Methodology

The crucial role of analysts for investigations in cybersecurity

Why the role of cyber experts remains essential in the event of an attack, even with automation tools, and the questions to ask in order to investigate effectively.

EDR, XDR, SIEM, SOAR… solutions for detecting security events make it easy to automate a large number of operations, collect data and set up alerts as close as possible to the threat.
Nevertheless, despite the integration of Artificial Intelligence, the role of analysts remains crucial in investigating and tracing the source of an incident, in order to qualify it and take action.

That knowledge of cyber risk sits with the experts: CISOs, SOC teams and the like.

The motives behind an attack are varied and depend on the sector: destabilization, intimidation, sabotage, data theft, ransom…
Cyber attackers are commonly grouped into three categories:

  • hacktivists defending their causes,
  • states that may seek to destabilize governments or countries,
  • and cybercriminals whose motives are purely financial.

So, depending on an organization’s status (public establishment, institution, large group, SMB…), the threat models are radically different, and they define the means to be deployed to deal with them.

In concrete terms, a healthcare establishment is more likely to be hit by ransomware that paralyses its information system, with a ransom demanded to restore it, while a commercial structure is more likely to suffer retaliation in the form of a DDoS attack that takes its merchant site offline.
In other cases, public or private organizations holding sensitive information may be targeted so that the data can be resold on the darknet.

In absolute terms, for any organization, beyond mastering the cyber context, the ability to detect an incident as far upstream as possible is what best contains the risk. What is detected, and when, is crucial to analysts’ investigative work, and EDR is obviously one of the cornerstones of this process.

Security events: understanding what is detected and when

An attacker’s point of entry guides the information to be analyzed.

If a user reports suspicious activity on their workstation, a number of questions arise:

  • Did they open an e-mail attachment?
  • When?
  • Who was the e-mail from?
  • Or did they open a shared document on a common server?
  • Which one?
  • When was the file placed there?
  • By whom?

If a detection tool generates an alert, the first thing to do is to categorize it: what is the action or file that arouses suspicion? When did the incident occur? On which file or part of the IS? Who, if anyone, performed the action?
For example, if an alert is generated when a malicious file is opened, this is a priori the start of the attack, and the host can be isolated quickly.
On the other hand, if unusual behavior is detected on the IS, such as an administrator account executing suspicious actions, this is probably a sign that the attacker has already advanced, and the investigation may take longer to retrace their steps.

For network investigation, probes can be deployed to identify suspicious flows. For example, if a workstation is communicating with a suspicious site: what is the source workstation? What is the flow’s destination? Is this site already classified as malicious? Since when?

Finally, let’s not forget sophisticated attacks, in which an attacker breaks into an information system to steal data by stealth, sometimes going unnoticed for a long time. In this situation, the analyst has to identify traces that have been masked, understand how long the attacker has been present, and find ways of detecting a compromise when the detection tools themselves have been deactivated, and when that happened.

In all cases, aggregating and correlating information is what lets the investigation proceed and the threads be pulled, NCIS, Dr House or Columbo style (depending on the generation). And as mentioned, the earlier a threat is detected, the better it can be contained.
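To make the who/what/when/where questions above concrete, here is an added Python example (illustrative code written for this edit, not code from the original article or from any vendor's product). It correlates constructed EDR, mail-gateway, file-share and proxy events onto one timeline, flags the suspicious ones, walks back from the first flag to the delivery vector (the attachment or the shared file, and who it came from), checks a flagged destination against a threat-intel list including "since when", and then qualifies the picture as initial access (isolate fast) or post-compromise activity under an administrator account (longer investigation). The log format, field names, detection rules, threat-intel entries, host names and account names are all assumptions made up for the example.

```python
"""Correlate EDR, mail-gateway, file-share and proxy events into one timeline.
Illustrative code added to this article; formats, rules and events are constructed."""
import shlex
from datetime import date, datetime

# Constructed threat-intel feed: domain -> date it was classified malicious.
THREAT_INTEL = {"updates-cdn.example.net": "2024-03-02"}
# Constructed list of privileged accounts: suspicious activity here means the attacker has advanced.
ADMIN_ACCOUNTS = {"svc-backup", "adm-jdoe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
LATERAL_TOOLS = {"psexec.exe", "wmic.exe"}

# Constructed sample events, one key=value record per line (not a real product format).
SAMPLE_LOGS = """\
src=mail ts=2024-03-04T08:58:10 to=p.martin@corp.example from=billing@invoices.example.net attachment=Invoice_2024.docm
src=edr ts=2024-03-04T09:01:32 host=WS-0427 user=p.martin parent=outlook.exe image=winword.exe cmd="Invoice_2024.docm"
src=edr ts=2024-03-04T09:01:45 host=WS-0427 user=p.martin parent=winword.exe image=powershell.exe cmd="-enc JABjAG0AZAAg"
src=proxy ts=2024-03-04T09:01:50 host=WS-0427 user=p.martin dst=updates-cdn.example.net bytes=48213
src=edr ts=2024-03-04T11:20:05 host=FS-01 user=svc-backup parent=services.exe image=psexec.exe cmd="-s cmd.exe"
"""


def parse_events(text):
    """Normalize every source onto one clock: a list of dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        if fields["src"] == "mail":  # recipient mailbox -> account name as the EDR sees it
            fields["user"] = fields["to"].split("@")[0]
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def suspicious(event):
    """Return why an event is suspicious (the 'what' question), or None."""
    if event["src"] == "edr":
        if event["parent"] in OFFICE_APPS and event["image"] in SCRIPT_HOSTS:
            return f"{event['parent']} spawned {event['image']}: likely malicious document"
        if event["image"] in LATERAL_TOOLS:
            return f"remote-execution tool {event['image']} launched"
    if event["src"] == "proxy" and event["dst"] in THREAT_INTEL:
        since = date.fromisoformat(THREAT_INTEL[event["dst"]])
        age = (event["ts"].date() - since).days
        return f"flow to {event['dst']}, classified malicious since {since} ({age} days earlier)"
    return None


def find_entry_point(events, first):
    """Walk back from the first suspicious event: which document was open, and how did it arrive?"""
    doc = None
    for e in events:  # most recent office document opened by that user before the alert
        if (e["src"] == "edr" and e["ts"] <= first["ts"]
                and e["user"] == first["user"] and e["image"] in OFFICE_APPS):
            doc = e["cmd"]
    if doc is None:
        return None
    for e in events:  # then: was it an e-mail attachment, or a file dropped on a share, and by whom?
        if e["ts"] > first["ts"]:
            break
        if e["src"] == "mail" and e["attachment"] == doc:
            return {"via": "email", "file": doc, "from": e["from"], "to": e["user"], "when": e["ts"]}
        if e["src"] == "share" and e["path"].endswith(doc):
            return {"via": "share", "file": doc, "path": e["path"], "placed_by": e["user"], "when": e["ts"]}
    return {"via": "unknown", "file": doc}


def investigate(log_text):
    """Aggregate, correlate, then qualify: initial access or already post-compromise?"""
    events = parse_events(log_text)
    findings = [{"ts": e["ts"], "host": e.get("host", "-"), "user": e["user"], "why": why}
                for e in events if (why := suspicious(e))]
    if not findings:
        return {"stage": "nothing-suspicious", "findings": [], "entry_point": None,
                "hosts": [], "action": "close the alert"}
    first = findings[0]
    hosts = sorted({f["host"] for f in findings})
    admin_hits = [f for f in findings if f["user"] in ADMIN_ACCOUNTS]
    if admin_hits:  # an admin account acting suspiciously: the attacker has already advanced
        stage = "post-compromise"
        action = (f"isolate {', '.join(hosts)} and retrace what {admin_hits[0]['user']} "
                  f"did before {admin_hits[0]['ts']}")
    else:  # the first alert is the malicious file itself: isolate that host quickly
        stage, action = "initial-access", f"isolate {first['host']} now"
    return {"stage": stage, "entry_point": find_entry_point(events, first),
            "findings": findings, "hosts": hosts, "action": action}


if __name__ == "__main__":
    report = investigate(SAMPLE_LOGS)
    for f in report["findings"]:
        print(f"{f['ts']}  {f['host']:8} {f['user']:12} {f['why']}")
    print("entry point:", report["entry_point"])
    print("stage:", report["stage"], "->", report["action"])
```

Run it directly to print the report for the constructed sample. In a real SOC the same logic lives in SIEM or XDR correlation rules rather than a script; what the example is meant to show is the order of operations an analyst follows: first put disparate sources on one clock, then flag events, then walk backwards from the earliest flag to the delivery vector, and only then decide how much of the IS to isolate.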

The role of detection tools and, above all, cyber experts

Faced with the threat, detection and remediation tools are essential, and human expertise is crucial to getting the most out of them. The role of cyber experts remains to:

  • identify the most appropriate risk prevention solutions,
  • configure detection rules,
  • operate and supervise the tools,
  • create and maintain whitelists,
  • analyze alerts and contextualize them in order to intervene if necessary (investigate, block, isolate, remedy…).

Conclusion: tools facilitate the work of experts, who remain irreplaceable

As you will have understood, tools facilitate the work of analysts, but they are not intended to replace them. Knowledge and understanding of context, and interactions with an organization’s stakeholders, remain their domain.

Even with the development of AI? Yes, more than ever! AI makes it easier to surface information, but that information still needs to be analyzed in the light of business knowledge. AI will be able to support analysts by:

  • bringing disparate elements together and identifying weak signals;
  • contextualizing analysis by automatically identifying correlations, either between similar attacks or between behaviors;
  • coping with changing threats through re-training;
  • adding new methods to complement those based on detection heuristics.

In short, while detection can be automated, humans still hold the business knowledge, and capabilities that a machine will never be able to match, such as:

  • analyzing and clarifying the context of an alert;
  • setting up crisis units (decision-making, business, technical) to take the decisions needed to manage a crisis;
  • defining the actions to be taken and organizing the internal and external response in the event of an attack;
  • understanding the impact of an attack on the organization, and thus choosing to isolate all or part of the IS;
  • correlating ideas and information to lead the investigation, and having the epiphanies that push you to explore new or unexpected avenues!
