The Painful Process of Removing False Positives During Incident Response

January 22, 2014

In today’s Whiteboard Wednesday, Jason Weiss, an Engineer at Rapid7, will discuss the topic, “The Painful Process of Removing False Positives During Incident Response”. 

Jason talks about the painful process of going back and forth between systems to try to piece together evidence that will give a security team insight into who may have committed a risky action on their network.

Threat investigation should be much simpler for security teams. With InsightIDR you are able to automatically detect malicious behaviour across your network, mobile devices, and even the cloud services that your employees use. You can then drill down to the user level to see which person took the action. Check out InsightIDR to see how we make threat investigation much easier for security teams.

Video Transcript

Hi, I'm Jason Weiss with Rapid7. Today's Whiteboard Wednesday has us looking at the painful process of removing false positives from a security investigation.


I'm a big fan of Post-it notes; Post-it notes are awesome. You can leave a Post-it note to remind yourself that you've got a doctor's appointment. You can leave a Post-it note to remind yourself to get your lunch before you go to work. You can leave a Post-it note with your pass, no, no, no, don't write your password on a Post-it note. That's not what they're meant for.

You know, while we're at it, Post-it notes aren't meant to be used for cyber security investigations either.

Let's work through a real-world scenario here. My IPS tells me that it detected some malicious behavior at this IP address. Well, when I detect that threat, I might have to go put a Post-it note up that says, "Oh, I've got a new threat that I need to investigate."

Well, in order to figure out who owns that IP address, I need to log into my SIEM to go find the host name. There's another Post-it note, right? Take that IP address, go over to the SIEM, and find out what the host is.

Well, I find out the host's name. Well, that's still not telling me who actually committed the malware intrusion that my IPS detected. So now I've got to take that host information, and I've got to go over to my asset management system. I've got to log in there, another Post-it note, and find the name of the user who perpetrated this vicious attack at this IP address.

Well, once I find out the user, I've got to go to Active Directory. I've got to log into Active Directory only to find out the name of the user is Swilard, and he is a member of engineering.

Well, now I've got all my facts, I can pick up the phone, call over, and find out what's going on. But, man, good grief, that was a ton of freaking work just to figure out who actually was crazy enough to go to that malicious IP address in the first place.

Well, in this case, the engineer in question was actually part of a cross-functional team doing some work with marketing. So it actually made sense when he explained it: he was Googling, there was this link, he clicked it, but he knew enough not to fill out the form, so nothing was lost.

But at the end of the day, I murdered a lot of sticky notes, innocent sticky notes trying to figure out what was going on.

Wouldn't it be great if I actually had all this evidence that was easily collated and made available for me? Hey, here's the DNS query, this is the community threat that we detected at that query, here's the IP address, this is the user, this is the asset, all of that information easily available, almost like a dossier. Single PDF, click download, I've got all the information I need.

That's the kind of stuff we're working on here at Rapid7. Don't spend your time killing sticky notes. Save the sticky notes, we love sticky notes.

That's all for this week, we'll see you next time.
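The pivot Jason walks through (alert IP to host, host to assigned user, user to directory group) is a plain join across four data sources, and it can be scripted once those sources are exportable. The block below is an added example written for this page; it is not code from Rapid7 or the InsightIDR product. The DHCP leases, asset inventory and directory records are constructed sample data, and the field names are assumptions. The practitioner check it adds is that the IP-to-host step must use the lease that was active at the alert time, not the current one: on a DHCP network the same address can belong to a different machine an hour later, and resolving it "now" is one way an investigation lands on the wrong person.

```python
"""Correlate an IPS alert into a single dossier: IP -> host -> user -> groups.

Added example for illustration, not Rapid7 or InsightIDR code.
All records below are constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def ts(s: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed DHCP lease log: (lease start, lease end, ip, hostname).
# Note the same IP is held by two different hosts on the same day.
DHCP_LEASES = [
    ("2014-01-21 08:00:00", "2014-01-21 12:00:00", "10.1.5.23", "eng-laptop-07"),
    ("2014-01-21 12:30:00", "2014-01-21 18:00:00", "10.1.5.23", "mkt-desktop-02"),
]

# Constructed asset inventory: hostname -> assigned username.
ASSETS = {
    "eng-laptop-07": "swilard",
    "mkt-desktop-02": "jdoe",
}

# Constructed directory export: username -> (display name, group memberships).
DIRECTORY = {
    "swilard": ("S. Wilard", ["Engineering", "Cross-Functional-Marketing"]),
    "jdoe": ("J. Doe", ["Marketing"]),
}


@dataclass
class Dossier:
    """Everything the analyst needs in one place, plus any unresolved steps."""
    alert_ip: str
    alert_time: str
    hostname: Optional[str] = None
    username: Optional[str] = None
    display_name: Optional[str] = None
    groups: list = field(default_factory=list)
    gaps: list = field(default_factory=list)


def host_at(ip: str, when: datetime) -> Optional[str]:
    """Return the hostname that held `ip` at time `when`, or None.

    The lease window is half-open [start, end) so an alert exactly at a lease
    boundary is attributed to the lease that starts there, not the one ending.
    """
    for start, end, lease_ip, host in DHCP_LEASES:
        if lease_ip == ip and ts(start) <= when < ts(end):
            return host
    return None


def build_dossier(alert: dict) -> Dossier:
    """Walk the pivot chain for one IPS alert of the form {'ip': ..., 'time': ...}.

    Each lookup that fails is recorded in `gaps` rather than raising, so the
    analyst sees exactly which manual step is still needed.
    """
    when = ts(alert["time"])
    d = Dossier(alert_ip=alert["ip"], alert_time=alert["time"])

    d.hostname = host_at(alert["ip"], when)
    if d.hostname is None:
        d.gaps.append("no DHCP lease covered the alert time; manual lookup required")
        return d

    d.username = ASSETS.get(d.hostname)
    if d.username is None:
        d.gaps.append(f"{d.hostname} is not in the asset inventory")
        return d

    record = DIRECTORY.get(d.username)
    if record is None:
        d.gaps.append(f"{d.username} is not in the directory export")
        return d

    d.display_name, d.groups = record[0], list(record[1])
    return d


def render(d: Dossier) -> str:
    """Format the dossier as the one-page summary an analyst would print."""
    lines = [
        f"Alert: {d.alert_ip} at {d.alert_time}",
        f"Host at that time: {d.hostname or 'UNRESOLVED'}",
        f"Assigned user: {d.username or 'UNRESOLVED'}",
        f"Display name: {d.display_name or 'UNRESOLVED'}",
        f"Groups: {', '.join(d.groups) or 'UNRESOLVED'}",
    ]
    lines.extend(f"GAP: {g}" for g in d.gaps)
    return "\n".join(lines)


if __name__ == "__main__":
    for t in ("2014-01-21 09:15:00", "2014-01-21 14:00:00", "2014-01-21 12:15:00"):
        print(render(build_dossier({"ip": "10.1.5.23", "time": t})))
        print()
```

Run as-is, the three alerts resolve to the engineering laptop, to the marketing desktop, and to an explicit gap for the fifteen-minute window between leases. The third case is the one worth keeping in the design: a correlation that silently picks "whoever has that IP now" would have pinned the first alert on the wrong host, and a dossier that records the unresolved step is more useful than one that guesses.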
