Kaspersky Unified Monitoring and Analysis Platform
English

Contents

Example of incident investigation with KUMA

Detecting an attack in the organization IT infrastructure using KUMA includes the following steps:

  1. Preliminary steps
  2. Assigning an alert to a user
  3. Check if the triggered correlation rule matches the data of the alert events
  4. Analyzing alert information
  5. False positive check
  6. Determining alert severity
  7. Incident creation
  8. Investigation
  9. Searching for related assets
  10. Searching for related events
  11. Recording the causes of the incident
  12. Response
  13. Restoring assets operability
  14. Closing the incident

The description of the steps provides an example of response actions that an analyst might take when an incident is detected in the organization's IT infrastructure. You can view the description and example for each step by clicking the link in its title. The examples are directly relevant to the step being described.

For conditions of the incident for which examples are provided, see the Incident conditions section.

For more information about response methods and tools, see the Incident Response Guide. On the Securelist website by Kaspersky, you can also find additional recommendations for incident detection and response.

In this Help topic

Incident conditions

Step 1. Preliminary steps

Step 2. Assigning an alert to a user

Step 3. Check if the triggered correlation rule matches the data of the alert events

Step 4. Analyzing alert information

Step 5. False positive check

Step 6. Determining alert severity

Step 7. Incident creation

Step 8. Investigation

Step 9. Searching for related assets

Step 10. Searching for related events

Step 11. Recording the causes of the incident

Step 12. Incident response

Step 13. Restoring assets operability

Step 14. Closing the incident
Page top
[Topic 245892]

Incident conditions

Parameters of the computer (hereinafter also referred to as "asset") on which the incident occurred:

  • Asset operating system – Windows 10.
  • Asset software – Kaspersky Administration Kit, Kaspersky Endpoint Security.

KUMA settings:

  • Integration with Active Directory, Kaspersky Security Center, Kaspersky Endpoint Detection and Response is configured.
  • SOC_package correlation rules from the application distribution kit are installed.

A cybercriminal noticed that the administrator's computer was not locked, and performed the following actions on this computer:

  1. Uploaded a malicious file from his server.
  2. Executed the command for creating a registry key in the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hive.
  3. Added the file downloaded at the first step to autorun using the registry.
  4. Cleared the Windows Security Event Log.
  5. Completed the session.
Page top
[Topic 245800]

Step 1. Preliminary steps

Preliminary steps are as follows:

  1. Event monitoring.

    When a collector is created and configured in KUMA, the program writes information security events registered on controlled elements of the organization's IT infrastructure to the event database. You can find and view these events.

  2. Creating a correlator and correlation rules.

    When a sequence of events that satisfy the conditions of a correlation rule is detected, the program generates alerts. If the same correlation rule is triggered for several events, all these events are associated with the same alert. You can use correlation rules from the distribution kit or create them manually.

  3. Configuring email notifications about an alert to one or more email addresses.

    If notification is configured, KUMA sends a notification to the specified email addresses when a new alert is received. The alert link is displayed in the notification.

  4. Adding assets.

    You can only perform response actions for an asset (for example, block a file from running) if the asset is added to KUMA.

    Performing response action requires integrating KUMA with Kaspersky Security Center and Kaspersky Endpoint Detection and Response.

    Example

    The analyst has carried out the following preliminary steps:

    • Installed the SOC_package correlation rules from the distribution kit and linked them to the correlator.
    • Configured the sending of alert notifications to the analyst's email.
    • Imported assets from Kaspersky Security Center to KUMA.

      According to the incident conditions, after the administrator logged into their account, a malicious file was run, which the attacker had added to Windows autorun. The asset sent Windows security event log events to KUMA. The correlation rules were triggered for these events.

      As a result, the following alerts were written to the KUMA alert database:

    • R223_Collection of information about processes.
    • R050_Windows Event Log was cleared. R295_System manipulations by a non-privileged process.
    • R097_Startup script manipulation.
    • R093_Modification of critical registry hives.

    The information about the alert contains the names of the correlation rules based on which the alerts were created, and the time of the first and last event created when the rules were triggered again.

    The analyst received alert notifications by email. The analyst followed the link to the R093_Changes to critical registry hives alert from the notification.

Page top
[Topic 245796]

Step 2. Assigning an alert to a user

You can assign an alert to yourself or to another user.

Example

As part of the incident, the analyst assigns the alert to themselves.

Page top
[Topic 245804]

Step 3. Check if the triggered correlation rule matches the data of the alert events

At this step, you must view the information about the alert and make sure that the alert event data matches the triggered correlation rule.

Example

The name of the alert indicates that a critical registry hive was modified. The Related events section of the alert details displays the table of events related to the alert. The analyst sees that the table contains one event showing the path to the modified registry key, as well as the original and the new value of the key. Therefore, the correlation rule matches the event.

Page top
[Topic 245829]

Step 4. Analyzing alert information

At this step, analyze the information about the alert to determine what data is required for further analysis of the alert.

Example

From the alert information, the analyst learns the following:

  • Which registry key has been modified
  • On which asset
  • The name of the account used to modify the key

This information can be viewed in the details of the event that caused the alert (AlertsR093_Modification of critical registry hivesRelated events → event 2022-08-23 17:27:05), in the FileName, DeviceHostName, and SourceUserName fields respectively.

Page top
[Topic 245830]

Step 5. False positive check

At this stage, make sure that the activity that triggered the correlation rule is abnormal for the organization IT infrastructure.

Example

At this step, the analyst checks whether the detected activity can be legitimate as part of normal system operation (for example, an update). The event information shows that a registry key was created under the user account using the reg.exe utility. A registry key was also created in the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hive, responsible for autorun of applications at user logon. Based on this information, one can surmise that the activity is not legitimate and the alarm is not false.

