet lease owner, same ISP)?
Appendix B: Threat Profile Template Example
1. Overview: Summarize group’s activity. Highlight important info about group. Include date of first activity and any names group is known by.
2. Delivery: Detail attack vectors used by group. Describe any unique attributes used in delivery (e.g., theme to spear-phishing emails, persona group uses).
3. Tools and Malware: Describe tools and malware group uses.
4. Operations: Describe previous operations or campaigns attributed to group. Describe motivation behind attacks. Describe any unique attributes to campaigns (e.g., major change in TTPs or targeting).
5. Targets: Explain primary targets (industries, organizations, individuals, or systems). Describe any relationships between targets (e.g., shared business lines, professional affiliations). Describe any specific geographical region attacker targets.
6. Infrastructure: Document themes in C&C domain names used, patterns in infrastructure used, preferences in ISPs or registrars.
7. Exploits: If attacker has access to zero-day exploits, document when they were first used and vulnerabilities exploited. If they don't use zero-days, describe exploits they use.
8. Attribution Theory: Document attribution theory. Provide high-level details about strong attribution points found during investigation.
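The time-zone analysis steps in the notes above (bucket activity by hour, overlay the histogram across time zones, look for an 8-9 hour weekday window) can be scripted. The following is an added example, not code from the book or from the reviewer; it assumes the victim-side timestamps have already been normalized to UTC, uses a 09:00-18:00 weekday window as the "typical workday", and runs on a constructed event list that is not real incident data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def constructed_events():
    """Constructed attacker-activity timestamps (UTC) of the kind pulled from
    victim logs: credential dumping, scans, PowerShell use. Made up for this
    example; most activity sits at 00:00-08:59 UTC on weekdays."""
    events = []
    monday = datetime(2022, 3, 7, tzinfo=timezone.utc)
    for day in range(7):
        d = monday + timedelta(days=day)
        if d.weekday() >= 5:
            continue  # no activity on Saturday/Sunday
        for hour in range(0, 9):
            events.append(d.replace(hour=hour, minute=15))
    # two out-of-hours stragglers, e.g. a scheduled task firing
    events.append(monday.replace(hour=12, minute=30))
    events.append(monday.replace(hour=22, minute=5))
    return events


def hourly_histogram(events, offset_hours):
    """Events per local hour after shifting UTC by offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(e.astimezone(tz).hour for e in events)


def workday_score(events, offset_hours, start_hour=9, window=9):
    """Fraction of events that land on a weekday inside the local window
    [start_hour, start_hour + window) once UTC is shifted by offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for e in events:
        local = e.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < start_hour + window:
            hits += 1
    return hits / len(events)


def rank_offsets(events, start_hour=9, window=9):
    """Score every whole-hour UTC offset; best first, ties broken towards
    UTC. Half-hour zones (e.g. UTC+5:30) are not covered by this sweep."""
    scored = [(off, workday_score(events, off, start_hour, window))
              for off in range(-12, 15)]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))


def render_histogram(events, offset_hours):
    """Text bar chart of activity by local hour for one candidate offset."""
    hist = hourly_histogram(events, offset_hours)
    return "\n".join(f"UTC{offset_hours:+d} {h:02d}:00 {'#' * hist.get(h, 0)}"
                     for h in range(24))


if __name__ == "__main__":
    ev = constructed_events()
    ranking = rank_offsets(ev)
    for off, score in ranking[:5]:
        print(f"UTC{off:+d}: {score:.2f} of events inside a 09:00-18:00 weekday window")
    print(render_histogram(ev, ranking[0][0]))
```

Neighbouring offsets always score close to the winner, because an activity block that fits a 9-hour window at UTC+9 nearly fits at UTC+8 and UTC+10 as well; the ranking narrows the candidates, and the holiday and work-week checks the notes mention decide between them.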
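The email-header checks in the notes (sender address spread across From, Sender, X-Sender and Return-Path; Message-ID equal to Reply-To; Message-IDs reused across messages; the Date offset tracked over a campaign; X-Mailer and originating IP as pivots) are simple to automate with the standard library. This is an added example, not the book's or the reviewer's code; the two messages are constructed for it, use reserved test/invalid domains and a TEST-NET address, and the "payroll" theme is made up.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed messages. The first carries the inconsistencies the notes
# describe; the second is internally consistent.
SUSPICIOUS_RAW = """\
From: "Payroll" <payroll@example-corp.test>
Sender: bulk@mailer.example.invalid
Return-Path: <bounce@mailer.example.invalid>
Reply-To: <payroll@example-corp.test>
Message-ID: <payroll@example-corp.test>
X-Mailer: ObscureMailer/0.3
X-Originating-IP: [192.0.2.45]
Date: Tue, 08 Mar 2022 02:14:00 +0000
To: victim@example.org
Subject: Updated payslip

Please open the attachment.
"""

CLEAN_RAW = """\
From: "Payroll" <payroll@example-corp.test>
Return-Path: <payroll@example-corp.test>
Message-ID: <20220308.4f2a@example-corp.test>
Date: Tue, 08 Mar 2022 09:14:00 -0500
To: victim@example.org
Subject: Updated payslip

Please open the attachment.
"""

SENDER_HEADERS = ("From", "Sender", "X-Sender", "Return-Path")


def parse(raw):
    return message_from_string(raw)


def bare_address(value):
    """'"Payroll" <a@b.test>' -> 'a@b.test' (lower-cased, '' if absent)."""
    return parseaddr(value or "")[1].lower()


def sender_addresses(msg):
    """Each populated sender-type header mapped to its bare address."""
    return {h: bare_address(msg.get(h)) for h in SENDER_HEADERS if msg.get(h)}


def sender_headers_disagree(msg):
    return len(set(sender_addresses(msg).values())) > 1


def message_id_equals_reply_to(msg):
    mid = (msg.get("Message-ID") or "").strip().strip("<>").lower()
    return bool(mid) and mid == bare_address(msg.get("Reply-To"))


def assess(msg):
    """The per-message fraud indicators from the notes, as findings."""
    findings = []
    if sender_headers_disagree(msg):
        pairs = ", ".join(f"{h}={a}" for h, a in sender_addresses(msg).items())
        findings.append(f"sender headers disagree: {pairs}")
    if message_id_equals_reply_to(msg):
        findings.append("Message-ID is identical to the Reply-To address")
    return findings


def pivots(msg):
    """Headers to pivot on, not verdicts: unusual client, originating IP
    (the latter only useful when the mail is not from a large hosted provider)."""
    return {h: msg[h] for h in ("X-Mailer", "X-Originating-IP") if msg.get(h)}


def duplicate_message_ids(msgs):
    """Message-IDs reused across several messages (likely forged)."""
    counts = Counter((m.get("Message-ID") or "").strip() for m in msgs)
    return {mid for mid, n in counts.items() if mid and n > 1}


def date_utc_offsets(msgs):
    """How often each UTC offset (hours) appears in Date headers; tracked
    over a campaign this hints at the region mails are sent from."""
    offsets = Counter()
    for m in msgs:
        try:
            dt = parsedate_to_datetime(m.get("Date"))
        except (TypeError, ValueError):
            continue  # missing or unparseable Date header
        if dt.tzinfo is not None:
            offsets[dt.utcoffset().total_seconds() / 3600] += 1
    return offsets


if __name__ == "__main__":
    batch = [parse(SUSPICIOUS_RAW), parse(SUSPICIOUS_RAW), parse(CLEAN_RAW)]
    for i, m in enumerate(batch):
        print(i, assess(m) or ["no indicators"], pivots(m))
    print("reused Message-IDs:", duplicate_message_ids(batch))
    print("Date offsets:", dict(date_utc_offsets(batch)))
```

The batch-level functions are deliberately separate from the per-message ones: a reused Message-ID or a consistent Date offset only means something across many messages from the same campaign.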
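The imphash definition in the notes above is worth seeing as an algorithm, since its value comes from what it normalizes (DLL casing and extension) and what it does not (import order). The block below is an added example rather than code from the book or the reviewer: it reimplements the import-string normalization and MD5 step over an already-extracted import list, and the three import tables are constructed, not taken from any real sample. On a real PE file the `pefile` library's `PE(path).get_imphash()` performs the parsing; this example assumes that parsing has already been done.

```python
import hashlib

# Constructed import tables in import-directory order:
# (DLL name, function name or ordinal number). Not from any real binary.
SAMPLE_A = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("WS2_32.dll", 23),          # imported by ordinal
]
SAMPLE_B = [  # same imports; only DLL casing and extension differ
    ("kernel32", "CreateFileA"),
    ("Kernel32.DLL", "WriteFile"),
    ("advapi32.dll", "RegSetValueExA"),
    ("ws2_32.dll", 23),
]
SAMPLE_C = [  # same set of imports in a different order
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("KERNEL32.dll", "WriteFile"),
    ("KERNEL32.dll", "CreateFileA"),
    ("WS2_32.dll", 23),
]


def normalize_dll(name):
    """Lower-case the DLL name and drop a .dll/.ocx/.sys extension, as the
    reference imphash algorithm does."""
    name = name.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in ("dll", "ocx", "sys") else name


def import_strings(imports):
    """'dll.function' strings in import order. Ordinal imports become 'ordN';
    the reference implementation additionally maps ws2_32 and oleaut32
    ordinals back to names via lookup tables, which is omitted here."""
    out = []
    for dll, func in imports:
        func_name = f"ord{func}" if isinstance(func, int) else func.lower()
        out.append(f"{normalize_dll(dll)}.{func_name}")
    return out


def imphash(imports):
    """MD5 over the comma-joined, normalized import strings."""
    joined = ",".join(import_strings(imports))
    return hashlib.md5(joined.encode()).hexdigest()


def cluster_by_imphash(samples):
    """Group sample names by imphash: same hash means the same import table
    in the same order, which is what makes it a useful pivot between samples."""
    clusters = {}
    for name, imports in samples.items():
        clusters.setdefault(imphash(imports), []).append(name)
    return clusters


if __name__ == "__main__":
    for name, table in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, imphash(table))
    print(cluster_by_imphash({"A": SAMPLE_A, "B": SAMPLE_B, "C": SAMPLE_C}))
```

Because the hash is order-sensitive, two builds from the same source that link the same imports in a different order get different imphashes; that is why the notes treat it as one fingerprint among several rather than as an identity.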
Although this was not one of my favorite books I have read, the detail, stories, and lessons told in this book are incredibly valuable and provide even people like me who are cyber security noobs some extensive knowledge into the world of cyber espionage and ransomware. I really liked how the book was split into two parts, first breaking down the different kinds of cyber attacks that groups/individuals can commit and how this was all told through real life examples. Then the book transitioned into a crash course for the reader on how to identify malware and what to do if one is being targeted.
I learned a lot here. I'm not gunna become a cybersecurity researcher but it's really interesting to learn about the mechanisms, and particularly how different nation-states operate. That said, this is so jingoistic. Russia, China, North Korea & Iran are profiled, but America is just the good guys, defending against these bad guys. Maybe the author doesn't want to bite the hand that feeds, or maybe this is just the hegemony of the militarized cyber-sec world? Even knowing that, I still learned a lot.
The Art of Cyberwarfare is a solid read. Like the subtitle said, it is a guide — more like a textbook than a novel. It introduces the problem set, discusses the need for investigation, then provides insight into how to do it. Wrote a lengthy review here:
Easy read and recommended for anyone interested or beginning to learn more about cybersec. Good high-level overview with some basic info. First half is all about attacks that have taken place, while second half gets a little more practical. The last chapter is the most intriguing as it documents the process of analyzing an attack.
From a technical standpoint, the book isn’t particularly useful for seasoned professionals; it doesn’t go deep into tools, analysis, or advanced methodologies. But the historical context and theoretical perspective are well written and definitely valuable for beginners or anyone wanting to understand the broader evolution of cyberwarfare and organized cybercrime.
Best tech book I've read in a while. It's really more like a workbook, or a homework assignment. I give high praise to any book that engages in such a way that it compels you to research beyond its pages to dive deeper into the topics. While the first few chapters have a few recognizable bad actors and incidents, many were new to me and DiMaggio's analysis through the chronology of events made for interesting case studies.
I've worked adjacent to this field for many years and have always found it interesting. The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime provides excellent examples and can serve as a valuable resource. DiMaggio did well navigating this book, keeping it accessible to those new to the field while providing enough down-in-the-weeds details to make it interesting to more experienced professionals. Every page of my copy is marked up with highlights and red-penned annotations as a great reference guide in my bookshelf. A definite recommend for my fellow security practitioners!
If you are looking for a first book on the subject, this might be an OK choice. It gives a lot of examples and a lot of practical tools and how to use them; also, the language is clear and simple and you can go through it quickly. Otherwise I find it hard to recommend. On one hand, it tries to be a documentary (the first part is all about various hacker groups and famous attacks); on the other, a field training guide, as the whole second part is purely how-to: how to read email headers, what OSINT is and how to perform it. So it tries to be two books at once and, to achieve this, sacrifices depth in both topics.