This post is to summarize some security incidents investigation steps using DarkTrace.
Investigation methodology
The most important questions usually are:
- How did the infection occur? (To prevent the same initial infection vector in the future)
- What behavior is the infected device exhibiting? (To understand the threat and the risk of the infection)
- What Indicators of Compromise (IoC) are seen? (To update other security tools and to use for further investigation)
- Are other devices infected as well? (To assess the extent of the infection)
One CEO-Laptop File Downloading Event Example
1 Review Threat Tray
2 Using Breach Log to quickly identify which device involved into the breach
3 Using Magnify Glass feature visualize the situation in 3D. Provide situation awareness for this breach, ie, which device, where was connecting to.
4 Using Graph overlay modeling metrics and interpreting log files
5 Comparing similar devices’ normal behavior
6 Thereafter, entered comments into this breach
7 Using advanced search tool to gather further information
8 User Open Source Intelligent Tools (OSIT) to Identity Files and URL. (http://virustotal.com/)
9 Acknowledge this breach after entered comments again.
References
from Blogger http://blog.51sec.org/2020/12/darktrace-investigation-steps.html