With more and more business taking place online, preventing hacking attacks has become a critical function for all businesses.
For large organisations, the risk of attack has become a near-daily occurrence. While most low-level attacks are easily blocked by standard security protocols, hackers develop new techniques and toolkits every day.
That means that cyber defence teams must constantly monitor and investigate new types of attacks in order to develop countermeasures.
The cost of cybercrime was estimated at nearly 1Tn USD in 2020. As a result, cybersecurity is one of the fastest-growing industries.
Among the many specialities of cybersecurity, incident response, cyber threat intelligence, and pen testing are three areas that apply methods and tools very similar to those of OSINT analysis.
In this post, we will explore how reKnowledge can improve incident response and empower analysts to find critical insights fast.
Recently, we were approached by the Cyber Defence team of a global retail company to explore how reKnowledge could help streamline such incident response investigations.
Like most investigators researching complex attacks, the team needed a solution that would:
- speed up the whole investigative process;
- build a reliable and traceable body of evidence;
and that could at the same time:
- be interacted with in a digital environment; and
- use data visualisation to communicate complex insights.
There is no easy way of understanding complex hacking attacks and developing the right countermeasures. Incident response is an inherently manual process where analysts need to gather evidence from a multitude of environments (console, web-browser, databases) and deal with a large array of data types (code, picture, text, etc.).
When investigating an attack on their IT infrastructure, the team used spreadsheets and a lot of manual work to collect and organise their body of evidence.
Yet spreadsheets are not the most efficient way of organising this type of research. Typically, analysts need to collect a wide variety of information about many different kinds of things, from very technical items such as scripts, ports, files, databases, processes and exploit kits, to contextual information such as malicious activities, hacktivist groups and so on. The analytical requirements differ greatly from one kind to the next.
In addition, cyber-attacks are inherently about navigating a network of technical infrastructure and human operators. But the tabular nature of a spreadsheet makes capturing and organising connections very clunky, to say the least.
While the client also used network graph tools to visualise their body of evidence, those are not designed for qualitative analysis. Often they lack the interactivity needed to drill further into an evidence point. Besides, most of these tools don’t support edge attributes, while in complex investigations the ability to further qualify a connection with extra metadata (for instance the source, the timestamp or the confidence level of that link) is critical.
This approach is not only time-consuming, it is also inefficient: all the insights captured by the team are hard to communicate to a wider audience of non-technical people.
With reKnowledge, we solved all of these problems.
To start with, the cyber defence team defined an ontological framework that fits their needs, using our intuitive ontological editor. Not only was the team able to customise the information card for each node class, but it was also able to define the connections of interest.
In this respect, reKnowledge provided a critical advantage compared to other network graph solutions. Whereas traditional network graph solutions don’t support connection attributes, the reKnowledge data model does. That means analysts can capture granular details about the connections and then run queries using that attribute information to refine them.
Having customised their knowledge base for their needs, analysts were then able to conduct their investigations. Instead of recording their evidence in multiple spreadsheets, researchers created or updated node and connection information directly in the reKnowledge workbench.
Using the analytical workbench as their means of capturing information brought the following benefits to the analysts:
- A clear interface, customised for each information class, allowing the analysts to capture only the information needed for that class;
- Ability to quickly create connections along with all the necessary attribute information through our interactive interface;
- Ability to share in real-time all the information with their team, thus reducing the duplication of effort;
- Ability to visualise information gaps immediately.
Once the team had gathered all the evidence needed to investigate the case, they could start the investigation proper.
Thanks to its interactive analytical workbench, reKnowledge empowered analysts to query, navigate and visualise their evidence through network graph visualisation.
First, the analytical workbench allows the analyst to have a comprehensive view of the system architecture in all its complexity of interconnected relationships and dependencies.
Using our various querying tools and methods, an analyst can zero in on specific insights or explore their body of evidence iteratively.
In addition, the body of evidence can be explored sequentially to visualise the various stages of the attack along with the tools or techniques used and the target systems.
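To make the edge-attribute and sequential-exploration points concrete, here is a small added example (not reKnowledge code; the node classes, the query methods and every evidence value are constructed for illustration): a property graph whose connections carry metadata such as timestamp, stage, source and confidence, which can be refined by attribute, ordered into an attack timeline, and checked for evidence nodes that nothing connects to yet.

```python
from dataclasses import dataclass, field

@dataclass
class Edge:
    src: str
    dst: str
    rel: str
    attrs: dict = field(default_factory=dict)  # metadata about the connection itself

class EvidenceGraph:
    """Typed nodes plus connections that carry their own attributes (a property graph)."""

    def __init__(self):
        self.nodes = {}   # node id -> {"class": ..., other properties}
        self.edges = []

    def add_node(self, node_id, node_class, **props):
        self.nodes[node_id] = {"class": node_class, **props}

    def connect(self, src, dst, rel, **attrs):
        # Both endpoints must already be typed nodes; a spreadsheet never enforces this.
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError(f"unknown node in connection {src} -> {dst}")
        self.edges.append(Edge(src, dst, rel, attrs))

    def edges_where(self, **criteria):
        """Refine the evidence by connection attributes, e.g. confidence='high', source='EDR'."""
        return [e for e in self.edges
                if all(e.attrs.get(k) == v for k, v in criteria.items())]

    def timeline(self):
        """Attack stages in sequence: every timestamped connection, earliest first."""
        return sorted((e for e in self.edges if "t" in e.attrs), key=lambda e: e.attrs["t"])

    def gaps(self):
        """Information gaps: nodes recorded as evidence but not connected to anything yet."""
        linked = {e.src for e in self.edges} | {e.dst for e in self.edges}
        return sorted(n for n in self.nodes if n not in linked)

def build_sample_case():
    # Constructed sample evidence; every value below is illustrative, not from a real incident.
    g = EvidenceGraph()
    g.add_node("mail-001", "email", subject="Invoice overdue")
    g.add_node("ws-17", "host", role="workstation")
    g.add_node("dropper.js", "script")
    g.add_node("db-01", "host", role="database")
    g.add_node("crew-x", "threat group")   # contextual node with no linking evidence yet
    g.connect("mail-001", "ws-17", "delivered_to", t="09:02", stage="initial access", confidence="high", source="mail gateway")
    g.connect("dropper.js", "ws-17", "executed_on", t="09:05", stage="execution", confidence="high", source="EDR")
    g.connect("ws-17", "db-01", "connected_to", t="09:41", stage="lateral movement", confidence="medium", source="netflow")
    return g
```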
By visualising such a complex body of evidence, analysts can understand the attack much faster, and identify the points of vulnerability.
Finally, it empowers those domain experts to communicate their findings and insights to a non-technical audience through interactive graph visualisation. Being able to convey the importance of cybersecurity to a non-technical audience is critical. Explaining how attacks occur and their consequences for the organisation’s systems is essential to raise awareness across every member of the organisation.
For us, this was a particularly interesting case study because it validated our assumptions that the need for tools to support complex investigation was much larger than our initial target: the OSINT world.
It also validated our domain agnostic approach. In a couple of hours, the cyber defence specialists had devised an ontological model fit for their needs and were gathering evidence.
More importantly, it opened up a whole new and huge market for reKnowledge.
We are already exploring new features to develop specifically for this industry. Ultimately, we envision a solution that would serve both to investigate cyber incidents and to automatically monitor the entire IT infrastructure in real time, based on lessons learned from previous investigations.