This post is to summarize some security incidents investigation steps using DarkTrace.

Investigation methodology

Any incident responder will always begin by asking some high-level questions concerning the incident under investigation – regardless of it being an adware infection, a banking trojan, ransomware, an active intrusion or any other form of cyber security incident.

The most important questions usually are:

  • How did the infection occur? (To prevent the same initial infection vector in the future)
  • What behavior is the infected device exhibiting? (To understand the threat and the risk of the infection)
  • What Indicators of Compromise (IoC) are seen? (To update other security tools and to use for further investigation)
  • Are other devices infected as well? (To assess the extent of the infection)

One CEO-Laptop File Downloading Event Example

1 Review Threat Tray

2 Using Breach Log to quickly identify which device involved into the breach

3 Using Magnify Glass feature visualize the situation in 3D. Provide situation awareness for this breach, ie, which device, where was connecting to. 

4 Using Graph overlay modeling metrics and interpreting log files

5 Comparing similar devices’ normal behavior

6 Thereafter, entered comments into this breach

7 Using advanced search tool to gather further information

8 User Open Source Intelligent Tools (OSIT) to Identity Files and URL. (http://virustotal.com/)

9 Acknowledge this breach after entered comments again.

References

from Blogger http://blog.51sec.org/2020/12/darktrace-investigation-steps.html

By Jon

Leave a Reply

%d bloggers like this:
Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.

Powered By
Best Wordpress Adblock Detecting Plugin | CHP Adblock