
Support Analysis Suggestions in Approaches #4

Open
lo-chr opened this issue Aug 13, 2023 · 2 comments
Comments

@lo-chr

lo-chr commented Aug 13, 2023

Expected Behavior

The project should support the description of "analysis suggestions" in the approach definition file. I would propose a new subsection suggestion under the view section.

There are cases where typical (malicious) activity has similarities from one threat actor to another. It would be helpful to integrate such hints, so that analysts can get an idea of what to look for.

Actual Behavior

Feature not included.

Steps to Reproduce the Problem

not applicable

Specifications

  • Version: 1.0.0
  • Platform: not applicable
@obsidianforensics obsidianforensics self-assigned this Aug 13, 2023
@obsidianforensics obsidianforensics added the enhancement New feature or request label Aug 13, 2023
@obsidianforensics
Contributor

Hi there, thanks for the suggestion. I've published the Markdown version of the DFIQ specification: https://dfiq.org/contributing/specification/

I see a few places where an analysis suggestion could fit:

  • the Analysis Steps section
  • the Facet description field

Could you take a look and let me know if either fits what you intended with suggestion?

I've put some similar "suggestion"-type bits in some Facets (like the example in the Spec) that inform the analyst what to look for. This was my attempt at an informal "modifier" for the Questions - rather than have different questions for looking for a lot of file downloads at once, or look for only one file download, or even for periodic file downloads, to just have one "file downloaded" question, and then the analyst modify their analysis to fit the Facet.

@lo-chr
Author

lo-chr commented Sep 3, 2023

Hey, thanks for the effort and the updated documentation! Unfortunately, I'm not sure if one of the suggested fields really solves the issue:

  • The description field in the Facet (in the example) now contains two pieces of information in one field:
    • The description of the Facet: "Staging" refers to the collection of data of interest onto a local system, as a precursor step for future exfiltration of that data.
    • The approach for how to analyze the underlying data: When reviewing data from Questions in this Facet, look for unusual volumes of results (number or size of files downloaded or sent, for example).
  • Integrating the information in every step of an approach file leads to redundancy: I can think of examples where the "analysis hints/suggestions" are not limited to one or two analysis platforms.
    Example: I would always consider a RunKey that starts a program from User/[...]/AppData/ as suspicious. I would not want to duplicate this information for every analysis platform but document it in a dedicated field.

Hope this makes sense. :-)
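As an added illustration (not part of this issue, the commenters' text, or the DFIQ project's code): the RunKey heuristic from the comment above, written as a platform-independent check that could back a single "suggestion" entry rather than being repeated per analysis platform. The sample Run-key values are constructed for this example, and the SUGGESTION mapping is a hypothetical shape for the proposed field, not DFIQ 1.0 syntax. Note that the heuristic intentionally flags legitimate per-user installers too (OneDrive below); it is a hint for the analyst, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample: Run-key values as they might appear in a registry export.
# Usernames, paths and program names are invented for this example.
SAMPLE_RUN_KEYS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\alice\AppData\Roaming\svchost.exe -silent",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Loader": r"%APPDATA%\Temp\loader.exe",
    "Rundll": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,EntryPoint",
}

# Hypothetical shape of the "suggestion" subsection proposed in this issue,
# linking a human-readable hint to a reusable check. Not DFIQ 1.0 syntax.
SUGGESTION = {
    "description": "Run keys that start a program from a user profile's AppData "
                   "directory are suspicious regardless of analysis platform.",
    "check": "runkey_target_in_appdata",
}

# Two ways a per-user AppData location shows up in Run-key values:
# an expanded profile path, or an unexpanded environment variable.
APPDATA_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE),
    re.compile(r"^%(APPDATA|LOCALAPPDATA)%\\", re.IGNORECASE),
]

# Host processes whose first argument is the module that actually runs.
HOST_PROCESSES = ("rundll32.exe", "regsvr32.exe")


def extract_program_path(value: str) -> str:
    """Return the program path from a Run-key value.

    Handles a quoted path followed by arguments, an unquoted path followed by
    arguments, and host processes (rundll32/regsvr32) given by bare name, where
    the loaded module is the path of interest. A host process given by a full
    quoted path is returned as-is; that edge case is left to the analyst.
    """
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    first, _, rest = value.partition(" ")
    if first.lower() in HOST_PROCESSES and rest:
        # rundll32 syntax is "<dll>,<entrypoint>"; keep only the module path.
        return extract_program_path(rest.split(",", 1)[0])
    return first


def runkey_target_in_appdata(value: str) -> bool:
    """True when the program started by a Run-key value lives under AppData."""
    path = extract_program_path(value)
    return any(p.match(path) for p in APPDATA_PATTERNS)


def flag_suspicious(run_keys: Dict[str, str]) -> List[str]:
    """Names of Run-key values that the AppData suggestion would highlight."""
    return sorted(name for name, v in run_keys.items() if runkey_target_in_appdata(v))


if __name__ == "__main__":
    print(SUGGESTION["description"])
    for name in flag_suspicious(SAMPLE_RUN_KEYS):
        print(f"  {name}: {extract_program_path(SAMPLE_RUN_KEYS[name])}")
```

The check is deliberately independent of where the Run-key data came from (a Plaso timeline, a raw hive parse, an EDR export), which is the point lo-chr makes: the hint belongs in one place, and each analysis platform only needs to supply the value string.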
