Bringing order to security operations with ThreatQ Investigations

Posted by Leon Ward
I’m commonly heard saying that aspects of security operations and incident response are chaotic, but what do I mean by this? How can something that is so very technical, somewhat process driven and undertaken by a team of experts, turn into ad-hoc chaos? Data overload, fragmented teams, disparate technologies and no tool for collaboration and coordination. Let me elaborate.
A few examples spring to mind, but in order to protect the innocent I’ll distill a couple of real-life experiences into a clean and crisp example. Anyone that has spent any time working alongside or in teams like I’m about to describe will surely see similarities with their own experience.
The day started out like any other. Everyone was focusing on their day-to-day operations work when a senior exec raised a concern about what looked like a phishing email. The exec had done exactly the right thing: seen something, felt uncomfortable and forwarded the message on to the security team (props to security education!). Unlike the normal phishes that arrive all the time, the exec thought this was tailored for him. The email had all the markings of a targeted effort that can turn into an interesting investigation. That one email sparked a series of questions:
- Was this email part of a larger targeted campaign that could have, up until now, been missed?
- Were any other executives or employees approached?
- Even though the exec had not purposely taken action (executed or clicked) on the payload, could they have been impacted unknowingly?
- Custom domain names were used for this campaign and they appeared to be registered by an employee; were they involved and, if not, why were they selected?
- If the phishing message thread was followed, it resulted in the delivery of some malware. What did it do, and is it on any of our machines?
- How do we respond to mitigate risk and what follow-up actions should we take?
As you can see, a web of intrigue was created that resulted in a team of people being spun-up to investigate a range of different threads.
As tasks were distributed among the team that aligned with their skill sets, things quickly became chaotic. Those researching and analyzing the malware have a different speciality to those hunting down event logs or searching endpoints for the presence of files. Therefore different people (or groups) must work on separate but related tasks.
The teams used an internal text chat channel for collaboration, discussing evidence and key elements uncovered during each person’s work. It quickly became clear that multiple investigators uncovered the same elements – domain names, URLs, command and control infrastructure and IP addresses. But since each person was conducting their investigation in a vacuum, they had differing opinions about the events unfolding. To make matters worse, they were missing commonalities that could have benefitted their work. For example, had they known that an element appeared in multiple investigative tasks, it would have clearly stood out as a key data point. Alas, this was easy to miss in all the chaos: people all pulling at different threads and being taken in different directions, with nobody coordinating them on the basis of the uncovered data as a complete set.
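The commonality that was missed above is easy to surface mechanically once every workstream's evidence lands in one place. The following is an added example, not code from ThreatQuotient or the ThreatQ product: it takes indicators reported by several hypothetical workstreams (the names, analysts and values are constructed for the example), canonicalizes them so that a defanged domain pasted into chat matches the fanged one from the malware sandbox, derives a host indicator from any URL, and reports which indicators appear in more than one workstream.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample evidence: (workstream, analyst, indicator as it was typed in chat).
# Workstream names mirror the story above; the IPs are documentation ranges and
# the domain, path and names are made up for this example.
EVIDENCE = [
    ("malware-analysis",  "Leon", "interesting-fake-domain.com"),
    ("malware-analysis",  "Leon", "198.51.100.23"),
    ("spear-phish-email", "Joe",  "Interesting-Fake-Domain[.]com"),            # defanged copy
    ("spear-phish-email", "Joe",  "hxxp://interesting-fake-domain[.]com/invoice"),
    ("endpoint-hunt",     "Mia",  "C:\\Users\\Public\\invoice.exe"),
    ("endpoint-hunt",     "Mia",  "198.51.100.23"),
    ("log-review",        "Sam",  "203.0.113.7"),
]


def normalize(value: str) -> str:
    """Canonicalize an indicator so fanged and defanged spellings compare equal.

    Everything is lower-cased (DNS names, URLs and Windows paths are all
    case-insensitive for matching purposes), common defanging tokens are
    reversed, and a trailing dot on a FQDN is dropped.
    """
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v.rstrip(".")


def expand(value: str):
    """Yield the canonical indicator plus indicators derived from it.

    A URL implies its host as a separate indicator; that is what lets Joe's
    phishing URL line up with Leon's sandbox-observed domain.
    """
    v = normalize(value)
    yield v
    if v.startswith(("http://", "https://")):
        host = urlsplit(v).hostname
        if host:
            yield host


def cross_reference(evidence):
    """Map each canonical indicator to the set of (workstream, analyst) that reported it."""
    index = defaultdict(set)
    for workstream, analyst, value in evidence:
        for indicator in expand(value):
            index[indicator].add((workstream, analyst))
    return index


def shared_indicators(evidence):
    """Indicators seen by more than one workstream, most widely shared first."""
    index = cross_reference(evidence)
    shared = {
        ind: sorted(reporters)
        for ind, reporters in index.items()
        if len({ws for ws, _ in reporters}) > 1
    }
    return dict(sorted(shared.items(), key=lambda kv: -len(kv[1])))


def report(evidence) -> str:
    """Human-readable summary of the indicators that tie workstreams together."""
    lines = []
    for ind, reporters in shared_indicators(evidence).items():
        who = ", ".join(f"{ws} ({analyst})" for ws, analyst in reporters)
        lines.append(f"{ind}: seen in {len(reporters)} workstreams -> {who}")
    return "\n".join(lines) or "no indicators shared across workstreams"


if __name__ == "__main__":
    print(report(EVIDENCE))
```

Run as-is it flags the domain and the 198.51.100.23 address as the two data points common to more than one workstream; the defanged and URL-embedded forms would not have matched without the normalization and expansion steps, which is exactly the kind of commonality a chat channel hides.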
We have purposely designed ThreatQ Investigations to mitigate these challenges. Tasks can be assigned, and they are viewed alongside and integrated with all of the threat data. Clear data visualizations represent the evidence uncovered and show whether it relates to work in progress by other team members.
They say a picture is worth a thousand words, so hopefully the screenshot below makes this clear:
As part of his task to investigate the spear phishing event (at the bottom right of the diagram), Joe uncovers the indicator “interesting-fake-domain.com”. He is able to benefit from Leon’s malware analysis to see that it is known bad and has already been uncovered as part of the same investigation – albeit in another workstream. This is only a screenshot, but in a real-life situation Joe could click through to more granular information: for example, when the urgent funds transfer request came in, who the recipient was and exactly what was requested.
When occurrences like these happen, ThreatQ Investigations gives all parties involved a great opportunity to change the direction of the investigation – detecting malicious activity that could have easily been missed, gaining a deeper understanding of the threat and decreasing time to detection.
If you would like to learn more about ThreatQ Investigations, you can read more here.