Evoltin POS Malware – Kill Chain Mind Map

Readers!!!

It's been quite a while since I last updated my blog, as I have been spending some quality time away from work with my family.

Recently I was honoured to attend the SANS FOR578 Cyber Threat Intelligence course taught by Robert M. Lee, and it was excellent. I will write a separate blog post reviewing the course later.

Working in a customer-facing environment, I have realised how important data visualisations are. When you present your findings to C-level executives, having tables, charts and graphics in the report makes it easier for them to grasp the point of view of the analyst (or whoever wrote the report). We can visualise our findings about organisational risks, threats, incidents and many other departmental attributes in different ways.

For me, the best visualisation is the mind map, and I have used mind maps to represent processes, procedures, incidents and so on. I also use them when performing investigations during IR, forensics and/or threat hunting, as they help me track my investigation steps and findings. If an incident continues into the next business day, the mind map helps me pick up where I left off and trace back my steps, rather than looking through Excel sheets, other textual representations or a case management system.

During the course, there was a strong emphasis on making sure that investigation or intelligence-gathering information is represented in a manner that all levels of audience can understand. This is when I thought of creating a mind map of a malware sample and its behaviour, showing how it can be represented across the Kill Chain phases.

Image: evoltin-pos-aka-nitloveposb

The screenshot above shows the Kill Chain phases for the Evoltin POS malware, the indicators that were identified during analysis, and how they can be associated with the different Kill Chain phases. Rather than presenting them in a table or chart, I believe the mind map view is much easier to grasp and better presented.

I will be creating more mind maps and uploading them to my GitHub account. I normally upload IOCs to AlienVault OTX, Blueliv, GitHub and ThreatConnect, but from now on I will also create a similar Kill Chain mind map for every investigation I do.

Happy Mind Mapping!!!!!
