Friday, October 26, 2012

The Analytical Process

Maybe I watched too many episodes of Sherlock on the BBC, or really am too left-brained for my own good. But I wanted to write a post that serves as a quick visual and written overview of how to analyze security events. The steps can be applied to just about anything, from fixing a problem on your car to investigating a murder. They are based loosely on Sniper Forensics by Chris Pogue.

The 4 principles of analysis, based on the Alexiou Principle

  1. What question are you trying to answer?
  2. What data do you need to answer that question?
  3. Where do you go for the data?
  4. What does the data tell you?


“When selecting a hypothesis, the one that makes the fewest number of new assumptions is more likely to be correct.” - Occam’s Razor

9 steps for analyzing events

  1. Define normal
  2. Recognize abnormal
  3. Question
  4. Study the attacker
  5. Study the target
  6. Analyze the data
  7. Discard the irrelevant data
  8. Apply logic
  9. Provide analysis

The 9 steps in detail

1. Define Normal
Determine what normal messages, events and alerts look like in the SIEM.

2. Recognize Abnormal
Once you can recognize normal traffic, you can filter it out. Anything left over is abnormal and is worth investigating.

3. Question
What event or message are you seeing? Why is it abnormal? Who is the attacker? Who is the target? When did it occur?

4. Study the Attacker
Who is the attacker? What information can we find out about them? What are they doing?

5. Study the Target
Is the target system compromised? Is it behaving suspiciously? Is there any abnormal traffic originating from it? What OS and applications are running?

6. Analyze Data
What do our logs and packet captures show? What was found online? What vulnerability were they attempting to exploit?

7. Discard Irrelevant Data
What's not needed? Get rid of useless facts and noise.

8. Apply Logic
What does our data tell us? Allow the data to form the hypothesis; don’t disregard the data for an assumption.

9. Provide Analysis
What did the data show? Was there an event or a false positive? Form your analysis with as many facts as possible.