Incident response processes have become more standardized in the past two decades, but any organization without a dedicated development team has had to design its processes to take available tools into account. I want to talk about incident investigation tools and how they are analogous to those used in the non-"cyber" criminal investigations that we have seen for years on television. There is a point where a security incident investigation gives way to a criminal investigation, due to a criminal act having been committed, but that is a topic for a different day.

The Tools Matter

I love watching old episodes of "Columbo" to see how he is going to trick the criminals into either admitting or exposing their guilt, but we all know that this just isn't a realistic approach to criminal, or incident, investigations. I am not going to pretend that "CSI: Somewhere" and the way they solve every crime from a laboratory is realistic either, but it is closer to reality. Just as having a forensics laboratory significantly helps modern detectives by enabling a search for fingerprints or DNA against a national (or worldwide) database, incident response teams need tools that give them access to the right data, no matter the data source.

Since there are human beings behind the attacks, it is not shocking that post-breach analyses are showing more and more that every attack is different. Is the same malware being used? Yes, often. Are attackers using the same techniques to move laterally with stolen passwords and hashes? Yes, consistently. However, the exact string of events leading to the ultimate goal indicates that attackers are using trial-and-error to adapt their approach based on which tools work in each environment. Given this adaptability and unpredictability of events, incident response teams cannot know ahead of time exactly which data are going to be important to an investigation until they start finding relevant facts, so they need access to a wide variety of data from numerous sources.

Speed Matters

When I re-watched "Se7en" for the thirtieth time, I took notice of the detectives' need to spend an entire night at the library to research the seven deadly sins or the computing power they needed to find a fingerprint match in only a matter of many hours. This is how far we've progressed today to be able use "big data analytics" to find over a billion explanations for the seven deadly sins or a fingerprint match in minutes.

With regard to breaches, the statistics are everywhere and they all say the same thing: the attackers are only taking minutes to get in and out, while we are taking months to detect them, so incident response tools need to enable (a) faster detection, but also (b) faster investigation. I find it very important to mention how much we need faster investigation because detection is not just the alert that was triggered; you have not detected a serious attack on your organization until you have investigated an alert and recognized it as both a true positive and malicious.

This is what gets me so excited about the new UserInsight Investigations feature: it is very fast. If you need to grab all log data associated with "John Doe" from August 23rd through November 1st, it will pull it up for you in less than five minutes. You read that right. I ran an investigation on me (because I am shady) and retrieving all of the past 36 days' administrative changes, asset authentications, firewall traffic, IDS alerts, and ingress activity took 58 seconds. I can immediately dig into this data in various areas.

Just as an example, you can see above that I can look at all of my firewall activity for the 36-day time period I have chosen. Since I am not trying to test your eyes here, I will tell you that the peaks in the center are over 23,000 events in a ten-hour window, so having only waited for a minute to dig through this amount of data all associated with a single user is noteworthy.

Organization Matters

One advantage that Hollywood investigators always have over incident response teams is that they are in the same physical location to collaborate on the established facts and look for a pattern. "The Wire" often showed the teams constructing investigation boards with photos and notes to organize what is known and connections that had been made between facts. This process appears repeatedly in crime dramas to demonstrate how a group of people would "connect the dots" between many disparate data points to hopefully identify all criminals involved and the extent of the criminal network.

In incident investigations, we were consistently hearing that disparate data points were being manually pulled together in a report identifying all compromised assets and users. Without the benefits of co-location and complex investigation boards with yarn and pushpins between details, incident responders are often challenged to determine the extent of an incident (or worse, a breach). This very problem is what we are looking to solve with the Investigations timeline. Once you have sifted through the data and decided that something is relevant to your current investigation, you add it to the timeline.

This way, you have a Gantt chart view of the relevant data points over time to help produce an easily understood report, like the one above. As you can see, I had some suspicious ingress activity on September 25th, a series of firewall denies over the last week of September, changes made to my account on October 3rd, and some IDS alerts on October 22nd.

Were there truly a concern that my account were compromised, UserInsight now provides me with a tool that helps me quickly "connect the dots" to create an organized report that summarizes my findings and send them to anyone that can help me completely contain the threat.

If you want to see how UserInsight can help you speed up and organize your incident investigations, watch the incident investigation webcast or contact us to schedule a demo. We would love to improve the speed and breadth of your investigations.