Triage

Sweeping your environment for finding the evil

Almost all cases start with one or more leads. If there are too many leads, the investigator might need to validate all their leads one by one, which is very time-consuming. Or, if there are too few leads, investigators don't have enough information to continue their case. Both situations are not good for the investigation and can impact the speed of resolution.

Triage is the process of pritiorizing the evidence that they’ll be analyzing. However, prioritizing this evidence is not a straightforward or easy job. An Investigator needs lots of data, leads, or experience to do it well. So, they generally use known attack indicators, called the IOC indicator of the compromise. An indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion [Indicator of compromise ].

An investigator or analyst will generally scan all system data or part of it to discover these IOCs. When they see a match, it typically means that those systems are related to a specific attack type and need to be investigated first. Investigators use YARA, osquery and Sigma rules for these scans. Investigators can define and scan IOCs by using AIR's built in YARA, osquery and Sigma template rules or editors.

Binalyze AIR DFIR Suite provides three different tools to the investigators for triage, which, as stated, are YARA, osquery and Sigma. These tools generally scan assets to find specific data using IOC (Indicator of Compromise).

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression that determine its logic.

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others. Sigma is for log files what Snort is for network traffic and YARA is for files.

osquery, an open-source tool, employs SQL-like queries to extract intricate system data. It offers cross-platform compatibility, making it ideal for real-time system monitoring, security analysis, and compliance assessments. Security professionals often use it to detect vulnerabilities, monitor system changes, and ensure adherence to security standards.

Binalyze AIR has a YARA, osquery and Sigma repository, investigators can use a built-in YARA, osquery and Sigma editor to develop and validate their rules. They can also upload these rules to their rule repository. Investigators can then scan their endpoints with those rules easily and remotely. The Triage procedure flow is depicted below.

NB: Character limitation for single triage rule

To prevent the browser becoming unresponsive we have limited the maximum to 350K of characters in a single Triage Rule.

PreviousScheduling Tasks NextTriage Rule Templates

Last updated 6 months ago