Page top
[Topic 245873]

Step 6. Determining alert severity

You can change the alert severity level, if necessary.

Example

The analyst assigns a high severity to the alert.

Page top
[Topic 245874]

Step 7. Incident creation

If steps 3 to 6 reveal that the alert warrants investigation, you can create an incident.

Example

The analyst creates an incident in order to perform an investigation.

Page top
[Topic 245877]

Step 8. Investigation

This step includes viewing information about the assets, accounts, and alerts related to the incident in the incident information section.

Information about the impacted assets and accounts is displayed on the Related assets and Related users tabs in the incident information section.

Example

The analyst opens the information about the affected asset (Incidents → the relevant incident → Related alerts → the relevant alert → Related endpoints → the relevant asset). The asset information shows that the asset belongs to the Business impact/HIGH and Device type/Workstation categories, which are critical for the organization IT infrastructure.

The asset information also includes the following useful data:

  • FQDN, IP address, and MAC address of the asset.
  • The time when the asset was created and the information was last updated.
  • The number of alerts associated with this asset.
  • The categories to which the asset belongs.
  • Asset vulnerabilities.
  • Information about the installed software.
  • Information about the hardware characteristics of the asset.

    The analyst opens the information about the associated user account (Incidents → the relevant incident → Related alerts → link with the relevant alert → Related users → account).

    The following account information may be useful:

  • User name.
  • Account name.
  • Email address.
  • Groups the account belongs to.
  • Password expiration date.
  • Password creation date.
  • Time of the last invalid password entry.

Page top
[Topic 245880]

Step 9. Searching for related assets

You can view the alerts that occurred on the assets related to the incident.

Example

The analyst checks for other alerts that occurred on the assets related to the incident (Incidents → the relevant incident → Related alerts → the relevant alert → Related endpoints → the relevant asset → Related alerts). In the alert window, you can configure filtering by time or status to exclude outdated and processed alerts. The time when the asset alerts were registered helps the analyst to determine that these alerts are related, so they can be linked to the incident (select the relevant alerts → Link → the relevant incident → Link).

The analyst also finds the associated alerts for the account and links them to the incident. All related assets that were mentioned in the new alerts are also scanned.

Page top
[Topic 245881]

Step 10. Searching for related events

You can expand your investigation scope by searching for events of related alerts.

The events can be found in the KUMA event database manually or by selecting any of the related alerts and clicking Find in events in the alert details (Incidents → the relevant incident → Related alerts → the relevant alert → Related endpointsFind in events). The found events can be linked to the selected alert, however, the alert must be unlinked from the incident before that.

Example

As a result, the analyst found the A new process has been created event, where the command to create a new registry key was recorded. Based on the event data, the analyst detected that cmd.exe was the parent process for reg.exe. In other words, the cybercriminal started the command line and executed the command in it. The event details include information about the ChromeUpdate.bat file that was autorun. To find out the origin of this file, the analyst searched for events in the event database using the FileName = ‘C:\\Users\\UserName\\Downloads\\ChromeUpdate.bat’ field and the %%4417 access mask (access type WriteData (or AddFile)):

SELECT * FROM 'events' WHERE DeviceCustomString1 like '%4417%' and FileName like ‘C:\\Users\\UserName\\Downloads\\ChromeUpdate.bat’ AND Device Vendor 'Microsoft' ORDER BY Timestamp DESC LIMIT 250

As a result, the analyst discovered that the file was downloaded from an external source using the msedge.exe process. The analyst linked this event to the alert as well.

Search for the related events for each incident alert allows the analyst to identify the entire attack chain.

Page top
[Topic 245884]

Step 11. Recording the causes of the incident

You can record the information necessary for the investigation in the incident change log.

Example

Based on the results of the search for incident-related events, the analyst identified the causes of the incident and recorded the results of the analysis in the Change log field in incident details to pass the information to other analysts.

Page top
[Topic 245885]

Step 12. Incident response

You can perform the following response actions:

  1. Isolate the asset from the network.
  2. Perform a virus scan.
  3. Prevent the file from running on assets.

    The listed actions are available if KUMA is integrated with Kaspersky Security Center and Kaspersky Endpoint Detection and Response.

    Example

    The analyst has information about the incident-related assets and the indicators of compromise. This information helps select the response actions.

    As part of the incident being considered, it is recommended to perform the following actions:

    • Start an unscheduled virus scan of the asset where the file was added to autorun.

      The virus scan task is started by means of Kaspersky Security Center.

    • Isolate the asset from the network for the period of the virus scan.

      The asset isolation is performed by means of Kaspersky Endpoint Detection and Response.

    • Quarantine the ChromeUpdate.bat file and create the execution prevention rules for this file on other assets in the organization.

      An execution prevention rule for a file is created by means of Kaspersky Endpoint Detection and Response.
Page top
[Topic 245887]

Step 13. Restoring assets operability

After the IT infrastructure is cleaned from the malicious presence, you can disable the prevention rules and asset network isolation rules in Kaspersky Endpoint Detection and Response.

Example

After the investigation, response, and cleanup of the organization IT infrastructure from the traces of the attack, restoration of the asset operation can be started. For this purpose, the execution prevention rules and the network asset isolation rules can be disabled in Kaspersky Endpoint Detection and Response if they were not disabled automatically.

Page top
[Topic 245889]

Step 14. Closing the incident

After taking measures to clean up the traces of the attacker's presence from the organization's IT infrastructure, you can close the incident.

Page top
[Topic 245916]