Investigate provides the data analysis capabilities in RSA NetWitness® Suite, so that analysts can analyze packet, log, and endpoint data and identify possible internal or external threats to security and the IP infrastructure.
Data and Metadata
RSA NetWitness Suite audits and monitors all traffic on a network. One type of service, a Decoder, ingests, parses, and stores the packets, logs, and endpoint data traversing the network. The configured parsers and feeds on the Decoder create metadata that analysts can use to investigate the ingested logs and packets. Another type of service, called a Concentrator, indexes and stores the metadata.
Analysts usually query the Concentrator to discover threats. The Concentrator handles queries, only going to the Decoder when a full reconstruction of sessions, endpoint events, or raw logs is required. ESA, Malware Analysis, and Reporting Engine also query the Concentrator, where they can quickly get all the pertinent metadata associated with an event and generate information on the event without having to go to each Decoder. In some special cases, analysts may query a Decoder.
Analysts can investigate captured data, open results from other NetWitness Suite views in Investigate, and import data from other collection sources. During the course of an investigation, analysts can move seamlessly between the three views in Investigation: Navigate view, the Events view, and the Malware Analysis view.
Analysts use Investigate to hunt for events that drive the incident response workflow and to do strategic analysis after another tool has generated an event. An incident responder who is working on an incident in NetWitness Respond can open the incident in NetWitness Investigate and add events to the incident. A threat hunter who is working in NetWitness Investigate can add an event to an existing incident or create a new incident in NetWitness Respond. In both cases, the analyst drills or pivots into the metadata to filter the number of logs and packets and see suspicious events, while focusing on certain combinations of metadata that lead to an incident.
Triggers for an Investigation
These are a few examples of triggers for an investigation:
- You receive intelligence from a third party about a new active directory hack; you use that to run a search across all of your raw Active Directory log data for the last 24 hours.
- You are asked by the SOC manager to find any Pokemon Go malware due to its current popularity; you craft a query to look for an HTTP session using a specific user agent related to the malware he found on a security blog.
- An incident responder escalates a ticket that shows some odd indicators related to a host; you link to that host to find specific details.
- You are looking for the next zero day attack and pivoting through network metadata to find any abnormal automated sessions leaving the enterprise.
- You are asked by your SOC manager to find any information related to user jarvis, an employee just let go; you query against the past week for that username.
Workflow of an Investigation
This figure shows the general workflow of an investigation. In a typical day, an analyst goes through the steps in the general workflow in a circular fashion. You typically start by executing a query, then filter to a subset of events, reconstruct or analyze an event, and repeat to reconstruct or analyze another event. When you encounter an event that bears a closer look, you view the context around the event, and decide whether to create an incident or add the event to an incident. If you decide not to add the event to an incident, you run an other query to gain further insight, which starts again at the beginning of the workflow. If you find a file or event that potentially contains malware, you can do a Malware Analysis scan of the file or you can open Malware Analysis and start a scan of the service on which the event was seen.
After you enter a query or launch an investigation from NetWitness Respond, defined meta keys are queried and the contents of captured packets, logs, and endpoint events is displayed in the Navigate view.
This figure illustrates the Navigate view.
The Navigate view provides the capability to drill into and query data on a Broker, Concentrator, or Decoder, though investigating a Decoder is not typical. Every situation is unique in terms of the types of information the analyst is attempting to find. Investigation presents the contents of captured packets, logs, and endpoint events as a collection of extracted data in the Navigate view. The defined meta keys are queried, and values are returned along with the number of events. Clicking on a value at any given level, reveals the results in detail.
In the Navigate view, for certain configured meta keys, such as IP address, or hostname, you can search for additional context information around a value using the Context hub. The additional context may include incidents, alerts, and other sources where the value was mentioned.
For example, if there is a concern regarding suspicious traffic with foreign countries, the Destination Country meta key reveals all destinations and the frequency of the contact. Drilling into those values yields the specifics of the traffic, such as the IP address of the originator and the recipient. Checking other metadata can expose the nature of attachments exchanged between the two IP addresses.
The Navigate View also provides a sequential visualization of the data in a timeline. Here you can zoom in on a selected time period.
This figure illustrates the Events view.
The Events view provides a view of packet, log, and endpoint events in list form so that you can view events sequentially and reconstruct events safely. You can open the Events view for a meta value in a current drill point from the Navigate view. For analysts without sufficient privilege to navigate a service, the Events view is a standalone investigation view in which analysts can access a list of network, log, and endpoint events from a NetWitness Suite Core service without having to drill down through meta first.
The Events view presents event information in three standard forms, a simple grid listing of events, a detailed listing of events, and a log view. In addition to the standard forms, you can create a custom column group of selected meta keys, then assign the custom column group to a custom profile for viewing the events list. Once created, custom column groups and profiles are selectable from a drop-down list.
In the Events view, you can:
- Reconstruct an event from the event list. Two reconstruction interfaces are accessible from the Events view: Event Reconstruction and Event Analysis.
- Use Investigation Profiles to tie together various Investigation settings into selectable sets, import and export Investigator meta groups, import and export Investigator column groups.
- Export events and associated files.
- Create an incident from an event, or edit an incident to add or remove events.
Malware Analysis View
This figure illustrates the Malware Analysis view
The Malware Analysis view provides a means to analyze certain types of file objects (for example, Windows portable executable (PE), PDF, and MS Office) to assess the likelihood that a file is malicious. You can open the Malware Analysis view directly or you can use a context menu action to Scan for Malware from a meta value in a current drill point from the Navigate view. The malware analyst can leverage the multilevel scoring modules to prioritize the massive number of files captured in order to focus analysis efforts on the files that are most likely to be malicious.
Contextual Information for an Event
From the Navigate view and the Event view, you can look up details about elements associated with an event (IP Address, User, Host, Domain, MAC Address, Filename, File hash) in the Context Hub. You can interact with the elements of an event to get further insight including related incidents, alerts, custom lists, Archer assets, active directory details, and NetWitness Endpoint IIOCs. From the Context Hub, you can click on a data point to return to the Navigate view.
When you discover an event that merits additional investigation, you can reconstruct an event safely in a form similar to its native form using Event Reconstruction or interactive Event Analysis. The rendering of events restricts the use of dynamic or active code that might be contained in the event to limit any adverse outcome to your system or browser. Cache is used to improve performance when viewing previously viewed events. Each analyst has a separate cache of reconstruction data, and you can only access reconstructed events in your own cache.
The Event Reconstruction opens in a window on top of the Events view. You can see the meta keys and meta values in a list form and page to view the next event in this form. Events can be reconstructed using different methods to suit the type of data: meta data, text, hexadecimal, packets, web, mail, files, or the best reconstruction selected automatically. You can export packet capture files, extract files, and export the meta values for the event. This figure is an example of the Event Reconstruction.
The Event Analysis view is an interactive tool to help analysts see the packets, text, or files in an event with visual cues for certain types of information. Depending on the type of reconstruction, for example, packets, text, or files, different information is relevant. When viewing files, you can export files in a zip archive to your local file system. You can download logs from the Text view, and export packets from the Packet view. This figure is an example of the Event Analysis view.