Your ideas for TB in Incident Response

Hello,

This is kind of a follow-up to my first post here. I’ve just started trying to set up TB in the course of my current Incident Response assignment, which is a simple ransomware infection, thus easy enough to try my teeth on integrating TB in my investigation workflow.

My goal is to start small and at first just see how TB can help me group things together for clarity and maybe at the end produce a nice map of the events for my customer.

From that first quick test, I have a few ideas / needs and I would love your opinion on how to best implement them.

First, what I have:

  • I do have lots of IP addresses, which are set up as notes with some User custom properties such as their hosting company, their type (payload delivery or command & control server) and their host’s nationality. Those will eventually be made through a Prototype, of course.

  • I do have an email object that contained payload delivery links and was received by users (tried at first to use a container for this, but I found it not clear enough (regarding outgoing links), so I ended up making the email a specific note linked to their malicious URL by a “contains” link, which can also be used for malicious attachments).

  • I do have users who clicked on some email link and got served malware from one of the payload delivery IP, and then contacted some C2 IPs. These relationships can be represented as links, of course.

  • Later on, I might want to add internal file servers or other resources

My questions (so far ;)):

  • Is it possible to add dates to links? One link might indicate a download from a user to a payload delivery URL, and it would be useful to store the date of that contact, for example. This is super important for a timeline, since the same user might have clicked on different malicious links at different times, contacting different payload delivery URLs. And also for when a user received an email, which might differ from when he clicked a malicious link.

  • I would like to have a way to ask TB to automatically group elements according to several similarities, such as:
      • Per host
      • Per country of origin
      • Per type (C2 or payload delivery, or some other future type I'll add)
      • ... and probably many more at some point ;)

It would be super cool to be able to select one of those “views” and have TB reformat the map with different coloured adornments for each criterion and group the notes of a selected type inside (while maintaining the existing links). I believe agents should be able to do this, but I’m not sure about creating and removing adornments on the fly depending on the search criteria.

  • Finally, is it possible to have a note show the value of a User attribute as its own caption? (just like using a variable’s name referring to the attribute in the “Caption” text box)

Automatically import notes

Also, as Eastgate commented on my previous post, it would be quite useful to have a global TB file with all those IP addresses / hosting companies, distinct from the per-case TB document I’ll create for each engagement, so I could better capitalise on this information from one engagement to another.

What would be the best way to automate the transfer of information (notes) between the two?
I was thinking about exporting notes from a per-case file to a folder watched by Hazel or Keyboard Maestro, and that would make TB automatically import any new notes being dropped in this folder, and then remove them. Is this realistic?

Thanks for your insights!

Look at Attribute Browser.

Is it possible to add dates to links?

You can add comments to links, which might be useful. But it might be more idiomatic to represent the user action as a separate note.
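As an added illustration of the suggestion above (not code from the thread or from Tinderbox), here is a small Python model of the data the original post describes: IP and email notes carrying user attributes, and each dated user action stored as its own event rather than as a property of a link. The `Note`/`Event` classes, attribute names and all sample values (documentation-range IPs, a made-up user and timestamps) are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Hypothetical stand-in for a Tinderbox note: a name plus user attributes.
@dataclass
class Note:
    name: str
    attrs: dict = field(default_factory=dict)

# A dated action modelled as its own note (an "event") instead of a link
# attribute, so one user can contact several URLs at different times.
@dataclass
class Event:
    when: datetime
    actor: str      # user note name
    action: str     # e.g. "received", "clicked", "contacted"
    target: str     # IP or email note name

# Constructed sample data (RFC 5737 documentation addresses), not a real case.
NOTES = [
    Note("203.0.113.10", {"Host": "HosterA", "Country": "NL", "Type": "payload delivery"}),
    Note("203.0.113.11", {"Host": "HosterA", "Country": "NL", "Type": "payload delivery"}),
    Note("198.51.100.5", {"Host": "HosterB", "Country": "US", "Type": "C2"}),
    Note("email-invoice", {"Type": "email", "Contains": ["203.0.113.10", "203.0.113.11"]}),
    Note("alice", {"Type": "user"}),
]

EVENTS = [
    Event(datetime(2019, 3, 4, 9, 2), "alice", "received", "email-invoice"),
    Event(datetime(2019, 3, 4, 9, 41), "alice", "clicked", "203.0.113.10"),
    Event(datetime(2019, 3, 4, 9, 42), "alice", "contacted", "198.51.100.5"),
    Event(datetime(2019, 3, 5, 8, 15), "alice", "clicked", "203.0.113.11"),
]

def group_by(notes, attr):
    """Group note names by one user attribute (the per-host / per-country / per-type 'view')."""
    groups = defaultdict(list)
    for n in notes:
        if attr in n.attrs:
            groups[n.attrs[attr]].append(n.name)
    return dict(groups)

def timeline(events, actor):
    """Chronological (time, action, target) tuples for one user, built from the event notes."""
    return [(e.when.isoformat(timespec="minutes"), e.action, e.target)
            for e in sorted(events, key=lambda e: e.when) if e.actor == actor]

def caption(note, attr):
    """Caption a note with one attribute's value, falling back to the note name."""
    return str(note.attrs.get(attr, note.name))
```

Because the second click is a separate event, the same user can appear twice in the timeline with different payload delivery targets, which a single dated link could not express.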

Thanks! It’s indeed a useful way to explore the data. But I was imagining a more visual and dynamic way to do it. I’ll dig some more :wink: