Investigation Model

NetWitness Investigation Model

The Investigation model organizes content, with the purpose of delivering an accurate path to information security incident response. This is a hierarchical model, four levels deep.

Threat

• Attack Phase

  • Reconnaissance
  • Delivery
  • Exploit
  • Installation
  • Command and Control

  • Action on Objectives

    • Lateral Movement

    • Data Exfiltration

    • Data Sabotage

    • Denial of Service

• Malware

  • Remote Access Trojans
  • Crimeware
  • Web Shells
  • Key Loggers

Identity

• Authentication

• Authorization

• Accounting

• Behavior Analytics

  • Entity Monitoring

  • User Mapping

Assurance

• Governance

  • Active Violations
  • Enforcement

• Risk

  • Vulnerability Management
  • Organizational Hazard
  • Enterprise Intelligence

• Compliance

  • Corporate
  • Audit

Operations

• Situation Awareness

• Event Analysis

  • Application Analysis
  • Protocol Analysis
  • File Analysis
  • Flow Analysis
  • Filters
  • Log Analysis

The Investigation Feed uses this complete model. The Live Content Search Tags uses the top two levels of this model.

Model Hierarchy

The objective of each category is to catalog existing and upcoming content with an Incident Response service-based approach. This is done to maintain mission critical revenue, protect customer data and branding, as well as to drive information security programs forward in response maturity.

This content strategy focuses on highlighting key pieces of information within an Enterprise network and log capturing environment and strives to make this data readily available for consumption and dissemination. This model aims to aid in the discovery of the preliminary and often responsive data mining tasks related to information security services.

Threat

The Threat category accounts for content that may directly lead to security incident investigations when observed on a high value corporate asset or target.

Examples

If the source host in question is identified as being compromised, we can apply this activity to an attack phase describing pivoting within an environment.

The distinction in specific malware situates this content in the family-type malware subtag.

Attack Phase

The intent of attack phase content is to assist incident response practitioners with the escalation, remediation or classification of observed indicators of compromise activity. This content makes use of organized threat intelligence and provides a template for incident response operations tasked at monitoring and detecting indicators in a given dataset. The attack phases are a procedural set of stages that can be carried out in a variety of ways and over a long period. An example of attack phase content would be a rule that leverages any of the stages listed below.

• Reconnaissance: attacker attempts to gain information about the target before the attack begins.
• Delivery: the attacker sends the malicious code to the victim.
• Exploitation: the actual execution of the exploit (only relevant when the attacker uses an exploit).
• Installation: the installation of malware onto the affected computer.
• Command & Control (aka "C2"): the attacker creates a command and control channel in order to continue to operate internal assets remotely.

• Action on Objectives: the attacker performs the steps to achieve actual goals inside the victim’s network. Possible sub-values are as follows:

  • Enumeration
  • Lateral Movement:
  • Data Exfiltration:
  • Data Sabotage:
  • Denial of Service (aka "DDoS"):

Malware

While some known malicious behavior can be attributed to actors that have high-end intelligence, suspicious behavior can be classified independently of threat portal intelligence. Taking this approach eliminates the downside of associating a certain behavior to one actor only and better permits NetWitness to detect new threats or TTP not already defined.

Breaking malware into certain family types helps content engineers to easily update any parsers or application rules that may reference a new malware variant. Response priorities can differ amongst organizations in relation to the diversity of malware types.

• Remote Access Trojans: Remote Access Trojans are an obvious indication that your network is actively compromised. ASOC Analytical Services recommends high response priorities be set when a remote access Trojan signature is generated
• Crimeware: Crimeware is currently a huge part of the Internet. Thus, it deserves a place in a response program’s standard operational intake and remediation efforts. Heightened awareness on this malware type would be logical within organizations saturated with confidential identity and financial-based information.
• Web Shells: Web shells are an obvious indication there is active compromise. Content related to web shells should be highlighted and escalated with a sense of urgency.
• Key Loggers: Key loggers can be packaged up in exploit kits or delivered via spyware. Key logger content can take the form of intrusion detection signature identification numbers, or antivirus filename matches based off Virus Total analysis. Examples are aimed at identifying key loggers that do not solely utilize packet capture.

Identity

The Identity category accounts for content used in the identification or mapping of users and entities.

Identity content data is heavily utilized in response operations for validation of a particular IP address and associated end user. It classifies specific evidentiary logs to assist in incident response, and provides a means to create a baseline for NetWitness.

Examples

This rule is used to highlight any accounts created in a collection. The data represented in the t escalation can be intelligence that is utilized during the corporate auditing process.

This rule is used to highlight any successful account authentications in a collection. The data represented in this content can also be utilized during the auditing process.

Detects multiple account lockouts reported for a single or multiple users within a given time window.

Authentication

Authentication is the act of giving a user access to secure systems based on user credentials that imply authenticity. For example, the act of logging onto a system. The ways in which someone may be authenticated fall into three tags, based on what are known as the factors of authentication: something the user knows, something the user has, and something the user is.

Authorization

The process of enforcing policy as in available activities, resources, services or overall user access. For example, elevated privilege, password modifications, distribution lists, and lockout activity.

The above rule tags all accounts disabled in a windows collection.

Accounting

The accounting tag contains content that measures resources utilized by a given user. This can include any of the following:

• the amount of data a user has transferred during a session
• remote access session information
• file share activity
• the overall audit of a user footprint

The above content summarizes activity on a network based on a list of source IP addresses. The report includes bandwidth utilization, risk alerts, threats, top destinations, OS types, browsers and clients

Behavior Analytics

The goal of behavior analytics is to determine base lines in user behavior. Base lines are necessary for determining abnormality within overall network utilization. Behavior Analytical content helps to promote data science and user- and entity-based analytics. Within NetWitness, a variety of content has already been utilized in ESA proof of concepts, which visualized host and user relationships based on MAC address, IPv4, hostname and username data from specific windows, DHCP and VPN logs.

• Entity Monitoring: An example of content in this subgroup could be the monitoring of the various types of administrator accounts on a corporate network. Many organizations have exclusive user names for these elevated accounts, or bind them to an associated group within active directory. Collecting, cataloging and embedding this enterprise intelligence within the content model is essential in maintaining a security program.
• User Mapping: Between employees adding their own devices to a network, and having multiple users on a machine, asset management can quickly become a difficult task for analysts. Any data that represents entity correlation can be stored and cataloged in this subgroup. The underlying function of this content is to associate and identify end users while they access the network.

Assurance

The Assurance category contains content that:

• determines the corporate security posture (governance)
• adheres to internal and external audits (compliance)
• manages overall risk within the enterprise (risk)

The governance, risk, and compliance aspects of security are paramount in enabling customers to alleviate and fulfill industry requirements.

Examples

The above rule detects web browsing agents not issued during standard corporate deployments, adding to the summary of overall risk exposure.