Initial Investigation Data

1. Importance of Valid Leads

Purpose: To ensure that the investigation is based on comprehensive and diverse leads, rather than focusing narrowly on a single finding.

• Why: Relying solely on a specific finding (e.g., a known malicious tool) can lead to incomplete conclusions and an underestimation of the incident's scope or impact.

---

2. Avoiding Premature Conclusions

Purpose: To prevent tunnel vision during the investigation by continuously exploring new leads and expanding the scope of analysis.

• Why: Narrowing the investigation to a single activity may overlook other critical aspects of the attack, such as lateral movement, persistence mechanisms, or additional compromised systems.

• Technical Example:

  • Broaden the Scope of Analysis:

    • Instead of focusing only on a known malicious tool, investigate all related activities:

      grep "malicious_tool.exe" /var/log/syslog

    • Expand the search to include related processes, files, or network connections:

      lsof -p <PID> # List open files for the malicious process
      netstat -anp | grep <PID> # Identify network connections

  • Correlate Events Across Systems:

    • Use SIEM tools to identify patterns across multiple systems:

      index=security_logs process_name="malicious_tool.exe" | stats count by src_ip, dest_ip

---

3. Generating New Leads Throughout the Investigation

Purpose: To continuously uncover new evidence and expand the understanding of the incident.

• Why: New leads often emerge as more data is collected and analyzed, providing a clearer picture of the attack's full scope.

• Technical Example:

  • Identify Additional Compromised Systems:

    • Search for IOCs across the network:

      index=endpoint_logs file_hash="abc123" OR src_ip="192.168.1.100"

    • Query EDR tools for suspicious activity on other endpoints:

      Get-MDATPDeviceAlerts -Severity High | Select-Object DeviceName, AlertTitle

  • Trace Lateral Movement:

    • Analyze logs for unusual login attempts or connections between systems:

      grep "Accepted password" /var/log/auth.log | awk '{print $9}' | sort | uniq -c | sort -nr

    • Use tools like BloodHound to map relationships between users and systems:

      Invoke-BloodHound -CollectionMethod All

---

4. Collecting and Analyzing Diverse Data Sources

Purpose: To gather evidence from multiple sources to ensure a holistic understanding of the incident.

• Why: Different data sources provide unique insights into the attacker's actions, helping to avoid blind spots in the investigation.

• Technical Example:

  • Collect Logs from Multiple Sources:

    • Firewall logs:

      grep "DROP" /var/log/firewall.log

    • Endpoint logs (e.g., EDR tools):

      Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object { $_.Id -eq 1117 }

    • Application logs:

      SELECT * FROM application_logs WHERE event_type = 'ERROR';

  • Analyze Memory Dumps for Hidden Artifacts:

    • Use memory forensics tools like Volatility to uncover hidden processes or malware:

      volatility -f memory_dump.raw --profile=Win10x64 pslist
      volatility -f memory_dump.raw --profile=Win10x64 malfind

---

5. Documenting Findings and Updating the Incident Timeline

Purpose: To maintain a clear record of all findings and ensure that the investigation evolves with new evidence.

• Why: Documenting findings helps track progress, identify gaps, and ensure that no critical details are overlooked.

• Technical Example:

  • Update the Incident Timeline:

    • Add new events to the timeline as they are discovered:

      Date       | Time     | Hostname     | Event Description                     | Data Source
      10/01/2023 | 14:00 CET| SQLServer01  | Malicious tool detected               | Antivirus
      10/01/2023 | 14:15 CET| Workstation05| Lateral movement detected             | EDR Tool

    • Use visualization tools like Gantt charts or SIEM dashboards to present the timeline.

  • Document New Leads:

    • Maintain a list of new leads and their status:

      Lead: Unusual outbound traffic to IP 10.0.0.10
      Status: Under investigation
      Assigned To: John Smith

---

Conclusion

The initial investigation phase sets the foundation for the entire incident response process. By focusing on valid leads, avoiding premature conclusions, and continuously generating new leads, organizations can ensure a thorough and accurate investigation.