Cyber Incident Investigation


Effective cyber incident response and investigation is a process that begins with detection and spans alert triage, incident analysis, and remediation. Whether it is carried out by a full CSIRT or a single analyst, every alert that is generated raises four questions that must be answered.

Validation Questions:

1. Does this alert indicate an actual attack?

2. If so, was the attack successful?

Scoping Questions:

3. For successful attacks, what other assets were affected?

4. What other activities occurred as part of this attack?

Once you know the answers to these four questions, you can begin to remediate the incident. Following the detection of a threat during a threat hunting trip, Sqrrl enhances your incident response process by contextualizing your security data as linked data and providing insights that can reduce traditional investigation time by an order of magnitude. These insights empower analysts of any tier to handle their tasks efficiently and take on more advanced threats.

Alert Validation

Validation is the process of determining whether an alert or detection is a true positive or a false positive. Even a true positive does not necessarily mean there was an incident: the activity it detected may have been blocked or may have failed. Security analysts have only so much time, and clarity at this stage is what lets them spend it well and find more threats more quickly.

To obtain that clarity, analysts must be able to investigate an alert and determine both the impact a potential incident could have and the confidence with which the alert was generated. This includes assessing the state of your IT infrastructure and gathering additional data about endpoints, applications, and network traffic. Without the right tools, this process is complicated and time consuming.

The best way to enhance your investigation is to make sense of your data and leverage it. Sqrrl Enterprise combines disparate datasets and creates powerful visualizations and anomaly detections that let you explore them, diving down into the connections that one entity, such as a user, host, or domain, might have to another.

Incident Analysis and Scoping

Once a threat is found, containing it and responding to its presence is usually just the first step in resolving the incident.

To answer the two questions involved in this phase (what other assets and what other activities were involved in the attack), analysts must be able to correlate data from various sources, conduct root cause analysis, and scope the impact of the incident. Correlating what is found with other known threats or incidents is a further data fusion practice.
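The four-question workflow from the top of the page and the cross-source correlation this paragraph describes, as an added example that is not Sqrrl's code: a small Python triage script over constructed log lines from an IDS, a firewall, a DNS resolver, and an authentication source. It corroborates an IDS alert with the other sources to answer the two validation questions, then links users, hosts, domains, and IPs from every source into one entity graph and walks it outward from the alerting host to answer the two scoping questions. The source names, field names, hostnames, and addresses are all constructed for this example, and the corroboration rule (a second source seeing the same flow makes the alert a true positive; an allowed flow that moved bytes out means it succeeded) is a deliberately simplified stand-in for real analyst judgment.

```python
"""Triage one alert against constructed multi-source logs (added example).

Walks the four questions from the text: validate the alert (true positive?
successful?) by corroborating it with independent sources, then scope it by
linking users, hosts, domains and IPs from every source into one small
entity graph and walking outward from the alerting host. The log lines,
field names and source names are constructed for this example only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records: (timestamp, source, key=value line). Not real data.
LOGS = [
    ("2023-04-01T09:58:10", "dns",  "host=ws-17 query=update-cdn.example.net answer=203.0.113.5"),
    ("2023-04-01T09:58:12", "ids",  "alert sid=9001 src=ws-17 dst=203.0.113.5 msg='Possible beacon'"),
    ("2023-04-01T09:58:12", "fw",   "action=allow src=ws-17 dst=203.0.113.5 dport=443 bytes_out=48213"),
    ("2023-04-01T10:05:31", "auth", "user=jdoe host=ws-17 result=success method=interactive"),
    ("2023-04-01T10:12:02", "auth", "user=jdoe host=fs-02 result=success method=network src=ws-17"),
    ("2023-04-01T10:13:45", "auth", "user=jdoe host=db-01 result=failure method=network src=fs-02"),
    ("2023-04-01T10:20:00", "dns",  "host=fs-02 query=update-cdn.example.net answer=203.0.113.5"),
    ("2023-04-01T10:20:01", "fw",   "action=allow src=fs-02 dst=203.0.113.5 dport=443 bytes_out=910"),
    ("2023-04-01T11:00:00", "auth", "user=asmith host=ws-03 result=success method=interactive"),
    ("2023-04-01T11:00:05", "ids",  "alert sid=9002 src=ws-03 dst=198.51.100.9 msg='Suspicious UA'"),
]

KV = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse(line):
    """Split a key=value line into a dict, stripping single quotes."""
    return {k: v.strip("'") for k, v in KV.findall(line)}

def ts(s):
    return datetime.fromisoformat(s)

def edges_for(source, rec):
    """Translate one record into typed entity edges; a node is (type, name)."""
    e = []
    if source == "dns":
        e.append((("host", rec["host"]), ("domain", rec["query"])))
        e.append((("domain", rec["query"]), ("ip", rec["answer"])))
    elif source in ("fw", "ids"):
        e.append((("host", rec["src"]), ("ip", rec["dst"])))
    elif source == "auth" and rec.get("result") == "success":
        e.append((("user", rec["user"]), ("host", rec["host"])))
        if "src" in rec:  # network logon: the source host reached this one
            e.append((("host", rec["src"]), ("host", rec["host"])))
    return e

def validate(alert, when, logs, window=timedelta(minutes=5)):
    """Q1 and Q2: look for the alerted flow in sources other than the IDS.
    Simplified rule (an assumption of this example): a second source seeing
    the same src/dst pair makes the alert a true positive; an allowed
    firewall flow that moved bytes out means the beacon succeeded."""
    src, dst, evidence, successful = alert["src"], alert["dst"], [], False
    for t, source, line in logs:
        if abs(ts(t) - when) > window:
            continue
        rec = parse(line)
        if source == "dns" and rec.get("host") == src and rec.get("answer") == dst:
            evidence.append((source, line))
        elif source == "fw" and rec.get("src") == src and rec.get("dst") == dst:
            evidence.append((source, line))
            if rec.get("action") == "allow" and int(rec.get("bytes_out", 0)) > 0:
                successful = True
    return bool(evidence), successful, evidence

def scope(seed, when, logs, lookback=timedelta(minutes=5)):
    """Q3 and Q4: build the entity graph from everything after the window
    opens, walk it from the seed, and return (affected nodes, activities)."""
    adj, records = defaultdict(set), []
    for t, source, line in logs:
        if ts(t) < when - lookback:
            continue
        rec = parse(line)
        records.append((t, source, rec, line))
        for a, b in edges_for(source, rec):
            adj[a].add(b)
            adj[b].add(a)  # undirected: a user on a compromised host is suspect too
    seen, queue = {seed}, deque([seed])
    while queue:
        for nxt in adj[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    names = {name for _, name in seen}
    # Activities: every record that mentions an in-scope entity, including
    # failures (the failed logon to db-01) that create no graph edge.
    activities = [(t, source, line) for t, source, rec, line in records
                  if names & set(rec.values())]
    return seen, activities

def triage(logs, alert_index):
    """Answer all four questions for the IDS record at logs[alert_index]."""
    t, _, line = logs[alert_index]
    alert, when = parse(line), ts(t)
    true_positive, successful, evidence = validate(alert, when, logs)
    affected, activities = scope(("host", alert["src"]), when, logs)
    return {"true_positive": true_positive, "successful": successful,
            "evidence": evidence, "affected": affected, "activities": activities}

if __name__ == "__main__":
    for i in (1, 9):
        r = triage(LOGS, i)
        print(f"alert {i}: true_positive={r['true_positive']} successful={r['successful']}")
        print("  affected:", sorted(r["affected"]))
        for t, source, line in r["activities"]:
            print(f"  {t} {source}: {line}")
```

The failed logon to db-01 adds no edge to the graph, so db-01 is not reported as an affected asset, but the record is still returned as a related activity because it names an in-scope host and user; keeping those two outputs distinct is exactly the difference between question 3 and question 4. The second alert, for ws-03, has no corroborating DNS or firewall record and comes back as a false positive with a scope limited to its own host and user.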

Gathering and contextualizing information like this is a critical step in developing an effective analysis, both of the vulnerabilities in your own infrastructure and of the threats menacing you over time. Done correctly, these analyses generate threat intelligence you can use to map the campaigns of advanced threats.

[Figure: Clarity through Linked Data: a Sqrrl network visualization and raw data drill down]

The Sqrrl Advantage

Sqrrl Enterprise can radically enhance and speed up an analyst’s ability to do each of these steps. Sqrrl’s benefits include:

  • Contextual, intuitive graph visualization of even the most complex networks
  • Aggregating and fusing petabytes of disparate data sets
  • Real-time search, query, and analysis of entity behaviors
  • Blast radius analysis made simpler through context graphs
  • Fast drill downs into connected datasets
  • Automated detection of anomalies and adversary tactics
