
Leveraging Cognito for Case Management

Terminology

  • Cognito refers to a Vectra Networks headend – a Cognito brain – along with its sensors, installed and in production on a customer premise.
  • Case: A case is an investigation that a team is working on, based on what has been detected. Case data includes PCAPs, detection details and metadata, and other relevant information that Cognito has identified.
  • RBAC: Role Based Access Control
  • PCAP: Files containing packet data captured by Cognito, stored in PCAP format. For more information on PCAP see http://www.tcpdump.org/pcap/pcap.html

Analyst Accounts

For proper workflow management, each analyst should be provided with a distinct Cognito account.  This improves the auditability of syslog output reviews and other relevant analyst activity.

RBAC can be used to control which specific Cognito features and functions each analyst can access.  For example, Tier 1 Analysts may be restricted from creating triage rules, whereas Tier 2 and higher Analysts would have access to triage rule capabilities.

Tags

Tags can be thought of as labels.  They are succinct descriptors that Cognito applies to hosts, to detections, and in some cases, to activities within detections, to aid with categorization and prioritization. Vectra highly recommends the use of precise tagging. Apply tags in orthogonal ways whenever possible.  They can be applied to long-term, short-term, geographical, organizational, departmental, and other perspectives of investigations.  It is important to develop a consistent nomenclature amongst analysts, and to continually strive to “level up” with preciseness and utility when tagging. Accurate and insightful tagging will help later for audits, searches, and reviews.

Strategic Tags

Strategic tags are useful for quick referencing, for metric gathering, and for knowledge transfer.  Tags can use a "Key: Value" format when needed.  A host might have the tags “Role: Domain Controller” and “Business Unit: Finance”. A detection might have tags “Type: Conficker” and “Reason: Pen Test”.

Tactical Tags

Tactical tags are for ephemeral information. Good examples include which red team is attacking from where, which analyst is focusing on a set of detections or hosts, and what’s affecting critical assets vs. what’s affecting less critical ones.  Tactical tags can be deleted during or after investigations. Examples include “WIP – Alice” and “Awaiting: Reimage”.  Tactical tags can impart urgency, or flag the need to be politely uncommunicative regarding specific investigations with the organization.

Notes

Notes can be used to save more detailed case-relevant information about a host or detection.

Links to existing information in SharePoint, Jira, Confluence, or other enterprise data sources can be saved in the notes field of a Cognito detection or host page. Third-party integrations can provide incident information, running process lists, email chains, or other data deemed worthy of inclusion.

Notes can be used together with tags in useful ways. One example is that a detection might have the tag “Awaiting: Email Response”. A note on that detection could include details of who has been asked to respond and by when, and what information the response needs to include. Notes can be dated and signed with the analyst’s username for audit tracking as needed.

Coming on shift with Cognito

Alice begins work for the day with coffee and Cognito; hopefully the only C&C she will see today. Alice logs into her personal account, one that has the role “Tier 1 Analyst”. She is greeted by a dashboard displaying only one host in the Critical quadrant. Clicking through to the host page, she finds one detection each of External Remote Access (ERA), Internal Darknet Scan (IDS), and Automated Replication (AR). She opens each one in a new browser tab. Tags on the host tell her what it is without her needing to look it up in the asset management software: “Role: Payroll Machine” and “Business Unit: HR”.

Looking at the ERA first, she finds a connection to an IP with no domain over a high port. The IDS spans a /20 on TCP port 22, as does the AR, which touches 20 machines. Deeming this something that needs further investigation, she tags each detection with “WIP-Alice”.

Then Alice looks at the PCAPs attached to each detection and begins to pull logs from other security appliances. As she reviews the logs, she copies and pastes all relevant information into the detection notes fields.

When Alice finishes with the PCAPs, she can notify her supervisor, who will assign a Tier 2 Analyst to take a closer look. Alice removes the “WIP-Alice” tag from each detection, replacing it with “Over-to-Tier-2”.
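The tagging and note conventions above (a shared "Key: Value" nomenclature for strategic tags, ephemeral tactical tags, dated and signed notes, and the WIP-to-hand-off swap in Alice's shift) are easy to describe and easy to drift from. The following is an added example, not Vectra code and not part of this article: a small set of Python helpers that enforce those conventions on an in-memory stand-in for a detection. It makes no Cognito API calls; the `CANONICAL_KEYS` allow-list, the `TACTICAL_PREFIXES` set, and the `Detection` class are assumptions chosen for the example.

```python
"""Hypothetical helpers that enforce this article's tagging and note conventions.
They operate on in-memory objects only: no Cognito API is called, and the
allow-listed keys and tactical prefixes are assumptions for the example."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed agreed nomenclature: lower-case lookup -> canonical spelling.
CANONICAL_KEYS = {"role": "Role", "business unit": "Business Unit",
                  "type": "Type", "reason": "Reason"}
# Assumed prefixes that mark a tag as tactical (ephemeral, removable at case close).
TACTICAL_PREFIXES = ("WIP", "Awaiting", "Over-to")
_WS = re.compile(r"\s+")


def is_tactical(tag: str) -> bool:
    """Tactical tags start with one of the agreed prefixes (case-insensitive)."""
    t = tag.strip().lower()
    return any(t.startswith(p.lower()) for p in TACTICAL_PREFIXES)


def normalize_tag(raw: str) -> str:
    """Return the canonical form of a tag, or raise ValueError.

    Tactical tags only get stray whitespace collapsed. Strategic tags must be
    'Key: Value' with an allow-listed key; the key is rewritten to its canonical
    spelling so later searches, metrics and audits match exactly."""
    tag = _WS.sub(" ", raw).strip()
    if is_tactical(tag):
        return tag
    key, sep, value = tag.partition(":")
    if not sep or not value.strip():
        raise ValueError(f"strategic tag {raw!r} must be 'Key: Value'")
    canon = CANONICAL_KEYS.get(key.strip().lower())
    if canon is None:
        raise ValueError(f"unknown key {key.strip()!r}; agree on nomenclature first")
    return f"{canon}: {value.strip()}"


@dataclass
class Detection:
    """Minimal stand-in for a Cognito detection: a tag set plus a notes log."""
    name: str
    tags: set = field(default_factory=set)
    notes: list = field(default_factory=list)

    def tag(self, raw: str) -> str:
        """Apply a tag after normalising it; invalid strategic tags are rejected."""
        t = normalize_tag(raw)
        self.tags.add(t)
        return t

    def note(self, analyst: str, text: str, when: Optional[datetime] = None) -> str:
        """Append a dated, signed note so the notes field doubles as an audit trail."""
        when = when or datetime.now(timezone.utc)
        entry = f"{when.strftime('%Y-%m-%dT%H:%M:%SZ')} {analyst}: {text}"
        self.notes.append(entry)
        return entry

    def handoff(self, analyst: str, to_tag: str = "Over-to-Tier-2") -> set:
        """Replace the analyst's WIP tag(s) with the hand-off tag and log the swap.

        Accepts the dash/en-dash/colon spellings seen in practice (WIP-Alice,
        WIP – Alice, WIP: Alice) so an inconsistent tag does not get orphaned."""
        mine = {t for t in self.tags
                if re.fullmatch(rf"WIP\s*[-–:]\s*{re.escape(analyst)}", t, re.I)}
        self.tags -= mine
        self.tags.add(normalize_tag(to_tag))
        self.note(analyst, f"handed off; removed {sorted(mine)}, added {to_tag!r}")
        return mine

    def close_case(self) -> set:
        """Drop every tactical tag once the investigation ends; strategic tags stay."""
        gone = {t for t in self.tags if is_tactical(t)}
        self.tags -= gone
        return gone


if __name__ == "__main__":
    era = Detection("External Remote Access")
    era.tag("Role: Payroll Machine")
    era.tag("WIP-Alice")
    era.note("Alice", "pulled firewall logs for the high-port connection")
    print("removed:", era.handoff("Alice"), "now:", sorted(era.tags))
    print("\n".join(era.notes))
```

Running the block as a script walks through Alice's hand-off: the WIP tag is removed, "Over-to-Tier-2" is applied, and a signed note records the swap. The allow-list is deliberately strict; a new key such as "Owner" fails until the team adds it to `CANONICAL_KEYS`, which is the point of agreeing nomenclature before tags accumulate.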
