Never stop asking “Now What??”

I remember (way) back in 1989 when I had just started my career in IT, HP came out with a slogan, "We never stop asking, 'What if....'" What I've come to learn as I moved into the realm of responding to security intrusions is that you should never stop asking, "Now what??"

If you are a parent (according to Bill Cosby, you need at least two children to qualify) you are probably already very familiar with the "Now what??" scenario (and should probably consider a career in computer security or law enforcement if you're not already there). You know how it goes:

Parent finds broken jar and cookies all over floor:

Parent: What happened here?

Child 1: I got out of bed to get dressed for school (because children will always start their story at the beginning of the day!)

Child 2: ...that's when Timmy pulled my hair!

Child 1: Did not!

Child 2: Did too!

Parent: OK, OK...Now what happened next?

Child 1: We went to school.

Parent: Now what happened after you got home?

Child 2: I was doing my homework.

Child 1: He was playing on his Nintendo!

Parent: Whatever! Now what happened here in the kitchen?

....and so on (and so on) until you either determine the guilty party that (literally) had their fingers in the cookie jar or you just unilaterally punish them all. It gets to be even more fun with four...trust me...I know.

I usually find that I get about three "Now what" deep into the interrogation conversation with my kids before my patience is at an end and I determine how justice will be handled that day. However, not asking "Now what" enough when performing an incident investigation is a sure-fire way to leave necessary stones unturned that could point you to where an intruder has been in your network.

If you regularly read M-unition posts and our M-Trends reports, you're already aware of our mantra "It's not all about the malware". The APT are people on a mission and malware is just one of many tools they use to gain a foothold into your organization. Once in, compromising legitimate user credentials and branching out to other systems using standard operating system tools is a fairly standard modus operandi.

So when your SOC Analyst comes knocking and says they've analyzed some alerts your SIEM has generated and they've confirmed the presence of malware on a system.

  • Did the malware detonate? If so, Now what??
  • Was a C2 channel established? If so, Now what??
  • Were any remote logins from the suspect system to other internal systems observed after the point of infection? If so, Now what?? If so, which accounts were used?
  • Were any data files accessed? If so, Now what??
  • How did the malware get on the system...and did we find indicators of its presence on any other systems in our network? If so, Now what??

In information security, we never stop asking "Now what??" That's my new tag-line going forward.

Look for upcoming discussions on how Mandiant will integrate with SIEM solutions such as ArcSight to accelerate alert triage and forensic evidence gathering during the SOC workflow process and allow you to get to Now What?? faster...if you can't wait, give me a shout!