Initial Investigation
1. Conducting an Initial Investigation
Purpose: To gather sufficient information about a detected security incident to establish context, assess the scope, and determine the appropriate response.
Why: Without proper context, organizations risk misinterpreting events or escalating incidents unnecessarily. A structured initial investigation ensures that all relevant details are captured before proceeding with further actions.
2. Key Information to Collect
When conducting an initial investigation, aim to collect as much relevant information as possible. Below is a breakdown of the critical data points and how to gather them:
Who Detected/Reported the Incident?
Employee Reports: Document who noticed abnormal behavior and what they observed.
Example: "John Doe (IT Admin) reported unusual login attempts on his workstation."
Tool Alerts: Identify which tool generated the alert and review its logs.
Example: "Antivirus software flagged suspicious activity on SQLServer01."
How Was the Incident Detected?
Use detection mechanisms at various levels:
Network Perimeter: Firewall logs, IDS/IPS alerts.
grep "DROP" /var/log/firewall.logInternal Network: Host-based firewalls, HIDS/HIPS logs.
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"Endpoint Level: EDR tools, antivirus logs.
Get-MDATPDeviceAlerts -DeviceName "SQLServer01"Application Level: Application logs, service logs.
SELECT * FROM application_logs WHERE event_type = 'ERROR';
What Was the Incident?
Classify the incident type (e.g., phishing, malware infection, system unavailability).
Example: "Phishing email with malicious attachment detected by email filtering system."
Impacted Systems
Assemble a list of affected systems, including their physical location, operating systems, IP addresses, hostnames, and purpose.
Example:
Hostname: SQLServer01
IP Address: 192.168.1.50
OS: Windows Server 2019
Purpose: Database server
Current State: Online but isolated from the network.
Actions Taken
Document who accessed the impacted systems and what actions were performed.
Example: "Admin disabled network access for SQLServer01 and initiated a forensic investigation."
Ongoing vs. Stopped Activity
Determine whether the suspicious activity is ongoing or has been mitigated.
Example: "Malware execution was stopped by antivirus software, but further analysis is required."
Malware Details (If Applicable)
List of IP addresses, time and date of detection, type of malware, impacted systems, and forensic information.
Example:
IP Address: 10.0.0.10
Date/Time: 09/09/2021 13:31 CET
Type of Malware: Mimikatz
Hashes: MD5: abc123, SHA256: def456
Exported Files: Malicious file copied to forensics server for analysis.
3. Building an Incident Timeline
Purpose: To organize events chronologically and provide a clear picture of the incident.
Why: An incident timeline helps investigators understand the sequence of events, identify gaps in evidence, and determine whether newly discovered evidence is part of the current incident.
Example Incident Timeline Table Below is an example of how to populate an incident timeline table:
Date
Time of Event
Hostname
Event Description
Data Source
09/09/2021
13:31 CET
SQLServer01
Hacker tool 'Mimikatz' was detected
Antivirus Software
09/09/2021
13:35 CET
SQLServer01
Network connection established to IP 10.0.0.10
Firewall Logs
09/09/2021
13:40 CET
Workstation05
Suspicious file downloaded
EDR Tool
09/09/2021
14:00 CET
SQLServer01
System isolated from the network
Manual Action
4. Contextual Decision-Making
Purpose: To tailor the response based on the gathered information.
Why: The severity and response strategy may vary depending on the context of the incident (e.g., CEO's laptop vs. intern's workstation).
Technical Example:
High-Profile System Compromise:
If the CEO's laptop is compromised:
Isolate the device immediately.
Notify executive leadership and legal teams.
Initiate forensic analysis to determine data exfiltration.
Example PowerShell command to isolate the device:
Low-Risk System Compromise:
If an intern's workstation is compromised:
Reimage the device.
Monitor for lateral movement.
Provide additional training to the user.
5. Sorting Evidence Chronologically
Purpose: To uncover context and determine whether new evidence is part of the current incident.
Why: Evidence may not be discovered in chronological order, but sorting it helps identify relationships between events.
Technical Example:
Use SIEM tools to correlate and sort events:
Example Scenario:
Initially, you believe the attack started on SQLServer01 on 09/09/2021.
Later, you discover logs showing the same malware on another device two weeks prior.
Update the timeline to reflect this new information.
Conclusion
The initial investigation phase is crucial for gathering context, assessing the scope, and determining the appropriate response to a security incident. By systematically collecting information, building an incident timeline, and tailoring responses based on context, organizations can ensure a structured and effective approach to incident handling.
Last updated