@jandre
Last active March 28, 2016 18:31
Alert triage questions

Some sample questions a security team may ask when triaging events that come from a SIEM/Log Management or directly via a H(N)IDS.

The exact information an analyst needs to triage an alert varies with the type of event and its source.

Alert triage usually happens in the 'event handling' process -> before a 'security incident' is declared and a more detailed investigation is needed. However, in smaller SOCs with less rigor, the process is often compressed - e.g., the same person who is triaging -> performs the more detailed investigation, forensics, and other processes that are needed to proceed with incident response. Answering some of the questions below may fall into these later phases rather than being pure 'triage' tasks.

Domain/Hostname information

  • What hostname(s) correspond to the IP addresses (reverse IP lookup)? (e.g., does 123.44.5.55 resolve to google.com, or to badmailserver.ru?) Do the hostnames appear to be suspicious, or valid business activity?

    • Answer using: nslookup, dig, or other DNS tools.

  • Who owns the domains (e.g. for reverse lookups or HTTP activity)? Do the owners appear to be suspicious? Was the domain registered recently?

    • Answer using: whois for public traffic

  • Do the 'talkers' represent internal or external traffic?

    • Answer using: IANA routes, Configuration Management systems, firewall rules, cloud or virtualization APIs (e.g. OpenStack, VMware, AWS)

  • For internal devices, what network segment do the talkers live in?

Device Profile

  • What are the roles of the devices? Are they endpoints, network devices, internal app servers, domain controllers? These answers can help prioritize an alert and also give context as to whether or not the attack matters.

  • What vulnerabilities are present on the device? Do the vulnerabilities correspond to the attacks?

    • Answer using: latest vuln scans, config management systems

SSL Traffic

  • Does this represent SSL traffic?

  • If so, are the certificates self-signed? Are the signers of the certificate suspicious in any way?

  • For a public certificate, is the signer of the certificate different from the known public certificate (SSL MITM)?

Traffic analysis

  • Do these ports correspond to known or common network services? (E.g., 80/tcp => HTTP vs 12345/tcp)

  • What kind of traffic/protocol does this really represent? Is the traffic non-standard for my business? (e.g. Tor, IRC, or other services)

  • Does this traffic represent tunneling or atypical network services running on a port? (e.g. running IRC or HTTP over a non-HTTP port)

  • Does the traffic resemble Botnet Command & Control traffic or otherwise look abnormal?

    • HTTP traffic that does not return web activity

    • Regular HTTP requests to the same site that return only a small response (e.g., a single image)

  • Is the traffic encrypted when the traffic on this port is typically NOT encrypted?

  • Are the hostnames or IP addresses known-bad or malicious actors as tracked by a threat intelligence service?

  • Does the traffic represent a 'listening' inbound port on an internal system, vs outbound? (Listening ports are more suspicious, especially if the system is a workstation endpoint)

  • Is the traffic 'new'? (E.g., a machine suddenly started listening on port 8080 a day ago)

    • Answer using: endpoint analytics/logs, firewall traffic queries
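The Domain/Hostname and Traffic analysis questions above can be scripted into an enrichment step that runs before an analyst looks at the alert. The following is an added example, not code from the gist: a Python routine that answers the internal/external, reverse-DNS, threat-intel, common-port and new-listener questions from constructed lookup tables (standing in for IPAM/CMDB exports, nslookup/dig output, a threat-intel feed and a listener baseline) and turns the findings into a rough priority score. All addresses, hostnames, segment names and scoring weights are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lookup data (assumption): stands in for IPAM/CMDB exports, nslookup/dig output
# and a threat-intel feed. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEGMENTS = {ipaddress.ip_network("10.10.0.0/16"): "workstations",
            ipaddress.ip_network("10.20.0.0/16"): "app-servers",
            ipaddress.ip_network("10.30.0.0/24"): "domain-controllers"}
COMMON_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https", 3389: "rdp"}
PTR = {"203.0.113.7": "badmailserver.example", "198.51.100.10": "cdn.example.net"}
THREAT_INTEL = {"203.0.113.7", "badmailserver.example"}
BASELINE_LISTENERS = {"10.10.4.21": {135, 445}}  # ports each host already served

@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str  # "inbound" (dst_ip is the internal host) or "outbound"

def segment_of(ip: str):
    """Network segment for internal talkers, None for external ones."""
    addr = ipaddress.ip_address(ip)
    for net, name in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown-internal" if any(addr in n for n in RFC1918) else None

def triage(a: Alert):
    """Answer the hostname, ownership, port and listener questions for one alert;
    returns (findings, score) where score is a rough priority with assumed weights."""
    findings, score = [], 0
    def note(msg: str, points: int) -> None:
        nonlocal score
        findings.append(msg)
        score += points
    for ip in (a.src_ip, a.dst_ip):
        host = PTR.get(ip, "<no PTR>")  # reverse lookup (nslookup/dig)
        if segment_of(ip) is None:
            note(f"{ip} ({host}) is an external talker", 1)
        if ip in THREAT_INTEL or host in THREAT_INTEL:
            note(f"{ip} / {host} is known-bad per threat intel", 3)
    if a.dst_port not in COMMON_PORTS:
        note(f"{a.dst_port}/tcp is not a common service port", 2)
    # A port outside the host's listener baseline is the 'new' inbound case; workstations rank higher.
    if (a.direction == "inbound" and segment_of(a.dst_ip) == "workstations"
            and a.dst_port not in BASELINE_LISTENERS.get(a.dst_ip, set())):
        note(f"new listener {a.dst_port}/tcp on workstation {a.dst_ip}", 2)
    return findings, score
```

In a real pipeline the tables would be replaced by live DNS, CMDB and threat-intel queries, but the decision logic stays the same.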

User profile

  • For internal endpoints, who is the owner of the endpoint? Is it a user (for workstations)? Which department?

Host

Behavior / Role profiling

  • For endpoint process/application alerts, is the activity typical of the role? E.g., launching chrome.exe == normal for most users, but compiling using gcc is probably typical only for developers.

Malware

  • Is the binary filename, hash, or other static indicator in the binary known-bad?

  • Is the binary behavior associated with known threat activity (e.g. writing to a registry key, other TTPs)?
