Hi, I'm looking for a short description of how to use the forensic investigation workbench to determine if an alert that I received actually has some "Bad Meat" behind it. What are the steps that you suggest taking?
asked 07 Jan '13, 19:38
The investigation can be launched on a threat flagged by the Securonix product or some alert that you receive from an external source. Typically, the investigation will bring up a system, a user or an IP address that is suspicious.
Step 1: Select the time frame for your investigation. Typically this will be the last week of activities. You may even expand this to a longer period (example: last month).
Step 2: Start from the point of interest. If you start from a system on which a suspicious activity is detected, you probably want to see the IP addresses that were used on that system in a time frame and see all activities done on the system. If you see an account activity that looks suspicious, you may want to drill into the account and see all transactions done by the account across other systems.
Step 3: Once you have narrowed down your points of interest, your forensic investigation must include the collection of all artifacts to support your incident and a hand-off of all evidence to the appropriate team.
answered 05 Apr '13, 12:53
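The three steps above (pick a time window, pivot from the point of interest, collect and hand off the supporting evidence) can be expressed as a small triage script. The code below is an added illustration and is not the Securonix workbench API or the answerer's own code; the event schema (ts, host, src_ip, account, action), the sample events and the function names are constructed assumptions for the example.

```python
"""Pivot-and-collect walkthrough over constructed log events.

Hypothetical helper code, not the Securonix workbench API. The event
schema below is an assumption made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib
import json

# Constructed sample events (hypothetical schema). In practice these would be
# the normalised events already ingested by the investigation workbench.
EVENTS = [
    {"ts": "2013-01-01T08:00:00", "host": "srv-01", "src_ip": "10.0.0.5",     "account": "alice",      "action": "login"},
    {"ts": "2013-01-05T22:15:00", "host": "srv-01", "src_ip": "198.51.100.7", "account": "svc_backup", "action": "login"},
    {"ts": "2013-01-05T22:17:00", "host": "srv-01", "src_ip": "198.51.100.7", "account": "svc_backup", "action": "file_read"},
    {"ts": "2013-01-06T01:02:00", "host": "db-02",  "src_ip": "198.51.100.7", "account": "svc_backup", "action": "query"},
    {"ts": "2013-01-06T01:10:00", "host": "db-02",  "src_ip": "10.0.0.9",     "account": "bob",        "action": "login"},
    {"ts": "2012-12-20T09:00:00", "host": "srv-01", "src_ip": "203.0.113.4",  "account": "svc_backup", "action": "login"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def in_window(events, end, days):
    """Step 1: keep only events inside the chosen time frame (last `days` before `end`)."""
    start = end - timedelta(days=days)
    return [e for e in events if start <= parse_ts(e["ts"]) <= end]


def pivot_host(events, host):
    """Step 2a: starting from a suspicious system, list the IPs and accounts that touched it."""
    hits = [e for e in events if e["host"] == host]
    return {
        "events": hits,
        "src_ips": sorted({e["src_ip"] for e in hits}),
        "accounts": sorted({e["account"] for e in hits}),
    }


def pivot_account(events, account):
    """Step 2b: starting from a suspicious account, list its activity across all systems."""
    hits = [e for e in events if e["account"] == account]
    by_host = defaultdict(list)
    for e in hits:
        by_host[e["host"]].append(e["action"])
    return {"events": hits, "hosts": dict(by_host)}


def collect_evidence(events, case_id):
    """Step 3: bundle the supporting events with a digest so the hand-off can be verified."""
    payload = json.dumps(sorted(events, key=lambda e: e["ts"]), sort_keys=True)
    return {
        "case_id": case_id,
        "count": len(events),
        "sha256": hashlib.sha256(payload.encode()).hexdigest(),
        "events": payload,
    }


if __name__ == "__main__":
    # Alert says srv-01 looks suspicious; start with the last week.
    week = in_window(EVENTS, datetime(2013, 1, 7), days=7)
    host_view = pivot_host(week, "srv-01")
    print("IPs seen on srv-01:", host_view["src_ips"])
    # Drill into the account that used the unfamiliar IP and follow it across systems.
    acct_view = pivot_account(week, "svc_backup")
    print("svc_backup activity by host:", acct_view["hosts"])
    # Widening the window to a month surfaces an earlier login from yet another IP.
    print("IPs over 30 days:", pivot_host(in_window(EVENTS, datetime(2013, 1, 7), 30), "srv-01")["src_ips"])
    bundle = collect_evidence(acct_view["events"], case_id="CASE-PLACEHOLDER")
    print("evidence bundle:", bundle["count"], "events, sha256", bundle["sha256"])
```

The receiving team can recompute the SHA-256 over the bundled events to confirm nothing changed in transit; widening the window from 7 to 30 days in the usage above is the "expand to a longer period" check from Step 1.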