Investigation Framework
- Incident Scoping
- Evidence Collection
- Analysis
- Correlation
- Timeline Analysis
- Intelligence Correlation
- Reporting
Intelligence Correlation
There’s one last piece of “analysis” left to do with your evidence. It’s time to take what you know and look for any similarities to know intelligence. The best way to summarize this section is
“Find out if anyone else has seen this before”
The cybersecurity industry has a significant advantage in sharing findings and intelligence on the internet. Take advantage of this! There is so many resources out there and I’m going to give you some tips to use it in your investigations.
Reputation
You should already have a nice list of indicators in your Incident_Evidence_Timeline, so let’s see what we can learn from them. Your network indicators are mostly going to be IP addresses and domains. Reputation refers to a score assigned to an indicator due to its association with malware or suspicious activity. Here are a few of my favorite place to find reputation of various indicators.
While reputation is a great way to identify something as malicious, it should not be taken as fact. False positives exist everywhere in cybersecurity, so just because the number is high doesn’t mean you immediately block, try to find some context.
Context through Intel
Intelligence isn’t just useful for determining maliciousness, it can also help provide some much-needed context. You may have found a system that is repeatedly calling out to a specific IP address that is not known to your team. Some may panic and immediately block the IP believing it to be Command and Control, but surprise! It’s actually your partner organizations web applications that is crucial to business operations. So don’t panic use some good ol’ fashion open-source intelligence. Here is a breakdown of useful website based on the indicator type.
NETWORK
- Whois Lookup
- Great way to understand which organization controls the IP or domain. Sometimes you get lucky and can find the direct owner!
- URLScan.io
- Sandbox for opening websites. Let’s you see the redirects and webpage, if there is one.
- Google Dorking
- Utilizing Google’s query language to find more precise search results. Can be as simple as confirming if a IP/domain is truly used by an appropriate party
FILE
- Talos Intelligence / VirusTotal
- Many of the typical reputation sites will provide at least some context as to processed produced or any other domains called out
- Joe’s Sandbox
- A great website that has tons of samples to understand what exactly a file is doing. You can submit your own, but if you take some time to search you may find some samples already run
- Google it!
- If you don’t know what the file is, take some time to search around. Not just for malware but maybe it is truly an actual installer or some other potentially unwanted application (PUA).
ACCOUNTS/IDENTIFIERS
- This one is a bit trickier, there are no easy searches you can do to match it to malicious activity. However, look at IR reports of any campaigns you think may be related.
- Look for signs of adversary group names in place like:
- Scripts
- Ransom notes
- Tool output files
- NOTE: This is not common so don’t waste too much time trying to tie it to a specific adversary if you don’t’ have the resources
Create a MITRE map
MITRE is a wonderful tool, but not many folks use it themselves during IR. Several tools will now match any MITRE techniques automatically, and this does make my next recommendation a lot easier. I’m going to show you how to make a solid MITRE ATT&CK map to get an idea of what you know and what the adversary has done.
- Head over to MITRE ATT&CK Navigator
- Create a new layer and select Enterprise, unless you have a very specific incident related to ICS or Mobile
- Now you have a giant list of potential techniques
- Now go through your Incident_Evidence_Timeline spreadsheet and do your best to list a MITRE technique for each finding.
- Don’t worry about being super precise, just your closest guess and maybe even just the Tactic (MITRE header)
- Simply select the technique and change the color. I like to color code using the following key (example below)
- Red – Confirmed Executed
- Yellow – Attempted but not fully executed
- Green – Blocked
- Light Blue – Unconfirmed or suspected
Now you have a nice visual of the various techniques done, and you can “view the technique” on the MITRE website to pull definitions, descriptions and even adversaries who use similar techniques. It is not a full proof method but can help you find some potential gaps in the adversary lifecycle.
The major benefit is quickly looking through what was executed and following MITRE recommendations to improve your security posture.
You also have the option of exporting the mapping to a json or excel so you can keep a local copy with your notes.
Remember MITRE is your friend! It’s a fantastic resource for research and also tracking what you know!
Conclusion
That’s it! You’ve done all of your analysis, I’m sure you will go through some back and forth and I would urge you to treat steps 3 through 6 as a cycle. Intel is crucial, if you are lucky enough to have an intelligence team, utilize them and figure out how you can take your findings to improve their intelligence gathering! If you don’t have an intelligence team, this should give you some clues but will never replace the capability of an entire team.
But wait! There’s one more step…. Reporting. I know folks dread writing reports, but if you followed through everything I’ve explained on the last few steps, reporting is going to be a breeze! In fact, this entire framework is intended to make reporting easier while keeping analysis structured. See ya in the next one!
Twitter: @CyberCoat
Mastodon: @ChocolateCoat@infosec.exchange
LinkedIn: terrynvalikodath
Incident Timeline Template: https://github.com/chocolatecoat/DFIR-Templates/blob/main/Incident_Evidence_Timeline.xlsx
DFIR & Ramblings 
Pingback: Investigation Framework | Part 7 – Reporting | DFIR & Ramblings