Investigation Cycle

The investigation cycle is a tool you can use to guide your investigation efforts. Work through the phases in this topic to perform an effective analysis of items in your environment.

Investigation cycle overview

The following diagram, Investigation Cycle, shows the phases you work through when investigating.


Phase 1: Choose your approach

You have several approaches to choose from. Each approach is described below.

Lead-based

Using this approach, you start your investigation with a specific item or behavior of interest.

For example, when you view MalOp details, you may find a process that you did not expect, or one that behaved in an unexpected way. That process can be the starting point of an investigation as you search for more information about it.

Leads can come from MalOp details, threat intelligence you received, items of interest found in previous hunts, and so forth.

Attack lifecycle

In this approach, you search for behaviors associated with different stages of the attack lifecycle. For example, you can:

  • Search for processes transmitting large amounts of data, a behavior seen in the Data Theft stage

  • Search for connections to a known malicious address, a possible sign of communication with a Command and Control server

  • Search for processes that elevated their privilege to SYSTEM, which is symptomatic of the privilege escalation stage (many legitimate Windows services also run as SYSTEM, so look at how the process reached that level, not only at the level itself)

Internal investigation

This approach focuses on specific points of interest within your organization. You select specific departments, users, or machines and review the activity on those machines.

For example, you could look at the machines of all upper management for evidence of data theft. Alternatively, you could focus on all the machines in a department that has suffered attacks in the past.

Freestyle

This approach involves random surveys across your organization. You look for a specific item - such as a file hash or certain behavior - and sample randomly across your organization.

Emerging threats

This approach focuses on the behavioral characteristics of a newly reported threat rather than on static indicators such as a hash, which change quickly between samples.

For example, for a new type of malware, you can search for the behaviors that the malware is reported to use, such as launching new processes through WMI.

Once you select an appropriate approach, you are ready to begin.
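The three attack lifecycle hunts listed above, run over a few constructed telemetry records, as an added example. This is not code from the Cybereason documentation and not the platform's query language; the record layout, the field names, the hostnames, the addresses and the volume threshold are all assumptions chosen for illustration. The privilege escalation hunt compares a process with its parent rather than matching every SYSTEM process, which is the caveat a hunt on "runs as SYSTEM" alone would miss.

```python
"""Attack-lifecycle hunts over constructed endpoint telemetry.

Added example, not part of the Cybereason page and not its query language.
Record layout, hostnames, addresses and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample telemetry: one dict per process and per connection.
PROCESSES = [
    {"pid": 4012, "machine": "WS-FIN-07", "name": "backup.exe",
     "user": "jsmith", "parent_user": "jsmith"},
    {"pid": 5120, "machine": "WS-FIN-07", "name": "svc_updater.exe",
     "user": "SYSTEM", "parent_user": "jsmith"},
    {"pid": 772, "machine": "WS-HR-02", "name": "services.exe",
     "user": "SYSTEM", "parent_user": "SYSTEM"},
]
CONNECTIONS = [
    {"pid": 4012, "machine": "WS-FIN-07", "dst": "203.0.113.10", "bytes_out": 900_000_000},
    {"pid": 4012, "machine": "WS-FIN-07", "dst": "203.0.113.10", "bytes_out": 400_000_000},
    {"pid": 5120, "machine": "WS-FIN-07", "dst": "198.51.100.23", "bytes_out": 2_048},
    {"pid": 772, "machine": "WS-HR-02", "dst": "10.0.0.5", "bytes_out": 12_000},
]
# Constructed threat-intel list (documentation address range, not a real indicator).
MALICIOUS_ADDRESSES = {"198.51.100.23"}


def hunt_data_theft(connections, threshold_bytes=1_000_000_000):
    """Data Theft stage: processes whose total outbound volume reaches the threshold.

    Volume is summed per (machine, pid) so that many medium-sized transfers
    to the same place are caught, not only one large one.
    """
    totals = defaultdict(int)
    for c in connections:
        totals[(c["machine"], c["pid"])] += c["bytes_out"]
    return sorted(key for key, total in totals.items() if total >= threshold_bytes)


def hunt_c2(connections, bad_addresses):
    """Command and Control stage: any connection to a known malicious address."""
    return sorted({(c["machine"], c["pid"], c["dst"])
                   for c in connections if c["dst"] in bad_addresses})


def hunt_privilege_escalation(processes):
    """Privilege escalation stage: process runs as SYSTEM but its parent did not.

    Matching 'user == SYSTEM' alone would flag every Windows service, so the
    hunt keys on the transition from a non-SYSTEM parent to a SYSTEM child.
    """
    return sorted((p["machine"], p["pid"], p["name"]) for p in processes
                  if p["user"] == "SYSTEM" and p["parent_user"] != "SYSTEM")


def run_hunts(processes=PROCESSES, connections=CONNECTIONS, bad=MALICIOUS_ADDRESSES):
    """Run all three hunts and return the hits per lifecycle stage."""
    return {
        "data_theft": hunt_data_theft(connections),
        "c2": hunt_c2(connections, bad),
        "privilege_escalation": hunt_privilege_escalation(processes),
    }


if __name__ == "__main__":
    for stage, hits in run_hunts().items():
        print(f"{stage}: {hits}")
```

Each hit is a (machine, pid, ...) tuple, which is the lead you carry into Phase 2; a process that appears in more than one stage (here pid 5120, which both elevated and reached a listed address) deserves the first look.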

Phase 2: Pick a starting point

Based on your investigation method, choose an item from which to launch your investigation. This can be something you do not understand or suspect might be malicious.

For example, for the lead-based approach, start with MalOps in your Malops management screen and put together a list of leads. You could also start with an item from threat intel that is a known indicator of compromise. For an attack lifecycle approach, pick behaviors used in different parts of the attack cycle.

Phase 3: What is it?

From the reported data, try to determine what the suspicious item or activity is. You can:

  • Compare the suspicious item with the known, expected activity on the same machine and on similar machines in your environment

  • View the item’s properties

  • Search the Internet and threat intelligence sources

  • Use the File Search feature to search for and view malicious files on your organization’s machines.

Use the information you collect from these sources to form an informed assessment of what the item is.

Phase 4: What is it doing now?

Use the data collected from the Cybereason platform to figure out what is happening at this moment.

  • If you chose your lead from a MalOp, look at the timeline in the Malop details screen.

  • If you are using the Investigation screen, look in the Element details screen.

From these details, determine the characteristics of the item, including related processes, which can help you determine what the item is trying to accomplish.

For some items, the Attack Tree provides a useful visualization of the item over time. For details on the Attack Tree, see Hunt with the Attack Tree.

Note

Some details reflect the state at the time of collection, not at the present moment. These include items that can be deleted, such as files, registry entries and scheduled tasks, so an item shown as present may already have been removed from the machine.

Phase 5: Is it supposed to be here?

By now you have a better idea of what the item is doing and how it interacts with your environment, so you can determine whether it is legitimate.

  • If the item you are investigating is legitimate: If this item is part of a MalOp, you can respond to the MalOp by using the ‘Malop is benign - Exclude’ option from the Malops management screen’s response dialog box.

  • If the item you are investigating is NOT legitimate: Continue your investigation with Phase 6.

  • If you are unsure whether the item you are investigating is legitimate or not: Continue your investigation with Phase 6.

Phase 6: To whom is it talking?

Determine who the item is communicating with. From the MalOp details and Element details screens in the Cybereason interface, investigate parent and child processes, connections, and affected users and machines.

Also in this case, the Attack Tree visualization provides a useful context.

Phase 7: Why is it running?

What process or action caused the item to run on the machine? Look at the parent process, the user context, and any persistence mechanism such as a service, scheduled task or registry entry that launches it. The answer may also help you determine whether the item is legitimate or malicious.

Phase 8: Where else can I find it?

Conduct wide searches across your environment, for example by file hash, file name, process name or destination address, to see which other machines the item is present on.
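Phases 6 through 8 are all pivots from one lead across the environment. The following is an added example of that pivot over a constructed process inventory; it is not code from the Cybereason page or the platform's API, and the record layout, hash values, hostnames and addresses are placeholders. It goes one step beyond the text by also reporting files that share the lead's name but carry a different hash, a common sign of masquerading or of a legitimate copy that the lead is imitating.

```python
"""Pivot from one lead (a file hash) across constructed endpoint inventory.

Added example, not part of the Cybereason page and not its API.
Inventory layout, hashes, hostnames and addresses are constructed placeholders.
"""

INVENTORY = [
    {"machine": "WS-FIN-07", "pid": 4012, "name": "backup.exe", "sha256": "aa11",
     "parent": "explorer.exe", "user": "jsmith", "launched_by": "user",
     "dsts": ["203.0.113.10"]},
    {"machine": "WS-FIN-11", "pid": 300, "name": "backup.exe", "sha256": "aa11",
     "parent": "svchost.exe", "user": "SYSTEM", "launched_by": "scheduled task",
     "dsts": ["203.0.113.10"]},
    # Same file name, different hash: the vendor's real backup tool on another host.
    {"machine": "WS-HR-02", "pid": 912, "name": "backup.exe", "sha256": "bb22",
     "parent": "services.exe", "user": "SYSTEM", "launched_by": "service",
     "dsts": ["10.0.0.5"]},
    {"machine": "WS-FIN-07", "pid": 5120, "name": "svc_updater.exe", "sha256": "cc33",
     "parent": "backup.exe", "user": "SYSTEM", "launched_by": "user",
     "dsts": ["198.51.100.23"]},
]


def pivot(lead_sha256, inventory=INVENTORY):
    """Answer Phases 6, 7 and 8 for one hash in a single pass over the inventory."""
    hits = [r for r in inventory if r["sha256"] == lead_sha256]
    names = {r["name"] for r in hits}
    hit_pids = {(r["machine"], r["name"]) for r in hits}
    return {
        # Phase 8: where else is it?
        "machines": sorted({r["machine"] for r in hits}),
        # Phase 6: to whom is it talking, and which children did it spawn?
        "talks_to": sorted({d for r in hits for d in r["dsts"]}),
        "children": sorted((r["machine"], r["name"]) for r in inventory
                           if (r["machine"], r["parent"]) in hit_pids),
        # Phase 7: why is it running?
        "launched_by": sorted({(r["parent"], r["launched_by"]) for r in hits}),
        "users": sorted({r["user"] for r in hits}),
        # Extra check: same name elsewhere, but a different hash.
        "same_name_other_hash": sorted({(r["machine"], r["sha256"]) for r in inventory
                                        if r["name"] in names and r["sha256"] != lead_sha256}),
    }


if __name__ == "__main__":
    for key, value in pivot("aa11").items():
        print(f"{key}: {value}")
```

The "launched_by" result is what separates a user double-clicking an installer from a scheduled task that re-launches the file after a reboot; the second case means there is a persistence mechanism to remove in Phase 9 as well as the file.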

Phase 9: What actions do I take now?

After Phase 8, ask yourself again if the item is legitimate. If you are unsure, continue investigating or leave the item on your list of leads. If you are able to determine the legitimacy of an item, you can perform actions such as:

  • Remediate the MalOp (if you began your investigation from a MalOp) - use the available Cybereason remediation functionality to address the item in question. For details on these remediation options, see Understand Threat Activity.

  • Leave the item alone if it is benign.

  • Continue monitoring the process or item.

  • Add the item to your allowlist or create a behavioral allowlisting rule if the item is legitimate.

  • Add the item to your blocklist if the item is not legitimate.