Threat Vector, Ep 4 | 9.7.23

Mastering IR Sniping: A Deliberate Approach to Cybersecurity Investigations with Chris Brewer

Chris Brewer: Every contact by a criminal leaves a trace. So if it's physical evidence or digital evidence, any time a file is touched or interacted with, there's something that's left behind. [ Music ]

David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to be talking with Chris Brewer about IR sniping. Chris is a Director in Unit 42 and an expert in digital forensics and incident response with decades of experience. Chris, give me the TLDR definition of IR sniping.

Chris Brewer: Yeah. So it's a targeted, deliberate way of approaching an investigation. You can't really go and do a one-host-at-a-time approach. It doesn't work. It works for five, ten bots. When you've got 5,000, 20,000, 30,000, you've got to have that new methodology. And that's where IR sniping comes in. The sniper response methodology is taking a targeted, deliberate approach to an investigation.

David Moulton: Chris, before we get much further into this, I want you to talk about the guiding principles for this methodology.

Chris Brewer: Yeah. There are some foundations there with the guiding principles. These have been around for a very long time. I think it's kind of the -- the core piece of any investigation, whether it's a computer investigation, a crime scene, whatever it happens to be. And one of the big ones is the Locard Exchange Principle. Basically, the idea behind that -- every contact by a criminal leaves a trace. So if it's physical evidence or digital evidence, any time a file is touched or interacted with, there's something that's left behind. The other idea for this one is Occam's razor. The simplest explanation is often the right one. It's really easy to get excited. It's, like, oh, it's China or it's Russia or it's APT. Usually it's the simplest explanation there. And the last one is the Alexiou Principle, which is probably new to a lot of folks. But basically that one has four big things. It's: what questions are you trying to answer? What data do you need to answer that question? How do you analyze that data? And then, finally, what does that data tell you?

David Moulton: What about IR sniping helps you do your job better, faster, more effectively?

Chris Brewer: Yeah. So kind of taking that same approach and understanding that, and then focusing on the stuff that the lawyers, that counsel, that the client really care about. And we can kind of summarize that with these basically four big questions. So, what did they take? That's the data exfiltration question. The -- are they still here question. That's, hey, is the bad guy still present inside our environment? The command and control, the IP addresses, domains. And then the third big question is -- where did they go? What's the lateral movement? What all -- what are all the systems that were touched -- what all is impacted here? Did they spread out to ten systems? Are they -- 500 systems? Did they hit our routers and switches as well? It's understanding that -- where did they go? And the fourth big question, usually when you're running an investigation, it kind of answers itself. And that's -- how did they get in? So finding patient zero, identifying how they got into the environment.

David Moulton: Chris, would you say that using IR sniping gives you better results faster in an investigation?

Chris Brewer: Absolutely. When we're running a case, we'll assign workstream leads to look at these questions and then it doesn't matter if you're getting ten hosts today and you've got 500 the next day. When you're taking this deliberate approach, the answers come really fast. So the nice thing about this methodology as well is you're constantly doing a QC of your own review of your own data because you're repeating the questions, you're repeating the steps, and looking at data again as new stuff comes in.

David Moulton: You presented at Cactus Con on IR sniping. What are some of the things you found the audience reacted to the strongest?

Chris Brewer: So taking this approach, most incident response investigations can be solved within about 72 hours when you're taking this targeted, deliberate approach, focusing on the stuff that matters, getting rid of all the extra noise, then focusing on those four big questions.

David Moulton: Chris, tell us where we can find out more about this approach.

Chris Brewer: Cactus Con was a recorded presentation that's out there on YouTube if you want to Google it. Type in Cactus Con 2023. It's out there. I've also got the GitHub link out there as well. Those are great places. Or if you want to talk with me on LinkedIn, I'm always on there as well. [ Music ]

David Moulton: Chris, thanks for sharing where people can learn more about IR sniping. We'll make sure that those are linked up in our show notes. I'm so glad you were able to take time away from the work you're leading at Unit 42 to talk with me today on "Threat Vector." Join us again on the CyberWire Daily in two weeks. In the meantime, stay secure, stay vigilant. Goodbye for now. [ Music ]