Scoping Attacks By Following Attacker Breadcrumbs
As defenders, the critical moment is when we’ve determined that an attacker’s attempt to gain a foothold on the network was successful. This sets off a chain of investigative activity where we follow breadcrumbs through our data to understand where the attacker went, what their mission is, and what they took. As these breadcrumbs are uncovered, we don’t just have to follow their path; we also must ascertain whether similar evidence can be found at other points on the network. This is all part of scoping the attacker to better understand the attack. In this post, I’m going to talk about strategies for attack scoping and discuss how Sqrrl enables them intuitively.
INVESTIGATING SCOPE WITH EXPANSIONS
Seasoned investigators have built muscle memory specific to scoping. Any time they encounter evidence of an attack, they will typically perform a network-wide search to see if similar evidence can be found elsewhere. In data transformation terms, this is called an expansion. For example, an analyst who discovers a malicious HTTP user agent is likely to search all their HTTP Proxy data or Bro HTTP logs to see if the same user agent was observed on another device. This could yield the discovery of additional hosts infected with the same malware. Here, the analyst has taken the result of what was likely a much more specific search and broadened the scope of it.
Figure 1: Expanding a Search to Scope an Attack
So, how do you build this same muscle memory if you don’t already have it? It’s all about repetition. Any time you find a suspicious or malicious indicator, ask yourself “Can I find any other evidence of this on other devices?”
If you don’t have a centralized way to search your data, this can be a very cumbersome task which can dissuade an analyst from building this habit. It might mean multiple searches across several data sources and a manual attempt to piece together the sequence of the events they form. In Sqrrl, scoping attacks in this manner is a couple of clicks away.
Consider an example where you’ve uncovered a malicious process running on a host. There are a couple of ways you might want to search for this evidence. First, are any processes with the same name running on other hosts? To perform this search in Sqrrl, you can right-click the process name, select the Expand menu, and choose the Process_hostedOn > Hostname option.
Figure 2: Searching for a Malicious PHP File on Other Hosts Reveals Another Infection
Of course, file names can and will change. Let’s say that you’ve uncovered the malicious process by looking at Windows Sysmon logs. That means you have the file hash of the process. You could pivot off that file hash instead of just the file name, but you could also look at Bro File logs to see if any host downloaded a file with the identified file hash. This might uncover infected hosts that simply haven’t yet executed the malicious file. The process to perform this scoping in Sqrrl would be the same, and because Sqrrl allows you to model similar fields across your data sources, it’s still only a one-click operation.
COMMON SCOPING EXPANSIONS
Most of the data transformations I’ve discussed here are based on expansions. That is, taking the results of a query and using a piece of data that was returned to query a broader array of data sources, a larger time span, or a larger array of the attack surface area (more hosts). If you’re new to analysis, where and how to apply expansions may not always be intuitive. Here are a few of the most common expansions you’ll make when scoping attacks:
- IP Address > Flow, PCAP, Proxy Logs
- File Name > Windows Process Execution Logs, Sysmon Process Execution Logs, E-Mail Logs
- User Name > Windows Authentication Logs, Proxy Logs, VPN Logs
- File Hash > Sysmon Process Execution Logs, EDR Tool, Bro File Logs, Proxy Logs
- Text Strings > Proxy Logs, E-Mail Logs, Sandbox Output, Registry Keys
You’ll uncover many places to scope expansions, but this list provides a starting point and will afford you plenty of opportunities to develop better scoping practices.
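To make the expansion idea concrete, here is an added example (my own illustration, not Sqrrl code) that implements the pivot from the process/file-hash scenario above and the indicator-to-data-source table: one indicator found on one host is searched across every data source that carries a comparable field, and the result is the list of additional hosts that show the same evidence. The source names, field names and log records are constructed for the example.

```python
import ntpath
from collections import defaultdict

# Constructed sample records (not real telemetry). Each dict is one event
# from a different data source; only the fields the pivot needs are kept.
SOURCES = {
    "sysmon_process": [  # Sysmon process-creation style events
        {"host": "ws01", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\update.exe",
         "sha256": "deadbeef01"},
        {"host": "ws04", "image": "C:\\Windows\\System32\\svchost.exe",
         "sha256": "1111111111"},
        {"host": "ws09", "image": "D:\\Downloads\\UPDATE.EXE", "sha256": "deadbeef01"},
    ],
    "bro_files": [  # Bro files.log style: file seen crossing the wire
        {"host": "ws02", "filename": "update.exe", "sha256": "deadbeef01"},
        {"host": "ws05", "filename": "patch.exe", "sha256": "deadbeef01"},
        {"host": "ws04", "filename": "invoice.pdf", "sha256": "2222222222"},
    ],
    "proxy": [  # HTTP proxy log
        {"host": "ws03", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    ],
}

# Which field in which source each indicator type maps to. This is the
# "model similar fields across data sources" step; the names are assumed.
EXPANSIONS = {
    "file_hash": [("sysmon_process", "sha256"), ("bro_files", "sha256")],
    "file_name": [("sysmon_process", "image"), ("bro_files", "filename")],
    "user_agent": [("proxy", "user_agent")],
}

def normalize(indicator_type, value):
    """Make values comparable: basename for file names, lowercase for all."""
    if indicator_type == "file_name":
        value = ntpath.basename(value)
    return value.lower()

def expand(indicator_type, value, sources=SOURCES, origin_host=None):
    """Search every mapped source for the indicator; return {host: [sources]}.
    The host where the evidence was first found is excluded so the result
    is the set of *additional* hosts the attack has touched."""
    wanted = normalize(indicator_type, value)
    hits = defaultdict(list)
    for source, field in EXPANSIONS[indicator_type]:
        for rec in sources.get(source, []):
            if rec.get(field) is None or rec["host"] == origin_host:
                continue
            if normalize(indicator_type, rec[field]) == wanted:
                if source not in hits[rec["host"]]:
                    hits[rec["host"]].append(source)
    return dict(sorted(hits.items()))
```

Pivoting on the hash found on ws01 turns up ws09 (executed it, per Sysmon) plus ws02 and ws05 (downloaded it, per Bro, ws05 under a different name), while pivoting on the file name alone misses ws05.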
If you’re not thinking about attack scoping while you’re investigating a compromise, there is a strong chance you’ll miss something. Experienced analysts know this, which is why they’ve built up the muscle memory that compels them to perform wide searches for uncovered evidence. This is a good habit for every analyst to develop. The easier a process like this is, the better your chances of turning it into a habit. Fortunately, Sqrrl takes what could be a complex, multi-step process and simplifies it into a few clicks. The next time you’re investigating an attack, my challenge to you is to think about every piece of evidence you find and how you can pivot to a broader search for it. You might find something even more malicious!
This is the first post of the cyber incident investigation how-to series by Chris Sanders. The rest of the posts can be found here:
- Answering Questions Before They’re Asked
- Reducing Evidence Abstraction
- Retracing Investigation Steps