Patient zero: Identify the source of an attack

In this scenario, an organization is alerted to a suspected breach and must find the initial point of the attack so that it can isolate the source. It must also quarantine the compromised entities to prevent the attack from spreading to other parts of the organization.

Objectives

To solve the problem in this investigation, the organization has these objectives:

  • Determine the type of attack.
  • Identify the initial entry point of the threat.
  • Get details about the malicious payload.
  • Understand how the malicious payload was disseminated beyond the point of entry.

Investigation

Use the tools on the Forensics tab to help you investigate.

[Image: the options available in the Forensics tab to help you investigate the problem: document search, query filters, Digital Impression, Visualizations, pivoting data, and Surveyor.]
  1. Use free-form search to search for symptomatic attributes that are associated with the malicious payload.
  2. Use content categories to filter out content that isn't relevant to the investigation.
  3. Examine suspect content that is flagged by the product.
  4. Use Digital Impressions and visualizations to explore extended relationships of the malicious payload, perpetrator, or target.
  5. Use data pivoting and follow data linkages to identify patient zero.
  6. Use Surveyor to see a timeline of activities so that you can retrace an attack.
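The steps above are carried out in the QRadar Incident Forensics user interface. As an added illustration of the underlying method (search for the payload indicator, pivot on the hosts linked to it, then order the linkages into a timeline), the following Python example works through the same logic on constructed flow records. It is example code written for this page, not QRadar's own code or API; the `Transfer` records, the IP addresses and the `PAYLOAD` indicator are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    """One observed transfer of an artifact between two hosts (constructed record type)."""
    ts: datetime
    src: str
    dst: str
    artifact: str  # hypothetical hash of the file carried by the flow


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed indicator for the malicious payload (placeholder, not a real hash).
PAYLOAD = "sha256:PLACEHOLDER_MALICIOUS_PAYLOAD"

# Constructed sample records: an external host delivers the payload to one
# workstation, which then passes it on internally. Deliberately unsorted and
# mixed with an unrelated benign transfer and a later back-edge.
SAMPLE: List[Transfer] = [
    Transfer(_t("2024-05-01T09:15:00"), "10.0.0.12", "10.0.0.31", PAYLOAD),
    Transfer(_t("2024-05-01T09:00:00"), "10.0.0.12", "10.0.0.40", "sha256:benign"),
    Transfer(_t("2024-05-01T09:02:00"), "203.0.113.5", "10.0.0.12", PAYLOAD),
    Transfer(_t("2024-05-01T09:20:00"), "10.0.0.31", "10.0.0.57", PAYLOAD),
    Transfer(_t("2024-05-01T09:18:00"), "10.0.0.12", "10.0.0.40", PAYLOAD),
    Transfer(_t("2024-05-01T10:00:00"), "10.0.0.57", "10.0.0.12", PAYLOAD),
]


def search_artifact(records: List[Transfer], artifact: str) -> List[Transfer]:
    """Step 1/2: keep only transfers carrying the suspect artifact, oldest first."""
    return sorted((r for r in records if r.artifact == artifact), key=lambda r: r.ts)


def patient_zero(records: List[Transfer], artifact: str) -> Optional[Tuple[str, str]]:
    """Step 5: the earliest recipient of the payload is patient zero.

    Returns (patient_zero_host, entry_point_source) or None if the artifact
    never appears in the records.
    """
    hits = search_artifact(records, artifact)
    if not hits:
        return None
    first = hits[0]
    return first.dst, first.src


def spread_timeline(records: List[Transfer], artifact: str) -> List[Tuple[datetime, str, str]]:
    """Steps 5/6: follow data linkages outward from patient zero in time order.

    A host counts as compromised only once it has received the payload; a
    transfer is part of the spread only if its source was already compromised
    at that time and its destination was not. Processing hits chronologically
    guarantees the ordering, and back-edges to already-compromised hosts are
    ignored.
    """
    hits = search_artifact(records, artifact)
    if not hits:
        return []
    compromised = {hits[0].dst: hits[0].ts}  # patient zero and when it was hit
    timeline: List[Tuple[datetime, str, str]] = []
    for r in hits:
        if r.src in compromised and r.ts >= compromised[r.src] and r.dst not in compromised:
            compromised[r.dst] = r.ts
            timeline.append((r.ts, r.src, r.dst))
    return timeline


if __name__ == "__main__":
    pz = patient_zero(SAMPLE, PAYLOAD)
    print("patient zero:", pz[0], "entry point:", pz[1])
    for ts, src, dst in spread_timeline(SAMPLE, PAYLOAD):
        print(ts.isoformat(), src, "->", dst)
```

Run as a script, the block names 10.0.0.12 as patient zero (delivered from 203.0.113.5) and lists the three internal hops in order; the benign transfer and the later back-edge to 10.0.0.12 are excluded. The same pivot idea generalizes to any linkable attribute (a sender address, a URL, a document fingerprint) rather than only a file hash.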