In Q1, we released new tools to assist cybersecurity incident responders. One of those new features, a root cause analysis tool, is designed to help IR teams trace the source of suspicious activity or identified threats across their environment. This blog introduces the new root cause analysis (RCA) feature, Activity Trace, and how it can help you during proactive threat hunting and incident response investigations.
What is Activity Trace?
When responding to a breach, knowing which systems are compromised is a good start, but quickly correlating across your network to determine the size and scope of the breach is paramount. Activity Trace correlates and combines the historical activity (events) of identified threats and malicious leads flagged by our threat hunting application, Infocyte HUNT, to build an activity timeline.
This timeline includes events like file creation, file modification, process execution, and user login events. These events are organized chronologically and combined into a single timeline, so incident responders can get a clear picture of how the attack started, where, and when — in addition to how it has evolved and moved laterally through your IT environment over time.
While this timeline view is very helpful for developing threat hunting and incident response stories, it also helps system administrators and IT professionals understand what is happening across their network…
Activity Trace gives a quick overview of how software is making its way through your environment, including where it started (patient zero). This is useful for tracking both malicious and non-malicious software, and the same time/activity tracking can flesh out your IT asset discovery process (which software is in use, by whom, and in which segments of the network).
Using Activity Trace for Root Cause Analysis (RCA)
Incident response practitioners use timelines to order events in their most logical fashion. This view paints a clearer picture of where patient zero most likely is. For example, if a user was detected running a malicious program today, looking at that user's activity over the past week or month may indicate whether the account was compromised at an earlier date and time.
If the suspected user only routinely accesses one or two workstations, and then suddenly accesses several hosts, there is a good chance the account in question is being used for lateral movement within the network.
Similarly, if a malicious application passes undetected for some time and later threat intelligence catches it and determines it is malicious, then being able to see a historical timeline will reveal important info like what other systems the application has been on (even if the application is no longer on that system) and what accounts may have been affected by the app. This additional information is very helpful during IR investigations and remediation efforts.
Most importantly, Activity Trace provides insights to Incident Responders and Threat Hunters, allowing them to answer common questions without requiring third party tools or custom spreadsheets. Activity Trace also includes historical data from before the installation of Infocyte HUNT and our first scan.
By collecting, combining, and visualizing the file timestamps and process start times captured by Activity Trace, our RCA tool can extend a timeline back months or even years. Being able to scan now and build a timeline from data that predates the tool's installation is extremely helpful; prior to Activity Trace, our threat detection and IR platform lacked this capability. One caveat when leaning on historical artifacts: file timestamps are attacker-controllable (timestomping), so corroborate an unusually old or suspiciously round timestamp with other artifacts before anchoring a root cause on it.
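To make the timelining and lateral-movement reasoning above concrete, here is an added Python illustration. It is not Infocyte's code and does not describe how Activity Trace is implemented internally; it simply builds one chronological timeline from constructed logon, file-creation and process-start artifacts, flags the "one or two workstations, then suddenly many hosts" pattern for an account, and walks back to the earliest host carrying the malicious file's hash. All hostnames, the user, the paths and the hash are hypothetical sample data.

```python
"""Added example: minimal cross-host timeline and root cause helper.
Hosts, users, paths and the hash below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "logon" | "file_created" | "process_start"
    detail: str        # logon type, file path or image name
    sha256: str = ""   # set only on file/process artifacts


MAL_HASH = "ab12" * 16   # hypothetical hash of the malicious binary
MAL_PATH = r"C:\Users\jdoe\AppData\Local\Temp\svchost_update.exe"


def _e(ts, host, user, kind, detail, sha256=""):
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M"), host, user, kind, detail, sha256)


# Constructed artifacts. During the baseline week jdoe only touches WS-012 and WS-013.
EVENTS = []
for d in range(1, 8):
    EVENTS.append(_e(f"2019-03-{d:02d} 08:05", "WS-012", "jdoe", "logon", "console"))
    if d % 2 == 0:
        EVENTS.append(_e(f"2019-03-{d:02d} 13:10", "WS-013", "jdoe", "logon", "rdp"))
EVENTS += [
    # Day 5: the binary first lands and runs on jdoe's own workstation (patient zero).
    _e("2019-03-05 14:31", "WS-012", "jdoe", "file_created", MAL_PATH, MAL_HASH),
    _e("2019-03-05 14:32", "WS-012", "jdoe", "process_start", "svchost_update.exe", MAL_HASH),
    # Day 8: the same account fans out to hosts it never used before.
    _e("2019-03-08 08:03", "WS-012", "jdoe", "logon", "console"),
    _e("2019-03-08 09:10", "SRV-FILE01", "jdoe", "logon", "network"),
    _e("2019-03-08 09:12", "SRV-FILE01", "jdoe", "file_created", r"C:\Windows\Temp\svchost_update.exe", MAL_HASH),
    _e("2019-03-08 09:22", "SRV-DB02", "jdoe", "logon", "network"),
    _e("2019-03-08 09:40", "WS-044", "jdoe", "logon", "rdp"),
    _e("2019-03-08 09:41", "WS-044", "jdoe", "file_created", r"C:\Windows\Temp\svchost_update.exe", MAL_HASH),
    # The execution on WS-044 is the alert that starts the investigation.
    _e("2019-03-08 09:42", "WS-044", "jdoe", "process_start", "svchost_update.exe", MAL_HASH),
    _e("2019-03-08 09:55", "WS-051", "jdoe", "logon", "rdp"),
]


def build_timeline(events):
    """One chronological timeline across hosts, users and artifact types."""
    return sorted(events)  # Event is ordered by its first field, ts


def hosts_per_day(events, user):
    """Distinct hosts `user` logged on to, keyed by calendar day."""
    days = defaultdict(set)
    for ev in events:
        if ev.user == user and ev.kind == "logon":
            days[ev.ts.date()].add(ev.host)
    return days


def flag_lateral_movement(events, user, baseline_days=7, factor=2):
    """Flag days on which `user` touched more than `factor` times the largest
    daily host count seen in the preceding `baseline_days` days."""
    days = hosts_per_day(events, user)
    flagged = []
    for day in sorted(days):
        window = [len(days[d]) for d in days if day - timedelta(days=baseline_days) <= d < day]
        if not window:
            continue  # no history to compare against yet
        baseline = max(window)
        if len(days[day]) > factor * baseline:
            flagged.append((day, sorted(days[day]), baseline))
    return flagged


def patient_zero(events, sha256):
    """Earliest artifact carrying the hash, even if the file was later deleted."""
    hits = [ev for ev in build_timeline(events) if ev.sha256 == sha256]
    return hits[0] if hits else None


def affected(events, sha256):
    """Every host the hash appeared on and every account that handled it."""
    hosts, users = set(), set()
    for ev in events:
        if ev.sha256 == sha256:
            hosts.add(ev.host)
            users.add(ev.user)
    return hosts, users


def rca_report(events, sha256):
    pz = patient_zero(events, sha256)
    hosts, users = affected(events, sha256)
    lines = [f"patient zero: {pz.host} at {pz.ts:%Y-%m-%d %H:%M} ({pz.kind} by {pz.user})",
             f"hosts touched: {', '.join(sorted(hosts))}",
             f"accounts involved: {', '.join(sorted(users))}"]
    for user in sorted(users):
        for day, day_hosts, baseline in flag_lateral_movement(events, user):
            lines.append(f"{user} on {day}: {len(day_hosts)} hosts (baseline {baseline}) -> possible lateral movement")
    return "\n".join(lines)


if __name__ == "__main__":
    for ev in build_timeline(EVENTS):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.host:<10} {ev.user:<6} {ev.kind:<13} {ev.detail}")
    print(rca_report(EVENTS, MAL_HASH))
```

Two design points worth noting. The root cause is found by sorting artifacts by time rather than by the order alerts arrived, which is why the first execution on WS-012 three days earlier surfaces even though the alert fired on WS-044. And the lateral-movement heuristic is deliberately relative to the account's own baseline (five hosts in a day is normal for an admin but not for jdoe), so it needs the prior week of logons to say anything at all.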
To recap, our new root cause analysis tool, Activity Trace:
- Is the first step in being able to automate a key component of incident response investigations: timelining.
- Enables cybersecurity incident responders to easily pivot on user accounts, files, processes, scripts, and host timelines across thousands of endpoints and servers — physical or virtual.
- Generates chronological timelines using forensic artifacts and logs — unlike most EDR platforms and tools (e.g. Sysmon), Infocyte does not have to be present at the time of the incident to identify the root cause or patient zero.
- Can be used to identify root cause (patient zero systems and hosts) of ransomware attacks and other types of advanced cyber attacks involving lateral movement.
Contact us to learn more about proactive threat hunting, incident response, and request a demo of Infocyte HUNT.