Narrowing Focus in Forensic Investigation

An incident responder is a storyteller. We tell the story of an attack sequence by gradually uncovering artifacts and indicators of compromise (IoC). One of our primary goals is to determine when the story started and find the key plot points along the way. As we piece the story together, we build a timeline of events. This is difficult, especially when provided with limited information and having to sort through vast data sets. By using the concept of narrowing focus, an incident responder can work efficiently and move swiftly to uncover the story and help a customer get back on their feet.

Over the years, I've used the following techniques to narrow focus of an investigation.

1. Building reference points 
2. Starting Indicators 
3. Novel Indicator of Compromise Collection
4. IoC Analysis
5. Time-based filtering

Key Investigation Reference Points 

Narrowing focus is the concept of drilling down from wide datasets to key reference points used to pivot the direction of a forensic investigation. Establishing reference points will eventually build a guiding timeline for the analyst to follow and supply the customer with critical information about an attack's sequence. Key reference points emerge when an IoC is first observed. We can establish new reference points by filtering data containing references to this IoC. If the IoC is observed earlier or later, we have a new reference point. Thus leading to the building and uncovering of noteworthy breach events. Let’s dig deeper. 

Starting Indicator 

Often, a compromise is detected in the middle or end of an attack sequence, such as when fraud is detected or when ransomware encrypts a company's files. An investigator is tasked with working backward to unravel the sequence of key attack events. We know we must look back, but the question becomes; how far?

When an incident is handed off to a responder, they may be supplied with a key date and time. This is our starting time indicator. The responder may also be provided with an IoC or can use this starting time indicator to find one. Think of an attacker's email address, file name, file hash, domain, or other IOoC that was observed at the starting time indicator. With these in hand, we can start working backward to build new reference points.

Moving Forward (or backward, if you will) 

Time-based techniques are effective ways to begin narrowing focus. Applying time-based filters can help establish how far back the attack may go and assist in attempts to identify patient 0 of the attack. Often, this is the most significant challenge of an investigation.

The analyst will take an established IoC and apply a time and date filter based on the starting time indicator to go back incrementally in an attempt to observe the IoC at a prior time. The following time sequence works efficiently. 

• All events containing the IoC 1 hour prior to reference point time  
• All events containing the IoC 12 hours prior to reference point time 
• All events containing the IoC 24 hours to prior reference point time 
• All events containing the IoC 3 days prior to reference point time 
• All events containing the IoC ..N days prior to reference point time 

Each time the filter is applied and results are returned, the responder collects a reference point. We do this until we identify the first entry an IOC is present. With these reference points in hand, the timeline begins to emerge. 

Novel IoC Collection 

Another way to narrow focus is to identify a novel IoC. When one IoC artifact stands out against the rest, it usually means we are onto something.

Unique and previously unseen IP addresses can help an investigator narrow focus and move in the right direction. An analyst can use one of the two following techniques:

1. Use geographic location to determine novelty. 
   1. Export a list of IPs and perform a bulk Whois lookup. Sort the output by Autonomous System or regional geolocation data. 
   2. Identify anomalous regions, such as logins from foreign IP addresses, and establish geographic novelty and uniqueness. 
   3. Subsequently, use this IP address to establish new reference points and narrow focus. 
2. Identify unique IP addresses in a log. 
   1. Perform counts on IP addresses in log entries. 
   2. We expect high login counts for authentications from legitimate users. We expect lower successful login counts from threat actors performing an attack.

Once the novel IP address is detected, we can search log data to determine the first time the novel IP was observed. Thus, additional reference points emerge.

IoC Analysis 

IP addresses, domains, and file hashes can be compared against threat intelligence sources to determine if they have been previously associated with a threat actor or campaign. Using this analysis technique, new reference points can be made for the following:

1. When was a domain first registered
2. Date of DNS resolution
3. When was a unique hash first submitted to the analysis platform
4. Historical Whois lookups
5. Historical SSL certificates
6. Related IOCs
7. Related TTPs

The above established reference points can be added to an analyst's ongoing list to help narrow focus and identify patient 0 of an attack.

Additional Tips 

Using the above will help create the timeline of key observed events, resulting in a clear picture of the investigated attack sequence. Here's a few bonus tips for building out the attack story.  

1. Interview IT Staff
   These are often the first individuals with eyes on the event and can help guide the initial scoping direction. They are a good source of starting reference points.
2. Deeply Analyze IoCs
   IoCs may have additional artifacts inside that can help guide the direction of an investigation. Script based IoCs are great for this scenario as they often contain reference to other hosts, domains, or attack infrastructure.
3. Enumeration Artifacts
   Enumeration artifacts tell an analyst exactly where the threat actor was in an attack sequence. These are great time-based references to pivot forward and backwards. 
4. Pivot Artifacts
   Attackers pivot to access other network resources and hosts. Depending on the direction of the pivot, we can conclude if a compromised host supersedes another.

Conclusions 

Using techniques to narrow focus in an incident investigation will result in a more clear and concise story of the incident. Building reference points over time will help a responder uncover key areas of risk and potential vulnerabilities associated with the attack. Ultimately, empowering business owners to remediate identified cybersecurity flaws and regain control of their IT assets, accounts, and critical infrastructure.