Stay on Track During IR

Published: 2016-08-24
Last Updated: 2016-08-24 12:23:45 UTC
by Tom Webb (Version: 1)
2 comment(s)

When responding to incidents, it’s easy to go down a rabbit hole that likely won’t produce results to the questions we are always after: How did the attacker get in? What information is contained on the system? And What information was accessed?

 

To streamline analysis we need to determine what information is most useful for each incident classifications, this gives more flexibility to SOPs by pulling these into a methodology depending on the investigation. Rather than adding these processes over and over into different procedures documents (which all may not get updated) you can link to one process from the methodology.

 

Additionally, you can chart out specific items (e.g. determine logged-in username for computer) similar to the SANS forensics poster for where to get specific data for user activity. (P is primary source. S is secondary)


 

 

FW Log

IDS

HID

BRO

DHCP

NAC

Full

Packet

SMTP

Logs

DNS

AD

DLP

Phish

   

S

P

   

P

P

S

   

Web Shell

S

S

S

P

   

P

       

C&C

S

S

 

P

   

P

 

P

   

Data

Exfil

S

 

P

S

   

P

       

Logged-in user

   

S

   

P

     

P

 

 

 

Do anyone else use a similar process or have a better one?Leave a comment.

 

--

Tom Webb

@twsecblog

2 comment(s)

Comments

Tom-

If I understand your post correctly, I think we are on exactly the same page. My goal for process documentation for my team has always been to make it as modular as possible. And then we could build "case type" specific workflows that use those modules. There might be steps that are the same for a phishing investigation, HR investigation, e-discovery case, data exfil - I don't want to have to keep all of those process guides synced whenever tools/technology/knowledge/skills change. Rather it gets updated in one place and any workflow that calls it is automatically up to date. Rather than an investigation checklist, we'd have what I call a "Choose Your Own Adventure" style process guide.

Of course the start is always:

A. What do we know?
B. What do we want to know?
C. How do we get from A to B?

I also have aspirations of using the text/content from the SANS "Evidence of..." poster in those modules.
Hi Tom, I do not have a process to share or a better one, but the developments and updates at Mitre's Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) site are well thought out, organized and can assist people in their process development. Thanks for your efforts at the ISC, they're greatly appreciated. https://attack.mitre.org/wiki/Main_Page

Diary Archives