Incident Investigation
Incident investigation is just one part of a holistic security response program and management process. The overall process begins when the security team is alerted to an incident that has occurred on the network. A security incident can range from denial of service attacks and malicious code (including worms and viruses) to unauthorized access due to credential theft or by a malicious insider.
Once the malicious activity has been identified, the security team will investigate the incident to determine the scope of the incident and formulate a containment and remediation strategy that attempts to minimize the damage.
Incident Investigation Process
A successful incident investigation uncovers the root causes that allowed an attacker to infiltrate the network. More importantly, incident investigations help security teams devise effective processes to prevent future attacks.
This process includes:
- Immediate Action: Identify what type of attack occurred on the network. For example, was the threat the result of fileless malware that used existing vulnerabilities to infect the system, an insider threat performed by someone with legitimate access to the network, or lateral movement used by cybercriminals to systematically move through a network in search of data or assets to exfiltrate?
- Gather Information: After identifying what type of attack occurred, security teams need to learn all they can about the incident to assess the threat further. This includes developing an understanding of the entities—users, devices, applications, etc.—involved in the incident, a timeline of their behaviors, the data that may have left the environment, and the other parts of the network that might now be impacted.
Incident Investigation Tools
Incident investigation can be a tedious and time-consuming process, especially as the cybersecurity threat landscape continues to grow and evolve. Attacker tactics are changing at a rapid pace to circumvent traditional security practices enacted by organizations. For example, attackers increasingly use stolen credentials and existing tools and processes when compromising networks. These tools, like operating system utilities, business productivity software and scripting languages, are clearly not malware and have very legitimate usage on the network. In most cases, the vast majority of the usage is business-justified, allowing an attacker to blend in.
Traditional approaches to incident investigations leave it to the security analysts to deal with these challenges. This presents two problems: first, it is not scalable, since experienced security analysts are hard to find and retain; second, it is time-consuming, so only a very small set of incidents gets thoroughly investigated. The situation is made worse by the fact that most detection solutions provide no context to get the investigation going and lack any support for investigative workflows.
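The two points above, the "gather information" step (an entity timeline) and the difficulty of spotting abuse of legitimate operating system utilities, can be combined into a simple context-driven check. The following is an added example, not code from Awake Security or from the original article; the log format, the cutoff date and the dual-use tool list are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed process-execution log lines (not from any real system):
# timestamp,host,user,process,parent_process
SAMPLE_LOG = """\
2023-03-01T09:00:00,WS-ALICE,alice,powershell.exe,explorer.exe
2023-03-01T09:05:00,WS-ALICE,alice,powershell.exe,explorer.exe
2023-03-02T10:00:00,WS-ALICE,alice,powershell.exe,explorer.exe
2023-03-02T11:00:00,WS-BOB,bob,excel.exe,explorer.exe
2023-03-03T09:30:00,WS-ALICE,alice,powershell.exe,explorer.exe
2023-03-03T14:02:00,WS-BOB,bob,powershell.exe,excel.exe
2023-03-03T14:03:00,WS-BOB,bob,net.exe,powershell.exe
2023-03-03T14:04:00,WS-BOB,bob,certutil.exe,powershell.exe
"""

# Assumed list of legitimate but frequently abused OS utilities. Alerting on
# every execution would bury analysts in business-justified noise, so the
# check below alerts only when a user departs from their own baseline.
DUAL_USE_TOOLS = {"powershell.exe", "net.exe", "certutil.exe", "wmic.exe"}

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, user, proc, parent = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "process": proc, "parent": parent})
    return sorted(events, key=lambda e: e["ts"])

def build_baseline(events, before):
    """(process, parent) pairs each user exhibited before the incident window."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < before:
            seen[e["user"]].add((e["process"], e["parent"]))
    return seen

def entity_timeline(events, user):
    """Chronological behaviour of one entity: the 'gather information' step."""
    return [(e["ts"].isoformat(), e["host"], e["process"], e["parent"])
            for e in events if e["user"] == user]

def investigate(text, cutoff_iso):
    """Dual-use tool executions after the cutoff that deviate from the user's baseline."""
    events = parse_events(text)
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(events, cutoff)
    return [e for e in events
            if e["ts"] >= cutoff and e["process"] in DUAL_USE_TOOLS
            and (e["process"], e["parent"]) not in baseline[e["user"]]]
```

Alice's routine PowerShell use is left alone because her baseline contains it, while Bob's PowerShell spawned from Excel, followed by net.exe and certutil.exe, is flagged; the timeline for Bob then gives the analyst the ordered context the alert alone lacks.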
Advanced Network Traffic Analysis
Advanced network traffic analysis (NTA), like what the Awake Security Platform provides, is an important part of a complete incident investigation process to identify all the entities on the network and mitigate threats.
Awake first deeply analyzes billions of network communications to autonomously discover, profile and classify every device, user and application across traditional, IoT, and cloud networks. Using a multi-dimensional machine learning approach, Awake then models complex adversarial behaviors and automatically connects the dots across entities, time, protocols, and attack stage. Unlike prior generations of network traffic analysis tools, this approach delivers threat detections with low false positives/negatives while providing the context necessary for triage, incident response, and remediation. This enables security teams to pivot from an alert analysis based approach to one focused on attack analysis.