3. Analyzing The Session Data

Once you have added data to Cyber Triage® from one of the collection methods previously listed, analysis begins. Your goal during this process is to review the data and conclude whether the system is compromised and how badly. Cyber Triage® will help you as much as possible.

3.1. Threat Scores

As data comes in from the remote host, file, or disk image, Cyber Triage® will start to analyze it and assign a score:

  • Bad: The item is believed to be bad because several malware scanners thought so, it is on a Bad List, the user manually identified it, or some other approach with a low false-positive rate flagged it.

  • Suspicious: The item has characteristics that make it anomalous or similar to what is seen during an attack. The approaches used to identify these items have false positives and Cyber Triage® is going to need you to make the final decision.

  • Good: The item was part of a hash database of known items, part of a Good List, or the user manually identified it as good. This score is for items that are OK and not associated with an attack.

  • Unknown: No score was assigned to the item.

Your main responsibility is to confirm the Bad items and decide on the Suspicious items. You can also review the other items.

3.2. Interface Overview and Workflow

When Cyber Triage® starts, you’ll see the Dashboard that displays the number of Bad and Suspicious items, the number of background tasks, and other general session information.

[Figure: Dashboard Interface]

As you can see from the interface, there are three sections:

  • The left-hand side menu allows you to navigate between the dashboard and the various data types that were collected.

  • The middle part displays the selected data type.

  • The right-hand side displays a timeline of the items that have a Bad score.

The middle section for non-dashboard selections has a table on top and a set of tabs on the bottom. The table shows the items of the selected data type and the bottom shows details that are related to a selected item.

[Figure: Bad Items]

As you navigate around the UI investigating the endpoint, you can use the arrows in the upper left to go back in your history. This is useful when you see something suspicious, click around to investigate it, and then want to go back to your original place to continue your review.

[Figure: Backward and Forward Arrows]

3.3. Marking an Item as Good, Bad, or Suspicious

When you select an item in the table, you can choose to change its score in the area below.

[Figure: Change Score]

  • Bad: Use this score if you know the item is related to an incident and want it to be reported on.

  • Suspicious: Use this score if you want to make sure you review it again in the future. This can be used as a bookmark for your workflow.

  • Good: Use this score if Cyber Triage® marked an item as Bad or Suspicious and you want to override that score because you know it is not related to an incident.

If the item is initially Suspicious, you can change the score to Bad if it is in fact bad or mark it as Good if it was a false positive. Changing a Suspicious item to Good or Bad will decrease the number of suspicious items listed on the dashboard and the counters on the left-hand menu.

You can use the Add Comment button to store a comment for the file. This will get included in the final report and be visible to future investigations that come across the same item.

3.3.1. Keyboard Shortcuts

If you would rather not use the mouse and prefer keyboard shortcuts, you can also apply scores as follows:

Keyboard Shortcuts

  Keys        Meaning
  ---------   -----------
  SHIFT + B   Bad
  SHIFT + S   Suspicious
  SHIFT + G   Good
  SHIFT + U   Unknown
  SHIFT + C   Add Comment
  CTRL + Z    Undo

3.5. Viewing Bad Items

Items with a Bad score are found in the Bad Items menu, as shown in the previous section. These items were found from automated analysis or manually identified as bad. The rows in this table are grouped (typically by path) and have columns for:

  • Type: What type of item was found to be a threat.

  • Description: High-level description of the item.

  • Malware: Indicates if an executable has been scanned by the external analysis service.

  • New: Threats seen for the first time on this host have an asterisk icon.

  • Seen Before: List of other hosts that contain this threat item in the Incident or among all hosts in the database.

What Should You Do: You should review the data here and confirm that it is indeed bad in your environment. A program that gets flagged as malicious could be normal in your environment. If it is, mark it as Good and consider adding it to a Global Good List.

3.6. Analysis Techniques

Cyber Triage® uses a variety of analysis techniques to identify suspicious data. This section outlines the ones you are most likely to encounter. These are not used in the free Lite mode.

3.6.1. Executable Analysis

As previously described in Section 2, Cyber Triage® uses ReversingLabs to analyze executables for malware. If you configured the session to upload file content and/or MD5 values, then Cyber Triage® will know the malware results from many scanners.

Scores are assigned based on ReversingLabs’s proprietary algorithms that combine results from many scanning engines as well as their own techniques.

You can get the malware details by going to the File tab at the bottom and choosing Scan Results.

3.6.2. Yara Signatures

Yara signatures are a way that malware researchers share signatures about malicious files. Cyber Triage® can use a set of rules to analyze the collected files. Files that match a rule will be scored as Bad.

Cyber Triage® uses libyara 3.8.1. Documentation can be found at: https://yara.readthedocs.io/en/v3.8.1/

3.6.2.1. Adding Yara Files

To include Yara signatures in the analysis, you need to copy them into a specific folder. You can find that folder by going to the Options panel.

[Figure: Options Panel]

The default path is %localappdata%\cybertriage\config\yara_rules. However, this location can be changed by changing the data folder location in the Cyber Triage® options panel.

Cyber Triage® will not search subdirectories for Yara files. If you would like to organize your Yara rules in subdirectories, then you’ll need a Yara file in the root directory that uses include statements to refer to the other files.

Note

You will not be able to import the entire Yara Rules GitHub repository. This repository has links between its .yar files and causes many false positives. You should copy in only the rules that you are searching for.
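As an added illustration, not taken from the Cyber Triage® documentation, here is what a root rules file placed directly in the yara_rules folder can look like when the actual rules live in subdirectories. The file name, the subdirectory names and the sample rule are assumptions for this example.

```yara
// root.yar (assumed name) sits directly in %localappdata%\cybertriage\config\yara_rules.
// Only .yar files in that folder are compiled, so rules kept in subdirectories have to be
// pulled in with include statements. Include paths are resolved relative to this file.
include "./ransomware/notes.yar"
include "./webshells/generic.yar"

// Rules may also be defined directly in the root file. This one is a constructed sample
// (not shipped with Cyber Triage®) that looks for phrasing typical of a ransom note;
// review and tune any rule like this before relying on its matches.
rule sample_ransom_note_text
{
    meta:
        description = "Constructed example: text typical of a ransomware note"
        author      = "example only, not part of Cyber Triage"
    strings:
        $encrypted = "your files have been encrypted" ascii wide nocase
        $decrypt   = "decrypt" ascii wide nocase
        $payment   = /bitcoin|btc|monero|tor browser/ ascii wide nocase
    condition:
        filesize < 200KB and $encrypted and $decrypt and $payment
}
```

Copy only the rule files you actually need into the subdirectories; every rule that is included is compiled into the single rules file used for scanning.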

3.6.2.2. Scanning Files

Each time a session is ingested or a Yara rescan is initiated, Cyber Triage® will take all .yar files in the above folder and compile them into a single compiled Yara file.

Cyber Triage® will use that rule against each file that has not already been marked as Bad by malware scanning.

If a rule matches a file, then the rule name will be specified in the Cyber Triage® score.

3.6.2.3. Memory Images

If you import a memory image, the same Yara rules will be used by the yarascan Volatility module. Documentation to the yarascan Volatility module can be found here: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#yarascan

3.6.2.4. File Location in Team Deployment

When running in a Team environment, processing happens in different locations depending on the type of data you are adding.

  • The Yara rules on the Server will be used for all types of collections except for Memory Images.

  • The Yara rules on the Client will be used for Memory Images. Volatility is run on the client system and the results are sent to the system for processing.

3.6.3. Bad Lists

Cyber Triage® ships with some basic programs and file names on its default Bad List that will cause files to be marked as Bad. You can expand this list based on your threat intelligence. See Section 5.1 for details.

3.6.4. Country Resolution

IP addresses and host names will be resolved to a country using GeoLite2 data created by MaxMind. This data appears either as a column in each relevant table or in the Hosts tab at the bottom of the screen.

3.6.5. Dynamic DNS

Cyber Triage® will mark a hostname as Suspicious if it is part of a dynamic DNS setup, which malware can use to avoid network-based detection.

Cyber Triage® ships with a set of Dynamic DNS providers that it will detect. You can add more providers by going to Options, Dynamic DNS. Domains hosted by dynamic DNS providers are detected using the DNS server for the domain, so to add a provider, you add its DNS server names.

[Figure: Dynamic DNS providers]

3.6.6. Ransomware

Cyber Triage® has several ransomware-specific detection techniques. Ransomware incidents are much like any other incident where attackers laterally move through an environment, but the difference is on their final action (where they encrypt the data instead of just stealing it).

The ransomware-specific techniques include:

  • Detection of ransomware notes based on known naming patterns

  • Detection of possible ransomware notes based on heuristics

  • Detection of data recovery features being disabled, such as Volume Shadow and Microsoft Backup

Cyber Triage® focuses on making sure you quickly determine when the encryption started so that you can work backwards to determine how ransomware was deployed.

Cyber Triage® does not have decryption features.

3.7. Data Types

We will now review the types of data that Cyber Triage® collected. The data types on the left-hand side are organized into user-oriented data and malware-oriented data.

3.7.1. Accounts

The Accounts menu item shows local and domain user accounts and their login activity.

Note

Not all data will be available for all users in this view because some data exists only for local accounts and other data is from logs that roll over.

[Figure: Accounts Interface]

What Should You Do: Review the accounts to identify those with an abnormal naming convention, inappropriate permissions, or creation times that are close to the incident timing.

3.7.2. Logins

This menu item shows the remote and local interactive logins to and from the system. You should review this data to look for sessions with suspicious locations or users. Remote logins are used to move laterally within corporate environments.

[Figure: Logins Interface]

The rows in this table are grouped by the remote host and have columns for local and remote users (when it is known), times, and information about the remote host.

For each remote host, you can use the bottom tabs to identify when the connection happened, details about the user, etc.

What Should You Do: Review this data to look for suspicious hosts, users, and times. Cyber Triage® may mark some of them as being suspicious and you should review those and others to identify them as Good or Bad.

3.7.2.1. Observed Actions

As Cyber Triage® parses data from the target system, it keeps track of how the various user accounts were used. You can then filter based on those Observed Actions.

[Figure: Filter Observed Actions]

  • Interactive Login or Program Run: Cyber Triage® found evidence that the user had a local or remote interactive login with the system or launched a program (locally or remotely) on the system.

  • File or Service Access: Cyber Triage® found evidence that the user interacted with a file or service on the system. Examples include accessing a file share or owning a file that got copied to the system.

  • Referenced: There was a reference to the user on the system, perhaps in an event log or registry, but no evidence was found of them doing anything on this specific system. Examples include accounts that were created and never used or entries in a log server.

When looking at a domain controller and who had access to it, you can focus on accounts with Interactive Logins and filter out the accounts that only authenticated with the system.

3.7.3. Network Shares

The Network Shares menu item shows the remote network shares that were accessed. These are determined from explicit mounts of the shares as well as references to them in programs that were run and folders that were accessed.

[Figure: Network Shares Interface]

The rows in this table are grouped by remote host and have columns for share name, users, and times.

What Should You Do: You should review this data to look for shares that the user should not have needed access to. This could indicate that the account was compromised or the user is looking for sensitive data.

3.7.4. Programs Run

The Programs Run menu item will show the programs that were executed on the system. This is based on registry data and other system configurations.

[Figure: Programs Run Interface]

Many programs run on a system, so this section can be quite overwhelming. You want to look for malicious programs that were run by an authorized or unauthorized user. Cyber Triage® groups these rows based on naming patterns that we have found for many programs, such as having a version number as a folder.

Filtering options at the top allow you to focus on just the suspicious items, which are those running from temporary folders and from folders that should contain only data files. Many of the items in this list will be for deleted files that no longer have content or will come from programs that use a consistent naming convention. Cyber Triage® allows you to filter out the items without content and will group items based on similar names.

You can see specific execution times at the bottom in the “Execution History” tab.

What Should You Do: Review the items and identify the programs that are bad or suspicious based on their path and malware results. In a corporate environment, you may find it useful to add the events that are known and common to a Good List. For example, many auto update programs will run from the AppData folder and be shown here, but you can choose to add them to a Global Good List.

3.7.5. Web Artifacts

The Web Artifacts menu item shows web history, bookmarks, downloads, and cookies from Chrome, Firefox, Edge, and IE browsers. You can use this information to see what the user was viewing or what they downloaded. This is useful for phishing campaigns that cause the user to download executables or when you suspect an insider.

[Figure: Web Artifacts Interface]

What Should You Do: Review these items to look for suspicious downloads or search queries. You can filter based on type and date range.

3.7.6. Startup Items

The Startup Items menu item shows the various files that are executed when the system starts. It uses dozens of registry and file system locations to identify the startup files that may contain malware.

[Figure: Startup Items Interface]

What Should You Do: Review the suspicious entries, which are often flagged based on path and on whether they are signed. Mark them as Good or Bad and consider adding them to the Good or Bad Lists.

3.7.7. Triggered Tasks

The Triggered Tasks menu item shows the Windows Scheduled Tasks and WMI Actions that ran on a periodic basis.

[Figure: Triggered Tasks Interface]

What Should You Do: Review the scheduled tasks and actions to identify ones that could be malicious programs that periodically run to check the system status or query a remote server. Look for suspicious paths, times, or names. You may find it useful to add the scheduled tasks that are known and common in your environment to a Global Good List.

3.7.8. Processes

The Processes menu item shows the process tree for the computer when the collection was made.

[Figure: Processes Interface]

What Should You Do: Review the suspicious processes that were flagged based on parent process or name. Mark them as Good or Bad.

3.7.9. Active Connections

The Active Connections menu item shows the network connections that were open at the time the collection was made.

[Figure: Active Connections Interface]

The rows are grouped by remote host and have columns for the process with the connection, remote and local ports, times, and direction.

What Should You Do: You should review this data for connections to unexpected hosts and for processes with unexpected network

3.7.10. Listening Ports

The Listening Ports menu item shows the ports that were listening for new connections when the collection was made.

[Figure: Listening Ports Interface]

The rows are grouped by port number and have columns for the protocol, process, user, and information about what is usually at that port number.

What Should You Do: Review these to find processes that you did not expect to be listening for a connection. These could be backdoor applications into your system. Consider adding ports that are normal in your environment to a Good List.

3.7.11. DNS Cache

The DNS Cache menu item shows the contents of the DNS cache, which contains references to the hosts that the computer tried to resolve to an IP address. You will find addresses in here that the system previously connected to.

[Figure: DNS Cache Interface]

The rows are grouped by remote host domain and have columns for IP and country.

What Should You Do: You should review the data here for suspicious items and connections to suspicious hosts or countries.

3.7.12. System Configuration

This area shows you various OS and application settings that were enumerated during the collection. These come from various registry keys and other configuration files.

[Figure: Settings Interface]

What Should You Do: Review the data to detect if any security settings were disabled or determine what the audit settings were.

3.8. Analysis Views

An alternative way of looking at the collected data is by date or file system location. Cyber Triage® supports both of these views.

3.8.1. Timeline

This area shows you the collected items organized by time. You can use this data to identify what happened before and after a specific event.

[Figure: Timeline Interface]

You can get to this data by either selecting Timeline from the left side and picking a date range or right clicking on most entries in their respective table and choosing View in Timeline.

[Figure: Choose View Timeline]

At any point, if the timeline becomes overwhelming, you can reduce the amount of data shown by filtering by type:

[Figure: Filter by Type]

3.8.2. File Explorer

The Files menu item can show several things:

  • If a full file system scan was performed, you can view all file metadata. Content, however, will not be available for all files.

  • You can view only suspicious or bad files.

You can get to a file either by choosing the Files menu item and navigating the structure, or, when you are reviewing an item associated with a file, such as a Startup Item, by right clicking and choosing View File in Directory.

[Figure: View File in Directory]

That will then bring you directly to the file:

[Figure: File Interface]

What Should You Do: Review the suspicious entries. The files flagged as malware will also be in the Bad Items menu item. You can also use this to see what other files are located in the same folder as malware and other Bad Items.

3.8.4. Registry Entries

The Registry Entries menu item shows the suspicious registry entries on the system.

Note

The menu does not currently display the full registry hive. It shows only the entries that were found to be suspicious based on size and name.

What Should You Do: Review these and mark them as Good or Bad.