© 2015 Sqrrl | All Rights Reserved
ABOUT ME
Security Architect at Sqrrl. Research areas include threat intelligence, security analytics and the art & science of hunting. 15 years of detection & response experience in government, research, educational and corporate arenas. A founding member of a Fortune 5’s CIRT. Spent 5 years helping to build a global detection & response capability (500+ sensors, 5PB PCAP, 4TB logs/day).
AGENDA
What is Triage?
The Detection Cycle
Key Questions in the Investigative Continuum
Summary
WHAT IS ALERT TRIAGE?
Image: "Triage" by Umschattiger - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Triage.jpg#/media/File:Triage.jpg
In medicine, triage involves evaluating, prioritizing and tagging patients according to the urgency of their condition. Alerts, by contrast, should already arrive pre-prioritized and tagged, so humans shouldn’t need to do much except validation. Alert triage therefore involves less prioritization/tagging and more investigation.
THE AUTOMATED DETECTION CYCLE
Observe what is happening in your environment.
Compare these activities to reference databases (signatures, indicators, patterns of activity, etc.).
Alert when we are reasonably confident of a match.
Validate that the system actually detected the type of activity it meant to.
THE INVESTIGATIVE CONTINUUM
Alert! Is this an actual attack?
Was the attack successful?
What other assets were affected?
What other activities occurred?
How should my org respond?
Validation & Scoping, AKA Triage
IS THIS AN ACTUAL ATTACK?
Context is key to quickly discarding false positives.
02/08-18:48:04.305170 [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 58.64.132.100:44674 -> 172.16.150.20:80
WAS THE ATTACK SUCCESSFUL?
For fewer alerts, focus on indicators of attacker success.
Most alerts are for attack attempts. Most attempts are not successful. Most of your alerts don’t require action, so why waste time with them? Indicators of success or post-compromise actions result in fewer, more meaningful alerts.
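To show the two checks from these slides on the Snort alert above (is the attacked software even present on the target, and did the target answer the attacker with a non-error response), here is a small Python triage routine added for this page; it is not Sqrrl's code. The asset inventory, the signature-to-software mapping and the web-server log entries are constructed assumptions, as is the year (fast-format alerts carry none).

```python
import re
from datetime import datetime, timedelta

# The two-line Snort fast-format alert from the slide, used as sample input.
SAMPLE_ALERT = """02/08-18:48:04.305170 [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 58.64.132.100:44674 -> 172.16.150.20:80"""

ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] \[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_fast_alert(text, year=2015):
    """Parse a (possibly line-wrapped) Snort fast-format alert; the year is an assumption."""
    m = ALERT_RE.search(" ".join(text.split()))  # collapse the line wrap
    if not m:
        raise ValueError("not a Snort fast-format alert")
    a = m.groupdict()
    a["time"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
    for k in ("sid", "pri", "sport", "dport"):
        a[k] = int(a[k])
    return a

# Constructed context (assumptions): software each signature targets, and an asset inventory.
SIG_TARGET_SOFTWARE = {25975: "coldfusion"}
ASSETS = {"172.16.150.20": {"software": {"apache", "coldfusion"}, "internet_facing": True}}
# Constructed web-server log for the target: the attempt itself gets a 403, but a
# later non-error response to the same client is an indicator of success.
HTTP_LOG = [
    {"server": "172.16.150.20", "client": "58.64.132.100", "status": 403,
     "time": datetime(2015, 2, 8, 18, 48, 4)},
    {"server": "172.16.150.20", "client": "58.64.132.100", "status": 200,
     "time": datetime(2015, 2, 8, 18, 48, 9)},
]

def triage(alert, assets=ASSETS, http_log=HTTP_LOG, window=timedelta(minutes=5)):
    """Decide: discard (cannot apply), attempt, or possible-success (needs an analyst)."""
    target = assets.get(alert["dst"])
    if target is None:
        return "unknown-asset"  # no context at all: an inventory gap worth fixing
    needed = SIG_TARGET_SOFTWARE.get(alert["sid"])
    if needed and needed not in target["software"]:
        return "discard"  # the targeted software is not present, so the attempt cannot succeed
    for rec in http_log:
        if (rec["server"], rec["client"]) == (alert["dst"], alert["src"]) \
                and abs(rec["time"] - alert["time"]) <= window and rec["status"] < 400:
            return "possible-success"
    return "attempt"
```

Only the "possible-success" and "unknown-asset" outcomes should reach a human; the other two are the alerts the slide says are not worth your time.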
WHAT ELSE WAS AFFECTED?
Use context to expand the scope of the investigation. Investigation questions from our previous example:
• Did the attacker compromise user accounts on the target?
• Where else might those user accounts be valid?
• What other systems communicated with the attacker?
• Are there any other related assets we need to check out?
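The four scoping questions above, turned into an expansion loop in Python that I am adding here (not Sqrrl's code): start from the alert's attacker and target, pull in every host that talked to the attacker, then alternate between accounts seen on the affected hosts and hosts those accounts reached until nothing new appears. The flow and authentication records, the 2-hour window and the host addresses other than the slide's are constructed assumptions.

```python
from datetime import datetime, timedelta

ALERT_TIME = datetime(2015, 2, 8, 18, 48, 4)  # from the slide's alert; year assumed

# Constructed records (assumptions) for the window after the alert:
# network flows as (time, src, dst, dst_port) and authentications as (time, user, host).
FLOWS = [
    (datetime(2015, 2, 8, 18, 48, 4), "58.64.132.100", "172.16.150.20", 80),   # the alerted attempt
    (datetime(2015, 2, 8, 18, 52, 30), "58.64.132.100", "172.16.150.25", 80),  # attacker hits a 2nd host
    (datetime(2015, 2, 8, 19, 3, 12), "172.16.150.20", "58.64.132.100", 443),  # target calls back out
    (datetime(2015, 2, 8, 18, 50, 0), "172.16.150.30", "172.16.150.20", 22),   # no attacker involved
]
AUTH = [
    (datetime(2015, 2, 8, 18, 55, 0), "svc_web", "172.16.150.20"),  # logon on the target after alert
    (datetime(2015, 2, 8, 19, 10, 0), "svc_web", "172.16.150.40"),  # same account used elsewhere
    (datetime(2015, 2, 8, 9, 0, 0), "svc_web", "172.16.150.50"),    # before the alert: out of window
    (datetime(2015, 2, 8, 19, 20, 0), "alice", "172.16.150.40"),    # logon on a host reached in round 1
]

def scope(attacker, first_host, t0, flows=FLOWS, auth=AUTH,
          window=timedelta(hours=2), max_rounds=5):
    """Expand from one alert to the hosts and accounts that must be checked."""
    def in_window(t):
        return t0 <= t <= t0 + window

    hosts, accounts = {first_host}, set()
    # What other systems communicated with the attacker?
    for t, src, dst, _ in flows:
        if in_window(t) and attacker in (src, dst):
            hosts.add(dst if src == attacker else src)
    for _ in range(max_rounds):  # hosts -> accounts -> hosts until nothing new appears
        # Did the attacker compromise user accounts on the affected hosts?
        new_accounts = {u for t, u, h in auth if in_window(t) and h in hosts} - accounts
        # Where else might those accounts be valid? (hosts they authenticated to in the window)
        new_hosts = {h for t, u, h in auth if in_window(t) and u in new_accounts} - hosts
        if not new_accounts and not new_hosts:
            break
        accounts |= new_accounts
        hosts |= new_hosts
    return {"hosts": sorted(hosts), "accounts": sorted(accounts)}
```

The returned hosts and accounts are the "other related assets we need to check out"; each round of the loop is one hop in the graph the later slide recommends looking at.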
WHAT OTHER ACTIVITIES OCCURRED?
Create a timeline of attacker activities and IR milestones:
• First exploit attempt
• All alerts generated by the attack
• When the alerts were investigated and escalated
• When each asset was contained
• When each asset was remediated
• When the incident was closed
Now you know what assets were affected, find the evidence and record the events in order. Timelines are useful not only for reports, but as IR leads for identifying gaps in the story.
Start with a simple spreadsheet or wiki page to get a feel for the process, then expand. Doing a few graphical timelines manually helps you understand your true requirements, too!
REVIEW: KEY QUESTIONS
Was this an actual attack?
Was the attack successful?
What other assets were affected?
What activities did the attacker carry out?
REVIEW: OTHER TIPS
Don’t waste your time prioritizing alerts. Let the computer do it for you.
Make sure your analysis tools and workflows support answering the key questions. This makes your analysts much more powerful.
High level context tools like graphs offer many advantages that are hard to get with log-based tools.
Focus on indicators of success to cut down on the number of alerts.
WANT TO LEARN MORE?
www.sqrrl.com
Read our white paper or product paper.
Schedule a demo or proof of concept.
Request a VM or evaluation software.