Clark Flores

How to investigate?

how to think like an analyst?

Just had an idea to share my train of thought whenever I do investigations.

This is not a technical subject but more on the how to put puzzle pieces together.

Set of Questions:

Question 1: What is my goal?

  • Is it to prove that the alert is an anomaly aka True Positive?
  • Is it to prove that this is just a business-as-usual type of activity aka False Positive?

Note: As part of Security Operations Center (SOC) / Threat Detection and Response (TDR) my main goal is to prevent attacks from happening and/or mitigate the risk. I always think that the alert you observed is true positive unless proven otherwise (because why would they create an alert in the first place if not to detect a malicious activity, right?).

Question 2: What does the alert say?

  • Does it provide enough context to help with the investigation?
  • Maybe there’s a similar alert somewhere; does the previous investigation help with the current situation?
  • Is the alert really related to the person/machine that generated it?
  • Is the role of the owner really part of the context of the detection?

Note: I want you to understand the alert and not just copy and paste descriptions. These details sometimes provide enough context to immediately assess the scenario. For example, a person from the Accounting Department triggered a PowerShell script. He’s very old and not savvy enough to use PowerShell, let alone use it as part of his job (you need to answer the question: why does he need a damn PS script for his tasks?), so what does it look like to you as an investigator?

Question 3: What did the alert do?

  • What are the technologies involved?
    • Is it an endpoint?
    • Is it part of DLP case?
    • Is it a web activity?
    • Is it a server?
    • Is it a mobile device?
    • Is it a network equipment?
    • An account perhaps?
    • An external/internal IP?
    • Maybe a combination of assets above?

Note: You need to dig deeper and get every piece of data you can find based on the alert. Who’s the owner of the machine, what does the person do, are they permitted to do the activities related to the alert? Can you find the same hashes on other machines and pull them?

Question 4: How did it happen?

  • Does the process involved look malicious? (By process I mean not just a Windows process but the activity involved in the alert, e.g. data loss, data privacy, etc.)
  • What do you know about the process?
  • What are the possible attack vectors?
    • Was it a known attack?
    • Could it possibly be an unknown activity, similar to a zero-day exploit?

Question 5: What do you observe before, during, and after the alert was triggered?

  • Does it involve human interaction? (e.g. user clicked something, user downloaded something, user sent something, etc.)
  • Is there a connection going outside or possibly an unknown connection internally?
    • Does it involve data?
  • Can you search the web for something similar to the observed activities?

Note: Using keyword searches from the alert will help you find similar attack patterns on the web. For example, I handled a case where a particular .exe file was downloaded. It was a bitcoin miner targeting a specific region. When I correlated the activities, even the location of the victim in my case, they were near identical. I followed the trail based on the reference post and concluded that it was indeed a true positive. I immediately conducted mitigation such as changing the victim’s password, notifying other teams, etc. Google-Fu is really helpful, folks.

Note: If you can answer questions 2-5, it will really help you crack the case. The aim is to narrow down your scope of search and limit the possibilities to the point where you are able to conclude the investigation.

As an analogy, imagine you lost your phone in your own home and its battery is dead. Your thought process should be something similar: 1. Where was the last place you remember still having your phone? 2. Were you outside or inside? 3. If you were inside then it must be in there somewhere, right? So it’s relatively easier to search for than if it were outside the house.

So you go on and on until you find what you’re looking for. You make your scope of possibilities smaller to make it easier to conduct the search.

Question 6: Do you need to contact other member/team/organization?

Question 7: What does your analysis say?

  • Correlate everything and put the puzzles together. What picture do you see?

Question 8: Lastly, list down all the notable data you found during the investigation. It could be:

  • Hosts involved
  • IP address
  • Sites
  • Email address
  • Hashes
  • Platform (e.g. Windows, MacOS, *nix, web server stack, etc)
  • Files
  • Process

So as you investigate further you form a pattern of behavior which you can refer to in case you handle a similar scenario in the future.

Incident Response Process

Notice the train of thought above? Surprise surprise. It’s the Incident Response Process.

Step 1 - Detection

As you form an alert and observe activities similar to the created alert, you begin to investigate whether it’s normal behavior in the environment or not.

Step 2 - Response

You conduct triage and gather evidence based on the context of the alert. You form your own analysis of whether it might possibly be a malicious activity.

Step 3 - Mitigation

You halt the activity before it spreads out and creates an even bigger problem.

Step 4 - Reporting

You document and inform other member/team/organization about the findings.

Step 5 - Recovery

Perform the work-around, restore the affected system and limit the impact on business operation as much as possible.

Step 6 - Remediation

Fix the security holes that were exploited by the malicious activity.

Step 7 - Lessons Learned

Review the conducted incident response process, note every detail of the incident, and apply changes if deemed necessary.

Scientific Method

Okay. Okay. Let’s zoom out a little bit. Notice something similar? The Scientific Method. It’s a grade school lesson but it’s super useful whenever there’s a problem (in this case, a cybersecurity incident).

So in relation to the set of questions above, here’s how they map:

1. Define a question

  • What is my goal?

2. Gather information and resources (observe)

  • What does the alert say?
  • What did the alert do?
  • How did it happen?
  • What do you observe before, during, and after the alert was triggered?

3. Form an explanatory hypothesis

  • Based on the data gathered, is it really a true positive?

4. Test the hypothesis by performing an experiment and collecting data in a reproducible manner

  • Record the timeline of the incident with proper screenshots

5. Analyze the data

  • What does your analysis say?

6. Interpret the data and draw conclusions that serve as a starting point for a new hypothesis

  • What does your analysis say?

7. Publish results

  • List down all the notable data you found during the investigation.

Hope I provided some insights, if not then God bless in your future endeavors.

Kidding aside, I’ll be using this work flow in my future posts. Tune in!