On March 22, 2024, The Hacker News reported on a new wave of phishing attacks delivering the evolving StrelaStealer malware. The campaigns impacted over 100 organizations in the E.U. and U.S.
This article provides guidance on using this real-world incident to plan and execute an effective cybersecurity fire drill exercise to improve your organization's readiness.
Who Is This For?
- IT, security, and incident response teams at organizations using email clients and remote access tools that may be targeted by information-stealing malware
- Security leaders looking to test and improve their organization's detection and response capabilities for phishing and malware attacks
Cybersecurity Fire Drill Exercise Starting Points
The starting point should give participants enough context to begin investigating without giving the scenario away. Here are some ideas:
- Several users report strange emails with attachments from unknown senders that appear work-related
- Your email security tool flags a sudden uptick in messages with ZIP attachments being sent to finance team members
- Endpoint detection tools alert on PowerShell being launched on multiple laptops shortly after users opened email attachments
- Credential misuse alerts appear for multiple employee email accounts from geographically distant locations
Cybersecurity Fire Drill Simulation Phases
Walk through each phase of your incident response process. Using the NIST incident response framework as a guide, here are actions to make sure your team performs in each phase:
1. Detection and Analysis
- Triage user reports and security alerts to identify common indicators of compromise
- Analyze email headers, attachments, and malicious domains to scope the attack
2. Containment
- Block malicious domains and hashes on email, web, and endpoint security tools
- Isolate infected machines and disable compromised accounts
3. Eradication
- Reset passwords and enable MFA for breached accounts
- Remove malware persistence mechanisms and artifacts from machines
4. Recovery
- Confirm infection is cleared and restore systems/accounts to normal operation
- Monitor for re-infection or attacker movement within the environment
5. Post-Incident Activity
- Document attacker TTPs, IOCs, and gaps in security controls
- Determine process improvements and additional mitigations to implement
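To give the Detection and Analysis and Containment phases something concrete to work against during the drill, here is an added example (not from the original article or from ChaosTrack) that correlates constructed email-gateway records with constructed EDR process events. It flags users who received a ZIP attachment and then had PowerShell launch on their machine within a short window, and turns the result into a scoping list: hosts to isolate, accounts to reset, hashes and sender domains to block, and recipients of the same lure who have not executed it yet. The log formats, hostnames, users, sender domains and hash placeholders are all assumptions constructed for the exercise.

```python
"""Scope a phishing wave by correlating email delivery with endpoint execution.

Added example for the fire drill's Detection and Analysis phase; it is not
from the original article or from ChaosTrack. The pipe-delimited log formats,
hosts, users, sender domains and HASH_* values are constructed for the drill.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Execution must follow delivery within this window to count as a match.
WINDOW = timedelta(minutes=15)

# Constructed email-gateway records: time|recipient|sender|attachment|sha256
EMAIL_LOG = """\
2024-03-22T09:01:10|alice@corp.example|invoice@supplier-example.test|Invoice_2024.zip|HASH_A
2024-03-22T09:03:45|bob@corp.example|invoice@supplier-example.test|Invoice_2024.zip|HASH_A
2024-03-22T09:05:02|carol@corp.example|hr@corp.example|Agenda.pdf|HASH_B
2024-03-22T09:10:30|dave@corp.example|billing@pay-notice-example.test|Payment.zip|HASH_C
2024-03-22T09:12:00|frank@corp.example|accounts@supplier-example.test|Invoice_2024.zip|HASH_A
"""

# Constructed EDR process-start records: time|host|user|parent_image|image
EDR_LOG = """\
2024-03-22T08:40:00|LT-DAVE|dave|cmd.exe|powershell.exe
2024-03-22T09:02:30|LT-ALICE|alice|outlook.exe|powershell.exe
2024-03-22T09:04:50|LT-BOB|bob|outlook.exe|powershell.exe
2024-03-22T09:30:00|LT-CAROL|carol|explorer.exe|teams.exe
2024-03-22T10:15:00|LT-ERIN|erin|explorer.exe|powershell.exe
"""


def parse(log, fields):
    """Turn pipe-delimited lines into dicts, parsing the timestamp column."""
    rows = []
    for line in log.strip().splitlines():
        row = dict(zip(fields, line.split("|")))
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return rows


def scope_phishing_wave(email_log=EMAIL_LOG, edr_log=EDR_LOG, window=WINDOW):
    """Return the containment scoping lists derived from the two log sources."""
    emails = parse(email_log, ["time", "recipient", "sender", "attachment", "sha256"])
    edr = parse(edr_log, ["time", "host", "user", "parent", "image"])

    # Index PowerShell launches by user; the recipient's local part is the username here.
    ps_by_user = defaultdict(list)
    for ev in edr:
        if ev["image"].lower() == "powershell.exe":
            ps_by_user[ev["user"]].append(ev)

    # First pass: ZIP delivery followed by PowerShell on that user's machine in the window.
    confirmed = []  # (email record, EDR event) pairs
    for mail in emails:
        if not mail["attachment"].lower().endswith(".zip"):
            continue
        user = mail["recipient"].split("@")[0]
        for ev in ps_by_user.get(user, []):
            if mail["time"] <= ev["time"] <= mail["time"] + window:
                confirmed.append((mail, ev))
                break

    block_hashes = {m["sha256"] for m, _ in confirmed}
    block_domains = {m["sender"].split("@")[1] for m, _ in confirmed}
    compromised_users = {m["recipient"].split("@")[0] for m, _ in confirmed}

    # Second pass: recipients of the same lure (hash or sender domain) with no execution yet.
    review = set()
    for mail in emails:
        user = mail["recipient"].split("@")[0]
        if user in compromised_users:
            continue
        if mail["sha256"] in block_hashes or mail["sender"].split("@")[1] in block_domains:
            review.add(user)

    return {
        "hosts_to_isolate": sorted({ev["host"] for _, ev in confirmed}),
        "accounts_to_reset": sorted(compromised_users),
        "block_hashes": sorted(block_hashes),
        "block_domains": sorted(block_domains),
        "recipients_to_review": sorted(review),
    }


if __name__ == "__main__":
    for key, value in scope_phishing_wave().items():
        print(f"{key}: {value}")
```

Note the two deliberate negatives in the constructed data: dave ran PowerShell before his ZIP arrived (an admin script, outside the window), and erin ran PowerShell without receiving any lure, so neither is flagged. frank received the same attachment hash from the same sender domain but shows no execution, so he lands in the review list rather than the isolate list, which is the distinction the Containment phase needs when deciding who gets isolated versus who gets a warning and a mailbox purge.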
Inject Ideas
Make the fire drill exercise more interesting and challenging with injects like:
- One impacted user is an executive who demands immediate system access to close a major deal
- Attacker pivots from an infected machine to probe other internal systems
- Exfiltrated data is found for sale on a dark web forum
- A journalist contacts the company about the incident and impending data leak
Relevant MITRE ATT&CK Techniques
Consult the MITRE ATT&CK framework to map techniques used in this attack, such as:
- Spearphishing Attachment (T1566.001) - Initial access via malicious email attachments
- User Execution (T1204) - Tricking users into opening malicious attachments and running the payload
- Steal Web Session Cookie (T1539) - Malware stealing browser session cookies for account access
- Exfiltration Over C2 Channel (T1041) - Using command and control infrastructure to steal data
Get a FREE Trial
ChaosTrack is a platform that combines the best of tabletops and trainings to run ripped-from-the-headlines cybersecurity fire drills against your whole company.