3 Ways to Make Digital Investigations Faster with Automation

Do less tedious work. Do more fun work.

Nearly everyone wants to skip the tedious work associated with digital investigations (except for some consultants who get paid by the hour). There are several ways to add automation into your investigations so you can focus less on the tedious and more on the interesting. 

Some you can do yourself, but many require specialized tools. 

What Are Automated Investigations?

Automation is when the application does the next step for you. Manual is when the user needs to press a button or type a command. 

So, an automated investigation is when your software does as many steps as possible before involving the investigator. The investigator still makes the final call, they just have fewer buttons to press.

Automated Investigation Benefits 

There are many ways to add automation into your digital investigations, and each has its own benefits. 

The 2 major benefits: 

  • Speed: Automation can make investigations faster because computers do some types of tasks faster, and there is no delay between tasks.
  • Consistency: Automation ensures that all necessary data is collected and analyzed, even when junior examiners are involved. 

3 Ways to Automate Investigations

There are several ways to add automations. Let’s focus on 3:

  • Collection: Ensure data is quickly and accurately collected.
  • Scoring: Ensure you quickly focus on relevant artifacts and not the noise.
  • Normalization: Merge artifacts into simple concepts.

#1: Automated Artifact Collection 

The first step to any investigation is getting access to data to analyze. Automating the live collection process ensures quick access to all data needed. 

How to automate:

  • Have a single program that does the snapshot collection, even if it’s a script that runs other programs. Users should have to focus only on a single program to run.
  • Allow users to remotely collect. Either use an investigation tool with persistent agents or integrate with agents already in place. 
  • Use continuous monitoring so data is stored centrally, and you can quickly access it. 

Benefits:

  • Speed: Allowing users to remotely start collections means they can quickly start the process, and it won’t block waiting for user interaction. 
  • Consistency: Having a single program ensures you don’t forget to run one, and therefore miss critical data. 

#2: Score Artifacts 

Only a small subset of data is related to an investigation. The investigator’s main responsibility is to find that relevant data, and scoring helps identify it. 

Scoring will identify artifacts as:

  • Bad: Related to the attack.
  • Suspicious: Could be related to an attack.
  • Good: Not related to an attack.
  • Unknown: Unclear if related to an attack.

When an investigator’s tools score for them, their first task is to review the bad and suspicious items before aimlessly looking in different places for items that could be suspicious. 

Common ways to score: 

  • Use malware scanning engines to identify bad or suspicious files. Use multiple engines for a broad set of opinions, including some that use fuzzy matching techniques to find variants of known files. 
  • Use YARA or Sigma rules to flag malicious files and event logs. These rules are shared within the community, based on the research of others and the TTPs attackers use. 
  • Use Machine Learning and AI to look for outliers and data that matches previous incidents. 
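An added example (not Cyber Triage code) of the scoring described above: verdicts from several engines, rule hits, and a trusted hash set are combined into the four tiers, and the result orders the review queue so bad and suspicious items come first. Engine names, rule names and the sample artifacts are constructed placeholders, and the two-engine threshold for Bad is an assumption.

```python
# Added example (not Cyber Triage code): combine verdicts from several scoring
# sources into the Bad/Suspicious/Good/Unknown tiers and order the review queue.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List

class Score(Enum):
    BAD = "Bad"                # related to the attack
    SUSPICIOUS = "Suspicious"  # could be related
    GOOD = "Good"              # not related
    UNKNOWN = "Unknown"        # no opinion available

@dataclass
class Artifact:
    name: str
    engine_verdicts: Dict[str, str] = field(default_factory=dict)  # engine -> "malicious"/"clean"
    rule_hits: List[str] = field(default_factory=list)             # matching YARA/Sigma rule names
    in_trusted_hashset: bool = False                               # e.g. known-good software hash

def score_artifact(a: Artifact, bad_threshold: int = 2) -> Score:
    """Several engines are consulted so one engine's false positive only raises
    Suspicious; agreement across engines, or a rule hit, raises Bad."""
    malicious = sum(1 for v in a.engine_verdicts.values() if v == "malicious")
    clean = sum(1 for v in a.engine_verdicts.values() if v == "clean")
    if a.rule_hits or malicious >= bad_threshold:
        return Score.BAD
    if malicious:
        return Score.SUSPICIOUS          # includes conflicts with a trusted-hash match
    if a.in_trusted_hashset or (clean and clean == len(a.engine_verdicts)):
        return Score.GOOD
    return Score.UNKNOWN                 # nothing had an opinion: still needs a human

def review_queue(artifacts: List[Artifact]) -> List[Artifact]:
    """Order for the investigator: Bad first, then Suspicious, Unknown, Good."""
    rank = {Score.BAD: 0, Score.SUSPICIOUS: 1, Score.UNKNOWN: 2, Score.GOOD: 3}
    return sorted(artifacts, key=lambda a: rank[score_artifact(a)])

def sample_artifacts() -> List[Artifact]:
    # Constructed sample input; engine and rule names are placeholders.
    return [
        Artifact("svchost.exe", {"engineA": "clean", "engineB": "clean"}, in_trusted_hashset=True),
        Artifact("update.tmp", {"engineA": "malicious", "engineB": "clean"}),
        Artifact("dropper.dll", {"engineA": "malicious", "engineB": "malicious"}),
        Artifact("notes.txt"),
        Artifact("loader.ps1", {"engineA": "clean"}, rule_hits=["SAMPLE_RULE_PLACEHOLDER"]),
    ]
```

Unknown items sit ahead of Good in the queue on purpose: an artifact nothing has an opinion on still needs a human, while a Good verdict means the tooling has already done that work.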

Benefits:

  • Speed: You save time by letting the software apply thousands of rules to each artifact. You can then quickly focus on only notable ones. 
  • Consistency: It’s easy to miss evidence when it is a tiny subset. Using automation ensures you reliably review each file. It also means you can always use the latest threat intelligence during your analysis. 

#3: Normalize Artifacts

Investigators must often locate and de-duplicate artifacts that recorded what happened on the host. For example, evidence a process ran can be found in Prefetch, Event ID 4688, and several other locations.

Each location may have both unique and overlapping data. Making the investigator manually de-duplicate is a waste of time. 

Automated tools can normalize and merge multiple low-level data artifacts (such as Prefetch and Event ID 4688) to a single higher-level information artifact (such as Process). This is easier and faster for the investigator to interpret. 

How to automate:

  • Convert the collected lower-level artifacts and event logs into the higher-level concepts. 
  • Merge observations of the same event into a single artifact. 
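An added example (not Cyber Triage code) of both steps above: Prefetch entries and Security Event ID 4688 records are converted into one higher-level Process artifact, and sightings of the same execution are merged so the investigator sees one process with its sources listed instead of two overlapping low-level records. The record layouts, the 60-second matching window, and the sample timestamps, PID and Prefetch hash are constructed assumptions.

```python
# Added example (not Cyber Triage code): merge Prefetch and Event ID 4688 sightings
# of the same execution into one higher-level Process artifact.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Process:
    exe_name: str                       # normalized, lower-case file name
    started: datetime
    full_path: Optional[str] = None     # only 4688 records supply the path
    pid: Optional[int] = None
    sources: List[str] = field(default_factory=list)  # low-level artifacts that saw it

def from_prefetch(rec) -> List[Process]:
    # A Prefetch file (e.g. FOO.EXE-1A2B3C4D.pf) records run times but no path or PID.
    name = rec["file"].rsplit("-", 1)[0].lower()
    return [Process(name, datetime.fromisoformat(t), sources=[f"Prefetch:{rec['file']}"])
            for t in rec["run_times"]]

def from_4688(rec) -> Process:
    # Security Event ID 4688 (process creation) carries the full path and PID.
    path = rec["NewProcessName"]
    return Process(path.rsplit("\\", 1)[-1].lower(), datetime.fromisoformat(rec["time"]),
                   full_path=path, pid=rec["pid"], sources=[f"EID4688:{rec['record_id']}"])

def merge(observations: List[Process], window=timedelta(seconds=60)) -> List[Process]:
    """De-duplicate: sightings of one exe within `window` become one Process,
    keeping each field from whichever source supplied it."""
    merged: List[Process] = []
    for obs in sorted(observations, key=lambda p: p.started):
        for p in merged:
            if p.exe_name == obs.exe_name and abs(p.started - obs.started) <= window:
                p.full_path = p.full_path or obs.full_path
                p.pid = p.pid or obs.pid
                p.sources.extend(obs.sources)
                break
        else:
            merged.append(obs)   # nothing matched: a distinct execution
    return merged

def sample_observations() -> List[Process]:
    # Constructed data: one PowerShell run seen by both sources, plus a later run
    # seen only by Prefetch (e.g. 4688 auditing was off or the log rolled over).
    prefetch = {"file": "POWERSHELL.EXE-59FC8F3D.pf",
                "run_times": ["2024-03-01T10:15:02", "2024-03-01T13:40:10"]}
    event = {"record_id": 1501, "time": "2024-03-01T10:15:00", "pid": 4120,
             "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
    return from_prefetch(prefetch) + [from_4688(event)]
```

The second PowerShell run survives as its own Process with only a Prefetch source, which is exactly the gap an investigator wants surfaced rather than silently folded into the earlier run.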

Benefits: 

  • Speed: Users have fewer artifacts to review because overlapping data artifacts are merged into one. 
  • Consistency: Users will not forget to look at a certain type, and you are not relying only on the training of the investigator to know where to look. 

Conclusion

Get rid of the tedious tasks in your investigations, and they will be faster, and investigators will be happier. Making sure collections automatically start, artifacts are scored, and artifacts are normalized will help streamline your SOC and DFIR investigations.

If you are looking for an automated solution, consider Cyber Triage. It automates all of the above and is the leader in artifact scoring. It gives you clues to start with instead of just thousands of artifacts. Learn more here.