DarkTrace Investigation Steps
via Blogger https://ift.tt/37sqdQA
December 03, 2020 at 02:18PM Threat Hunting
This post is to summarize some security incidents investigation steps using DarkTrace.
Investigation methodology
Any incident responder will always begin by asking some high-level questions concerning the incident under investigation – regardless of it being an adware infection, a banking trojan, ransomware, an active intrusion or any other form of cyber security incident.
The most important questions usually are:
- How did the infection occur? (To prevent the same initial infection vector in the future)
- What behavior is the infected device exhibiting? (To understand the threat and the risk of the infection)
- What Indicators of Compromise (IoC) are seen? (To update other security tools and to use for further investigation)
- Are other devices infected as well? (To assess the extent of the infection)
One CEO-Laptop File Downloading Event Example
1 Review Threat Tray
2 Using Breach Log to quickly identify which device involved into the breach
3 Using Magnify Glass feature visualize the situation in 3D. Provide situation awareness for this breach, ie, which device, where was connecting to.
4 Using Graph overlay modeling metrics and interpreting log files
5 Comparing similar devices' normal behavior
6 Thereafter, entered comments into this breach
7 Using advanced search tool to gather further information
8 User Open Source Intelligent Tools (OSIT) to Identity Files and URL. (http://virustotal.com/)
9 Acknowledge this breach after entered comments again.
References
via Blogger https://ift.tt/37sqdQA
December 03, 2020 at 02:18PM Threat Hunting
RSS Feed
