Investigating Attack Scopes
Cyber attacks occur everywhere. Today we will talk about Cyber Incident Investigation Series: Investigating Attack Scopes and discuss how Sqrrl enables them intuitively.
1. INVESTIGATING SCOPE WITH EXPANSIONS
Seasoned investigators search the entire network to see if it is possible to find similar evidence elsewhere when faced with evidence of an attack.
Unfortunately, if you do not have a centralized way to find your data, this is a very cumbersome task. This can mean multiple searches in multiple data sources and a manual attempt to link the sequence of events that they form. In Sqrrl, attacks with an aim in this order are in a few clicks.
The process to perform this scoping in Sqrrl would be the same, and because it allows you to model similar fields across your data sources, it’s still only a one click operation.
2. COMMON SCOPING EXPANSIONS
In other words, taking the results of a query and using a piece of data that was returned to query a broader array of data sources, a larger time span, or a larger array of the attack surface area (more hosts).
When studying a compromise, do not forget to think about the attack. Experienced analysts perform a wide search for the evidence found due to memory of the muscles. Sqrrl simplifies the search process in a few clicks.