Journal Entry 1 - ADP - DFIR - V1


Insights from the Webinar:

The webinar on Attack Path Diagrams (APD) in Digital Forensics and Incident
Response (DFIR) offered valuable insights. It was presented by David Pany and Brad
Slaybaugh, from the Forensics and Investigation team and the Incident Response
team respectively. With a decade of experience in their respective fields, they
shared their knowledge on creating APDs.

Below are the topics discussed during the webinar:

1. Goals of APD:

The primary objectives of APDs are understanding what is known, identifying
knowledge gaps, and presenting the information through visual aids to both
technical and non-technical stakeholders.

2. Considerations When Planning APDs:

An important consideration while planning APDs is to establish who the audience
is: technical stakeholders, or non-technical stakeholders such as a boss, a
manager, an upper-level executive, etc.

Then we need to decide which color schemes, line types, icons, transparency,
custom logos, timeframes, etc. to use, depending on the scenario.

3. Diagram Tools

The team discussed the various tools available for creating APDs, ranging from
sketching the initial ideas on pen and paper to tools like Microsoft PowerPoint
(simple and advanced) and Visio (which has built-in stencils), and other
third-party tools (chosen according to the sensitivity of the information).
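As an added illustration (not code from the webinar or the presenters), the script below encodes the planning considerations above: one event list rendered in audience-specific wording, dashed lines marking inferred steps (the knowledge gaps), and a TLP marking placed on the diagram. It assumes Graphviz DOT as the output format and uses a constructed sample attack path.

```python
from dataclasses import dataclass

@dataclass
class Step:
    when: str        # ISO-8601 timestamp of the event
    src: str         # where the attacker came from
    dst: str         # where the attacker went
    technique: str   # technical wording for analysts
    summary: str     # plain-language wording for executives
    confirmed: bool  # True = backed by evidence; False = inferred (a knowledge gap)

# Constructed sample attack path for illustration (not from the webinar)
STEPS = [
    Step("2024-03-01T09:12", "Phishing email", "Workstation A",
         "Macro-enabled attachment executed", "User opened a malicious attachment", True),
    Step("2024-03-01T09:30", "Workstation A", "File server",
         "SMB lateral movement (assumed)", "Attacker moved to a file server", False),
    Step("2024-03-02T02:05", "File server", "Backup server",
         "Reused cached admin credential", "Attacker reached the backup server", True),
    Step("2024-03-02T03:00", "Backup server", "All servers",
         "Ransomware pushed via GPO", "Ransomware encrypted the servers", True),
]

def knowledge_gaps(steps):
    """Steps that are inferred rather than evidenced: the gaps the APD should flag."""
    return [s for s in steps if not s.confirmed]

def node_id(name):
    # Turn a display name into a safe DOT identifier
    return "n_" + "".join(c if c.isalnum() else "_" for c in name)

def render_dot(steps, audience="technical", tlp="TLP:AMBER"):
    """Render the steps as a Graphviz DOT graph; audience selects the wording."""
    steps = sorted(steps, key=lambda s: s.when)          # timeline order
    lines = ["digraph apd {", "  rankdir=LR;",
             f'  label="{tlp}"; labelloc=t; fontsize=20;']  # TLP marking on the diagram
    nodes = list(dict.fromkeys(n for s in steps for n in (s.src, s.dst)))
    for n in nodes:
        lines.append(f'  {node_id(n)} [label="{n}", shape=box];')
    for i, s in enumerate(steps, 1):
        text = s.technique if audience == "technical" else s.summary
        label = f"{i}. {s.when} {text}" if audience == "technical" else f"{i}. {text}"
        # Solid red = confirmed; dashed gray = inferred, so gaps are visible at a glance
        style, color = ("solid", "red") if s.confirmed else ("dashed", "gray")
        lines.append(f'  {node_id(s.src)} -> {node_id(s.dst)} '
                     f'[label="{label}", style={style}, color={color}];')
    lines.append("}")
    return "\n".join(lines)
```

Write the output of `render_dot(STEPS, audience="executive")` to a file and render it with `dot -Tpng` to get the executive view; the default audience produces the analyst view with timestamps.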

Key Takeaways:

Evolution of Diagram Creation:

The speakers provided insights into the evolution of an APD, starting from the
initial brainstorming-on-paper phase and ending with finalized, standardized
graphics, colors, icons, high-level descriptions, etc.

Application in various scenarios (the team highlighted the need for different
APD diagrams for different audiences and scenarios, as listed below):

1. A general timeline depicting a sequence of attack events
2. A multi-environment attack path (where the attacker got into a corporate
environment and deployed one ransomware variant, then moved to a related staging
environment and deployed a separate ransomware variant, extorting the
organization twice)
3. A Business Email Compromise scenario
4. A Sunburst malware flowchart
5. Network tunneling
6. Two clusters of activity separated by date (with no link to group them)

"A picture is worth a thousand words"

Hence it is important to create the APD in such a way that the audience, whether
from a technical or a non-technical background, will be able to understand it,
analyze it further, and take mitigation actions wherever needed.

Questions Raised During the Webinar:

1. One question, raised by an audience member from Australia, asked for
information on the tools used for the diagrams in the presentation itself.

2. Another question from the audience focused on whether the presenters maintained
templates to speed up diagram creation or built each diagram from scratch.

3. Another question concerned whether APDs are marked with TLP (Traffic Light
Protocol) controls.

NOTE: The Traffic Light Protocol (TLP) is a set of designations used to ensure
that sensitive information is shared with the appropriate audience. TLP has only
four colors: Red, Amber (with the stricter Amber+Strict variant), Green, and Clear.
(Ref: https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage)

Connection to the Real World and Personal Experiences:

During my previous semester, I enrolled in an ethical hacking course where my team
and I worked on a project, "The attack process and mitigation measures for the
Log4J Vulnerability". During the project, we used a timeline diagram to illustrate
the events starting from the discovery of the vulnerability and the release of a
patch for the Log4j vulnerability. We also developed a few attack path diagrams to
demonstrate the Log4j attack using JNDI; we included high-level descriptions,
dotted lines, icons, and various color schemes to demonstrate the attack process.
