CYBER THREAT ARTICLE - RANTINGS OF A CYBER SECURITY ANALYST (SEPTEMBER EDITION)


Who, What, When, Where, Why & How. The Five Ws and one H are questions whose answers are considered basic in information-gathering. As quoted from multiple sources, they are often mentioned in journalism, research, and police investigations. According to the principle of the Five Ws and one H, a report can only be considered complete if it answers these questions, each starting with an interrogative word:

  • Who is it about?
  • What happened?
  • When did it take place?
  • Where did it take place?
  • Why did it happen?
  • How did it happen?

Each question should have a factual answer and importantly, none of these questions can be answered with a simple "yes" or "no".

In cyber security, I feel the above concept needs to be applied to events. Many times, I am called in to assist in investigating an incident and, most of the time, the details in the logs were ignored or were not investigated further.

Imagine a scenario where you hear someone continuously jiggling the door handle of your home. Would you react, or would you just assume your door and lock are working and preventing the person from entering, and ignore it? You would want to know who this person is, why this person is trying to enter and what he is trying to do.

Let me use a breach that I recently investigated, where a company was hit with ransomware and called in for assistance, as an example. As with all such breaches, it is understandable that it is a stressful situation to be in and being swarmed with statements like “the product failed me” is not a great feeling.

The first lead in my investigation was the endpoint security logs themselves. Prior to the encryption phase, there were detections of tools like PsExec and Mimikatz. These were blocked, but going with the Five Ws and one H, I dug into these detections, found the time stamps, and noticed the tools were detected in C:\Users\Administrator\Pictures\. Now, if the internal security team were investigating, this should raise red flags. Even though the threat at that time was blocked, why were these tools dropped into that folder? Who dropped these tools into this folder? Was it really a legitimate user of the Administrator profile? Looking at when this happened with the time stamps, it happened at 6am, before any IT staff were on site. So of course, the next questions would be how it is possible for someone to be using the Administrator account, and how this was done remotely.

As this customer did not have any XDR or EDR tools at that point in time, I had to manually go through the Windows Event Logs and hope the threat actor had not wiped them. Fortunately, they were not wiped, and through significant manual sieving of the logs, it was found that Remote Desktop Protocol was used to access the server and was also used to move laterally to other servers.

I am not going to share the rest of the investigation, but it should be clear that asking questions helps with investigations. XDR tools are just there to help answer these questions quickly, through queries across the entire environment.

Just from this initial, high-level investigation, we identified that the Administrator credential was compromised and that the servers had RDP enabled. In fact, threat actors are, in a way, using the same Five Ws and one H concept in their attacks.

Why is my payload being blocked? What type of privileges do I have? Where are the payloads being blocked? How do I overcome this control? When should I execute the activities so as not to arouse suspicion?

On the defender side, the same concept also applies to incidents, not just breaches. Take, for example, a case where you notice the server security product is blocking PowerShell execution, and the process was spawned from sqlservr.exe. Instead of answering “yes, the threat is blocked”, start asking questions. How is this possible? What is this server, and does it require MSSQL? Why is this database public facing?
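The two situations above (a blocked tool under a user profile at 6am, later tied to RDP logons, and PowerShell spawned from sqlservr.exe) can be triaged with the same Five Ws routine. The following is an added example, not the author's tooling: it runs over a handful of constructed events modelled loosely on endpoint detections and Windows Security 4624 (logon) and 4688 (process creation) records, and the host names, IPs and business hours are assumptions.

```python
from datetime import datetime, time

# Constructed sample events (assumed hosts/IPs, not from a real incident).
EVENTS = [
    {"ts": "2023-09-03 05:58:40", "kind": "4624", "host": "SRV01",
     "user": "Administrator", "logon_type": 10, "src_ip": "10.0.5.77"},
    {"ts": "2023-09-03 06:02:11", "kind": "detection", "host": "SRV01",
     "user": "Administrator", "name": "Mimikatz", "action": "blocked",
     "path": r"C:\Users\Administrator\Pictures\m.exe"},
    {"ts": "2023-09-03 06:15:02", "kind": "4624", "host": "SRV02",
     "user": "Administrator", "logon_type": 10, "src_ip": "10.0.1.20"},
    {"ts": "2023-09-03 09:30:00", "kind": "4688", "host": "SRV03",
     "user": "MSSQLSERVER", "parent": "sqlservr.exe", "image": "powershell.exe"},
    {"ts": "2023-09-03 10:00:00", "kind": "4624", "host": "SRV01",
     "user": "jsmith", "logon_type": 10, "src_ip": "10.0.9.5"},
]
BUSINESS_HOURS = (time(8, 0), time(18, 0))          # assumed "When" baseline
HOSTS = {"SRV01": "10.0.1.20", "SRV02": "10.0.1.21", "SRV03": "10.0.1.22"}
ODD_PARENTS = {"sqlservr.exe"}                       # services that should not spawn shells
SHELLS = {"powershell.exe", "cmd.exe"}

def off_hours(ts):
    """When: was this outside the hours when staff would be on site?"""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").time()
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])

def triage(events):
    """Return (when, who, where, what/how, why it matters) tuples, oldest first."""
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        when = e["ts"] + (" (off-hours)" if off_hours(e["ts"]) else "")
        if e["kind"] == "detection":
            # "Blocked" is not an answer: ask who staged the tool and how it got there
            findings.append((when, e["user"], e["host"],
                             f"{e['name']} {e['action']} at {e['path']}",
                             "tool staged under a user profile; find the logon that put it there"))
        elif e["kind"] == "4624" and e["logon_type"] == 10:       # type 10 = RemoteInteractive (RDP)
            src_host = next((h for h, ip in HOSTS.items() if ip == e["src_ip"]), None)
            how = f"RDP from {e['src_ip']}" + (
                f" ({src_host}, lateral movement)" if src_host else " (external/unknown source)")
            if off_hours(e["ts"]) or src_host:   # in-hours RDP from a workstation is normal here
                findings.append((when, e["user"], e["host"], how,
                                 "interactive remote logon; verify this user and source"))
        elif e["kind"] == "4688" and e.get("parent") in ODD_PARENTS and e["image"] in SHELLS:
            findings.append((when, e["user"], e["host"],
                             f"{e['parent']} spawned {e['image']}",
                             "database engine launching a shell; ask what this server is for and why it is reachable"))
    return findings
```

Each finding is a row of answers to the Five Ws; the jsmith logon is dropped because it is in hours and from an unknown workstation address, which is the kind of noise the text says vendors should help filter.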

All these questions eventually help close the security gaps by identifying unpatched systems, servers with unnecessary services or access, and so on. Of course, to be fair, on the vendor side of things there must be improvements to assist in filtering out the noise and presenting the detections that should be investigated.

However, it must be noted that the investigation still needs to be done by the security team. Products are not able to magically investigate and produce the results for you. Like a crime investigation, the investigator must collect leads, but it is up to the investigator to see whether these leads are part of the case, where these leads fit into the timeline of the crime, and to build the complete investigation.

Without asking questions, the team will never learn about the weaknesses or risks the environment has. Simply restoring systems after a breach without going through the Five Ws and one H will simply lead to a repeated breach, which could have even worse outcomes on the next attack.

Let’s start asking questions and stop ignoring the “door jiggles”. Having a static approach to security is not going to cut it against dynamic adversaries.


Biography

Harvey Goh



Harvey Goh is a cyber security specialist having been in the cyber security industry for over 15 years as technical personnel. Currently he is working as part of Sophos’ Managed Threat Response team. He is also a member of AiSP CTI SIG, EXCO and volunteer at CSCIS CTI SIG.

Views and opinions expressed in this article are my own and do not represent that of my places of work. While I make every effort to ensure that the information shared is accurate, I welcome any comments, suggestions, or correction of errors.