Have you ever looked around the house for a specific tool to complete a task? And, after looking high and low, even scouring through that bottomless “junk drawer,” you were unsuccessful locating it. Then, you decide to just use what you have readily available. You know, using that flathead screwdriver as a chisel or a prybar, which inevitably breaks because you did not use the correct tool for the task. I recall back as far as my childhood hearing my father’s voice in my head, “take your time and use the correct tool for the job”. As I mentioned in my previous blog posts, “Pops” always stressed safety and effectiveness, even when selecting the correct tool for the job.
The same is true today with cybersecurity investigation tools, more commonly known as Endpoint Detect and Respond (EDR) tools. Selecting the correct EDR tool is as important as the actual incident investigation.
When selecting an EDR for your organization, ask yourself, “Does it offer:
- Continuous monitoring and analysis that shows a more in-depth view of the endpoint and helps users locate spikes in endpoint activity?
- A snapshotting feature that gathers the base forensic information you would want when an endpoint is compromised?
- Threat severity for events by tagging them as Critical, High, Medium, or Low and match those events to the MITRE ATT&CK™ framework with context?
And most of all, does it deeply integrate with the rest of your security stack, where actions can be taken directly on the endpoint, firewall, or network especially for those critical events where time to respond is a factor?”
As a feature in Cisco’s AMP for Endpoints Advantage, Orbital Advanced Search is the “correct tool” for Incident Investigation. Orbital Advanced Search has an entire category dedicated to Forensics, which contains queries to collect data such as installed programs on the host, types of failed login attempts, operating system attributes, and more.
Let’s start with one Incident Investigation Catalog query that you can run weekly.
YOU WANT TO: Check to see if there is any anomalous user account activity on a host
Orbital Catalog Query to run: Windows Events for Account Modifications Monitoring – This query retrieves Windows Event Logs related to user account modifications. Some of the related Event Log include:
- a user account was created
- a user account was enabled
- an attempt was made to change an account’s password
- an attempt was made to reset an account’s password
- a user account was disabled
- a user account was deleted
- a user account was changed
- a user account was locked out
- a user account was unlocked
- a user account name was changed
WHY IS THIS IMPORTANT: Windows Event Logs for the ID’s listed above should be investigated for potential system compromise. When investigating a potential compromise, time is of the essence. Investigating an incident often requires an investigator to backtrack for activity details – this requires logs. These logs have to be queried and delivered quickly to assess if there is a compromise. The terminology Mean Time to Discovery (MTTD) and Mean Time to Respond (MTTR) are critical measurements when determining how well organizations can react to a compromise. Understanding how credentials were used for access, persistence, manipulation, and privilege change can be pulled from event logs and the data returned can be used to assemble a picture of user account modification on a system.
Select the endpoints you wish to query
Search the Catalog for “Windows Events for Account Modifications Monitoring”
Click the “+” to copy into your SQL query window
Close the Query Catalog Window
Click the Query button
QUERY RESULT: The query results deliver a table of data with rows dedicated to identifying which if any of the changes are related to the list above. Remember, this query is for incident investigation. Therefore, you are looking for anomalous behaviors that occurred without the knowledge of the true user. Having this information delivered to you as a query result allows you to survey the results to look for anomalous behavior so that you can react fast.
FREQUENCY TO RUN: Weekly and/or at the start of an investigation.
That’s it! It’s easy to get you started on your first Incident Investigation using Cisco’s Orbital Advanced Search. Orbital Advanced Search’s Catalog has dozens of pre-built forensics queries to streamline your endpoint incident investigations.
If you don’t already have Cisco AMP for Endpoints and are interested in trying Orbital Advanced Search, sign up for our virtual Threat Hunting Workshop, or request a free trial.
Stay tuned, our next blog discusses IT Operations and how you can use Orbital Advanced Search to check hardware and network hygiene and ensure that a new employee’s device was configured properly without having to physically inspect the endpoint.
CONNECT WITH CISCO