This playbook describes how to use the Stories Workbench to investigate stories related to suspicious target communication.
This playbook outlines a systematic approach for SOC engineers to investigate potential security incidents related to suspicious target communication. It provides a framework for gathering initial information, analyzing network traffic, and drawing conclusions about the nature of the threat.
Use the Details widget in the story to gather basic information about the potential threat. Review the Description of the story and other data to decide if further investigation is required. In addition, the Similar Stories section shows other stories that share similar indicators and observables.
Use the Source widget to review data about the device that is impacted by this suspicious traffic.
You can also use the Indications Catalog for more information (such as the Indication ID), and focus the investigation based on your query.
The Attack Distribution graph helps you understand the nature of the traffic: periodic attacks that resemble bot behavior, a one-time occurrence, or other characteristics.
The Targets section lets you examine the identified targets to learn more about their potential intent and the likelihood that the target is malicious:
- Assess Cato's malicious score
- Examine Cato's popularity
- Consider associated Cato categories
- Review the number of threat intelligence feeds linked to the target
By now, you should have a solid grasp of the activity captured in this story. The Target Links help you conduct an external search on reputable sources for historical context and signs of malicious behavior. Correlate this data to identify connections with other entities and possible links to known threat actors, campaigns, or techniques.
The Target Actions section can be used to verify if the security engines took responsive actions to the identified traffic.
- Use the Related Events to open the Events page and review the corresponding events for each target.
- In the event data, look for additional details regarding the specific IPS event and gather information regarding the nature of the IPS signature, client classification, threat type, and more.
Use the Attack Related Flows section to examine unprocessed data flows related to the story.
- Assess traffic distribution to identify patterns and volume fluctuations.
- Analyze supplementary data points from these flows, including URLs, user-agents, file names, and other relevant attributes, and compare them to the findings from the previous investigation step to reveal potential correlations.
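The two analyses this playbook asks for when reading the Attack Distribution graph and the Attack Related Flows section (is the timing periodic like a bot, a one-time occurrence, or irregular; and which URLs and user-agents recur across targets) can be reproduced on exported flow records. The following is an added example written for this article, not Cato code and not an export of Cato data: the flow records are constructed inline, the field names (`ts`, `target`, `url`, `user_agent`) and the coefficient-of-variation threshold are assumptions, and the timing classes are an illustration of the bot-like versus one-time distinction described above rather than the product's own logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample flows (not real data). Four targets illustrate the
# patterns the playbook asks you to recognize in the Attack Distribution graph:
# two periodic beacons sharing a user-agent, one single-shot download, and one
# irregular, human-like browsing session.
BASE = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time
SAMPLE_FLOWS = (
    [{"ts": BASE + timedelta(seconds=300 * i), "target": "beacon.example",
      "url": "/gate.php", "user_agent": "Mozilla/4.0"} for i in range(8)]
    + [{"ts": BASE + timedelta(seconds=600 * i), "target": "beacon2.example",
        "url": "/gate.php", "user_agent": "Mozilla/4.0"} for i in range(4)]
    + [{"ts": BASE + timedelta(seconds=42), "target": "once.example",
        "url": "/update.bin", "user_agent": "curl/8.0"}]
    + [{"ts": BASE + timedelta(seconds=s), "target": "irregular.example",
        "url": u, "user_agent": "Mozilla/5.0"}
       for s, u in [(5, "/"), (17, "/news"), (140, "/login"),
                    (150, "/img.png"), (900, "/")]]
)


def _gaps(timestamps):
    """Inter-arrival times in seconds between consecutive flows."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def classify_timing(timestamps, max_cv=0.1):
    """Classify a target's flow timing.

    "one-time"  - a single flow.
    "periodic"  - inter-arrival times are nearly constant (coefficient of
                  variation <= max_cv), the scheduled cadence typical of bots.
    "irregular" - anything else (bursty or human-driven traffic).
    The max_cv threshold is an assumed tuning value for this example.
    """
    gaps = _gaps(timestamps)
    if not gaps:
        return "one-time"
    avg = mean(gaps)
    if avg == 0:
        return "irregular"
    return "periodic" if pstdev(gaps) / avg <= max_cv else "irregular"


def summarize_flows(flows):
    """Group flows per target and collect the attributes an analyst compares
    across investigation steps: flow count, timing pattern, mean interval for
    periodic targets, and the distinct URLs and user-agents seen."""
    by_target = defaultdict(list)
    for f in flows:
        by_target[f["target"]].append(f)
    summary = {}
    for target, recs in by_target.items():
        stamps = [r["ts"] for r in recs]
        pattern = classify_timing(stamps)
        summary[target] = {
            "flows": len(recs),
            "pattern": pattern,
            "interval_s": mean(_gaps(stamps)) if pattern == "periodic" else None,
            "urls": sorted({r["url"] for r in recs}),
            "user_agents": sorted({r["user_agent"] for r in recs}),
        }
    return summary


def shared_attributes(summary, field):
    """Return attribute values (e.g. a user-agent) seen on more than one target,
    mapped to the sorted list of targets sharing them. Shared values are the
    correlations the playbook asks you to look for between flows and targets."""
    seen = defaultdict(set)
    for target, info in summary.items():
        for value in info[field]:
            seen[value].add(target)
    return {v: sorted(t) for v, t in seen.items() if len(t) > 1}


if __name__ == "__main__":
    report = summarize_flows(SAMPLE_FLOWS)
    for target, info in report.items():
        print(target, info["pattern"], info["interval_s"], info["user_agents"])
    print("shared user-agents:", shared_attributes(report, "user_agents"))
```

On the constructed data the two `/gate.php` targets come out as periodic (300 s and 600 s cadence) and share a user-agent, which is exactly the kind of link worth carrying back to the Targets and Target Links steps; the single flow is reported as one-time and the browsing session as irregular. On real exports, tune `max_cv` and check the flow count before trusting a "periodic" label, since two or three flows can look regular by chance.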
For investigations that focus on the target, these are some examples of the threat types that appear as suspicious communications in a story:
- Adware
- Malware
- Browser extension
- PUP (Potentially Unwanted Program)
- Unsecured Network Activity (Suspicious)
- Policy Violation (Suspicious)