Sooner or later, the environment you are responsible for will be hit by a security incident. Small or big. But no matter how significant the incident is, the high-level steps to remediate the incident are the same. Identification, containment, eradication, and post-mortem. And each of these steps has one thing in common. The timeline. In order to contain the incident, you need to find both Patient Zero and Moment Zero. Most people are familiar with the term Patient Zero. But what is Moment Zero?

Moment Zero is the moment the incident started. But that might be a different moment than the one the user or system reported. A user or system typically reports the second or a later stage of the attack. Only in extremely rare cases is the timestamp reported by the user or system the same as Moment Zero. For example, a user might call the IT service desk to report that a ransomware note is displayed on his or her screen. But displaying the ransomware note is actually the last step of the attack, and therefore it is not Moment Zero. In this example, Moment Zero is the moment the attacker breached the security of the device.

In most environments, all relevant logging is forwarded to the SOC environment. But does this mean the SOC is able to piece the puzzle of the timeline back together? It should, but this puzzle can be extremely difficult to solve. Take, for example, the timestamp of an event. Is it stored in the SOC environment in the local time zone, in UTC, or something else? Are all systems synchronized with a time server? The timestamp of when the event was generated is crucial to recreating the timeline, and it should contain the time zone information when it is forwarded to the SOC environment.

Do you check regularly if the timestamps of the received logging data in the SOC environment contain time zone information?
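As an added example (not part of the original post), this is what that check and the UTC normalisation behind it look like in Python, run over a few constructed log records. Which sources write local time without an offset is an assumption the SOC has to document per source, here modelled as `SOURCE_DEFAULT_TZ`.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log records as the SOC might receive them: "ts" is the raw
# timestamp string, which may or may not carry time zone information.
SAMPLE_EVENTS = [
    {"source": "vpn-gw", "ts": "2023-03-01T08:05:00+01:00", "msg": "login from remote IP"},
    {"source": "edr", "ts": "2023-03-01T07:10:10Z", "msg": "suspicious process spawned"},
    {"source": "fileserver", "ts": "2023-03-01 08:20:00", "msg": "mass file rename started"},
    {"source": "edr", "ts": "2023-03-01T07:45:00Z", "msg": "ransomware signature detected"},
    {"source": "helpdesk", "ts": "2023-03-01T09:10:00-05:00", "msg": "user reports ransom note"},
]

# Assumption: the file server logs local time (UTC+1) without an offset. This
# mapping is a documented assumption about the source, not derived from the log.
SOURCE_DEFAULT_TZ = {"fileserver": timezone(timedelta(hours=1))}


def parse_timestamp(raw):
    """Parse an ISO 8601 style timestamp; return (datetime, has_tz)."""
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return dt, dt.tzinfo is not None


def missing_tz_sources(events):
    """The regular check: which sources forward timestamps without zone info?"""
    return {e["source"] for e in events if not parse_timestamp(e["ts"])[1]}


def build_timeline(events, source_default_tz):
    """Normalise every event to UTC and order it. Naive timestamps get the
    source's documented default zone (UTC if none) and are flagged as assumed."""
    timeline = []
    for e in events:
        dt, has_tz = parse_timestamp(e["ts"])
        if not has_tz:
            dt = dt.replace(tzinfo=source_default_tz.get(e["source"], timezone.utc))
        timeline.append({**e, "utc": dt.astimezone(timezone.utc), "assumed_tz": not has_tz})
    timeline.sort(key=lambda e: e["utc"])
    return timeline


if __name__ == "__main__":
    print("sources lacking zone info:", missing_tz_sources(SAMPLE_EVENTS))
    for e in build_timeline(SAMPLE_EVENTS, SOURCE_DEFAULT_TZ):
        flag = " (zone assumed)" if e["assumed_tz"] else ""
        print(e["utc"].isoformat(), e["source"], e["msg"] + flag)
```

Running `build_timeline` with an empty default-zone mapping instead moves the file server event after the EDR detection, which is exactly the kind of wrong ordering the missing offset causes.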

If you are in a small environment, or one where all the users and assets are located in the same time zone, having no time zone information available is not such a significant issue. But these kinds of environments are becoming almost nonexistent, as almost every company uses one or more cloud services.

Another important piece of the puzzle is user information. Every time logging data is forwarded to the SOC environment, the logging data should contain user information. Well, almost every time. Only for unauthenticated traffic is it not required, because it is simply not available.

But what is user information?

In most environments that I have seen and/or managed, a user typically has more than one username. Somewhere within the SOC environment, there should be information available to connect the various usernames to a natural person. Yes, non-personalized accounts and service accounts can and should also be mapped to a natural person. This information is typically stored in an IAM solution. The SOC should have read-only access to the IAM solution to retrieve the relevant user information during the incident identification and containment steps.

And that brings me to the third and last important element of the timeline: network information. Inside the logging data, there should be information that indicates from which host, or on which host, something was done. This information could be an IP address, a hostname, or, if you are lucky, an FQDN. But can you link this information to the user? And how trustworthy is the DNS resolution? When is the DNS resolution actually done? At the moment the event is generated? At the moment the event is ingested into the SOC tooling? Or at some other point?

Volatile data must be captured as fast as possible, preferably at the time the event is generated. The longer you wait to capture volatile data, the higher the chance that it is gone or has been altered.

Now that you have cleaned up all the data, it is time to put all the information on a timeline graph. Only relevant information should be added to the timeline graph.

Yes, you may need to create more than two timeline graphs during timeline analysis.

Finding and identifying Patient Zero and Moment Zero can be a difficult and time-consuming process. And yes, sometimes you will not be able to find Patient Zero and/or Moment Zero.

Therefore, it is essential that you document everything during the incident investigation: decisions and assumptions. The better your documentation is, the easier it is to determine whether you are stuck in a loop.

Equally important to documenting everything during the incident investigation is rehearsing all the steps before an incident has happened and/or been reported. Practice is essential. You need to have this skill mastered before an incident happens.