Follow the breadcrumbs
Like the story of Hansel and Gretel, following the small bits of information is often the way to find your way home, or in this case to the attack perpetrator.
Security analytics is a vital part of managing your cybersecurity solution: without analytics there is no way to understand your true protection status. Vendors providing full stack solutions is a great way to minimize the complexity and can provide a high-level overview of your security solution, ensuring that you spend your valuable time on the most important issues rather than spending time digging deep into data to find your own correlations relevant for your infrastructure. However, some issues are highly important to investigate deeper, such as indications of potential directed attacks at your infrastructure. This is commonly called incident handling or incident analysis, and it can help you to learn what went wrong and how you can ensure that a similar incident will not happen again.
Once an attack has been identified, the real work begins. Much like a crime scene investigator, the network administrator needs to fully understand WHAT happened, HOW did it happen and WHO did it? It is not uncommon that the attack identified is actually only the tip of an iceberg and there have been earlier activity leading up to the attack that are just as important to analyze to be able to paint the whole picture. Much like the stories of Hansel and Gretel by the Brothers Grimm, where Hansel takes a slice of bread and leaves a trail of breadcrumbs for them to follow home, an attacker leaves traces of information in their path which we can use to solve the puzzle. Crucial for incident analysis is access to a store of raw log events from your security solution as well as services in your infrastructure.
Gather evidence
Start off by identifying the source of the attack, this is typically an IP address. Query the repository of raw log data for all signs of communication to and from this IP address for the time window of interest, for instance the week leading up to the time of the issue as well as a couple of days after the issue. If you find signs of communication early in the time window or very late in the time window, then you must broaden your time window to ensure that you do not miss any vital information.
Trace activities
Once you have a set of raw log events detailing the communication activities to and from the IP address under investigation, you should map the activities into blocked activities and allowed activities.
The blocked activity can potentially describe how the attack was built up, for instance by showing that the IP address was used to try to access resources on different ports, attempts that the firewall blocked, before an open port was found and the attack was initiated. This is highly relevant information to understand HOW the attack was initiated. Was the attack a targeted attack to a specific resource or a broader attack trying to leverage on software vulnerabilities in a published service?
By looking at the log events for allowed activities, you can find out what type of data was accessed. How much data was uploaded and downloaded and from which services? Was the IP address used to access resources that require some level of authentication, and was that authentication successful? If so, which user credentials were used? All this information is crucial to find out WHO performed the attack and WHAT was accessed. Note, however, that a successful authentication performed before the attack does not necessarily mean that the user was actually intending to attack your systems, rather the user may have had its computer infected by a Trojan performing the attack once the user was authenticated.
The next steps
Once you have mapped all activities for the IP address identified as the source of the attack, then you will have a much clearer view on the activities leading up to the attack, as well as any potential continuation of activities after the attack. Allowing you to extend the analysis into log data for specific network services that was accessed during the time window of the attack, vital information needed to be able to paint the full picture of the attack and its effects. Based on this analysis, you get insights that may lead to proposed changes of policies, need for increased segmentation or highlight the need to update services in your infrastructure.
To summarize this short overview on incident analysis, one key takeaway is that the more information you have at hand, the better. It’s crucial to have the right tools available to make sense of all the log data gathered from your security solution and network services running in your infrastructure. Finally, referring back to the Hansel and Gretel story, birds ended up eating the breadcrumbs Hansel left behind, leaving Hansel and Gretel lost in the woods; Make sure that you are not lost following the traces of your potential attackers, prepare and make sure that you keep the raw log data from your security solution and network services for a sufficient duration of time to be able to perform incident analysis when needed.
Read more on how to know your protection status in our whitepaper:
https://www.clavister.com/security-analytics/
With Clavister InCenter, organizations get immediate visibility of their protection status and full access to raw log data to facilitate incident analysis. It is already included in the Clavister Security Subscription and can be delivered as a cloud service, making the threshold to get started very low.
