Identification Of New Leads & Impacted Systems

---

1. Analyzing IOC Hits

Purpose: To identify new leads and impacted systems by analyzing hits from IOC searches.

• Why: IOC hits can reveal additional compromised systems or related malicious activity, helping to expand the scope of the investigation.

• Technical Example:

  • Search for IOCs Across Systems:

    • Use SIEM tools to search for IOCs across logs and endpoints:

      index=security_logs file_hash="abc123" OR src_ip="192.168.1.100"

    • Query EDR tools for suspicious activity:

      Get-MDATPDeviceAlerts -Severity High | Select-Object DeviceName, AlertTitle

  • Cross-Reference with Asset Inventory:

    • Identify systems associated with IOC hits:

      SELECT hostname, ip_address FROM assets WHERE ip_address IN ('192.168.1.100', '192.168.1.101');

---

2. Eliminating False Positives

Purpose: To filter out irrelevant or overly generic IOC matches that do not relate to the incident.

• Why: False positives can waste time and resources, diverting focus from genuine threats.

• Technical Example:

  • Validate IOC Hits:

    • Investigate whether the hit is relevant to the incident:

      grep "malicious_tool.exe" /var/log/syslog | awk '{print $5}' | sort | uniq -c

    • Compare with known legitimate activity (e.g., software updates):

      cat /path/to/whitelist.txt | grep "malicious_tool.exe"

  • Refine Generic IOCs:

    • Narrow down overly broad IOCs to reduce false positives:

      rule RefineMaliciousTool {
          meta:
              description = "Detects specific version of malicious_tool.exe"
          strings:
              $file_name = "malicious_tool_v2.exe"
              $hex_pattern = {DE AD BE EF}
          condition:
              $file_name and $hex_pattern
      }

---

3. Prioritizing Leads

Purpose: To focus on high-value leads that are most likely to provide actionable insights.

• Why: When dealing with a large number of IOC hits, prioritization ensures efficient use of resources and faster progress in the investigation.

• Technical Example:

  • Prioritize Based on Severity:

    • Focus on systems with critical alerts or high-severity events:

      Get-WinEvent -LogName "Security" | Where-Object { $_.LevelDisplayName -eq "Critical" }

  • Focus on Business-Critical Systems:

    • Identify and prioritize systems that are critical to operations:

      SELECT hostname, system_role FROM assets WHERE system_role = 'critical';

  • Prioritize Leads with Forensic Value:

    • Select systems where forensic analysis is likely to yield new insights:

      volatility -f memory_dump.raw --profile=Win10x64 pslist
      volatility -f memory_dump.raw --profile=Win10x64 malfind

---

4. Identifying New Leads

Purpose: To uncover additional systems, activities, or artifacts that expand the understanding of the incident.

• Why: New leads often reveal lateral movement, persistence mechanisms, or other attack vectors that were previously unknown.

• Technical Example:

  • Trace Lateral Movement:

    • Analyze logs for unusual login attempts or connections between systems:

      grep "Accepted password" /var/log/auth.log | awk '{print $9}' | sort | uniq -c | sort -nr

    • Use tools like BloodHound to map relationships between users and systems:

      Invoke-BloodHound -CollectionMethod All

  • Identify Persistence Mechanisms:

    • Search for registry keys or scheduled tasks created by attackers:

      Get-ChildItem -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
      Get-ScheduledTask | Where-Object { $_.State -eq "Ready" }

---

5. Handling Large Numbers of Hits

Purpose: To manage and process a high volume of IOC hits effectively.

• Why: Large numbers of hits can overwhelm investigators, so systematic filtering and prioritization are essential.

• Technical Example:

  • Automate IOC Filtering:

    • Use scripts to filter and categorize IOC hits:

      with open("ioc_hits.txt", "r") as file:
          hits = file.readlines()
      filtered_hits = [hit for hit in hits if "critical" in hit.lower()]
      print(filtered_hits)

  • Visualize Hit Data:

    • Use visualization tools to identify patterns and trends:

      index=security_logs | stats count by src_ip, dest_ip | sort -count

---

Conclusion

The identification of new leads and impacted systems is a critical step in expanding the scope of an investigation. By analyzing IOC hits, eliminating false positives, and prioritizing high-value leads, organizations can efficiently uncover additional compromised systems and malicious activities.