Sqrrl Blog

May 24, 2017 8:00:00 AM

Cyber Incident Investigation Series: Retracing Investigation Steps

By Chris Sanders

Finding evil is all about asking the right questions, finding answers, and using those answers to ask more questions. Each question and answer represent a decision point, branching the investigation off down a new path. The path of the analyst is far from linear, and sometimes we need to go back and retrace our steps to work from a previous decision point. Just like Hansel and Gretel left breadcrumbs along their path through the woods, we too need breadcrumbs to ensure that we’re fully exploring our hypotheses and seeing the whole picture of an investigation clearly.

Traditionally, laying down breadcrumbs has been difficult. Analysts often query data across multiple tools, and those tools lack focus on the investigation process and augmenting the abilities of the human analyst. This forces the analyst to rely on manual note taking to keep up with their queries. This isn’t ideal because the analyst also needs to move fast to test their hypothesis and find answers. In this white paper we’ll walk through a simple investigation and show how Sqrrl can help ease the burden of note taking by automatically tracking your investigation steps.

Tracking the Investigation

Even the simplest investigations contain pivots down many different paths. Consider an example where you’ve encountered a suspicious DNS name while hunting through your DNS traffic. How would you investigate that? Your path might look like this:

Sqrrl-RetracingSteps-Figure1.png

  1. You query various open source intelligence repositories to see if the domain name appears to be associated with known malicious activity or malware. You find that the domain is name is listed in a report on VirusTotal, and that a malware sample communicated with the domain. That report provides a variety of additional artifacts you can explore.
  2. You choose to focus on the malicious process name the malware creates on infected systems. You search through Sysmon logs for that process name and find the system that generated the DNS request is running the process identified in the malware report.

  3. You take the username the process was executed by and search web proxy logs to see if any other suspicious browsing occurred around the time the process launched. You don’t find anything that appears suspicious.


At this point, you can begin remediation on the infected machine, but is the investigation truly over? Absolutely not! What about that malware report you discovered early on? It was full of additional artifacts that could be researched. What about the IP address the malicious domain resolved to? There’s a chance other devices in your network have communicated to that same IP, but using different DNS names. What about the user who logs into the system that was infected? You need to examine their activity to make sure an attacker didn’t use their account to access sensitive information. There are several places where the investigation can continue, but, you’ll only be able to pick up the trail if you can follow the breadcrumbs back to where you were.

Following Breadcrumbs in Sqrrl

Sqrrl is true analyst-centered investigation platform. Every action you take is tracked, allowing you to retrace your steps and pick up the investigation from a previous decision point. This is provided to the analyst in a few useful places. 

Sqrrl-RetracingSteps-Figure2.png

First, as you explore artifacts in Sqrrl, you’re constantly building a visual representation of your findings. This graph view allows you to visually traverse the entities and relationships that are uncovered as you progress further in the investigation and build a clear view of what events have transpired. Walking back to an earlier step in the investigation is as simple as shifting focus to one of the other entities on the screen and executing queries against it by right-clicking on it.

Sqrrl-RetracingSteps-Figure3.png

Sqrrl also tracks investigative actions in a linear format so that you can view the steps you’ve taken in order. This feature is accessible by right-clicking any node in the Explore window and selecting the Investigation Manager option. The output slides out from the right side of the screen so you can follow your investigation path while still viewing that data along with the bigger picture relationships you’ve uncovered. As a bonus, you can add comments to individual steps to provide input when you circle back around to indicators uncovered during that step. This also aids collaboration amongst other analysts who are diving into your investigation to help or picking up where you left off after your shift is over.

This data is all generated automatically while you perform your investigation, ensuring you don’t have to slow down to take notes and break your mental rhythm. Entire investigations and the data associated with them can be saved as well. This provides a great opportunity to review your investigation after you’ve stepped away for a few minutes to clear your head. It also provides a training mechanism to show others in your organization exactly how you investigated a specific observation or alert.

Conclusion

It’s easy to get caught up in the heat of the investigation when you’re finding interesting artifacts and forging full speed ahead. However, even in the most basic investigations, you’ll usually need to take a few steps back and pursue leads uncovered at earlier stages of the process. That’s why it’s so critical to have the ability to review your previous investigative actions. This type of workflow is built into the foundation of Sqrrl and is one of many reasons why analysts are more successful when using it as a hunting and investigation platform.    

This is the first post of the cyber incident investigation training series by Chris Sanders. The rest of the posts can be found here:


Chris Sanders is a threat hunter and founder of Applied Network Defense. You can read more of Chris' writing at his blog here.

Interested in trying out Sqrrl for yourself? Click on the button below to register for the Sqrrl test drive VM:

Sqrrl Test Drive VM

For more information on hunting check out these walkthrough videos on hunting for C2:
Hunting for C2: Indicator Search
Hunting for C2: Stack Counting