I just discovered TB through the Winter Festival offer, and from what I came to understand of it, I feel it could help me do my job better. But before committing to learning it, I would like to make sure it is, indeed, suitable for what I have in mind.
I work on the investigation side of computer incident response. I must quickly ingest a large quantity of information related to IT systems, individuals and timestamps, in a very fluid context (new information coming in non-stop that can change the current understanding of the events at any point) and ultimately make sense of it.
By the end of my engagement, the goal is to know how an intruder got in, what path he took across the IT infrastructure, and exactly what he did / planted / exfiltrated.
Visually, this is usually shown as a graph of various connected IT systems where we follow a trail of many hijacked user or service accounts, and connections from/to other systems, with the attacker switching accounts regularly, thus making the timing element crucial (so we have both a graph and a timeline).
This is very intense and I usually find myself writing down in a hurry tons of IP addresses, machine names, user names, user account names, filenames, and various timestamps (file modification, system access, etc.). I am piecing this information together from both a large OneNote document coming from the forensic team and from my own interviews on-site.
And as you can probably guess by now, there are a lot of “I know I’ve seen this user account/IP address/user name somewhere…” moments, or “what system(s) does this account belong to, again?”.
OneNote, Excel and other tools so far did not help me make interesting relationships “emerge” as new data keeps pouring in. It is still a very manual and intuitive process.
That’s where I feel TB could help.
I’m mainly interested in two aspects of what I have understood of how TB works:
Seeing new connections emerge as I enter new data (I might, for example, get a machine name + its IP address from a suspicious behavior. I don’t have time to investigate it fully at the moment. The next day, I get from another source several IP addresses, with no machine names attached. One of them corresponds to the previous machine. I would like to see the link between the two pieces of information emerge)
Having a useful timeline self-construct. Being able to see that this machine cannot have been compromised from this other machine because the attacker accessed it beforehand. Or better yet, imagine we have seen a specific user account trying to connect to a specific machine at some specific date, in a way that makes us take notice. We can’t investigate right now because there are much more obvious trails to follow at the moment, but I make a note about it. Later, we discover another machine that was clearly compromised, and it turns out that this is where the intruder gained access to this account, and from this point on started using it to connect to other machines. If this new event happened before the previous one, then the initial machine becomes much more interesting for our investigation. This is the kind of emerging insight I’m after.
I am very interested in the way that TB allows entering data unstructured (or using a simple arbitrary text structure to make things easier). In the heat of an engagement, I often only have a couple of minutes back at my laptop to dump whatever new information I’ve gathered from interviews, or to insert new data from the forensic team, before being called up again. So this “pour data in, let agents figure out the connections” approach really works for me.
What are your thoughts? Can TB help with some / all of these use cases?
Thank you for your time!
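A small Python sketch of the two behaviours the post asks for: an IP address noted later collapsing onto the machine recorded earlier, and a timeline ordered by event time rather than by when each note was jotted down. This is an added example, not Tinderbox code and not from the original post; the sample notes, the hostname pattern (`WS-117`, `SRV-FILE01`) and the account prefix convention (`svc_`, `adm_`, `usr_`) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b[A-Z]{2,}-[A-Z0-9]+\b")               # e.g. WS-117, SRV-FILE01 (assumed naming)
ACCOUNT = re.compile(r"\b(?:svc|adm|usr)_\w+\b")             # assumed account naming convention
ALIAS = re.compile(r"([A-Z]{2,}-[A-Z0-9]+)\s*\(((?:\d{1,3}\.){3}\d{1,3})\)")  # "WS-117 (10.20.5.17)"

class Casebook:
    def __init__(self):
        self.alias = {}                 # ip -> hostname, learned from "HOST (ip)" mentions
        self.links = defaultdict(set)   # entity -> entities it has co-occurred with
        self.events = []                # (event time, note text, entities mentioned)

    def resolve(self, entity):
        return self.alias.get(entity, entity)

    def add(self, when, text):
        """Ingest one note; returns the entities it mentions after alias resolution."""
        for host, ip in ALIAS.findall(text):
            self.alias[ip] = host
        found = {self.resolve(e) for pat in (IP, HOST, ACCOUNT) for e in pat.findall(text)}
        for a in found:
            self.links[a] |= found - {a}
        self.events.append((datetime.strptime(when, "%Y-%m-%d %H:%M"), text, found))
        self.events.sort(key=lambda ev: ev[0])   # order by event time, not by when it was noted
        return found

    def timeline(self, entity):
        entity = self.resolve(entity)
        return [(t.strftime("%Y-%m-%d %H:%M"), txt) for t, txt, ents in self.events if entity in ents]

    def first_seen(self, entity):
        tl = self.timeline(entity)
        return tl[0] if tl else None

# Constructed sample notes, in the order they were jotted down (ingest order != event order)
NOTES = [
    ("2024-03-02 09:10", "Beacon from WS-117 (10.20.5.17) to an external host, not investigated yet"),
    ("2024-03-03 14:00", "Forensics: RDP logons from 10.20.5.17 and 10.20.5.23 using svc_backup"),
    ("2024-03-01 22:45", "svc_backup failed twice to connect to DC-01 from WS-117, odd timing"),
    ("2024-03-03 16:30", "SRV-FILE01 confirmed compromised; svc_backup credentials dumped there"),
]

def build(notes=NOTES):
    cb = Casebook()
    for when, text in notes:
        cb.add(when, text)
    return cb
```

After ingesting all four notes, `timeline("svc_backup")` shows the failed DC-01 attempt from WS-117 predating the credential dump on SRV-FILE01, which is exactly the reordering that makes the earlier machine worth a second look.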