5. Advanced Topics

5.1. Offline Environments

Cyber Triage can work in environments that are not connected to the Internet. This section contains some relevant features and settings.

5.1.1. Disable Internet Access

You can configure Cyber Triage not to connect to systems on the Internet, which avoids the connection error messages it would otherwise generate. This setting is in the Options panel.

5.1.2. Offline Malware Scanning

You can still use the Cyber Triage® Online File Reputation Service when you are on an air-gapped network.

After the collection has been fully imported, you can package up the file MD5 hashes into a text file.

  • Press the Details link on the Dashboard next to the Online File Reputation line.

Figure: Status

  • Choose to Export Hashes and pick a folder.

Figure: Offline Analysis

  • That will produce a JSON text file with the hashes and license information.

  • You can then copy that file to an Internet-connected computer and upload it to https://rep1.cybertriage.com by pasting the contents of the text file into that page.

Figure: Reputation Service

  • It will download another JSON file that you can then copy back into Cyber Triage® and import using the same Details panel that you used to export the original set of hashes.

5.2. Local NSRL

Cyber Triage® will use its Online File Reputation Service by default to assign a threat score to files. The service uses the NIST NSRL to identify files that ship with known applications (such as Microsoft Windows). If you are not using the online service, you can configure a local copy of the NIST NSRL.

The steps to do this include:

  1. Download the NSRL index

  2. Unzip the file

  3. Open the Cyber Triage® options panel, enable Use Local NSRL, and browse to the folder where you unzipped the .idx file.

Figure: Options (Use Local NSRL)

5.3. Import Bad Lists

Cyber Triage® allows you to configure items that should always be considered a high threat. These can be added in the Options area. To add an item, choose Add Entry. You will have the option of adding the item at the global level, so that it applies to all future hosts, or at the Incident level, so that it applies only to future hosts in the same Incident.

Figure: Options (Bad List Tab)

You can bulk add Bad List items by pressing the Import button. It takes in a CSV file of file names, hashes, or other data types. Use the Generate Sample File button to generate a sample CSV file to determine what columns need to exist.

5.4. Import Good Lists

Cyber Triage® allows you to configure items that should not be considered a high threat. This feature is in addition to using the NIST NSRL to ignore files that were shipped with known applications.

5.4.1. Good List Basics

Good Lists are applied as data is analyzed in the pipelines. They contribute to the overall score of the item and can overrule heuristics that may identify the item as suspicious. Many of the tables will hide items on the Good List from you, but you can choose to Include Items on Good List.

Figure: Startup Items (Good List)

5.4.2. Configuring Good List Items

To add an item to the Good List, right click on it and choose Not a Threat. You can then choose to add it to a global- or incident-level Good List or only for that session.

Figure: Add Item to Good List

You can remove Good List entries in two ways. One is to right click on an item that is on the Good List and choose Remove from Good List.

Figure: Remove Item from Good List

The other is to use the Good List section on the options panel.

Figure: Options (Good List Tab)

The table displays all current Good List entries. If the host is (Global), the entry will be applied to all data. Otherwise, it will only apply to the given host name (across all sessions for that host).

One or more Good List entries can be removed from the table by highlighting them and selecting Remove selected item(s).

5.5. Configuring a Network Proxy

If you need to go through a corporate proxy to access the Internet, then Cyber Triage® will need to be configured to use it for malware scanning. You can configure it in Options → Network Proxy.

You can choose between using the operating system's proxy settings and entering a proxy manually. Make sure you press the button to test the connection. Depending on your environment, you may be prompted to accept an SSL certificate that your proxy uses.

Figure: SSL Certificate Information

5.6. Changing Port Number

Cyber Triage® will open TCP port 443 so that the collection tool can send data to it over the network. If you have another application that is using that port, then you can configure Cyber Triage® to use a different one by going to the Options panel and choosing the Network Settings tab.

Figure: Options (Network Settings)

If you change the port number, you will need to explicitly specify this port number when you manually run the collection tool.
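Before changing the port, it helps to know which process already holds TCP 443 on the Cyber Triage® host. The following PowerShell check is an added example, not part of the Cyber Triage documentation; it uses the standard Get-NetTCPConnection and Get-Process cmdlets to list the listening socket and the process that owns it.

```powershell
# Added example (not from the Cyber Triage documentation): find the process
# that is already listening on a TCP port before deciding to move Cyber Triage
# off port 443.
function Get-PortListener {
    param([int]$Port = 443)

    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Resolve the owning process; Path is only filled in when the
            # caller has rights to inspect that process (run elevated).
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                Path         = $proc.Path
            }
        }
}

$listeners = Get-PortListener -Port 443
if ($listeners) {
    $listeners | Format-Table -AutoSize
} else {
    Write-Output 'Nothing is listening on TCP 443; Cyber Triage can keep the default port.'
}
```

Run it from an elevated prompt so that the executable path of services listening on the port is reported; if the listener turns out to be a web server or management agent you need to keep, change the Cyber Triage® port as described above and remember the matching collection-tool argument.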

5.7. Changing Where Data is Stored

Cyber Triage® uses a “data folder” to store databases, collected file contents, logs and other data. The default location is a ‘cybertriage’ folder in the user’s local AppData folder.

The folder can be quite large, especially as more data is added into Cyber Triage.

You can move this folder to a new location. Note that it is your responsibility to move the existing contents to the new location.

Standard Version:

  1. Launch the options panel and choose General → Data Folder.

  2. Pick a new folder.

  3. Shut down Cyber Triage

  4. Copy the contents of %LOCALAPPDATA%\cybertriage to the new location.

  5. Restart Cyber Triage and verify you can open past cases.

Team Version:

  1. Shut down Cyber Triage Team Server

  2. Open up %appdata%\cybertriage\config\v3\config.yml in a text editor.

  3. Change “contentDirectoryPath” to the new path (ex. C:\newpath\cybertriage)

  4. Change “uploadFilePath” to the new path (ex. C:\newpath\cybertriage\files\CyberTriage)

  5. Save config.yml

  6. Copy the contents of %LOCALAPPDATA%\cybertriage to the new location.

  7. Start up Cyber Triage Team Server

5.8. Deploying via EDR

You can deploy the collection tool via an EDR or other IT infrastructure that allows you to remotely run programs. Organizations do this if they can’t use PsExec. To do so, follow the instructions below:

  1. Configure the server to always be listening for connections. Go to Options → Deployment Mode → Enable Collection Tool initiated Sessions.

  2. Record the Server key from this section, which will be used in an argument to the collection tool.

  3. Extract the collection tool as outlined in Extracting the Collection Tool for Live Collections

  4. Configure your EDR to run the ‘CyberTriageCLI.exe’ program. You’ll need to specify the hostname of your server and the server key from the options panel, e.g. CyberTriageCLI.exe --server cybertriage.acme.com --server-key=123456

  5. The server will queue up the incoming data and process it as it has capacity. You can track progress from the “All Hosts” section of the main window. See Queueing Up Data.

The collection tool writes temporary files into the folder it is run from. Some EDRs or IT systems will run the program from a Windows folder or somewhere else that cannot be written to. You may need to configure the EDR or other system to change to a temporary folder before it launches the collection tool.
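One way to satisfy that last requirement is to have the EDR launch a small wrapper instead of CyberTriageCLI.exe directly. The PowerShell script below is an added example, not part of the Cyber Triage documentation or tooling: it creates a fresh scratch folder under the system TEMP path, changes into it before running the tool with the --server and --server-key arguments shown above, and removes the folder afterwards. The hostname and server key are placeholders, and the script assumes CyberTriageCLI.exe sits in the directory the EDR launches from unless -CliPath says otherwise.

```powershell
# Added example wrapper; not part of Cyber Triage's documentation or tooling.
# Assumptions: CyberTriageCLI.exe sits in the launch directory (or $CliPath is
# given), and the account the EDR runs this under can create a folder under
# the system TEMP path. The hostname and server key are placeholders; the real
# key comes from Options -> Deployment Mode in the Cyber Triage server.
param(
    [string]$Server    = 'cybertriage.example.com',   # placeholder hostname
    [string]$ServerKey = 'REPLACE-WITH-SERVER-KEY',   # placeholder key
    [string]$CliPath   = '.\CyberTriageCLI.exe'       # relative to the launch dir
)

# Resolve the tool's path before we change directory, so a relative
# $CliPath still points at the right executable afterwards.
$cli = (Resolve-Path -Path $CliPath -ErrorAction Stop).Path

# Fresh, writable scratch folder, so the tool's temporary files do not land
# in the EDR's launch directory (often a Windows folder it cannot write to).
$work = Join-Path $env:TEMP ('ct-collect-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work -Force | Out-Null

$code = 1   # stays non-zero unless the tool ran and reported its own exit code
try {
    Push-Location $work
    # Same invocation as the manual example; the key is passed as --server-key=VALUE.
    & $cli --server $Server "--server-key=$ServerKey"
    $code = $LASTEXITCODE
    Write-Output "CyberTriageCLI exited with code $code"
}
finally {
    Pop-Location
    # Remove the scratch folder so no collection residue stays on the endpoint.
    Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
}
exit $code
```

The wrapper propagates the tool's exit code so the EDR job reports failure when the collection did not complete. As with the direct invocation above, the server key appears in the process command line on the endpoint while the tool runs, so restrict who can read and edit the EDR job definition that carries it.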