This post summarizes the steps of a security incident investigation using Darktrace.
The most important questions are usually:
- How did the infection occur? (To prevent the same initial infection vector in the future)
- What behavior is the infected device exhibiting? (To understand the threat and the risk of the infection)
- What Indicators of Compromise (IoC) are seen? (To update other security tools and to use for further investigation)
- Are other devices infected as well? (To assess the extent of the infection)
Example: a file-download event on a CEO laptop
- Review the Threat Tray.
- Use the Breach Log to quickly identify which device was involved in the breach.
- Use the magnifying glass feature to visualise the situation in 3D. This gives situational awareness for the breach, i.e. which device was involved and where it was connecting to.
- Use the graph overlay to model metrics and interpret the log files.
- Compare with the normal behaviour of similar devices.
- Then enter comments on this breach.
- Use the advanced search tool to gather further information.
- Use open source intelligence (OSINT) tools to identify the files and URLs involved (http://virustotal.com/).
- Enter comments again, then acknowledge the breach.
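The last steps (gathering IoCs from the breach log, searching for them across other devices, and checking files and URLs against VirusTotal) can be prepared with a small helper. The script below is an added example and is not Darktrace code or a Darktrace API; the breach details, the sample file bytes and the log lines are all constructed for illustration, and the hostnames in them are hypothetical. It computes the hashes OSINT services index a sample by, defangs the destination URL so it is safe to paste into a ticket, builds the VirusTotal file page link, and scans constructed log lines to answer "are other devices infected as well?".

```python
"""Prepare IoCs from a file-download breach for OSINT lookup and scoping.

Added illustration, not Darktrace code. All inputs below are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed example of what an analyst might copy out of the breach log.
SAMPLE_BREACH = {
    "device": "ceo-laptop",  # hypothetical hostname
    "destination": "http://files.example.test/update/setup.exe",  # constructed URL
    "file_bytes": b"MZ\x90\x00constructed-sample-not-real-malware",  # constructed
}

# Constructed connection log lines standing in for advanced-search results.
LOG_LINES = [
    "2024-01-01T10:02:11Z device=ceo-laptop dst=files.example.test uri=/update/setup.exe",
    "2024-01-01T10:05:43Z device=finance-pc dst=files.example.test uri=/update/setup.exe",
    "2024-01-01T10:07:02Z device=hr-pc dst=intranet.example.test uri=/",
]

LOG_RE = re.compile(r"device=(?P<device>\S+)\s+dst=(?P<dst>\S+)")


def hash_file_bytes(data: bytes) -> dict:
    """Return the hashes most OSINT services index a sample by."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def defang(indicator: str) -> str:
    """Defang a URL or hostname so it is not clickable when pasted into a report.

    Only the scheme and host are altered; the path is left readable.
    """
    if "://" in indicator:
        scheme, rest = indicator.split("://", 1)
        host, sep, path = rest.partition("/")
        return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"
    return indicator.replace(".", "[.]")


def extract_iocs(breach: dict) -> dict:
    """Turn one breach record into a set of shareable IoCs plus a VirusTotal link."""
    hashes = hash_file_bytes(breach["file_bytes"])
    host = urlparse(breach["destination"]).hostname
    return {
        "device": breach["device"],
        "destination_host": host,
        "destination_url_defanged": defang(breach["destination"]),
        **hashes,
        # Public VirusTotal web page for a file, keyed by SHA-256.
        "virustotal_file_page": f"https://www.virustotal.com/gui/file/{hashes['sha256']}",
    }


def find_other_devices(log_lines, host: str, exclude: str) -> list:
    """List other devices that contacted the same destination host (scoping step)."""
    seen = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") == host and m.group("device") != exclude:
            seen.add(m.group("device"))
    return sorted(seen)


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_BREACH)
    for key, value in iocs.items():
        print(f"{key:26} {value}")
    others = find_other_devices(LOG_LINES, iocs["destination_host"], iocs["device"])
    print("other devices contacting the same host:", others or "none")
```

The defanged URL and the hashes are what goes into the breach comments and into other security tools; the VirusTotal page is opened manually, and the list of other devices tells you whether the breach needs to be scoped beyond the one laptop.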