OD1 Check My Knowledge

The strict timing discipline (same days, same hours, same target) and three-week duration without escalation indicate a collection cadence — the hallmark of an intelligence objective. Financial attackers (BEC) typically act within days. Disruption and access objectives require broader environmental access.

A zero-day exploit represents high budget and high capability. Default Mimikatz and PsExec represent low-to-medium capability. This skill discontinuity is the handoff signature — a high-capability initial access broker sold access to a lower-skill affiliate. The investigation should assess whether the broker has access to other organisations via the same zero-day.

One failure per account, distributed IPs, residential proxies, and 48-hour distribution are textbook password-spray indicators. The spray is designed to stay below your per-account threshold (5 failures in 5 minutes). Detection requires cross-account correlation: 200 unique accounts with single failures from residential proxy ranges within a 48-hour window. Check whether any of those 200 attempts succeeded.

Friday evening deployment is a deliberate timing choice. The attacker gains 36-48 hours of uncontested encryption time over the weekend, when security staffing is minimal, response capability is reduced, and executives who authorise incident response spending may be unreachable. This is the documented ransomware timing pattern.

Every observed behaviour prioritises stealth: custom C2 avoids signature-based detection, one hop per day avoids temporal correlation alerts, and accessing only the specific target (R&D roadmap) avoids generating unnecessary log entries. This is a low-risk-tolerance operator protecting access they invested significant effort to establish — consistent with an intelligence or access objective.

Breached credentials with reusable passwords provide direct access without exploitation. If those credentials work against your M365 tenant (no phishing-resistant MFA), the attacker doesn't need phishing, exploits, or any other technique — they authenticate as a legitimate user. The other findings inform the attack plan but don't provide direct access.

Backup deletion at 03:00 on a server means the attacker has already completed discovery (they know where the backups are), credential access (they have credentials that work on the backup server), and lateral movement (they reached the backup server from their initial foothold). Your detection rules for those earlier phases either don't exist or didn't fire. You're in the last containment window — contain immediately, then investigate why you missed the preceding 24-48 hours of activity.

Low budget (commodity tools), short timeline (24-72 hour ransomware sprint), medium capability (follows playbooks with some adaptation), and high risk tolerance (accepts noise to achieve speed) is the canonical ransomware affiliate profile. State-sponsored operations have high budget and low risk tolerance. Supply chain operations have long timelines. IABs have medium timelines and focus on access, not objective execution.

The distribution phase uses the vendor's own trusted delivery mechanism. The update is signed with the vendor's code-signing certificate, delivered through the expected update channel, and installed by the same process as every legitimate update. There's no phishing, no exploitation, no anomalous access — just a normal software update that happens to contain malicious code. Detection shifts to post-installation behavioural monitoring: does the trusted application suddenly make connections or spawn processes it's never done before?

The Operational Profile produces a leadership brief within the first hours: who (adversary class from constraint profiling), what (objective from target analysis), how bad (predicted next steps from the decision matrix), and what we're doing (containment priorities). Full attribution and forensic analysis take days or weeks. The CISO needs actionable understanding now — the Operational Profile delivers it.