Identification Of New Leads & Impacted Systems


1. Analyzing IOC Hits

Purpose: To identify new leads and impacted systems by analyzing hits from IOC searches.

  • Why: IOC hits can reveal additional compromised systems or related malicious activity, helping to expand the scope of the investigation.

  • Technical Example:

    • Search for IOCs Across Systems:

      • Use SIEM tools to search for IOCs across logs and endpoints:

        index=security_logs (file_hash="abc123" OR src_ip="192.168.1.100")
      • Query EDR tools for suspicious activity:

        Get-MDATPDeviceAlerts -Severity High | Select-Object DeviceName, AlertTitle
    • Cross-Reference with Asset Inventory:

      • Identify systems associated with IOC hits:

        SELECT hostname, ip_address FROM assets WHERE ip_address IN ('192.168.1.100', '192.168.1.101');
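The two steps above, searching logs for IOC values and then looking the matches up in the asset inventory, can be done in one pass. The following is an added example, not code from the original page: it matches constructed key=value log lines against the IOC values used above (the hash abc123 and the two 192.168.1.x addresses), then joins the hits to a constructed asset list standing in for the assets table. Hostnames, roles and log lines are all constructed.

```python
# Added example (not the page's own code). Matches constructed log lines
# against an IOC set and joins the hits to a constructed asset inventory
# to name the impacted systems.
import re
from typing import Any, Dict, List, Set

# Constructed IOC set, reusing the example values from the section above.
IOC_HASHES: Set[str] = {"abc123"}
IOC_IPS: Set[str] = {"192.168.1.100", "192.168.1.101"}

# Constructed asset inventory, standing in for the 'assets' table.
ASSETS: List[Dict[str, str]] = [
    {"hostname": "ws-finance-07", "ip_address": "192.168.1.100", "system_role": "workstation"},
    {"hostname": "srv-db-01", "ip_address": "192.168.1.101", "system_role": "critical"},
    {"hostname": "ws-hr-02", "ip_address": "192.168.1.102", "system_role": "workstation"},
]

# Constructed key=value log lines of the kind the SIEM search would return.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host=ws-finance-07 src_ip=192.168.1.100 dest_ip=10.0.0.5 file_hash=abc123
2024-05-01T10:00:07Z host=ws-hr-02 src_ip=192.168.1.102 dest_ip=10.0.0.5 file_hash=ffff00
2024-05-01T10:01:13Z host=srv-db-01 src_ip=10.0.0.5 dest_ip=192.168.1.101 file_hash=1234ab
2024-05-01T10:02:45Z host=ws-finance-07 src_ip=192.168.1.100 dest_ip=10.0.0.9 file_hash=abc123
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; the leading timestamp is kept as 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def find_ioc_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line that matches any IOC, recording which IOCs matched."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        matched = []
        if event.get("file_hash") in IOC_HASHES:
            matched.append("file_hash=" + event["file_hash"])
        for key in ("src_ip", "dest_ip"):
            if event.get(key) in IOC_IPS:
                matched.append(f"{key}={event[key]}")
        if matched:
            event["matched_iocs"] = ",".join(matched)
            hits.append(event)
    return hits


def impacted_systems(hits: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Join hits to the asset inventory.

    A system counts as impacted if it logged a hit or if its inventory IP is
    one of the IOC addresses seen in the hit (the 'WHERE ip_address IN (...)'
    lookup above). Results are sorted by hit count, then hostname.
    """
    by_ip = {a["ip_address"]: a for a in ASSETS}
    by_host = {a["hostname"]: a for a in ASSETS}
    impacted: Dict[str, Dict[str, Any]] = {}
    for hit in hits:
        # Assets implicated by this one line, deduplicated so a host that both
        # logged the event and owns the IOC IP is counted once per line.
        assets: Dict[str, Dict[str, str]] = {}
        if hit.get("host") in by_host:
            assets[hit["host"]] = by_host[hit["host"]]
        for key in ("src_ip", "dest_ip"):
            ip = hit.get(key)
            if ip in IOC_IPS and ip in by_ip:
                assets[by_ip[ip]["hostname"]] = by_ip[ip]
        for name, asset in assets.items():
            entry = impacted.setdefault(name, {
                "hostname": name,
                "ip_address": asset["ip_address"],
                "system_role": asset["system_role"],
                "hit_count": 0,
                "iocs": set(),
            })
            entry["hit_count"] += 1
            entry["iocs"].update(hit["matched_iocs"].split(","))
    result = sorted(impacted.values(), key=lambda e: (-e["hit_count"], e["hostname"]))
    for entry in result:
        entry["iocs"] = sorted(entry["iocs"])
    return result


if __name__ == "__main__":
    for system in impacted_systems(find_ioc_hits(SAMPLE_LOGS)):
        print(system)
```

The join is deliberately loose: a host that merely logged a hit line is listed alongside the host that owns the IOC address, because at this stage the goal is to widen the candidate set, not to confirm compromise. Section 2 is where the false positives come out again.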

2. Eliminating False Positives

Purpose: To filter out irrelevant or overly generic IOC matches that do not relate to the incident.

  • Why: False positives can waste time and resources, diverting focus from genuine threats.

  • Technical Example:

    • Validate IOC Hits:

      • Investigate whether the hit is relevant to the incident:

        grep "malicious_tool.exe" /var/log/syslog | awk '{print $5}' | sort | uniq -c
      • Compare with known legitimate activity (e.g., software updates):

        grep "malicious_tool.exe" /path/to/whitelist.txt
    • Refine Generic IOCs:

      • Narrow down overly broad IOCs to reduce false positives:

        rule RefineMaliciousTool {
            meta:
                description = "Detects specific version of malicious_tool.exe"
            strings:
                $file_name = "malicious_tool_v2.exe"
                $hex_pattern = {DE AD BE EF}
            condition:
                $file_name and $hex_pattern
        }
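The validation and refinement steps above can be expressed as a small triage routine. The following is an added example, not code from the original page: hits explained by allowlisted activity (a known-good hash or install path) are set aside, a hit on a generic indicator such as the bare file name is confirmed only when a more specific indicator is present on the same host (the same idea as the YARA rule's and condition), and everything else goes to a review queue. The allowlist, indicator lists and hits are all constructed.

```python
# Added example (not the page's own code). Triage of constructed IOC hits:
# drop allowlisted matches, confirm generic hits only with corroboration.
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed allowlist: hash and install path of a legitimately signed vendor
# updater that happens to share a file name with the malicious tool.
ALLOWLIST_HASHES = {"0badf00d"}
ALLOWLIST_PATHS = {r"c:\program files\vendor\updater\malicious_tool.exe"}

# Generic indicators need corroboration; specific ones stand on their own.
# Values are constructed (the v2 file name follows the YARA rule above).
GENERIC_IOCS = {("filename", "malicious_tool.exe")}
SPECIFIC_IOCS = {("hash", "deadbeef01"), ("filename", "malicious_tool_v2.exe")}

# Constructed hits as an IOC search might return them.
HITS: List[Dict[str, str]] = [
    {"host": "ws-finance-07", "type": "filename", "value": "malicious_tool.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\malicious_tool.exe", "hash": "deadbeef01"},
    {"host": "ws-finance-07", "type": "hash", "value": "deadbeef01",
     "path": r"C:\Users\bob\AppData\Local\Temp\malicious_tool.exe", "hash": "deadbeef01"},
    {"host": "ws-hr-02", "type": "filename", "value": "malicious_tool.exe",
     "path": r"C:\Program Files\Vendor\Updater\malicious_tool.exe", "hash": "0badf00d"},
    {"host": "srv-app-03", "type": "filename", "value": "malicious_tool.exe",
     "path": r"C:\Temp\malicious_tool.exe", "hash": "c0ffee99"},
]


def is_allowlisted(hit: Dict[str, str]) -> bool:
    """A hit is explained by known-legitimate activity if its hash or its
    (case-insensitive) path is on the allowlist."""
    return hit["hash"] in ALLOWLIST_HASHES or hit["path"].lower() in ALLOWLIST_PATHS


def triage_hits(hits: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Sort hits into 'allowlisted', 'confirmed' and 'needs_review'."""
    # Hosts on which a specific, non-allowlisted indicator fired; a generic
    # hit on one of these hosts is treated as corroborated.
    corroborated_hosts = {
        h["host"] for h in hits
        if (h["type"], h["value"]) in SPECIFIC_IOCS and not is_allowlisted(h)
    }
    buckets: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for h in hits:
        indicator = (h["type"], h["value"])
        if is_allowlisted(h):
            buckets["allowlisted"].append(h)
        elif indicator in SPECIFIC_IOCS:
            buckets["confirmed"].append(h)
        elif indicator in GENERIC_IOCS and h["host"] in corroborated_hosts:
            buckets["confirmed"].append(h)
        else:
            buckets["needs_review"].append(h)
    return dict(buckets)


def hits_per_host(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per host, the equivalent of the sort | uniq -c pipeline above."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    for bucket, rows in triage_hits(HITS).items():
        print(bucket, [r["host"] for r in rows])
    print(hits_per_host(HITS))
```

Note that the allowlist check runs before the specificity check: a hash that is on the allowlist is never treated as a specific indicator, so a known-good file cannot corroborate a generic hit on the same host.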

3. Prioritizing Leads

Purpose: To focus on high-value leads that are most likely to provide actionable insights.

  • Why: When dealing with a large number of IOC hits, prioritization ensures efficient use of resources and faster progress in the investigation.

  • Technical Example:

    • Prioritize Based on Severity:

      • Focus on systems with critical alerts or high-severity events:

        Get-WinEvent -LogName "Security" | Where-Object { $_.LevelDisplayName -eq "Critical" }
    • Focus on Business-Critical Systems:

      • Identify and prioritize systems that are critical to operations:

        SELECT hostname, system_role FROM assets WHERE system_role = 'critical';
    • Prioritize Leads with Forensic Value:

      • Select systems where forensic analysis is likely to yield new insights:

        volatility -f memory_dump.raw --profile=Win10x64 pslist
        volatility -f memory_dump.raw --profile=Win10x64 malfind
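The three criteria above (severity, business criticality, forensic value) can be combined into one ranking so that a long list of leads is worked in a defensible order. The following is an added example, not code from the original page: it scores constructed leads with constructed weights and attaches a first analysis step taken from the examples above (memory analysis where an image exists). The weights are a starting point to tune, not a standard.

```python
# Added example (not the page's own code). Ranks constructed leads by
# severity x asset criticality plus a forensic-value bonus.
from typing import Dict, List

# Constructed weights; adjust to the environment.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ROLE_WEIGHT = {"critical": 3, "server": 2, "workstation": 1}

# Constructed leads: one row per candidate system.
LEADS: List[Dict] = [
    {"host": "ws-hr-02", "severity": "low", "system_role": "workstation",
     "memory_image": False, "ioc_types": 1},
    {"host": "srv-db-01", "severity": "critical", "system_role": "critical",
     "memory_image": True, "ioc_types": 2},
    {"host": "srv-app-03", "severity": "medium", "system_role": "server",
     "memory_image": False, "ioc_types": 1},
    {"host": "ws-finance-07", "severity": "high", "system_role": "workstation",
     "memory_image": True, "ioc_types": 2},
]


def forensic_value(lead: Dict) -> int:
    """Bonus for leads where analysis is likely to yield something new:
    a memory image is available (+2) and more than one IOC type fired (+1)."""
    bonus = 2 if lead["memory_image"] else 0
    if lead["ioc_types"] > 1:
        bonus += 1
    return bonus


def score_lead(lead: Dict) -> int:
    """Severity weight multiplied by asset criticality, plus the forensic bonus."""
    base = SEVERITY_WEIGHT.get(lead["severity"], 0) * ROLE_WEIGHT.get(lead["system_role"], 1)
    return base + forensic_value(lead)


def next_step(lead: Dict) -> str:
    """First analysis action, following the examples in this section."""
    if lead["memory_image"]:
        return "memory analysis (pslist/malfind)"
    return "collect endpoint timeline and EDR alerts"


def prioritize(leads: List[Dict]) -> List[Dict]:
    """Return leads ordered by descending score (hostname breaks ties)."""
    ranked = sorted(leads, key=lambda lead: (-score_lead(lead), lead["host"]))
    return [{"host": lead["host"], "score": score_lead(lead), "next_step": next_step(lead)}
            for lead in ranked]


if __name__ == "__main__":
    for row in prioritize(LEADS):
        print(row)
```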

4. Identifying New Leads

Purpose: To uncover additional systems, activities, or artifacts that expand the understanding of the incident.

  • Why: New leads often reveal lateral movement, persistence mechanisms, or other attack vectors that were previously unknown.

  • Technical Example:

    • Trace Lateral Movement:

      • Analyze logs for unusual login attempts or connections between systems:

        grep "Accepted password" /var/log/auth.log | awk '{print $9}' | sort | uniq -c | sort -nr
      • Use tools like BloodHound to map relationships between users and systems:

        Invoke-BloodHound -CollectionMethod All
    • Identify Persistence Mechanisms:

      • Search for registry keys or scheduled tasks created by attackers:

        Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
        Get-ScheduledTask | Where-Object { $_.State -eq "Ready" }
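The lateral movement step above counts accepted logins and leaves the analyst to connect them. The following is an added example, not code from the original page: it parses constructed auth.log lines of the form the grep matches, counts accepted logins per user (what the awk/sort/uniq pipeline does) and then follows login chains, where a host that has just received a login is itself the source of a login to another host shortly afterwards. The host-to-IP mapping, log lines, names and times are constructed.

```python
# Added example (not the page's own code). Parses constructed sshd
# "Accepted ..." lines and follows hop-by-hop login chains.
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed auth.log excerpt (one day, single host clock).
SAMPLE_AUTH_LOG = """\
May  1 10:00:01 ws-finance-07 sshd[1201]: Accepted password for svc_backup from 192.168.1.100 port 51234 ssh2
May  1 10:03:15 srv-app-03 sshd[2210]: Accepted password for svc_backup from 10.0.0.7 port 51300 ssh2
May  1 10:09:40 srv-db-01 sshd[3301]: Accepted password for svc_backup from 10.0.0.8 port 51400 ssh2
May  1 10:15:00 srv-db-01 sshd[3302]: Accepted publickey for alice from 10.0.0.50 port 51500 ssh2
"""

# Constructed host-to-IP mapping (from the asset inventory) so a login target
# can be recognised when it appears as the source of a later login.
HOST_IPS = {"ws-finance-07": "10.0.0.7", "srv-app-03": "10.0.0.8", "srv-db-01": "10.0.0.9"}

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\S+) port"
)


def parse_auth_log(text: str) -> List[Dict]:
    """Extract timestamp, target host, auth method, user and source IP per accepted login."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # syslog timestamps carry no year; the default (1900) is fine for ordering one day's log
        ev["ts"] = datetime.strptime(re.sub(r"\s+", " ", ev["ts"]), "%b %d %H:%M:%S")
        events.append(ev)
    return events


def logins_per_user(events: List[Dict]) -> Counter:
    """Accepted logins per user, as the awk '{print $9}' | sort | uniq -c pipeline gives."""
    return Counter(e["user"] for e in events)


def login_chains(events: List[Dict], host_ips: Dict[str, str] = HOST_IPS,
                 max_gap: timedelta = timedelta(minutes=30)) -> List[List[str]]:
    """Return maximal chains origin -> host1 -> host2 ... with at least two hops.

    A hop continues when a later login (within max_gap) originates from the
    IP of the host that was just logged into.
    """
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    events = sorted(events, key=lambda e: e["ts"])
    found: List[List[str]] = []

    def extend(chain: List[str], last: Dict) -> None:
        landed_ip = host_ips.get(last["host"])
        extended = False
        for nxt in events:
            if (landed_ip and nxt["src_ip"] == landed_ip
                    and last["ts"] < nxt["ts"] <= last["ts"] + max_gap):
                extend(chain + [nxt["host"]], nxt)
                extended = True
        if not extended and len(chain) >= 3:
            found.append(chain)

    for ev in events:
        origin = ip_to_host.get(ev["src_ip"], ev["src_ip"])
        extend([origin, ev["host"]], ev)
    # drop chains that are merely the tail of a longer chain
    return [c for c in found
            if not any(len(d) > len(c) and d[-len(c):] == c for d in found)]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(logins_per_user(evs))
    for chain in login_chains(evs):
        print(" -> ".join(chain))
```

The 30-minute window is a constructed parameter; a chain that is broken by a longer pause is reported as two shorter chains, so widen the window when the activity under investigation is slow.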

5. Handling Large Numbers of Hits

Purpose: To manage and process a high volume of IOC hits effectively.

  • Why: Large numbers of hits can overwhelm investigators, so systematic filtering and prioritization are essential.

  • Technical Example:

    • Automate IOC Filtering:

      • Use scripts to filter and categorize IOC hits:

        with open("ioc_hits.txt", "r") as file:
            hits = [line.strip() for line in file]
        # keep only hits whose line mentions "critical" (case-insensitive)
        filtered_hits = [hit for hit in hits if "critical" in hit.lower()]
        print(filtered_hits)
    • Visualize Hit Data:

      • Use visualization tools to identify patterns and trends:

        index=security_logs | stats count by src_ip, dest_ip | sort -count
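When the hit list is long, the first useful output is a summary rather than the raw rows. The following is an added example, not code from the original page: it generates a constructed set of sixty hits and reduces them to one row per host (hit count, distinct IOCs, first and last seen, highest severity), severity buckets, and the most frequent source/destination pairs, which is what the stats count by src_ip, dest_ip search above produces. Hostnames, addresses and IOC values are constructed.

```python
# Added example (not the page's own code). Reduces a large, constructed set
# of IOC hits to per-host summaries, severity buckets and top traffic pairs.
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
HOSTS = ["ws-finance-07", "ws-hr-02", "srv-app-03", "srv-db-01", "ws-sales-11"]


def constructed_hits(n: int = 60) -> List[Dict[str, str]]:
    """Generate n deterministic, constructed hit records for the demo."""
    hits = []
    for i in range(n):
        hits.append({
            "ts": f"2024-05-01T{10 + i // 60:02d}:{i % 60:02d}:00Z",
            "host": HOSTS[i % len(HOSTS)],
            "src_ip": f"10.0.0.{i % 3 + 1}",
            "dest_ip": f"203.0.113.{i % 2 + 10}",
            "ioc": ["abc123", "deadbeef01", "203.0.113.10"][i % 3],
            "severity": SEVERITY_ORDER[i % 4],
        })
    return hits


def summarize_by_host(hits: List[Dict[str, str]]) -> Dict[str, Dict]:
    """One summary row per host: count, distinct IOCs, time span, highest severity."""
    by_host: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    summary = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r["ts"])
        summary[host] = {
            "hit_count": len(rows),
            "distinct_iocs": sorted({r["ioc"] for r in rows}),
            "first_seen": rows[0]["ts"],
            "last_seen": rows[-1]["ts"],
            "max_severity": max((r["severity"] for r in rows), key=SEVERITY_ORDER.index),
        }
    return summary


def severity_buckets(hits: List[Dict[str, str]]) -> Counter:
    """How many hits fall in each severity level."""
    return Counter(h["severity"] for h in hits)


def top_pairs(hits: List[Dict[str, str]], n: int = 5) -> List[Tuple[Tuple[str, str], int]]:
    """Most frequent (src_ip, dest_ip) pairs, like 'stats count by src_ip, dest_ip | sort -count'."""
    counts = Counter((h["src_ip"], h["dest_ip"]) for h in hits)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    hits = constructed_hits()
    for host, row in summarize_by_host(hits).items():
        print(host, row)
    print(severity_buckets(hits))
    print(top_pairs(hits))
```

The per-host summary is the table to hand to the prioritisation step: a host with many hits of one generic IOC and a host with few hits across several distinct IOCs look identical in a raw count, but not in this view.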

Conclusion

The identification of new leads and impacted systems is a critical step in expanding the scope of an investigation. By analyzing IOC hits, eliminating false positives, and prioritizing high-value leads, organizations can efficiently uncover additional compromised systems and malicious activities.
