Have you ever looked around the house for a specific tool to complete a task and, after looking high and low, even scouring that bottomless “junk drawer,” been unsuccessful in locating it? Then you decide to just use what you have readily available: you know, using that flathead screwdriver as a chisel or a prybar, which inevitably breaks because you did not use the correct tool for the task. I recall, as far back as my childhood, hearing my father’s voice in my head: “Take your time and use the correct tool for the job.” As I mentioned in my previous blog posts, “Pops” always stressed safety and effectiveness, even when selecting the correct tool for the job.
The same is true today with cybersecurity investigation tools, more commonly known as Endpoint Detection and Response (EDR) tools. Selecting the correct EDR tool is as important as the actual incident investigation.
When selecting an EDR for your organization, ask yourself, “Does it offer:
And most of all, does it deeply integrate with the rest of your security stack, so that actions can be taken directly on the endpoint, firewall, or network, especially for those critical events where time to respond is a factor?”
As a feature in Cisco’s AMP for Endpoints Advantage, Orbital Advanced Search is the “correct tool” for Incident Investigation. Orbital Advanced Search has an entire category dedicated to Forensics, which contains queries to collect data such as installed programs on the host, types of failed login attempts, operating system attributes, and more.
Let’s start with one Incident Investigation Catalog query that you can run weekly.
YOU WANT TO: Check to see if there is any anomalous user account activity on a host
Orbital Catalog Query to run: Windows Events for Account Modifications Monitoring – This query retrieves Windows Event Logs related to user account modifications. Some of the related Event Log IDs include:
WHY IS THIS IMPORTANT: Windows Event Logs for the IDs listed above should be investigated for potential system compromise. When investigating a potential compromise, time is of the essence. Investigating an incident often requires an investigator to backtrack for activity details, and this requires logs. These logs have to be queried and delivered quickly to assess whether there is a compromise. Mean Time to Discovery (MTTD) and Mean Time to Respond (MTTR) are critical measurements when determining how well an organization can react to a compromise. Details of how credentials were used for access, persistence, manipulation, and privilege change can be pulled from event logs, and the returned data can be used to assemble a picture of user account modification on a system.
Select the endpoints you wish to query
Search the Catalog for “”
Click the “+” to copy into your SQL query window
Close the Query Catalog Window
Click the Query button
QUERY RESULT: The query results deliver a table of data with rows dedicated to identifying which, if any, of the changes are related to the list above. Remember, this query is for incident investigation. Therefore, you are looking for anomalous behaviors that occurred without the knowledge of the true user. Having this information delivered to you as a query result allows you to survey the results for anomalous behavior so that you can react fast.
FREQUENCY TO RUN: Weekly and/or at the start of an investigation.
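As an added example (not Cisco’s code and not the catalog query itself), the following Python runs an osquery-style filter of the kind Orbital pushes to an endpoint over a few constructed Security events and turns the hits into a reviewable account-modification timeline. The event IDs chosen, the windows_events column subset, and the business-hours window are my assumptions, not the catalog’s list.

```python
import json
import sqlite3
from datetime import datetime
# Windows Security event IDs tied to account modification. This selection is
# mine for the example; it is not the Orbital catalog query's own list.
ACCOUNT_EVENT_IDS = {
    4720: "user account created",
    4724: "password reset attempted",
    4726: "user account deleted",
    4732: "member added to local group",
    4738: "user account changed",
    4781: "account name changed",
}
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is expected admin time

# Constructed sample rows (eventid, datetime, computer_name, data), a column
# subset modelled on osquery's windows_events table (assumption).
SAMPLE_EVENTS = [
    (4624, "2024-05-01T08:00:00", "WS01", '{"SubjectUserName": "alice", "TargetUserName": "alice"}'),
    (4720, "2024-05-01T23:41:10", "WS01", '{"SubjectUserName": "alice", "TargetUserName": "svc_bkp2"}'),
    (4732, "2024-05-01T23:41:12", "WS01", '{"SubjectUserName": "alice", "TargetUserName": "Administrators", "MemberName": "svc_bkp2"}'),
    (4688, "2024-05-01T23:42:00", "WS01", '{"SubjectUserName": "alice", "NewProcessName": "cmd.exe"}'),
    (4724, "2024-05-02T09:15:00", "WS02", '{"SubjectUserName": "helpdesk", "TargetUserName": "bob"}'),
]

# osquery-style SQL: the shape of filter Orbital pushes down to the endpoint.
QUERY = """SELECT datetime, computer_name, eventid, data FROM windows_events
WHERE source = 'Security' AND eventid IN ({}) ORDER BY datetime"""


def account_modifications(rows):
    """Filter raw Security events down to an account-modification timeline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE windows_events (eventid INTEGER, datetime TEXT, "
                "computer_name TEXT, source TEXT, data TEXT)")
    con.executemany("INSERT INTO windows_events VALUES (?, ?, ?, 'Security', ?)", rows)
    ids = sorted(ACCOUNT_EVENT_IDS)
    cur = con.execute(QUERY.format(",".join("?" * len(ids))), ids)
    timeline = []
    for dt, host, eid, data in cur:
        fields = json.loads(data)
        timeline.append({
            "time": dt, "host": host, "event_id": eid,
            "action": ACCOUNT_EVENT_IDS[eid],
            "actor": fields.get("SubjectUserName"),
            "target": fields.get("MemberName") or fields.get("TargetUserName"),
            # Out-of-hours changes are one anomaly to review, not proof of compromise.
            "out_of_hours": datetime.fromisoformat(dt).hour not in BUSINESS_HOURS,
        })
    return timeline
```

The logon (4624) and process-creation (4688) rows are dropped by the filter, leaving three account changes in time order, two of them late at night and worth a closer look.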
That’s it! It’s easy to get started on your first Incident Investigation using Cisco’s Orbital Advanced Search. Orbital Advanced Search’s Catalog has dozens of pre-built forensics queries to streamline your endpoint incident investigations.
Stay tuned: our next blog post discusses IT Operations and how you can use Orbital Advanced Search to check hardware and network hygiene and to ensure that a new employee’s device was configured properly without having to physically inspect the endpoint.
The post Getting more value from your endpoint security tool #3: Querying Tips for Incident Investigation appeared first on Cisco Blogs.