The Investigation

1. The 3-Step Cyclic Process

Purpose: To systematically investigate a security incident by iteratively refining the understanding of the attack through indicators of compromise (IOCs), identifying new leads, and collecting/analyzing data.

  • Why: This cyclic process ensures that the investigation evolves as new evidence is discovered, leading to a comprehensive understanding of the incident.

Step 1: Creation and Usage of Indicators of Compromise (IOCs)

Purpose: To identify and track specific artifacts or patterns associated with the incident.

  • Why: IOCs help detect malicious activity, correlate events across systems, and guide further investigation.

  • Technical Example:

    • Generate IOCs from Initial Data:

      • Extract file hashes, IP addresses, domain names, and registry keys from logs or forensic analysis:

        md5sum /path/to/malicious_file
sha256sum /path/to/malicious_file

      • Example IOC list:

        • File Hash: abc123 (MD5), def456 (SHA256)

        • IP Address: 192.168.1.100

        • Domain: malicious-domain.com

    • Search for IOCs Across Systems:

      • Use tools like Splunk, Elasticsearch, or EDR solutions to search for IOCs:

        index=security_logs file_hash="abc123" OR src_ip="192.168.1.100"

      • Query endpoint logs for suspicious activity:

        Get-WinEvent -LogName "Security" | Where-Object { $_.Message -match "malicious-domain.com" }

Step 2: Identification of New Leads and Impacted Systems

Purpose: To expand the scope of the investigation by identifying additional systems or activities related to the incident.

  • Why: Attackers often move laterally within a network, so identifying all impacted systems is crucial to containing the threat.

  • Technical Example:

    • Identify Lateral Movement:

      • Analyze logs for unusual login attempts or connections between systems:

        grep "Accepted password" /var/log/auth.log | awk '{print $9}' | sort | uniq -c | sort -nr

      • Use EDR tools to trace lateral movement:

        Get-MDATPDeviceAlerts -Severity High | Select-Object DeviceName, AlertTitle

    • Map Affected Systems:

      • Cross-reference IOCs with asset management databases:

        SELECT hostname, ip_address FROM assets WHERE ip_address IN ('192.168.1.100', '192.168.1.101');

Step 3: Data Collection and Analysis from New Leads and Impacted Systems

Purpose: To gather additional evidence from newly identified systems and analyze it to uncover further details about the incident.

  • Why: Each new lead provides more context, helping to reconstruct the attack timeline and understand the adversary's actions.

  • Technical Example:

    • Collect Logs and Artifacts:

      • Use forensic tools to collect logs, files, and memory dumps from impacted systems:

        scp user@192.168.1.100:/var/log/auth.log /local/path/
volatility -f memory_dump.raw --profile=Win10x64 pslist

      • Export Windows Event Logs for analysis:

        Get-WinEvent -LogName "Security" | Export-Csv -Path "C:\Logs\SecurityEvents.csv"

    • Analyze Collected Data:

      • Correlate events across systems using SIEM tools:

        index=security_logs src_ip="192.168.1.100" | join transaction_id [search index=endpoint_logs]

      • Identify malicious processes or files:

        lsof -p <PID> # List open files for a suspicious process
strings /path/to/suspicious_file | grep "http"

Iterating Through the Cycle

As new data is collected and analyzed, the cycle repeats:

  1. Create New IOCs: Extract additional IOCs from newly identified systems.

    sha256sum /path/to/new_malicious_file

  2. Identify Additional Leads: Use the new IOCs to find other impacted systems or activities.

    index=security_logs file_hash="ghi789"

  3. Collect and Analyze More Data: Gather logs and artifacts from these systems to uncover further details.

Conclusion

The investigation process is inherently iterative, driven by the continuous discovery of new evidence. By creating and leveraging IOCs, identifying new leads, and collecting/analyzing data, organizations can build a comprehensive understanding of the incident.

This approach ensures that no aspect of the attack is overlooked, enabling effective containment, remediation, and long-term improvements in security posture. Regularly revisiting and refining the investigation steps helps uncover hidden threats and strengthens the organization's defenses against future attacks.

PreviousDetection & Analysis Stage (Part 2)NextInitial Investigation Data

Last updated