I took the Investigation Theory course by Chris Sanders from Applied Network Defense with my team because we wanted to improve how we conducted security incident investigations and take a more standardized approach rather than relying on abstract knowledge that the analyst might have. I am adding some of the takeaways from the course I had, which might be useful to others or might convince you to take this course for yourself.
The course goes into detail on the investigation process, how to form investigative questions and incorporate them into our process so we don’t miss out on threads that we could’ve pulled, the ability to dissect signatures from an alert, how to pivot between evidence sources to answer the questions that you have formed, and recognizing the difference between abnormal and normal behavior to find anomalies.
Chris tells us about the Diagnostic Inquiry process and how our goal is to arrive at a final attack timeline where we can explain the majority of the events, how the attack started, and how everything connects. One thing to keep in mind while handling the initial alert is interpreting the evidence accurately and looking for cues that indicate the presence of additional relationships. We want to start asking the right questions and find events that would help answer those questions and keep on plotting those events onto the attack timeline to get a complete picture.
As security engineers and analysts, we have to find meaning in data: we have to find the links between data points and come up with the most accurate description of what might have transpired. Visualizing the cues you have already found can help you understand the path the attacker took. When you are stuck during an investigation, categorizing those cues as malign or benign can help you decide whether the alert was a false positive or not.
Different analysts can look at the same data and come up with different conclusions or find different clues. Be careful about abstractions in your data, which can lead you down rabbit holes or skew your conclusions. The aim is to improve the consistency of the conclusions.
You can also write investigation playbooks for rules/detections where you notice the same questions being asked repeatedly for specific scenarios. A thorough playbook helps an analyst move forward regardless of their skill level, so they don’t have to come up with new investigative ideas from scratch or rely on their intuition.
You should be able to identify the question you’re trying to answer before diving into the evidence. Don’t scroll around in the logs aimlessly hoping to find an anomaly; think of a question, or a thread to pull on to answer that question, to move ahead in your investigation. Every detection carries a hypothesis, and your investigation is to either prove or disprove that hypothesis. Practice deliberate, slow thinking and come up with relevant, answerable, specific questions so that you don’t always rely on your intuition, because it won’t always give you the correct answer.
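As an added example (not material from the course or from Chris Sanders), here is how the process above can be turned into code: two constructed evidence sources (a hypothetical key=value authentication log and hypothetical structured endpoint events) are normalized onto one attack timeline, the alert becomes the anchor, and a playbook for that detection states its hypothesis and a fixed list of investigative questions, each answered by a pivot over the timeline rather than by scrolling through logs. The internal address range, hostnames, usernames and time windows are all assumptions.

```python
"""Hypothesis-driven investigation playbook over constructed evidence (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- Constructed sample evidence: two sources with different formats ------------
AUTH_LOG = [  # hypothetical key=value authentication log
    "2024-03-01T08:00:12Z host=ws-17 user=alice action=login src=10.0.5.4 result=success",
    "2024-03-01T08:01:30Z host=ws-17 user=alice action=login src=203.0.113.9 result=success",
    "2024-03-01T08:05:00Z host=srv-db user=alice action=login src=10.0.5.4 result=success",
    "2024-03-01T08:20:00Z host=ws-22 user=bob action=login src=10.0.5.8 result=success",
]
EDR_EVENTS = [  # hypothetical endpoint telemetry, already structured
    {"ts": "2024-03-01 08:02:10", "host": "ws-17", "user": "alice", "parent": "explorer.exe", "process": "powershell.exe"},
    {"ts": "2024-03-01 08:03:45", "host": "ws-17", "user": "alice", "parent": "powershell.exe", "process": "cmd.exe"},
    {"ts": "2024-03-01 08:30:00", "host": "ws-22", "user": "bob", "parent": "explorer.exe", "process": "outlook.exe"},
]


@dataclass(frozen=True)
class Event:
    """One normalized entry on the attack timeline, whatever source it came from."""
    ts: datetime
    source: str
    host: str
    user: str
    detail: str
    src: str = ""  # network source address; only meaningful for auth events


def parse_auth(line: str) -> Event:
    ts_str, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return Event(ts, "auth", f["host"], f["user"], f"{f['action']} from {f['src']} ({f['result']})", f["src"])


def parse_edr(rec: dict) -> Event:
    ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(ts, "edr", rec["host"], rec["user"], f"{rec['parent']} -> {rec['process']}")


def build_timeline(auth_lines, edr_records) -> list[Event]:
    """Merge every evidence source into a single time-ordered timeline."""
    events = [parse_auth(l) for l in auth_lines] + [parse_edr(r) for r in edr_records]
    return sorted(events, key=lambda e: e.ts)


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")  # assumption: 10.0.0.0/8 is the internal range


def find_alert(timeline) -> Event:
    """The detection that fired: a successful login from a non-internal address."""
    return next(e for e in timeline if e.source == "auth" and e.src and not is_internal(e.src))


# Each investigative question is a deliberate pivot over the timeline, anchored on the alert.
def q_other_sources(timeline, anchor):
    window = timedelta(minutes=10)
    return [e for e in timeline if e.source == "auth" and e.user == anchor.user
            and e is not anchor and abs(e.ts - anchor.ts) <= window]


def q_processes_after(timeline, anchor):
    return [e for e in timeline if e.source == "edr" and e.host == anchor.host
            and anchor.ts <= e.ts <= anchor.ts + timedelta(minutes=30)]


def q_other_hosts(timeline, anchor):
    return [e for e in timeline if e.source == "auth" and e.user == anchor.user
            and e.host != anchor.host and e.ts > anchor.ts]


PLAYBOOK = {
    "detection": "Successful login from an address outside the internal range",
    "hypothesis": "The account was used from outside the network by someone other than its owner",
    "questions": [
        ("Did the same account authenticate from other sources within 10 minutes of the alert?", q_other_sources),
        ("What processes started on the host in the 30 minutes after the login?", q_processes_after),
        ("Did the account log in to other hosts after the alert?", q_other_hosts),
    ],
}


def run_playbook(playbook, timeline) -> tuple[Event, dict[str, list[Event]]]:
    """Answer every playbook question against the timeline; returns the anchor and evidence per question."""
    anchor = find_alert(timeline)
    findings = {text: ask(timeline, anchor) for text, ask in playbook["questions"]}
    return anchor, findings


def render(events) -> list[str]:
    return [f"{e.ts:%H:%M:%S} [{e.source}] {e.host} {e.user}: {e.detail}" for e in events]


if __name__ == "__main__":
    tl = build_timeline(AUTH_LOG, EDR_EVENTS)
    anchor, findings = run_playbook(PLAYBOOK, tl)
    print("Hypothesis:", PLAYBOOK["hypothesis"])
    print("Anchor:", render([anchor])[0])
    for question, evidence in findings.items():
        print(question)
        for line in render(evidence):
            print("   ", line)
```

The questions are written down once, next to the hypothesis they test, so two analysts handling the same alert pivot through the same evidence in the same order; the answers (events, not a verdict) are what get plotted back onto the timeline, and the analyst still decides whether each cue is benign or malign.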
I would highly recommend you take this course if you would like to improve the consistency of your investigations, or if you want your team to speak a common language with a shared vocabulary so that meaning can be conveyed efficiently within the team during an active incident. Chris reviews your answers and provides some great feedback on your investigative questions and conclusions. There are some interesting exercises and labs where you can practice slow thinking and apply the investigative process from the course.