This post summarizes the steps of a security incident investigation using DarkTrace.

Investigation methodology

Any incident responder will always begin by asking some high-level questions about the incident under investigation, regardless of whether it is an adware infection, a banking trojan, ransomware, an active intrusion or any other form of cyber security incident.

The most important questions usually are:

  • How did the infection occur? (To prevent the same initial infection vector in the future)
  • What behavior is the infected device exhibiting? (To understand the threat and the risk of the infection)
  • What Indicators of Compromise (IoC) are seen? (To update other security tools and to use for further investigation)
  • Are other devices infected as well? (To assess the extent of the infection)

Example: a file download event on a CEO laptop

1 Review the Threat Tray.

2 Use the Breach Log to quickly identify which device was involved in the breach.

3 Use the Magnifying Glass feature to visualize the situation in 3D. This provides situational awareness of the breach: which device was involved and where it was connecting to.

4 Use graph overlays to model metrics and interpret the log files.

5 Compare against the normal behavior of similar devices.

6 Then enter comments on this breach.

7 Use the Advanced Search tool to gather further information.

8 Use open-source intelligence (OSINT) tools to identify the files and URLs involved (e.g. http://virustotal.com/).

9 Acknowledge the breach after entering comments again.
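The IoC pivot behind steps 7 and 8 and the "are other devices infected?" question, as an added example: this is not code from the original post and does not use Darktrace's API or export format. It parses constructed connection-log lines (the CSV field layout is an assumption), collects the breached device's destination IoCs, checks which other devices contacted the same IoCs, and hashes a retrieved sample so it can be looked up on VirusTotal by hash rather than by uploading the file.

```python
"""Pivot from one breached device to its IoCs and to other affected devices.

The log lines below are constructed for this example. The field layout
(timestamp, device, src_ip, dst_ip, url, action) is an assumption and is
not Darktrace's log or export format.
"""
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: reserved documentation IPs and a .test domain.
SAMPLE_LOG = """\
2020-12-01T09:14:02Z,ceo-laptop,10.10.5.21,203.0.113.10,http://files.example-cdn.test/update/setup.exe,download
2020-12-01T09:15:10Z,ceo-laptop,10.10.5.21,203.0.113.10,http://files.example-cdn.test/update/setup.exe,download
2020-12-01T09:40:55Z,finance-pc-03,10.10.7.8,203.0.113.10,http://files.example-cdn.test/update/setup.exe,download
2020-12-01T10:02:13Z,hr-laptop-11,10.10.9.2,10.10.0.5,https://intranet.corp.test/,browse
"""

EVENT_FIELDS = ("ts", "device", "src_ip", "dst_ip", "url", "action")


def parse_log(text):
    """Turn the CSV-like text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",", len(EVENT_FIELDS) - 1)
        if len(parts) != len(EVENT_FIELDS):
            continue  # a bad line should not abort the whole investigation
        events.append(dict(zip(EVENT_FIELDS, parts)))
    return events


def extract_iocs(events, breached_device):
    """Destination IPs, hostnames and URLs contacted by the breached device."""
    iocs = {"ips": set(), "hosts": set(), "urls": set()}
    for e in events:
        if e["device"] != breached_device:
            continue
        iocs["ips"].add(e["dst_ip"])
        iocs["urls"].add(e["url"])
        host = urlparse(e["url"]).hostname
        if host:
            iocs["hosts"].add(host)
    return iocs


def pivot_other_devices(events, iocs, breached_device):
    """Map every other device that touched one of the IoCs to the URLs it used."""
    hits = defaultdict(set)
    for e in events:
        if e["device"] == breached_device:
            continue
        host = urlparse(e["url"]).hostname
        if e["dst_ip"] in iocs["ips"] or host in iocs["hosts"] or e["url"] in iocs["urls"]:
            hits[e["device"]].add(e["url"])
    return dict(hits)


def file_hashes(data):
    """MD5/SHA-1/SHA-256 of a retrieved sample, for hash-based lookups."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def virustotal_search_url(ioc):
    """Web search URL for a hash, domain, IP or URL on VirusTotal (the GUI search route)."""
    return "https://www.virustotal.com/gui/search/" + ioc


def investigate(text, breached_device):
    """Answer the IoC and scope questions for one breached device."""
    events = parse_log(text)
    iocs = extract_iocs(events, breached_device)
    return {
        "iocs": iocs,
        "other_devices": pivot_other_devices(events, iocs, breached_device),
        "lookups": [virustotal_search_url(i) for i in sorted(iocs["hosts"] | iocs["ips"])],
    }


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG, "ceo-laptop")
    print("IoCs:", result["iocs"])
    print("Other devices with the same IoCs:", result["other_devices"])
    print("Lookups:", result["lookups"])
    # A retrieved sample would be hashed like this (constructed bytes stand in for the file):
    print(file_hashes(b"constructed sample bytes"))
```

Run it with a real export by replacing SAMPLE_LOG with the exported text and adjusting EVENT_FIELDS to the export's columns; the pivot then directly lists the devices to check next, and the hashes go into the VirusTotal search box instead of the file itself.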

References

from Blogger http://blog.51sec.org/2020/12/darktrace-investigation-steps.html

By Jon
