Root Cause Analysis: Finding Patient Zero During a Cyber Security Incident
Our New Root Cause Analysis Tool is Designed to Help IR Teams Trace the Source of Suspicious Activity
In Q1, we released new tools to assist cybersecurity incident responders. One of those new features is a root cause analysis tool, is designed to help IR teams trace the source of suspicious activity or identified threats across their environment. This blog introduces the new root cause analysis (RCA) feature, Activity Trace, and how it can help you during proactive threat hunting and incident response investigations.
What is Activity Trace?
When responding to a breach, knowing which system(s) is/are compromised is a great start, but a quick correlation across your network to determine the size and scope of the breach is paramount. Activity Trace correlates and combines the historical activity (events) of identified threats and malicious leads flagged by our threat hunting application, Infocyte HUNT, to build an activity timeline.
This timeline includes events like file creation, file modification, process execution, and user login events. These events are organized chronologically and combined into a single timeline, so incident responders can get a clear picture of how the attack started, where, and when — in addition to how it has evolved and moved laterally through your IT environment over time.
While this timeline view is very helpful for developing threat hunting and incident response stories, it also helps system administrators and IT professionals understand what is happening across their network…
Activity Trace allows a quick overview of how software might be making its way through your environment — including where it started (patient zero). This is helpful for tracking malicious and non-malicious software usage and these time/activity tracking features can help flesh out our IT asset discovery process (software in use, by whom, in what segments of the network, etc.).
Using Activity Trace for Root Cause Analysis (RCA)
Incident Response practitioners use timelines as a way to order events in their most logical fashion. This view paints a clearer picture of where patient zero is most likely to exist. For example, if a user was detected to have run a malicious program today, looking at their activity over the past week or month might indicate if that account was compromised at an earlier date/time.
If the suspected user only routinely accesses one or two workstations, and then suddenly accesses several hosts, there is a good chance the account in question is being used for lateral movement within the network.
Similarly, if a malicious application passes undetected for some time and later threat intelligence catches it and determines it is malicious, then being able to see a historical timeline will reveal important info like what other systems the application has been on (even if the application is no longer on that system) and what accounts may have been affected by the app. This additional information is very helpful during IR investigations and remediation efforts.
Most importantly, Activity Trace provides insights to Incident Responders and Threat Hunters, allowing them to answer common questions without requiring third party tools or custom spreadsheets. Activity Trace also includes historical data from before the installation of Infocyte HUNT and our first scan.
By collecting, combining, and visualizing file timestamps and process start times that are captured by Activity Trace, our RCA tool can extend back months or even years! Being able to scan now and timeline data from before our tool was installed is extremely helpful, prior to Activity Trace, our threat detection and IR platform lacked this capability.
To recap, our new root cause analysis tool, Activity Trace:
- Is the first step in being able to automate a key component of incident response investigations: timelining.
- Enables cybersecurity incident responders to easily pivot on user accounts, files, processes, scripts, and host timelines across thousands of endpoints and servers — physical or virtual.
- Generates chronological timelines using forensic artifacts and logs — unlike most EDR platforms and tools (e.g. Sysmon) Infocyte does not have to be present at the time of the incident to identify the root cause or patient zero.
- Can be used to identify the root cause (patient zero systems and hosts) of ransomware attacks and other types of advanced cyber attacks involving lateral movement.
Contact us to learn more about proactive threat hunting, incident response, and request a demo of Infocyte HUNT.