Question

An organization’s SOC analyst, through examination of the company’s SIEM, discovers what she believes is Chinese-state sponsored espionage activity on the company’s network. Management agrees with her initial findings given the forensic artifacts she presents are characteristics of malware, but management is unclear on why the analyst thought it was Chinese-state sponsored. You have been brought in as a consultant to help determine 1) whether the systems have been compromised and 2) whether the analyst’s assertion has valid grounds to believe it is Chinese state-sponsored. What steps would you take to answer these questions given that you have been provided a MD5 hashes, two call back domains, and an email that is believed to have been used to conduct a spearphishing attack associated with the corresponding MD5 hash. What other threat intelligence can be generated from this information and how would that help shape your assessment?

Answer 1

Answer: Provided in the explanation segment

Explanation:

Below is a detailed explanation to make this problem more clearer to understand.

(1). We are asked to determine whether the systems have been compromised;

Ans: (YES) From the question given, We can see that the System is compromised. This is so because the plan of communication has different details of scenarios where incidents occur. This communication plan has a well read table of contents that lists specific type of incidents, where each incident has a brief description of the event.

(2). Whether the analyst’s assertion has valid grounds to believe it is Chinese state-sponsored.

Ans: I can say that the analyst uses several different internet protocol address located in so as to conduct its operations, in one instance, a log file recovered  form an open indexed server revealed tham an IP address located is used to administer the command control node that was communicating with the malware.

(3). What other threat intelligence can be generated from this information?

Ans: The threat that can be generated from this include; Custom backdoors, Strategic web compromises, and also Web Server  exploitation.

(4). How would that help shape your assessment?

Ans: This helps in such a way where information is gathered and transferred out of the target network which involve movement of files through multiple systems.

Files also gotten from networks as well as  using tools (archival) to compress and also encrypt data with effectiveness of their data theft.

cheers i hope this helped!!!