In conversations with customers, we find that they delve deep into their data in two situations. They are either:
- Investigating a specific issue they’ve discovered
- Proactively hunting based on some threat intel they’ve received
In either case, this means getting as much information as you can about what did or didn’t happen. If you’re lucky you’ve been able to collect a huge amount of data that may or may not contain the information you need. Your job is to sift through the data and glean meaningful conclusions. To do this there are three main steps you need to follow.
- Following a lead. When you’re investigating a specific issue, you’re following a lead, something an outside party or a tool has alerted you to. So when you’re looking at this large data set there are some high-level parameters you’ll use to narrow it down. It might be based upon a date, a set of data sources, a set of data types, or tags that have been applied.
- Searching to isolate relevant data elements. In both threat hunting and investigating, there’s normally something specific you’re looking for - an IP address, a user name, a process name, or a specific behavior. When searching, you’re able to get a list of all the data elements where whatever you’re looking for gets a mention.
- Pivoting to shift investigation focus. Once you’ve sifted through your search results, you’ll likely need to shift your focus to something related to your initial search. You might want to know more about the machine your user was logged into, or the processes they kicked off.
And you keep going until you’ve identified the right line of inquiry and gathered all the information you need. Simple, right? Well, not always.
- It’s not always easy to apply the right filters. Narrowing your data set down to the subset most likely to contain what you need isn’t always easy. You don’t always know the timeframe, the source, or the tactics of the attack, so any pre-processing or tagging of data can be really helpful in speeding up investigations.
- Searching large data sets can be slow. Performing searches is about as close as you can get to looking for a needle in a haystack, and creating the right queries and having the technology to crunch the data can be very time consuming.
- Most investigation solutions aren’t built to pivot. Pivoting is where most investigative solutions break down, since they focus on filtering and searching. They’ll usually just return a list of hits against the search query you executed. If you need to pivot, they usually make you search recursively, manually typing in your search query and waiting for the answers. This can be very time consuming.
Pivoting is particularly important since in an investigation, 99 percent of your avenues of inquiry are going to be wrong. So when you do realize you’re heading in the wrong direction, being able to pivot quickly to another avenue is vital.
Cybereason is built from the ground up to make investigations easy. Cybereason goes way beyond just collecting information and indexing it for search. The Cybereason platform:
- Maintains links between all related data. The Cybereason Hunting Engine is a graph database that correlates users, processes, network connections, files, and machines. This makes it trivially easy to pivot from focusing on users, to their machine, to a network connection it opened.
- Tags suspicious data for later investigation. The Hunting Engine constantly analyzes all the data it collects, asking millions of questions every second of that data and looking for suspicious activities. When it finds those suspicious activities, it tags that data to help in detection and alerting, and to give you a jumping-off point that leads you in the right direction during an investigation.
- Keeps data linked to suspicious activity in-memory for easy retrieval. The Hunting Engine keeps data in-memory, which allows it to read data hundreds or even thousands of times faster than data written to disk. This speeds up the search process, getting you the answers you need as quickly as possible.
- Presents data to make pivoting easy. The Cybereason Incident Response Console allows you to not only follow leads and search for specific items, but to pivot and refocus your investigation at any time with ease.
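To make the filter, search, pivot workflow above concrete, here is an added example (not Cybereason's code, and not how its Hunting Engine is implemented) of a toy in-memory entity graph. It links the user, machine, process and remote IP from each event so that a lead can be narrowed by date and tag, searched for one value, and then pivoted to related entities; the event records, tags and values are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per observed event.
EVENTS = [
    {"ts": "2020-03-01T09:00", "source": "edr", "tags": {"suspicious"},
     "user": "alice", "machine": "ws-01", "process": "powershell.exe", "ip": "203.0.113.5"},
    {"ts": "2020-03-01T09:05", "source": "edr", "tags": set(),
     "user": "alice", "machine": "ws-01", "process": "outlook.exe", "ip": "198.51.100.9"},
    {"ts": "2020-03-01T10:00", "source": "proxy", "tags": {"suspicious"},
     "user": "bob", "machine": "ws-02", "process": "chrome.exe", "ip": "203.0.113.5"},
    {"ts": "2020-02-20T08:00", "source": "edr", "tags": set(),
     "user": "carol", "machine": "srv-01", "process": "sshd", "ip": "192.0.2.44"},
]
KINDS = ("user", "machine", "process", "ip")   # entity kinds that become graph nodes


class HuntGraph:
    """Toy entity graph: every event links its user, machine, process and IP to one another."""

    def __init__(self, events):
        self.events = events
        self.edges = defaultdict(set)            # (kind, value) -> neighbouring (kind, value)
        for ev in events:
            nodes = [(k, ev[k]) for k in KINDS]
            for node in nodes:
                self.edges[node].update(n for n in nodes if n != node)

    def follow_lead(self, since=None, sources=None, tags=None):
        """Step 1: narrow the data set by date, data source and/or applied tag."""
        return [ev for ev in self.events
                if (since is None or ev["ts"] >= since)
                and (sources is None or ev["source"] in sources)
                and (tags is None or tags & ev["tags"])]

    def search(self, term, events=None):
        """Step 2: every event where the term (an IP, user, process...) gets a mention."""
        pool = self.events if events is None else events
        return [ev for ev in pool if term in (ev[k] for k in KINDS)]

    def pivot(self, kind, value, to_kind):
        """Step 3: hop from one entity to the related entities of another kind, no re-search needed."""
        return sorted(v for k, v in self.edges[(kind, value)] if k == to_kind)


graph = HuntGraph(EVENTS)
lead = graph.follow_lead(since="2020-03-01", tags={"suspicious"})   # 2 tagged March events
hits = graph.search("203.0.113.5", lead)                             # both mention that IP
machines = graph.pivot("ip", "203.0.113.5", "machine")               # ['ws-01', 'ws-02']
```

Because the graph is built once, a pivot from the IP to its machines, or from alice to every IP her processes contacted, is a dictionary lookup rather than a fresh query over the whole data set.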