Compromised systems

In this scenario, an organization is alerted that one or more of its systems was compromised by an advanced cyber attack technique such as a watering hole, phishing, brute force, or SQL injection.

Objectives

To solve the problem in these investigations, the organization has these objectives:

  • Determine the extent of the compromise within the organization.
  • Understand the type of operational risk of the compromise on each system.
  • Uncover any peripheral actions that the initial attack took to circumvent cleanup activities and detection.

Investigation

Use the tools on the Forensics tab to help you investigate.

Figure: the options available in the Forensics tab to help you investigate: document search, Digital Impression, Visualizations, Surveyor, and data pivoting.
  1. Use free-form search to search for a malicious payload or a compromised asset.
  2. Examine suspect content that is flagged by the product.
  3. Use Digital Impressions and Visualizations to explore entity relationships that result from compromised systems.
  4. Use Surveyor to see a timeline of activities so that you can retrace an attack.
  5. Discover inconsistencies or suspicious interactions across data categories by using free-form search, data pivoting, and suspect content.
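The steps above (pivoting on an indicator, mapping which assets the compromise reached, retracing the timeline, and spotting interactions that the attack path does not explain) can be expressed independently of any product. The following is an added illustration, not QRadar Incident Forensics code or its search syntax; it runs over a constructed, fictional event set (RFC 5737 test addresses, made-up host names) and the function names are the author's own.

```python
"""Retrace a compromise from plain event records: pivot on an indicator,
compute time-ordered spread between assets, build a per-asset timeline,
and list sources that touched compromised assets outside that spread path.
Added example; it does not use or model QRadar Incident Forensics APIs."""
from datetime import datetime

# Constructed sample events (fictional). src/dst are hosts or addresses.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "src": "203.0.113.7", "dst": "web01",
     "type": "http", "detail": "GET /login.php (flagged: sqli pattern)"},
    {"ts": "2024-05-01T09:00:05", "src": "203.0.113.7", "dst": "web01",
     "type": "http", "detail": "POST /upload.php"},
    {"ts": "2024-05-01T09:02:10", "src": "web01", "dst": "db01",
     "type": "sql", "detail": "bulk SELECT on users table"},
    {"ts": "2024-05-01T09:03:00", "src": "web01", "dst": "fileserver",
     "type": "smb", "detail": "write admin_tools.exe"},
    {"ts": "2024-05-01T09:04:00", "src": "fileserver", "dst": "198.51.100.9",
     "type": "dns", "detail": "lookup c2.example.test"},
    {"ts": "2024-05-01T10:00:00", "src": "10.0.0.5", "dst": "web01",
     "type": "ssh", "detail": "login ok user=ops"},
]


def parse_ts(value):
    """ISO-8601 timestamp string -> datetime, so ordering is chronological."""
    return datetime.fromisoformat(value)


def sorted_events(events):
    """Events in time order; every analysis below relies on this ordering."""
    return sorted(events, key=lambda e: parse_ts(e["ts"]))


def pivot(events, value):
    """Free-form pivot: every event where the value appears as src or dst."""
    return [e for e in sorted_events(events) if value in (e["src"], e["dst"])]


def spread(events, seed):
    """Extent of the compromise as time-ordered forward reachability.

    An asset is counted as touched only by an event whose source was already
    touched *before* that event, so a connection that predates the attacker's
    arrival on the source does not inflate the blast radius. Returns a map of
    asset -> timestamp at which it was first reached (None for the seed).
    """
    reached = {seed: None}
    for e in sorted_events(events):
        if e["src"] in reached and e["dst"] not in reached:
            reached[e["dst"]] = e["ts"]
    return reached


def timeline(events, entity):
    """Surveyor-style view: ordered (ts, type, src, dst, detail) for one asset."""
    return [(e["ts"], e["type"], e["src"], e["dst"], e["detail"])
            for e in pivot(events, entity)]


def unexplained_sources(events, seed):
    """Sources that touched a reached asset but are not themselves on the
    spread path from the seed. These are not verdicts; they are the
    inconsistencies an analyst reviews for a second access path or a
    foothold the initial alert missed."""
    reached = spread(events, seed)
    return sorted({e["src"] for e in events
                   if e["dst"] in reached and e["src"] not in reached})


if __name__ == "__main__":
    seed = "203.0.113.7"  # indicator from the initial alert (constructed)
    print("Assets reached from", seed)
    for asset, ts in spread(EVENTS, seed).items():
        print(f"  {asset:14} {ts or '(seed)'}")
    print("Timeline for fileserver:")
    for row in timeline(EVENTS, "fileserver"):
        print("  ", row)
    print("Sources to review:", unexplained_sources(EVENTS, seed))
```

The `spread` function is the piece worth keeping: following edges without regard to time would also pull in `10.0.0.5` via `web01`, whereas the time-ordered walk keeps it out of the blast radius and instead surfaces it through `unexplained_sources` as an interaction the known attack path does not account for.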