Incident Response for Windows: Adapt effective strategies for managing sophisticated cyberattacks targeting Windows systems

Introduction to the Threat Landscape

Most attacks on organizations' networks (more than 90%, according to GROUP-IB's global experience) are run against Windows environments. This follows from the market dominance of the Microsoft Windows operating system, its familiarity to most users in the world, the vast range of applications it supports, the backward compatibility that makes it hard to eliminate several severe security issues discovered in the past, and the many legacy systems that cannot run the latest versions of the operating system.

We (the authors) have been involved in hundreds of incident response engagements across many continents, in organizations of all sizes and in a variety of industries, including government, the financial sector (banks, brokers, and cryptocurrency exchanges), pharmacies and healthcare, critical industries, retail, construction, IT, and more. Their cybersecurity maturity ranged from no security team at all to huge security operations center (SOC) teams with dedicated roles staffed by professionals with 10+ years of experience, extensive automation, and processes that ran like a Swiss watch. There is no silver bullet, but there are best practices that can be implemented to reduce (but not eliminate) cybersecurity risk.

This chapter explores the levels of threat intelligence, which help organizations identify and categorize the cyber threats targeting their Windows systems, and how each level contributes to an organization's overall cybersecurity posture.

We will also examine the main types of threat actors, their motivations, and the tactics they employ when targeting organizations with Windows environments.

Additionally, we will present real-world use cases that highlight the importance of understanding the cyber threat landscape, illustrating how organizations can proactively identify vulnerabilities, prioritize risks, and develop effective countermeasures for their Windows systems.

This chapter will cover the following topics:

  • Getting familiar with the cyber threat landscape
  • Types of threat actors and their motivations, including advanced persistent threats (APTs), cybercriminals, hacktivists, competitors, insider threats, terrorist groups, and script kiddies
  • Building a cyber threat landscape

Let’s take a look!

Getting familiar with the cyber threat landscape

To begin with, there should be a cybersecurity strategy. The smart way to build one is to understand the current threats and the capabilities of adversaries, and then apply proactive measures against the incidents the organization is actually likely to face. For example, a small consulting company that works with other small businesses would not expect, with any confidence, an espionage attack from a state-sponsored group. Construction businesses will most likely face a ransomware attack, while telecom and government entities will more likely face espionage. We will discuss these in more detail later in this chapter.

This profile of the current and evolving state of cybersecurity risk, covering both potential and identified cyber threats, is produced by the unifying concept of cyber threat analysis. The unified cyber threat analysis process combines two inputs: the external attack surface (all exposed digital assets) and cyber threat intelligence (CTI).

The external attack surface is a relatively new term that covers all internet-facing enterprise assets: the infrastructure perimeter, intellectual property hosted on third-party services (including source code), project management and CRM systems, and more. Enriched with CTI, external attack surface management (EASM) helps organizations manage their digital assets and gives actionable insight into digital risk. Its verdicts are based on vulnerabilities (with severity scoring improved by whether exploits are available and used in real attacks), infrastructure misconfigurations, exposures, confirmed compromises, and leaks. However, this class of solution does not by itself tell an organization which threats it faces. An EASM solution reports currently unpatched vulnerabilities or leaked credentials, but it does not explain the attacks that other organizations are currently experiencing. Its data can feed user and entity behavior analytics (UEBA) or trigger playbooks in security orchestration, automation, and response (SOAR) solutions, for example, forcing a password reset or creating a ticket for the IT team to patch a vulnerability. It does not provide the other valuable aspects of threat intelligence, which we will cover later in this section. EASM may, for instance, name the malware family behind a credential leak, but it won't explain how to discover and mitigate that malware.

Next, CTI includes the following aspects that pose cybersecurity risks:

  • Threat actors and their motivations
  • Vulnerabilities
  • Compromised and leaked accounts
  • Malware
  • Tools
  • Attack tactics, techniques, and procedures
  • Indicators of compromise (IoCs)

Compared to the EASM, threat intelligence provides a complete overview of all these aspects without being tied to the specifics of a particular organization.

Cybersecurity vendors generate and feed this knowledge base through incident response engagements, observing adversaries' attack life cycles and motivations, and everything else we have discussed already. In addition, experts perform post-analysis: identifying the threat actor's infrastructure used to conduct attacks on victims, leveraging open source intelligence (OSINT) research, generating patterns to track activity, predicting future campaigns, and securing their clients from ongoing attacks.

Three different models explain the different levels of threat intelligence (one model per column). All three share the strategic and operational levels; two of them call the lowest level tactical, and one calls it technical:

Strategic      Strategic      Strategic
Operational    Operational    Operational
Tactical       Tactical       Technical

Table 1.1 – Threat intelligence tiered models – comparison

For the sake of atomicity, let's proceed with a four-layered model:

  • Strategic: Executive summary about attackers by activity, country, and industry, considering their motivations, goals, and trends
  • Operational: A summary of current and impending attacks from various adversaries, as well as the vulnerabilities exploited in recent breaches
  • Tactical: The tactics, techniques, and procedures (TTPs) of threat actors, most often mapped to the MITRE ATT&CK® matrix, and the vulnerabilities they exploit
  • Technical: IoCs, detection rules (YARA and Sigma rules), and compromised user accounts

Table 1.2 – Semantics of the different CTI levels

To summarize, the levels of CTI provide answers to the following questions:

  • The who and why – strategic CTI
  • The how and where – operational CTI
  • The what – tactical and technical CTI

At this stage, you might be wondering how you can apply this knowledge to protect organizations.

Well, the answer to the question is a little intricate, but we can break it down step by step.

To start, the technical layer of threat intelligence should not consume much analyst time; its consumption must be automated at the implementation phase by the vendor and the in-house security team, as shown in the following table:

  • IoCs: Feed the SIEM or other security controls such as NGFW, AV, EDR, sandboxes, DLP, and email security solutions for automated blocking and prevention, and for alerting, where the indicator's severity level determines how much of the security team's attention the alert gets.
  • Detection rules (YARA and Sigma rules): YARA rules can be used for one-time or triggered proactive scans, or for custom detections (where the deployed technology supports it) in AV, EDR, and malware detonation solutions (sandboxes). Sigma rules can be implemented in SIEM detection logic or used for one-time scans of EDR telemetry.
  • Compromised user accounts: Feed privileged access management (PAM) systems or UEBA so that access is reset or the end user is forced to change the password. Trigger a compromise assessment on the identified users' devices to find traces of malware infection or other credential-exposure techniques and remediate them.
  • Exploited vulnerabilities: Immediately scan the attack surface and patch. If it is a zero-day or one-day vulnerability with no patch available, implement a workaround to reduce the risk of compromise.

Table 1.3 – Tactical CTI consumption
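The routing the table describes is mechanical enough to script. The following is an added example (not from the book, and not any vendor's product code): a small constructed IoC feed is cleaned, matched against constructed Sysmon-style process, DNS, and network events, and each hit is routed to the action the table prescribes. Every hash, domain, IP address, account, hostname, and feed name in it is made up for illustration; the two "noise" entries show the hygiene step a feed needs before it is allowed to drive automated blocking.

```python
"""
Added example (not from the book): automated consumption of technical CTI as
laid out in Table 1.3. A constructed IoC feed is cleaned, matched against
constructed Windows/Sysmon-style events, and each hit is routed to the action
the table prescribes. Every indicator, host, and account below is made up.
"""
import ipaddress
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# SHA-256 of an empty file: it shows up in feeds and matches countless
# legitimate zero-byte files, so it is treated as feed noise below.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Blocking these at the perimeter hurts the network, not the attacker.
# Only RFC 1918 and loopback are listed on purpose: Python's is_private also
# flags the documentation ranges (203.0.113.0/24) used as stand-ins here.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Indicator:
    kind: str       # "sha256" | "domain" | "ipv4" | "account"
    value: str
    severity: str   # "high" | "medium" | "low"
    source: str     # report or feed the indicator came from (constructed)


# Constructed IoC feed; two entries are deliberately noisy.
RAW_FEED = [
    Indicator("sha256", "2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824", "high", "vendor-report-A"),
    Indicator("sha256", EMPTY_FILE_SHA256, "high", "vendor-report-A"),   # noise
    Indicator("domain", "update-cdn.example.", "high", "vendor-report-A"),
    Indicator("ipv4", "203.0.113.42", "medium", "vendor-report-B"),
    Indicator("ipv4", "10.0.0.5", "medium", "vendor-report-B"),          # noise (RFC 1918)
    Indicator("account", "CORP\\j.doe", "high", "stealer-log-dump"),
]

# Constructed telemetry shaped like Sysmon process, DNS, and network events.
EVENTS = [
    {"host": "WS01", "type": "process", "user": "CORP\\j.doe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\setup.exe",
     "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"},
    {"host": "WS01", "type": "dns", "user": "CORP\\j.doe", "query": "update-cdn.example"},
    {"host": "SRV02", "type": "network", "user": "CORP\\svc_backup", "dst_ip": "203.0.113.42", "dst_port": 443},
    {"host": "WS03", "type": "dns", "user": "CORP\\b.lee", "query": "www.example.org"},
]

# What Table 1.3 says to do with each indicator type once it matches.
ACTIONS = {
    "sha256": "block on AV/EDR and sandbox; raise SIEM alert",
    "domain": "block on NGFW/DNS filter and email security; raise SIEM alert",
    "ipv4": "block on NGFW; raise SIEM alert",
    "account": "force password reset via PAM/UEBA; start compromise assessment on the host",
}


def normalise(ind):
    """Return a cleaned copy of the indicator, or None if it would only create noise."""
    v = ind.value.strip().lower()
    if ind.kind == "sha256":
        if not re.fullmatch(r"[0-9a-f]{64}", v) or v == EMPTY_FILE_SHA256:
            return None
    elif ind.kind == "domain":
        v = v.rstrip(".")  # drop the trailing dot of FQDN notation
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v):
            return None
    elif ind.kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(v)
        except ValueError:
            return None
        if any(ip in net for net in NEVER_BLOCK):
            return None
    elif ind.kind != "account":
        return None
    return Indicator(ind.kind, v, ind.severity, ind.source)


def load_feed(raw):
    """Build a lookup table keyed by (kind, value) from a raw feed."""
    feed = {}
    for ind in raw:
        clean = normalise(ind)
        if clean is not None:
            feed[(clean.kind, clean.value)] = clean
    return feed


def observables(event):
    """Yield every (kind, value) pair an event exposes, in feed-normalised form."""
    if "sha256" in event:
        yield "sha256", event["sha256"].lower()
    if "query" in event:
        yield "domain", event["query"].lower().rstrip(".")
    if "dst_ip" in event:
        yield "ipv4", event["dst_ip"]
    if "user" in event:
        yield "account", event["user"].lower()


def match(events, feed):
    """One hit per (host, kind, value), highest severity first."""
    hits = {}
    for ev in events:
        for kind, value in observables(ev):
            ind = feed.get((kind, value))
            if ind is None:
                continue
            hits.setdefault((ev["host"], kind, value), {
                "host": ev["host"], "kind": kind, "value": value,
                "severity": ind.severity, "source": ind.source, "action": ACTIONS[kind]})
    return sorted(hits.values(), key=lambda h: SEVERITY_ORDER[h["severity"]])


if __name__ == "__main__":
    for hit in match(EVENTS, load_feed(RAW_FEED)):
        print(f'{hit["severity"]:6} {hit["host"]:6} {hit["kind"]:8} {hit["value"]:<40} -> {hit["action"]}')
```

Run as a script, it lists four hits: the stealer sample, the compromised account, and the C2 domain on WS01 (all high), then the medium-severity IP contact from SRV02. The account hit is what kicks off the compromise assessment the table calls for; the same host produced the hash and domain hits, which is exactly the evidence that assessment starts from. Note that the feed hygiene step is not optional: an empty-file hash or an RFC 1918 address pushed straight to an NGFW or EDR block list produces either an alert storm or an outage.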

Tactical threat intelligence is consumed by security analysts to help them hunt for threats, enhance their detection logic, and respond better. Techniques and procedures should be used in the threat-hunting process, which we'll cover later in this book. Generally, there are two types of procedures: generic ones, and ones tailored to a specific threat actor as used in a specific attack. Hunting for tailored procedures usually produces a small number of search hits that the analyst can review easily. Generic procedures are tougher to spot, as many legitimate or business-specific software products use the same methods to operate. For example, discovery techniques such as cmd.exe running commands like net use and net user are among the most frequently seen procedures during normal activity in large environments, and in 99.9% of cases they are innocent.
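The difference between the two kinds of hunt is easiest to see on telemetry. The following is an added example (not from the book): constructed process-creation events for a small estate, a generic hunt for the net use/net user procedure from the text, and a tailored hunt for a hypothetical actor-specific procedure (account creation through net.exe spawned under an IIS worker process, the kind of thing a web shell does). The generic hunt fires on every logon script and every administrator, so its hits are stacked by parent process to surface the rare combination; the tailored hunt fires once. All hosts, users, and command lines are made up, and the "tailored" procedure is an assumption for illustration, not one attributed to any real group.

```python
"""
Added example (not from the book): a generic procedure hunt versus a tailored
one over constructed process-creation telemetry. Hosts, users, command lines,
and the "actor-specific" procedure are all invented for illustration.
"""
import ntpath
import re
from collections import Counter


def _event(host, user, parent, image, cmdline):
    """Constructed Sysmon-like process creation record."""
    return {"host": host, "user": user, "parent": parent,
            "parent_name": ntpath.basename(parent).lower(),
            "image": image, "cmdline": cmdline}


NET = r"C:\Windows\System32\net.exe"
EVENTS = []
# 39 workstations mapping a home drive from a logon script: benign and very common.
for n in range(1, 40):
    EVENTS.append(_event(f"WS{n:02d}", f"CORP\\user{n:02d}",
                         r"C:\Windows\System32\gpscript.exe", NET, r"net use H: \\fs01\home"))
# An administrator listing accounts by hand on a few hosts: also benign.
for host in ("WS05", "SRV01", "SRV03"):
    EVENTS.append(_event(host, "CORP\\it.admin", r"C:\Windows\System32\cmd.exe", NET, "net user"))
# The hypothetical tailored procedure: net.exe adding a local admin under an IIS worker.
EVENTS.append(_event("WEB01", "IIS APPPOOL\\DefaultAppPool",
                     r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                     r"cmd.exe /c net user support$ Str0ngP@ss /add && net localgroup administrators support$ /add"))

# Generic discovery procedure from the text: net/net1 with use, user, group, or localgroup.
GENERIC = re.compile(r"\bnet1?(?:\.exe)?\s+(?:use|user|group|localgroup)\b", re.IGNORECASE)


def hunt_generic(events):
    """Every event whose command line matches the generic discovery procedure."""
    return [e for e in events if GENERIC.search(e["cmdline"])]


def stack(hits, *fields):
    """Frequency analysis: count each combination of fields, rarest first."""
    counts = Counter(tuple(h[f] for f in fields) for h in hits)
    return sorted(counts.items(), key=lambda kv: kv[1])


def hunt_tailored(events):
    """Hypothetical actor-specific procedure: net user ... /add spawned under w3wp.exe."""
    out = []
    for e in events:
        cmd = e["cmdline"].lower()
        if e["parent_name"] == "w3wp.exe" and "net user" in cmd and "/add" in cmd:
            out.append(e)
    return out


if __name__ == "__main__":
    generic = hunt_generic(EVENTS)
    print(f"generic hunt: {len(generic)} hits on {len({e['host'] for e in generic})} hosts")
    for combo, count in stack(generic, "parent_name")[:3]:
        print(f"  {count:3d}  parent={combo[0]}")
    tailored = hunt_tailored(EVENTS)
    print(f"tailored hunt: {len(tailored)} hit(s) on {[e['host'] for e in tailored]}")
```

The generic hunt returns 43 events on 42 hosts, which no analyst reviews one by one; stacking by parent process collapses them to three rows, with the single w3wp.exe parent at the top of the rarest-first list. The tailored hunt reaches the same event directly. In practice you run both: the tailored query for the actors your operational intelligence says are active, and the generic query with stacking so that a new, not-yet-reported procedure still floats to the surface.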

Operational threat intelligence is consumed by cybersecurity team leads and by the security analysts who perform regular threat hunting, as they analyze threat actors' campaigns.

Strategic threat intelligence is aimed at decision-makers such as chief information security officers (CISOs), chief information officers (CIOs), and chief technology officers (CTOs). It gives the CISO/CIO and other cyber executives an understanding of the threat picture that they can use to identify the risk to the organization and define changes in cybersecurity investment or in corporate culture, such as cybersecurity awareness.

The result of applied cyber threat analysis is the cyber threat landscape. Several factors influence the landscape for a specific entity, such as geography, industry, organization size, contracts, possession of valuable data for attackers, and publicity.

Moreover, the threat landscape might change over time due to different events:

  • Newly discovered vulnerabilities for which public exploits appear after a short period, sometimes before the product vendor has even been notified. Note that the vulnerabilities that matter most here are in public-facing applications (including security controls) or office applications (for example, Follina, the CVE-2022-30190 remote code execution vulnerability in Microsoft Office, or CVE-2023-23397 in the Microsoft Outlook mail client).
  • A global shift in the consumer and business market. The more users there are, the higher the probability of a successful attack and more potential victims.
  • New trends in the IT sector: software development, data processing, delegating data to third parties (for example, cloud computing), and a wider use of shared libraries from package repositories.
  • Global events such as the COVID-19 pandemic, which forced organizations to make major changes to their infrastructure to support remote work.
  • Military or political conflicts.

At this stage, we are ready to deep dive into the different types of threat actors and their motivations.

Types of threat actors and their motivations

Cybersecurity vendors, law enforcement agencies, and regulators around the globe broadly use the following classification of threat actors:

  • APTs
  • Cybercriminals
  • Hacktivists
  • Competitors
  • Insider threats
  • Terrorist groups
  • Script kiddies

Let’s take a closer look at each.

APTs

There are two types of APT groups: nation-state and non-nation-state; we will describe their key differentiators shortly.

Nation-state threat actors' main motivation is data: they conduct espionage to steal intellectual property, spy on their targets, and gather state secrets and other confidential information. In some cases, they disrupt business or even demand a ransom, but they remain funded by government authorities.

Note

For more details, please read the Microsoft threat research about MuddyWater cooperating with another cyber threat actor (https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/). Earlier, we looked at the main motivations of state-sponsored APT threat groups. However, there are a few exceptions. Lazarus, the North Korean nation-state group, is mainly motivated by financial gain (https://securelist.com/lazarus-trojanized-defi-app/106195/ and https://www.group-ib.com/resources/research-hub/lazarus/).

Not all nation-state groups are sophisticated. Some of them may use script-kiddie-level techniques that are usually easily detected by security controls but will be ignored by in-house cybersecurity teams due to their lack of skills.

Non-nation-state threat actors are also considered APTs, but they are not funded by government authorities. They are also called cyber-mercenaries or hack-for-hire groups, since they offer their hacking services to the highest bidder, conducting cyberattacks, espionage, or other malicious activities on behalf of clients that can include other criminals, businesses, or even nation-states. As an example, the main goal of RedCurl's campaigns was to steal confidential corporate documents such as contracts, financial documents, records of legal actions, and personal employee records, a clear indicator that RedCurl's attacks might have been commissioned for corporate espionage.

The following are some key features of APTs:

  • Persistence: APTs are known for their long-term approach to cyberattacks, maintaining a presence in the target's network for extended periods to gather information, execute attacks, or achieve other objectives. This persistence lets them explore the target's systems and networks, stealthily exfiltrate data, or stage future attacks.
  • Sophistication: APT groups typically possess advanced technical capabilities and use sophisticated TTPs in their operations. They can craft custom malware, leverage zero-day vulnerabilities, and use advanced evasion techniques to avoid detection and keep access to their targets.
  • Operational security (OPSEC): The practices, methods, and techniques these threat actors employ to keep their activities covert and minimize the risk of detection. APTs typically have strong OPSEC, which makes it difficult for organizations and security researchers to detect, analyze, and attribute their attacks. Some common OPSEC practices of APTs are as follows:
    • Use of encryption: APTs often use strong encryption for their communication channels and data exfiltration to prevent interception and analysis.
    • Command and Control (C2) infrastructure: APTs use diverse and robust C2 infrastructures, often relying on multiple C2 servers, domain generation algorithms, or decentralized communication methods such as peer-to-peer networks or social media platforms to keep control of their operations.
    • Proxy networks and virtual private networks (VPNs): APTs may use proxy networks, VPNs, or other anonymizing services to hide their true location and obfuscate their activities.
    • Custom and advanced malware: APTs often develop custom malware or use advanced variants of known malware families to evade detection by antivirus and other security solutions.
    • Living off the land: APTs may use legitimate tools, processes, or applications already present in the target's environment to blend in with normal activity, making it harder to distinguish their actions from legitimate ones.
    • Code obfuscation and anti-analysis techniques: APTs often employ code obfuscation, packing, or other anti-analysis techniques to make it harder for security researchers to reverse-engineer and analyze their malware.
    • Cleaning up traces: APTs take steps to remove traces of their activities, including clearing logs, overwriting data, or deleting temporary files, to minimize the chances of detection and maintain persistence.
    • Updating TTPs: APTs adapt their TTPs in response to changing security environments, making it harder for organizations to develop effective countermeasures.
    • Compartmentalization: APTs often compartmentalize their operations, with different groups or individuals responsible for different aspects of an attack. This makes it difficult for security researchers to gain a comprehensive understanding of the APT's objectives, infrastructure, and capabilities.
    • Targeted social engineering: APTs may conduct extensive reconnaissance and use targeted social engineering, such as spear-phishing, to carefully select and compromise their targets without raising suspicion.
  • Resources: APTs are often well-funded, with significant resources at their disposal. This funding lets them invest in the development of advanced tools and maintain operational infrastructure. The backing of nation-states or other powerful organizations provides the resources needed to carry out large-scale, long-term campaigns.
  • High-level objectives: APT groups typically have strategic objectives aligned with the interests of their sponsors, which are often nation-states. These objectives may include cyber espionage, intellectual property theft, disruption of critical infrastructure, or undermining geopolitical rivals.
  • Stealth and patience: APTs prioritize remaining undetected in their target's networks, often using covert communication channels and blending in with legitimate traffic. They are patient, taking time to learn the target's environment and waiting for the opportune moment to strike or exfiltrate data.
  • Highly targeted attacks: APTs typically focus on specific high-value targets, such as governments, large corporations, critical infrastructure, or research institutions. They conduct extensive reconnaissance to understand the target's network and security posture, tailoring their attack methods to maximize success.
  • Adaptability: APTs are highly adaptable and able to modify their TTPs in response to changing environments, security measures, or detection efforts, which makes them challenging to identify and defend against.
  • Advanced social engineering: APTs often use sophisticated social engineering to gain initial access to a target's network, such as spear-phishing campaigns with highly customized and convincing messages, and may research their targets extensively to craft effective lures.

Note

As an example, the nation-state-sponsored group APT29 disabled mailbox audit logging to hide their access to emails and other activities from a compromised account.

Cybercriminals

By the end of the 2010s, financial crime faced a serious monetization problem: financial institutions had significantly improved their security postures, which increased the cost of attacks. Moreover, SWIFT payments are easy to track, require a lot of money laundering effort, and carry higher risks and commissions split across different parties (for example, mule services). Under these circumstances, threat actors started looking for ways to shorten the attack, reduce its complexity, and make collecting money from victims easier. The idea was extremely simple: why search for a way to transfer money out of the victims' accounts when the victims could be made to pay a ransom themselves? To get there, the attackers only had to hurt the business badly enough, for example, by disrupting business processes or exfiltrating sensitive information. This idea produced a sensational shift in the cyber threat landscape as ransomware gangs took the floor. We will discuss ransomware and other cyberattacks in this section.

Ransomware

According to the vast majority of cybersecurity vendors, ransomware is the primary threat facing private and, increasingly, public sector organizations. These threat actors' main motivation is financial gain. The ransom amount varies greatly with the type of victim: for an individual user, it is typically 500 to 1,000 US dollars, while for organizations, it depends on revenue and the threat actor's appetite, usually starting at $5,000 and sometimes reaching £100,000,000. Ransoms are demanded in cryptocurrencies such as Bitcoin and Ethereum, and sometimes Monero. After receiving payment, most adversaries send either a decryption key or a decryptor tool. There are always exceptions, however: no one can guarantee the honesty of the attackers or the correct implementation of the encryption, and we have been engaged in several cases where even the threat actor failed to decrypt the data with the correct key. At the same time, there is almost zero chance of decrypting data without paying, unless law enforcement agencies or cybersecurity vendors gain access to the key database stored on the threat actors' C2 servers, there is a mistake in the encryption algorithm's implementation, or the attackers' secrets weren't managed securely; otherwise, recovery depends on having an offline backup of the most crucial data.

The median detection window for ransomware attacks in 2022-2023 stands at around 4-9 days according to different vendors and their observations (https://cloud.google.com/security/resources/m-trends and https://www.group-ib.com/landing/hi-tech-crime-trends-2023-2024/). In many cases, detection happens after discovering the impact caused by the attack. The attack timeline varies, depending on the complexity and level of attack automation. There are dozens of research papers, trend reports, and even books related to this topic that have been published in the past years. For now, let’s learn how to classify ransomware attacks.

First, we have automated attacks and malware bundles. These are spread across hundreds or thousands of malicious websites, via file hosting services, fake updates, Trojanized applications, or mass phishing campaigns sent to tens or hundreds of thousands of users. The following article describes such a malicious campaign:

  • https://www.group-ib.com/blog/malware-bundles/: This article describes the spread of a malware bundle containing information stealers such as RedLine, AZORult, Vidar, Amadey, Pony, qbot (that is, QakBot), and Raccoon stealer, remote access Trojans such as AsyncRAT, Glupteba, njRAT, and nanocore, and other payloads such as miners, keyloggers (HawkEye), and ransomware (DJVU/STOP). Figure 1.1 shows the malware bundle packaging mechanism. The ransom demands in such cases rarely exceed $1,000. However, the key risk lies in the compromise of all stored credentials and in the backdoor left behind, which other threat actors can later use to run more sophisticated attacks targeting not just the individual but the organization. We have observed such infections on IT administrators' corporate devices. Once, a dark web forum sale offered backdoor access to the device of an IT administrator serving more than 50 banks in the MEA region for $20,000. In the end, the attack was averted through a joint effort with FinCERTs and the potentially affected customers. The following figure shows an example of malware bundle packaging:

Figure 1.1 – Malware bundle packaging example

A more sophisticated type of attack is human-operated ransomware. These attacks are conducted by full-fledged, well-organized teams with clear task delegation, thorough testing and standardization of the attack process, and careful team selection. They run partner programs with clear terms for outsourcing certain tasks: initial access brokers provide access to compromised organizations' networks (through malware such as IcedID, QakBot, BazarLoader, Emotet, TrickBot, Dridex, Hancitor, ZLoader, and SocGholish), compromised credentials are purchased on dark web forums, so-called pentesters handle privilege escalation and preparation for enterprise-wide ransomware deployment, and negotiators agree the ransom demand. Such attacks involve human interaction while the operators gain ultimate access and prepare for enterprise-wide deployment: creating a domain group policy object (GPO), attaching shared storage with virtual machine disks, or preparing SSH access to VMware ESXi nodes. There are three significant trends in human-operated ransomware:

  • In 2014, the Iranian threat group SamSam introduced a trend in human-operated attacks called Big Game Hunting
  • Starting in 2017, a ransomware called BitPaymer, associated with the cybercrime group Evil Corp, gained popularity while following a similar approach to SamSam
  • Starting in 2019, there has been a rise in Ransomware-as-a-Service (RaaS) programs

There are many arguments about whether human-operated ransomware attacks should be considered sophisticated. Cl0p (FIN11), FIN12, BlackCat, Black Basta, LockBit, AvosLocker, Royal, and others have accumulated thousands of successful attacks, using tailored approaches against key targets. Many RaaS operators used to recruit new affiliates on underground forums; since 2021, they have done this more privately to complicate tracking by security researchers and law enforcement. They invest heavily in tooling for hybrid infrastructures (Windows, Linux, macOS, VMware, and others) and provide new teams with guidelines covering every step from the initial foothold to preparation for enterprise-wide ransomware deployment. One particularly interesting Conti case was the leak of the group's internal guides by one of its own members, which allowed many cybersecurity researchers and vendors to understand its structure and methods in far more detail. To hide their activity, such actors use dual-use tools to mimic IT administrators, perform a deep gap analysis of the defenses, and then apply defense evasion techniques such as impairing defenses by blinding or uninstalling AV and EDR solutions. In some cases, the ransomware reboots the endpoint into safe mode so that no security product interferes with the encryption.

When it comes to extortion, most groups use double extortion: they demand a ransom for data decryption and also exfiltrate sensitive data, exposing a small part of it on their data leak site (DLS) as proof. A trend set by LockBit in 2022 added further pressure on victims by launching a distributed denial of service (DDoS) attack against them. The ransom demand is tied to the organization's revenue, which the attackers usually obtain from B2B databases of company contacts and intelligence, or to its cyber insurance coverage.

Other financially-motivated groups

Such groups usually have unique monetization strategies directly enabled by data theft. They often steal financial data or files related to a company's point-of-sale (POS) systems, ATMs, remote banking services, payment card data, and general financial transaction processing systems. They also deploy custom-developed tools and utilities crafted to support their goals in victim environments. Like APTs, financially motivated threat actors have extended dwell times and evolving TTPs, although this varies with the group's objectives. Silence, FIN6, FIN7 (before it shifted its focus to ransomware), FIN8, FIN13, MoneyTaker, Cobalt Group, and Buhtrap are good examples of this class of threat actor.

Some groups (for example, Buhtrap) target accountants and lawyers by either infecting web resources these employees use in their professional activities or conducting SEO-poisoning attacks (https://www.crowdstrike.com/cybersecurity-101/attack-types/seo-poisoning/) and spreading infected office documents via several templates. As a result of the attack, they successfully compromise digital certificates, submit rogue payments that pass all checks, and proceed with processing. In some campaigns, it was observed that attackers were injecting invisible iframes into the web page of the bank and seamlessly replaced payment information, which also resulted in rogue payments being confirmed by the accountants.

Another type of financially motivated activity, with a lower attack complexity, is business email compromise (BEC). Such actors practice phishing, social engineering, and BEC scams to deceive their targets and steal money or sensitive information. It starts with a phishing attack or a valid account purchased from an initial access broker. Once logged in to the mailbox, the attacker reroutes the communication between two parties through fake email accounts impersonating each of them, implementing a man-in-the-middle (MiTM) attack over email, and then guides the victim into changing the recipient's bank account details and making a transfer. We won't cover such attacks in this book, as they have never been seen targeting Windows systems.

More sophisticated attacks have included compromising SWIFT and other region-specific financial messaging platforms by submitting malicious transaction files or details at various gateways (for example, by FIN7, FIN8, and Lazarus). One of the most notable cases was the attack on the Central Bank of Bangladesh by Lazarus (https://www.group-ib.com/blog/lazarus/). Such an operation usually starts with spear-phishing or the exploitation of vulnerabilities on the external attack surface, followed by a deep dive into the victim's network (mostly the IT segment) using a mix of living-off-the-land techniques and customized backdoors, discovering a path to the target network segment, gaining full visibility into its operations, preparing the impact, and finally executing it. These attacks may last for years before achieving their goal. However, thanks to huge efforts by the financial sector, regulators, and law enforcement agencies, the cost of these attacks has increased dramatically and their efficiency has dropped, which has led most financially motivated groups to switch to ransomware.

Hacktivists

Hacktivists are individuals or groups that use cyberattacks as a form of protest, to promote a particular cause, or to gain attention for their beliefs. They often target organizations they perceive as corrupt or unjust, and they typically work together anonymously to achieve a certain objective, using hacking and other cyber techniques to promote their beliefs, raise awareness, or influence public opinion. Examples of such techniques include DDoS attacks (https://www.group-ib.com/blog/middle-east-conflict-week-1/), website defacement, and leaking confidential information by publishing it on social networks or as web resources. Such campaigns usually occur during wars, revolutions, geopolitical conflicts, and social movements. Their attack techniques are usually not sophisticated: they exploit public-facing vulnerabilities, find common misconfigurations, or use weak authentication to perform brute-force or password-spraying attacks and gain access to the web interface of a web resource's content management system (CMS). When hacktivist groups work together, they may perform a DDoS attack. In some cases, when a DDoS attack happens, a hacktivist group may claim responsibility for it without providing any proof.

Competitors

These include rival organizations or businesses that engage in cyber espionage or other malicious activities to gain a competitive advantage in the marketplace. They usually perform passive attacks by eavesdropping, utilizing shared platforms, or using other publicly available information. The active phases of their attacks include social engineering and the use of insiders. They are extremely careful about NDA violations and try to avoid manipulating their rivals' infrastructure as this may expose their activity. For example, a microfinance institution uses a common shared database of credit bureaus, SMS gateways, and MQL platforms. Its competitors may spot any activity on the organization's end and send the customer an offer with better terms. From our experience, such attacks are extremely tough to investigate as there is usually a lack of data flow management, visibility, and commercial secrets hygiene, as well as the involvement of multiple third parties with limited responsibility. Moreover, employees may use their own devices, SIM cards, or social media accounts for multiple business-related activities. Once they are suspected, the organization must have solid evidence to acquire these devices for forensic investigation; otherwise, it may undermine employees' loyalty and cause them to search for new jobs.

Insider threats

These are individuals within an organization who misuse their authorized access to systems or data, either intentionally or unintentionally. They can cause significant damage due to their knowledge of the organization's internal structure and security measures. As discussed previously, they may cooperate with competitors and be guided by them. In some cases, insiders get paid by cybercriminals (https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/) to download and run malware, disclose infrastructure details, or share credentials. From an incident investigation perspective, it is quite complicated to prove that a user did this out of a lack of digital hygiene knowledge rather than because they were paid by another party. In addition, once cybercriminals or APTs have gained an initial foothold, they try to compromise the privileged accounts of IT administrators and utilize them in the attack. From our experience, cybersecurity divisions tend to become suspicious of some employees when no evidence can prove the employees' innocence. Once, we were involved in a business email compromise incident that targeted internal employees and some external customers. The employer escalated the case to law enforcement agencies and made formal accusations against an employee. Fortunately, the initial access was identified, and it proved to be a massive campaign from an unknown gang. Further cooperation with law enforcement agencies led to the group being spotted. The final report was used by attorneys; it proved the innocence of the employee and the case was closed.

Conversely, there was a case where a FIN actor conducted a targeted spear-phishing campaign against a company's IT administrator who was familiar with cybersecurity concepts. Despite this, they opened the email on their corporate device, downloaded the attachment, and executed it. This eventually led to a successful attack and the withdrawal of several million dollars. Upon initial analysis of this attachment, it became apparent that it was Cobalt Strike malware. The Department of Cybersecurity decided to launch a criminal case against the employee, which resulted in their arrest on suspicion of assisting the attackers.

There was also a case where an employee, when moving to a competitor, took a customer database that was stored in a cloud database. The investigation was complicated by the fact that employees were working from personal Google accounts, personal smartphones, and a corporate laptop. The NDA did not prohibit the use of personal devices, and the exit procedure didn't include any device checks for remaining commercial secrets. In addition, no legal documents were signed. After discovering the leak of the customer database (a competitor began contacting VIP customers and offering them better terms), an internal investigation was conducted, which found that the employee hadn't accessed corporate data after being terminated and that the IT department hadn't restricted the ex-employee's access to the database. As a result, everyone knew the person was guilty, but there was no legal reason to hold them accountable.

You might be wondering how these cases are relevant to this book, but we will use their lessons learned to explain the investigation process and other important steps every organization should take to secure its data from threat actors, especially in Windows environments.

Terrorist groups

These are extremist organizations that use cyberattacks in support of their ideological goals. They don’t possess the same level of sophistication as nation-state APT groups, but they can still cause significant harm. Their goals are to perform website defacement, DDoS attacks, data breaches and leaks, cyber espionage, sabotage and disruption, radicalization, and social media manipulation.

Script kiddies

These are inexperienced or unskilled individuals who use pre-made tools, scripts, or exploits to conduct cyberattacks. They typically lack the technical knowledge to create attack methods and often target systems with known vulnerabilities. Their main motivation is to gain experience, build their portfolio, and attempt to join more mature cybercrime syndicates.

Organizations with an average level of cybersecurity can easily resist these types of attackers because their methods are easily detectable, lack uniqueness, and are not targeted. Most techniques can be prevented with security controls. Analysts must ensure that their attacks have been mitigated and they have no other foothold.

There was a case when two cybercriminals worked together on an attack and successfully encrypted a logistics company's data by putting all of its Microsoft Hyper-V virtual machine disks into one VeraCrypt container. They contacted their victim, offering to provide the container's decryption key and secret. However, it didn't work, so they requested access to the dedicated server that held the container via a remote administration tool and tried to decrypt it themselves, but this also failed. The initial access vector was external remote services: RDP published to the internet with weak authentication (an 8-digit password for the local administrator and no brute-force protection). The attackers used their personal computers from home without using a public proxy, VPN, Tor, or a hosting provider's VPS/VDS. Once this was escalated to law enforcement and a joint investigation was conducted, they were caught and arrested.

The lesson to be learned here is that every attack should be properly investigated by professionals as they may identify the threat actor’s maturity, find their mistakes, and proceed with law enforcement agencies to make our cyberspace a little safer.

Wrapping up

With that, we have discussed various threat actor types and their key motivations. Looking at the different maturity levels of attackers revealed that implementing basic best practices is sufficient to prevent attacks by the less mature ones. For example, installing an antivirus (AV), running regular vulnerability scans with a proper patch management process, checking for compromised credentials on EASM and acting accordingly, securing email with anti-spam and sandbox solutions, implementing strong password policies, running continuous cybersecurity hygiene exercises with employees, and having proper incident response plans, even for low-maturity cybersecurity teams, may prevent script kiddie, terrorist, hacktivist, and some competitor attacks. APTs and cybercrime threat actors can easily bypass this cybersecurity posture and will require significantly more effort from the cybersecurity team and organization management.

The following are some key lessons learned for organizations:

  • There should be an inventory of key assets and business processes, as well as a thorough understanding of the data flow.
  • The cyber threat landscape is a continuous process and requires dedicated resources or regular engagements to be kept up to date.
  • It is critical to perform regular gap analysis while focusing on security control coverage, lack of visibility, proper incident response procedures, and mitigation strategies.
  • There should be a proper external attack surface management process that ensures all discovered vulnerabilities are patched promptly, that no exposed credentials are left unresolved, and that no resources are exposed to the internet that shouldn't be.
  • There are no silver bullets that can ensure 100% protection from cyber threats, such as installing AV or EDR and relying on automated cyber-attack prevention.
  • Intelligence-driven incident response and cybersecurity strategies are more cost- and time-efficient than other approaches, providing valuable insights that enable organizations to build better defenses.

To summarize, by understanding the maturity level of attackers, the degree of sophistication of their attacks, and their motivations, we can better understand the purpose and contents of the threat landscape and begin to build a relevant one for our organization.

Building the cyber threat landscape

In this section, we will explain the process of performing a unified cyber threat analysis while exploring its key factors and defining the next steps.

First, we need to define the list of key assets. EASM solutions may help to automate this process. Usually, you’ll require the following:

  • A list of public IP addresses of the infrastructure that have been exposed to the internet
  • A list of DNS zones used both internally (the Active Directory domain) and externally (to publish the organization's web resources over the internet)
  • Some organization-specific keywords that may help to identify all externally hosted assets

This will result in you identifying all the organization’s assets, such as exposed business applications, any vulnerabilities and misconfigurations in them, owned IP addresses and DNS zones, third-party solutions, exposed employees’ details, and their geography.
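As an added example (not code from the book or from any EASM product), the following Python script shows how the three inputs just listed are used together to decide whether a host found by an external scan belongs to the organization. The IP ranges, DNS zones, keywords and discovered hosts are all constructed assumptions; the keyword check is what catches assets hosted on third-party infrastructure, where neither the IP nor the DNS zone is the organization's own.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory for a hypothetical organization; none of these
# ranges, zones, keywords or hosts come from the book (TEST-NET ranges).
OWNED_IP_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]   # public IPs exposed to the internet
OWNED_DNS_ZONES = ["example.com", "corp.example"]         # external zone and AD domain
KEYWORDS = ["examplecorp", "excorp"]                      # organization-specific keywords


@dataclass
class DiscoveredAsset:
    """One host seen by an external scan (constructed record shape)."""
    host: str
    ip: str
    tls_subject: str = ""


@dataclass
class ScopeVerdict:
    asset: DiscoveredAsset
    reasons: list = field(default_factory=list)

    @property
    def in_scope(self) -> bool:
        return bool(self.reasons)


def classify(asset, ip_ranges=OWNED_IP_RANGES, zones=OWNED_DNS_ZONES, keywords=KEYWORDS):
    """Attribute a discovered host to the organization using the three inputs
    from the text: owned IP ranges, owned DNS zones, and keywords."""
    reasons = []

    # 1. Is the address inside a public range the organization owns?
    addr = ipaddress.ip_address(asset.ip)
    for cidr in ip_ranges:
        if addr in ipaddress.ip_network(cidr):
            reasons.append(f"ip in owned range {cidr}")
            break

    # 2. Does the hostname sit in an owned DNS zone? The leading dot prevents
    #    "notexample.com" from matching the zone "example.com".
    host = asset.host.lower().rstrip(".")
    for zone in zones:
        if host == zone or host.endswith("." + zone):
            reasons.append(f"host in owned zone {zone}")
            break

    # 3. Keywords catch assets hosted on third-party infrastructure, where
    #    neither the IP nor the DNS zone belongs to the organization.
    haystack = f"{host} {asset.tls_subject}".lower()
    for kw in keywords:
        if kw in haystack:
            reasons.append(f"keyword '{kw}' matched")
            break

    return ScopeVerdict(asset, reasons)


def in_scope_hosts(assets, **inventory):
    """Return the sorted hostnames that belong to the organization."""
    return sorted(v.asset.host for v in (classify(a, **inventory) for a in assets) if v.in_scope)


# Constructed scan results: two hosts on owned IPs, one SaaS tenant only
# identifiable by keyword, and two unrelated hosts.
SAMPLE_ASSETS = [
    DiscoveredAsset("vpn.example.com", "203.0.113.10"),
    DiscoveredAsset("dc01.corp.example", "198.51.100.20"),
    DiscoveredAsset("examplecorp-support.some-saas.net", "192.0.2.77",
                    "CN=examplecorp-support.some-saas.net"),
    DiscoveredAsset("notexample.com", "192.0.2.5"),
    DiscoveredAsset("mail.other.org", "192.0.2.10"),
]

if __name__ == "__main__":
    for verdict in (classify(a) for a in SAMPLE_ASSETS):
        flag = "IN SCOPE " if verdict.in_scope else "ignore   "
        print(flag, verdict.asset.host, "; ".join(verdict.reasons))
```

Each verdict keeps the reasons it matched on, so a host such as an Active Directory name resolving to a public address stands out as a finding rather than silently passing as "owned".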

The next step is to gather CTI to build the cyber threat landscape. To start, you should choose the most valuable source of CTI. It may include cybersecurity vendors’ threat reports, purchasing access to the CTI platforms, subscribing to cybersecurity blogs and newspapers, or engaging CTI consultants. The more relevant feeds that are used, the better. However, it may lead to significant time and financial costs for the organization, something outside the scope of this book.

Once all the prerequisites have been met, you can proceed. The following example shows how to apply the CTI platforms to get a list of threat actors as quickly and efficiently as possible:

  1. Filter cyber threat actors by target region. Here, all regions of presence must be specified.
  2. Filter cyber threat actors by target industry while ensuring all sectors are mentioned.
  3. Filter by activity. The threat actor should be active. The trick here is that attackers may be inactive for a variety of reasons: some members of the group may have been arrested (Emotet, NetWalker in January 2021; Egregor, Cl0p in June 2021), the attackers’ infrastructure may have been identified and decommissioned by law enforcement (Hive), or they may have regrouped and joined other syndicates (REvil, DarkSide). An example of filtering is shown in Figure 1.2:
Figure 1.2 – Example of the threat actors in the cyber threat landscape after filtering by region and industry

It is important to mention that some groups may be inactive for other reasons. For example, they might have noticed that they were exposed and curtailed their activity until circumstances change. When it comes to APTs, they may keep silent for a while until further directives arrive. In such cases, they must still be considered in the cyber threat landscape, but the priority of covering their TTPs may be lower than for active actors so as to conserve the cybersecurity team's resources. When these cybercriminals become active again, the security team may act accordingly upon notification from the CTI provider, following the same steps. However, this is not a call to action, just one tip on how to build a process when team resources are limited.
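The three filtering steps above, together with the lower-priority handling of dormant actors, as an added Python example (this is not code from the book or from any CTI platform; the actor records, the status vocabulary, the region and industry labels, and the 180-day dormancy threshold are all constructed assumptions):

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ThreatActor:
    """One record from a CTI platform (constructed shape, not a vendor schema)."""
    name: str
    kind: str                    # "cybercrime" or "apt"
    target_regions: frozenset
    target_industries: frozenset
    last_seen: date              # last activity the CTI source reported
    status: str = "active"       # "active", "dismantled" or "merged" (constructed vocabulary)


@dataclass(frozen=True)
class LandscapeEntry:
    actor: ThreatActor
    priority: str                # "high" for active actors, "watch" for dormant ones


def is_relevant(actor, regions, industries):
    """Steps 1 and 2: the actor must target at least one of our regions
    and at least one of our industries."""
    return bool(actor.target_regions & regions) and bool(actor.target_industries & industries)


def build_landscape(actors, regions, industries, today, dormant_after=timedelta(days=180)):
    """Step 3: drop actors that are gone for good (dismantled or merged into
    another syndicate), keep dormant ones at lower priority, rank the rest first."""
    regions, industries = frozenset(regions), frozenset(industries)
    entries = []
    for actor in actors:
        if not is_relevant(actor, regions, industries):
            continue
        if actor.status in ("dismantled", "merged"):
            continue            # infrastructure taken down or group absorbed elsewhere
        dormant = today - actor.last_seen > dormant_after
        entries.append(LandscapeEntry(actor, "watch" if dormant else "high"))
    # active actors first, then alphabetically, so the team's effort goes to them
    entries.sort(key=lambda e: (e.priority != "high", e.actor.name))
    return entries


def summarize(entries):
    return [(e.actor.name, e.priority) for e in entries]


# Constructed sample feed; names and attributes are placeholders, not real groups.
TODAY = date(2024, 6, 1)
SAMPLE_ACTORS = [
    ThreatActor("Actor-Alpha", "cybercrime", frozenset({"Europe", "MEA"}),
                frozenset({"finance", "retail"}), date(2024, 5, 20)),
    ThreatActor("Actor-Bravo", "apt", frozenset({"Europe"}),
                frozenset({"finance", "government"}), date(2023, 9, 1)),     # quiet for months
    ThreatActor("Actor-Charlie", "cybercrime", frozenset({"APAC"}),
                frozenset({"finance"}), date(2024, 5, 1)),                   # wrong region
    ThreatActor("Actor-Delta", "cybercrime", frozenset({"Europe"}),
                frozenset({"finance"}), date(2024, 4, 1), status="dismantled"),
    ThreatActor("Actor-Echo", "cybercrime", frozenset({"Europe"}),
                frozenset({"healthcare"}), date(2024, 5, 1)),                # wrong industry
]

if __name__ == "__main__":
    for name, priority in summarize(build_landscape(SAMPLE_ACTORS, {"Europe"}, {"finance"}, TODAY)):
        print(f"{priority:5} {name}")
```

The dormancy threshold is a knob, not a fact: widening `dormant_after` moves a quiet APT back to "high" priority, which is the trade-off the paragraph describes between coverage and the team's capacity.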

Once the cyber threat actors list has been compiled, a strategic summary is created. Further actions include doing a deep dive into operational, technical, and tactical threat intelligence details.

This is where the cybersecurity team steps in. The next step is to learn the adversaries’ attack life cycle. Usually, vendors provide such information by mapping to well-known and industry-standard frameworks. Almost all cybersecurity companies provide MITRE ATT&CK® (see Figure 1.3) mapping; a few provide a detailed list of procedures that were observed during the attack:

Figure 1.3 – Example of a MITRE ATT&CK ® mapping for the threat actors in a cyber threat landscape

However, not all these tactics apply to organizations’ infrastructure, particularly Windows systems. Keeping this in mind, we will focus more on how adversaries attack Windows infrastructures so that we can make them safer.

Let’s stop here for now and summarize this chapter.

Summary

In this chapter, we explored the various aspects of the complex and ever-evolving world of cyber threats. We began by discussing the different threat intelligence levels, which help organizations understand and categorize the types of information available for protecting their assets. This includes strategic, operational, tactical, and technical intelligence, each serving a unique purpose in the overall cybersecurity posture.

Next, we delved into the main types of threat actors and their motivations. By understanding their objectives and tactics, organizations can better prepare themselves to counter potential attacks.

Then, we presented some use cases that highlighted the importance of comprehending the cyber threat landscape and demonstrated how organizations can leverage this knowledge to proactively identify vulnerabilities, prioritize risks, and develop effective countermeasures.

Lastly, we outlined the process of building a cyber threat landscape, which involves defining the scope, identifying threat actors, gathering intelligence, analyzing threats and vulnerabilities, and prioritizing risks.

This systematic approach allows organizations to stay informed about the latest threats and ensure that their security measures remain effective in the face of ever-changing cyber risks of modern sophisticated attacks, especially those targeting Windows systems.

In the next chapter, we will cover various aspects of the cyber attack life cycle that align with our sophisticated attack kill chain, including gaining an initial foothold, network propagation and data exfiltration, and the impact from the threat actor’s perspective. We will also explain how to leverage operational, tactical, and technical threat intelligence in preparing for the emerging cyber threat landscape and developing the most productive and sustainable incident response process.


Key benefits

  • Explore contemporary sophisticated cyber threats, focusing on their tactics, techniques, and procedures
  • Craft the most robust enterprise-wide cybersecurity incident response methodology, scalable to any magnitude
  • Master the development of efficient incident remediation and prevention strategies
  • Purchase of the print or Kindle book includes a free PDF eBook

Description

Cybersecurity incidents are becoming increasingly common and costly, making incident response a critical domain for organizations to understand and implement. This book enables you to effectively detect, respond to, and prevent cyberattacks on Windows-based systems by equipping you with the knowledge and tools needed to safeguard your organization's critical assets, in line with the current threat landscape. The book begins by introducing you to modern sophisticated cyberattacks, including threat actors, methods, and motivations. Then, the phases of efficient incident response are linked to the attack's life cycle using a unified cyber kill chain. As you advance, you'll explore various types of Windows-based platform endpoint forensic evidence and the arsenal necessary to gain full visibility of the Windows infrastructure. The concluding chapters discuss the best practices in the threat hunting process, along with proactive approaches that you can take to discover cybersecurity incidents before they reach their final stage. By the end of this book, you’ll have gained the skills necessary to run intelligence-driven incident response in a Windows environment, establishing a full-fledged incident response and management process, as well as proactive methodologies to enhance the cybersecurity posture of an enterprise environment.

Who is this book for?

This book is for IT professionals, Windows IT administrators, cybersecurity practitioners, and incident response teams, including SOC teams, responsible for managing cybersecurity incidents in Windows-based environments. Specifically, system administrators, security analysts, and network engineers tasked with maintaining the security of Windows systems and networks will find this book indispensable. Basic understanding of Windows systems and cybersecurity concepts is needed to grasp the concepts in this book.

What you will learn

  • Explore diverse approaches and investigative procedures applicable to any Windows system
  • Grasp various techniques to analyze Windows-based endpoints
  • Discover how to conduct infrastructure-wide analyses to identify the scope of cybersecurity incidents
  • Develop effective strategies for incident remediation and prevention
  • Attain comprehensive infrastructure visibility and establish a threat hunting process
  • Execute incident reporting procedures effectively

Product Details

Publication date: Aug 23, 2024
Length: 244 pages
Edition: 1st
Language: English
ISBN-13: 9781804619322


Table of Contents

19 Chapters
Part 1: Understanding the Threat Landscape and Attack Life Cycle
Chapter 1: Introduction to the Threat Landscape
Chapter 2: Understanding the Attack Life Cycle
Part 2: Incident Response Procedures and Endpoint Forensic Evidence Collection
Chapter 3: Phases of an Efficient Incident Response on Windows Infrastructure
Chapter 4: Endpoint Forensic Evidence Collection
Part 3: Incident Analysis and Threat Hunting on Windows Systems
Chapter 5: Gaining Access to the Network
Chapter 6: Establishing a Foothold
Chapter 7: Network and Key Assets Discovery
Chapter 8: Network Propagation
Chapter 9: Data Collection and Exfiltration
Chapter 10: Impact
Chapter 11: Threat Hunting and Analysis of TTPs
Part 4: Incident Investigation Management and Reporting
Chapter 12: Incident Containment, Eradication, and Recovery
Chapter 13: Incident Investigation Closure and Reporting
Index
Other Books You May Enjoy

Customer reviews

Rating: 4.8 out of 5 (8 ratings)
5 star 75%
4 star 25%
3 star 0%
2 star 0%
1 star 0%

Top Reviews

Jennifer McCombs Sep 03, 2024
5 stars
“Incident Response for Windows: Adapt Effective Strategies for Managing Sophisticated Cyber Attacks” is an indispensable resource for cybersecurity professionals and IT administrators. The book offers a comprehensive guide to managing and mitigating cyber threats specifically targeting Windows environments. One of the standout features of this book is its practical approach. The authors provide detailed, step-by-step strategies that are easy to follow, even for those who may not have extensive experience in incident response. The inclusion of real-world examples and case studies helps to illustrate the concepts and techniques discussed, making them more relatable and easier to understand. The book covers a wide range of topics, from the basics of incident response to advanced techniques for dealing with sophisticated attacks. It delves into the intricacies of Windows-specific threats and vulnerabilities, offering tailored solutions that are both effective and efficient. The sections on threat hunting and forensic analysis are particularly noteworthy, providing readers with the tools and knowledge needed to proactively identify and address potential threats before they can cause significant damage. Another strength of this book is its focus on adaptability. The authors emphasize the importance of staying up-to-date with the latest threats and trends in cybersecurity, and they provide guidance on how to continuously improve and adapt incident response strategies to meet the evolving landscape of cyber threats. Overall, “Incident Response for Windows” is a must-read for anyone involved in cybersecurity. Its practical advice, real-world examples, and focus on adaptability make it a valuable addition to any professional’s library. Whether you’re a seasoned expert or just starting out in the field, this book will equip you with the knowledge and skills needed to effectively manage and respond to cyber incidents in a Windows environment.
Amazon verified review
isaiah Sep 16, 2024
5 stars
This book is a practical guide that provides a good overview of handling cybersecurity incidents within Windows environments. The book covers everything from understanding the threat landscape and the attack life cycle to effective incident response, forensic evidence collection, and post-incident analysis. Each chapter is well-structured and offers insights into specific phases of incident management, making it a valuable resource for IT professionals and security analysts. I definitely recommend this book as a base for understanding DFIR.
Amazon verified review
Seth Keyser Oct 06, 2024
5 stars
This book is well-written and thought out bringing real-world scenarios and practical approaches for Incident Responders in today's challenging and evolving cybersecurity landscape. The authors provide a wonderful foundation for preparing and responding to incidents in Windows Systems. This is a must have resource for guidance, preparation, and knowledge for investigating and remediating incidents in Windows Systems for today's Incident Responder.
Amazon verified review
Daniel Aug 27, 2024
5 stars
This book is packed with up-to-date information and covers much of what was taught in multiple certification classes. It's a comprehensive guide to cybersecurity within Windows environments, emphasizing the critical need for vigilance against threats that can lead to severe consequences like financial losses and reputational damage. I particularly appreciated the chapter that breaks down the methodology of sophisticated cyber attacks, detailing each stage from reconnaissance to data exfiltration. This detailed overview of attacker tactics and tools was crucial in helping me understand how cyber attacks work. The book explores how attackers gain network access, establish a foothold, and propagate, offering insights into detection and response, as well as asset discovery. It also covers data exfiltration, damage assessment, and impact evaluation in cyber attacks. Additionally, the book provides a step-by-step incident response guide, focusing on forensic evidence collection in Windows environments to ensure investigation integrity. The book emphasizes proactive cybersecurity, offering guidance on threat hunting and analyzing known TTPs to identify threats early. It concludes with practical advice on incident containment, eradication, recovery, and the importance of thorough documentation. Overall, it's an invaluable resource for cybersecurity professionals, covering both offensive and defensive strategies and offering practical guidance for managing and responding to cyber threats.
Amazon verified review
Dr. Larry Leibrock Sep 21, 2024
5 stars
Concise body of knowledge concerning cyber threat intelligence and forensics insights for Windows endpoints. Well referenced and clear assessment of various attack surfaces. Excellent summary for Indicators of Compromise. Recommended reading for forensics professionals. Larry Leibrock
Amazon verified review