Sometimes you just have an actor who won't stop. "Can't stop, won't stop," or whatever the phrase is. We find ourselves hunting for them over and over. Here I'm going to talk about a situation many companies are familiar with: being targeted by a persistent hacker and needing to stay ahead of them.
First up to bat, let's build a scenario in which an actor would do this. In some cases hacktivists target companies for the political gain of their cause, sometimes governments attack companies for intellectual property or strategic advantage, and sometimes individual actors attack companies for fun or profit. There are even cases where hackers still see themselves as artists and attack under the guise of art. In any case, there are some typical features that every cyber threat actor has and can be tied to: the infrastructure they use, common code or code with similar features (they don't have to write their own code these days, so many don't, but they still look for the same features in their tools), and the references they reuse (names, usernames, passwords, domain strings, registry handles, and so on).

When they begin attacking, let's say for this example that they ask your sales staff for support and then send them a malicious PDF file. That file immediately infects the sales system and the game begins. Your security team, or your IT incident team if your company doesn't have a security team, or your IT support if you don't have an IT team, will be engaged to remove the malicious activity and stop the actor from coming back. In many cases this is a daunting task, and it often leaves workers with a lasting level of paranoia. So let's run through what your teams need to do.
Don't just identify that malware was on the system, or run antivirus; identify how it got there.
This is seriously invaluable. From the smallest companies to the largest, skipping this step allows the actors to get in over and over again. Once the malware is removed, or the system is taken out of production to be analyzed and reformatted, you should find out how it got there. In our case, we need the name/username, IP address, email address, and anything else we can gather that the actor used to join the chat. We also need the current IP address of the website used to download the PDF, or, if the PDF was sent directly, we need to analyze it (malware analysis is a service we provide, as do our competitors, but there are also some free public tools that can help if you're interested in learning and saving money) to find every system the PDF or its related malware calls out to. If any DNS names or domains were resolved, also take note of the details of both the domain and the IP address it resolved to. If it is a dynamic domain name, such as one from no-ip, the address behind it can change as frequently as every 3 minutes. I'll talk more on this in a moment.
Set up alerts for similar activity
This may sound weird to people not used to doing it, but even your standard IT/tech support/systems administrators SHOULD be doing this much during any incident. Once the information has been identified, set up alerting for the activity you found: systems in the network attempting to communicate with the threat actor's IP or domain, or someone with a similar pattern joining the chat, so the tech folks can review the chat logs and ensure no further malicious attempts are being made. This helps ensure that if something does happen it is caught in a timely manner, and it also opens up the possibility of catching the actor before a problem occurs or stopping them outright.
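As an added example (not code from the original post), here is what that alerting logic looks like when written down: the indicators collected during the first incident are matched against firewall, DNS resolver and chat-join log lines, and every line that touches the actor's IP, domain, chat handle or sending email domain is raised as an alert. All indicator values, log formats and log lines below are constructed for the example; real ones come from your own incident notes and log sources.

```python
"""Alert on log lines that touch infrastructure or identities tied to a known
threat actor. Everything here (indicators, log formats, sample lines) is
constructed for illustration and is not from the original post."""
import re
from dataclasses import dataclass, field

# Indicators gathered during the first incident (constructed placeholders).
ACTOR_IPS = {"198.51.100.23"}
ACTOR_DOMAINS = {"updates-svc.example-dyndns.test"}
ACTOR_CHAT_HANDLES = {"sales_help_42"}
ACTOR_EMAIL_DOMAINS = {"mailer.example"}

# Constructed log formats: one line per event, key=value fields.
FIREWALL_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)")
CHAT_RE = re.compile(r"join user=(?P<user>\S+) email=(?P<email>\S+) ip=(?P<ip>\S+)")


@dataclass
class Alert:
    source: str                      # which log the hit came from
    line: str                        # raw line, kept for the analyst
    indicators: list = field(default_factory=list)  # every indicator that matched


def _norm_domain(name: str) -> str:
    """Lower-case and strip the trailing dot resolvers often log."""
    return name.lower().rstrip(".")


def check_line(source: str, line: str):
    """Return an Alert if the line matches any actor indicator, else None."""
    hits = []
    if source == "firewall":
        m = FIREWALL_RE.search(line)
        if m and m["dst"] in ACTOR_IPS:
            hits.append(m["dst"])
    elif source == "dns":
        m = DNS_RE.search(line)
        if m:
            query = _norm_domain(m["query"])
            if query in ACTOR_DOMAINS:
                hits.append(query)
            # A different name answering with a known actor IP is also worth a look.
            if m["answer"] in ACTOR_IPS:
                hits.append(m["answer"])
    elif source == "chat":
        m = CHAT_RE.search(line)
        if m:
            if m["user"].lower() in ACTOR_CHAT_HANDLES:
                hits.append(m["user"].lower())
            email_domain = _norm_domain(m["email"].rpartition("@")[2])
            if email_domain in ACTOR_EMAIL_DOMAINS:
                hits.append(email_domain)
            if m["ip"] in ACTOR_IPS:
                hits.append(m["ip"])
    return Alert(source, line, hits) if hits else None


def scan(logs):
    """Run every (source, line) pair through check_line and collect the alerts."""
    alerts = []
    for source, line in logs:
        alert = check_line(source, line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log lines: three should alert, three should not.
SAMPLE_LOGS = [
    ("firewall", "2024-05-01T10:00:01 src=10.0.0.15 dst=198.51.100.23 dport=443"),
    ("firewall", "2024-05-01T10:00:02 src=10.0.0.16 dst=203.0.113.9 dport=443"),
    ("dns", "2024-05-01T10:00:03 client=10.0.0.15 query=updates-svc.example-dyndns.test. answer=198.51.100.77"),
    ("dns", "2024-05-01T10:00:04 client=10.0.0.16 query=www.example.test. answer=203.0.113.9"),
    ("chat", "2024-05-01T10:00:05 join user=Sales_Help_42 email=bob@mailer.example ip=198.51.100.23"),
    ("chat", "2024-05-01T10:00:06 join user=alice email=alice@customer.test ip=203.0.113.50"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a.source}] matched {a.indicators}: {a.line}")
```

Note that the DNS line fires on the domain even though the answer is an IP you have not seen before; that is exactly the dynamic-DNS situation mentioned earlier, and the new address is your next indicator to record.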
A hunting we will go, developing new IOCs, a hunting we will go
If you've read this far you will have seen that I said we need to follow up on these indicators of compromise, the indications related to our actors, in order to make the strongest use of them. This is again something that your IT team, your IT incident team, your security team, or even a lone IT support technician should be able to work with. The idea is that you need a way to follow up on the changes being made to the malware and to the attacker's infrastructure: domain changes, malware changes, and open ports.
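As an added example (not code from the original post), here is one way to do that follow-up for the indicators collected in the first step and revisited here. It keeps the indicator set current by pivoting on new observations: a known domain resolving to a new address adds the address, a new name resolving to a known address adds the name, a known sample calling out to a new host adds the host, and an unknown sample calling out to known infrastructure adds the sample's hash. It also builds a timeline of how often a dynamic domain moved. The observations are constructed and nothing here performs network lookups; in practice they would come from repeated DNS lookups, sandbox runs of new samples and your firewall logs.

```python
"""Keep a threat actor's indicator set current as their infrastructure
changes. Indicators, hashes and observations are constructed placeholders;
this is an added example, not from the original post."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Observation:
    seen: datetime
    kind: str      # "dns": subject=domain, value=ip; "callout": subject=sample hash, value=ip or domain
    subject: str
    value: str


@dataclass
class IndicatorSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    history: list = field(default_factory=list)   # audit trail: how each indicator was derived


def _norm(value: str) -> str:
    return value.lower().rstrip(".")


def _is_ip(value: str) -> bool:
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def pivot(ioc: IndicatorSet, obs: Observation) -> list:
    """Derive new indicators from one observation; returns the ones added."""
    new = []

    def add(bucket, value, label):
        if value not in bucket:
            bucket.add(value)
            new.append(f"{label}:{value}")
            ioc.history.append(f"{obs.seen.isoformat()} {label} {value} via {obs.kind} {obs.subject} -> {obs.value}")

    if obs.kind == "dns":
        domain, ip = _norm(obs.subject), obs.value
        if domain in ioc.domains:
            add(ioc.ips, ip, "ip")          # known name, new address
        elif ip in ioc.ips:
            add(ioc.domains, domain, "domain")  # new name on known address
    elif obs.kind == "callout":
        sample, dest = obs.subject.lower(), _norm(obs.value)
        if sample in ioc.hashes:
            if _is_ip(dest):
                add(ioc.ips, dest, "ip")
            else:
                add(ioc.domains, dest, "domain")
        elif dest in ioc.ips or dest in ioc.domains:
            add(ioc.hashes, sample, "hash")   # unknown sample talking to known infrastructure
    return new


def hunt(ioc: IndicatorSet, observations) -> list:
    """Replay observations in time order until no further indicators are derived."""
    ordered = sorted(observations, key=lambda o: o.seen)
    total = []
    while True:
        round_new = [n for o in ordered for n in pivot(ioc, o)]
        if not round_new:
            return total
        total += round_new


def resolution_timeline(observations, domain: str) -> list:
    """Distinct (time, ip) changes for one name, to see how fast a dynamic domain moves."""
    changes, last = [], None
    for o in sorted(observations, key=lambda o: o.seen):
        if o.kind == "dns" and _norm(o.subject) == _norm(domain) and o.value != last:
            changes.append((o.seen, o.value))
            last = o.value
    return changes


def seed_indicators() -> IndicatorSet:
    """What the first incident gave us (constructed placeholders)."""
    return IndicatorSet(ips={"198.51.100.23"},
                        domains={"updates-svc.example-dyndns.test"},
                        hashes={"sha256-sample1-placeholder"})


T = lambda h, m: datetime(2024, 5, 1, h, m)   # helper for constructed timestamps
OBSERVATIONS = [
    Observation(T(10, 0), "dns", "updates-svc.example-dyndns.test.", "198.51.100.23"),
    Observation(T(10, 3), "dns", "updates-svc.example-dyndns.test.", "198.51.100.77"),
    Observation(T(10, 5), "callout", "sha256-sample2-placeholder", "198.51.100.77"),
    Observation(T(10, 6), "dns", "updates-svc.example-dyndns.test.", "198.51.100.77"),
    Observation(T(10, 9), "dns", "updates-svc.example-dyndns.test.", "203.0.113.40"),
    Observation(T(10, 10), "callout", "sha256-sample2-placeholder", "cdn-relay.example-dyndns.test"),
    Observation(T(10, 12), "dns", "cdn-relay.example-dyndns.test", "203.0.113.41"),
]


def run_demo():
    ioc = seed_indicators()
    return ioc, hunt(ioc, OBSERVATIONS)


if __name__ == "__main__":
    ioc, added = run_demo()
    print("new indicators:", added)
    print("resolution changes:", resolution_timeline(OBSERVATIONS, "updates-svc.example-dyndns.test"))
```

The history list is the part worth keeping: when an alert later fires on an address you derived by pivoting, it tells you which observation tied that address to the actor, which is what you need when deciding whether the match is real or the dynamic DNS name has simply moved on to an unrelated host.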
Don't forget to wipe!
Always be sure that the malware didn't spread to anything else and didn't exfiltrate any sensitive or customer information, and sometimes the only way to be sure is to start fresh. It's worth it; make that call.