This is the second installment in our three-part EDR Matters blog series. In this series, Chris Hallenbeck, Director of Tanium’s Endpoint Detection and Response team, shares his personal views on how organizations can position themselves to be proactive, rather than purely reactive, when it comes to scoping, hunting, and analyzing incidents.
Investigation and forensic analysis capabilities are critical to an effective endpoint security strategy – and just as important as detection, remediation, and prevention. In fact, we advise our customers not to wait for an incident before conducting a hunt. We call this “proactive hunting,” and it starts with the assumption that an intrusion is underway which hasn’t been detected yet.
We see most organizations take a reactive, rather than proactive, approach to hunting. This means they tend to explore investigative tools from an alert-centric perspective. In the EDR and EPP space, this typically means alerting on a detection produced by structured intelligence, such as OpenIOC, Yara, or STIX, or expressions of behavior such as Tanium Signals.
In these cases, your EDR and EPP efforts will benefit from starting with:
- Time of alert or detection;
- Signal expression or intelligence that caused the alert;
- Matching endpoint data for the alert; and
- Impacted system(s).
Not all investigations start from alerts, however. For example, you might know when a rogue employee took actions and have a need to search a particular timeframe. In other cases, you may need to search for specific artifacts — for instance, when a malicious file slips past your email scanning appliances, or when a spreadsheet with employee evaluations begins floating around the office. Or, you might want to proactively look for anomalies extending into what’s known as “gray area” activity, considered to be too noisy for alerts.
No matter the starting point in the investigative workflow, you need a way to drill down into results and systems of interest and explore a timeline of events so you can develop a mental image of what has transpired. As an investigator, you must contend with the mountain of data continuously produced by systems during normal operations, so data enrichment – such as file reputation – can help distinguish between good and bad, and further refine your understanding of the incident.
Analysts have many different ways to approach and understand events. Some prefer pictures, link charts, and process trees, while others might prefer a text/tabular view. Your choice of EDR platform should allow you and your analysts to mix the data presentation styles.
Once you have found the initial systems of interest, it’s time to fill in gaps in what is known, and perhaps preserve evidence for later review or action. Your EDR solution should enable you to:
- Remotely retrieve files from disk.
- Remotely acquire memory, along with copies of other useful raw evidence (registry hives, browser data, linux/MacOS shell history, etc).
- Interact with and query off-network hosts, such as teleworkers.
- Save or bookmark events for later reference.
- Capture a snapshot of forensic telemetry data for preservation.
- Pivot between single-host deep dives and enterprise-wide searches.
- Iteratively search for other affected systems using IOCs you generate as your investigation progresses.
Intruders today rarely stop their intrusion with their initial malware infection. Upon gaining a foothold, they seek to expand their presence in your network, steal credentials, and use native tools to blend in with legitimate users. Nearly every multi-system incident response investigation turns into a hunting effort. Your investigative/response team will pivot to become a hunt team in order to close out the incident and ensure they’ve fully scoped it.
Inevitably, your investigation will reach a point where you’ll want to block the malicious activity. Will your EDR platform allow your or your analysts to pivot to creating protection or enforcement policies?
Investigation and forensic analysis: how Tanium can help
Tanium provides continuous recording of forensic telemetry to help you analyze and scope incidents. However, investigations need to go beyond the data captured by an endpoint “flight recorder.” Our Threat Response offering combines access to historical data with the ability to query current system state and files at rest, all at scale and with unimaginable speed. This includes real-time access to comprehensive sources of evidence, such as indices of all files on disk, native operating system artifacts, and the full contents of volatile memory. And, finally, it provides the opportunity to iterate on searches, experiment with ideas, and compare data in real time without the need for post-processing. For example, when you can collect data about persistence mechanisms from all systems in your environment and present it in a stacked manner, your analysts can spot outliers that may suggest malicious activity.
Tanium allows you to start from a blank canvas, but most organizations prefer to have a consistent core set of investigative workflows from which analysts should begin their work. To that end, the “Enterprise Hunting” area in Tanium Threat Response provides a suggested series of queries. An interactive selector allows you to narrow your investigative task by operating system, source of evidence, and phase of the attack lifecycle. Within Enterprise Hunting, Tanium provides built-in common uses allowing single-click access for analysts to pursue the hunt.
Incident Response completed: what’s next?
While the steps we’ve outlined above are crucial to helping you put an incident to bed, your work is really just beginning. Sure, you and your team can take pride that you’ve successfully reacted to initial alerting, scoped the event at scale, and gathered a wide range of data for your executive decision makers. You’ve generated IOCs to continually search out other impacted hosts, and conducted a hunt to validate the initial incident scoping. These are all essential parts of your response, and it’s satisfying to check off all those boxes. Next, you need to understand the root cause of the incident. And speed matters here, too.
The shorter the window from intrusion to detection to completion of your investigation, the more likely you are to discover the root cause. For example, the incident may have been facilitated by poor system configuration or missing patches. In this case, it’s important to answer the following questions:
- Do your security teams have visibility into the progress of patching or configuration changes?
- Who will clean the infected systems, and how will that be tracked?
- In an emergency, such as WannaCry, can your security organization give the IT operations teams a helping hand to apply a one-off patch or disable a vulnerable service?
As discussed, most investigations can turn into a hunt, but your organization shouldn’t wait for an incident before you conduct a hunt. Increasingly there is a realization that intrusions are inevitable, but long dwell times for the adversary in your network don’t have to be a given. Proactive hunting starts with the assumption that an intrusion is underway which hasn’t been detected yet.
Will your EDR platform position you to be purely reactive, or can you proactively hunt enterprise-wide, for anomalous behavior efficiently and conduct investigations when necessary?
In part one of our EDR Matters blog series, we explore the investigation phase of the process and review how the Tanium platform can be used to gain more control and flexibility.
Like what you see? Click here and sign up to receive The Tanium 10 in your inbox every Friday.