- The CrowdStrike Incident Response Tracker is a convenient spreadsheet that includes sections to document indicators of compromise, affected accounts, compromised systems and a timeline of significant events
- CrowdStrike incident response teams have leveraged this type of tracker in thousands of investigations
- Download the CrowdStrike Incident Response Tracker Template
Digital forensics and incident response (DFIR) teams are typically tasked with performing complex technical investigations that involve receiving and reviewing system images, memory snapshots, logs and other data sources. This results in volumes of evidence tracking, taskings and technical findings across many workstreams.
Though effective response relies on many elements working harmoniously together, accurately recording and communicating investigative findings is arguably the most critical. One way to do so is to utilize a structured incident response tracker for each investigation that can be used to consolidate and communicate pertinent information in a repeatable fashion. The section below describes how the CrowdStrike Incident Response (IR) Tracker can be utilized and some of the ways it can make managing an incident just a little bit easier.
CrowdStrike IR Tracker Overview
The benefit of using a tool like the CrowdStrike IR Tracker is that it provides a single place for synthesizing key incident information, including:- A consolidated incident timeline that forms the basis of the incident narrative
- Incident indicators (e.g., IP addresses, domain names, malware names/hashes, registry entries, etc.)
- Affected account details and systems of interest
- Incident metadata such as key contacts, meeting details, collected evidence items and incident-related requests and tasks
- Investigation Notes: Area for tracking investigation information such as related incident tickets, conference room and teleconference bridge details, etc.
- Contact Info: External and internal contact information for relevant response personnel
- Timeline: Chronological list of attacker activity and related events
- Systems: Systems accessed or compromised by the threat actor(s)
- Accounts: Accounts exposed or compromised by the threat actor(s)
- Host Indicators: File names, directory paths, cryptographic hashes, registry entries, etc., of interest to the investigation (more detail provided below)
- Network Indicators: External IP addresses, URLs, domain names, user agent strings, etc., of interest to the investigation (more detail provided below)
- Request and Task Tracker: Area for tracking incident-related requests and tasking
- Evidence Tracker: Area for tracking evidence collected during the investigation
- Forensic Keywords: Incident-specific keywords to facilitate forensic analysis
- Investigative Queries: Incident-specific queries for SIEM, log correlation and investigative platforms to facilitate investigative analysis
Host Indicators Tab
First, the Host Indicators tab is used to record the suspected and confirmed host indicators of compromise (IOCs) for the incident. Common examples of host indicators include file names and paths, file hashes, file sizes, service names and registry keys. Having this information readily available for the investigation teams speeds up the analysis and investigation processes. Recording host indicators in a single location gives the team the ability to search for these across additional data sets and pivot to associated indicators from further analysis, and it provides inputs for detection and prevention tools such as a security information and event management (SIEM) or endpoint detection and response (EDR) platform. The short extract shown above provides the investigation team with the context they need to further their collection and analysis of the incident. Given what we can see above, it is a fair assessment that anything found in the “C:\Logs” path is highly suspicious and should be collected for analysis. Other teams can also search for evidence of these host indicators with their tools using the various keys that have been recorded.Network Indicators Tab
Another tab in the CrowdStrike IR Tracker is the Network Indicators tab where the network-related indicators are recorded. An example of just 10 network indicators is shown in Figure 2. Keeping a consolidated list of network indicators simplifies searching additional data sets for the same indicators, helps responders understand what blocks they may want to put in place in the network perimeter, ensures they have an up-to-date list of known network indicators in their SIEM, and pivot to additional threat actor activity from these indicators.Timeline Tab
The consolidated incident timeline is arguably the biggest benefit of the CrowdStrike IR Tracker. The consolidated incident timeline provides a place for responders to track all relevant incident information, including, but not limited to:- Suspect account login times and source and destination system(s)
- File creation, modification, deletion and access times
- Process creation, start and stop times
- Registry key creation times
- Network connections
- Firewall events
- EDR events
- Who: can be evident from the tactics, techniques and procedures (TTPs) identified, but not always possible
- What: impacted systems and data
- Where: impacted systems and networks
- When: earliest and most recent evidence of threat actor activity, as well as key events in between
- Why: can be evident from the TTPs identified, but not always possible
- How: the TTPs of the incident
Conclusion
With this consolidated and organized information, we can focus on helping the organization identify the impact to business assets, and in conjunction with legal counsel, identify any regulatory reporting requirements. The CrowdStrike IR Tracker also helps ensure that the root cause of the incident gets identified, so your organization can remediate the vulnerabilities that were exploited and led to the incident.To make the incident easier to understand for business, we often create attack diagrams or graphical timelines from the consolidated Timeline tab. CrowdStrike often creates these diagrams to succinctly explain incidents for clients that have experienced extensive data breaches of hundreds of systems or over multiple years.
Finally, it is recommended to use an online collaboration spreadsheet technology such as Office 365 or Google Sheets. Using collaboration tools provides an efficient means for different people to update an online document concurrently and minimizes the risk of versioning issues. Data is also updated in near real time, which helps teams communicate effectively. Some of the repetitive copy and paste tasks can be automated with the scripting features provided by the collaboration technology, but we will leave that for a follow-up blog, and we are happy to hear your ideas on how to minimize the effort on keeping the tracker up to date. The CrowdStrike IR Tracker itself is not a panacea to cure all ills of the IR process, but rather a tool that, if used correctly, can greatly increase efficiency of collaboration between individuals and teams. Like all tools, it must be used correctly, and one of the key tenets of the CrowdStrike IR teams is our “tracker hygiene.” We know that if the CrowdStrike IR Tracker is not maintained then the results are going to be poor. The tracker gives back, but it can only give back from the effort that is put into it by ALL team members, ALL of the time. Maintaining the tracker for the incident takes work and discipline, but it is our belief that it is very much worth the effort. CrowdStrike is sharing the CrowdStrike Incident Response Tracker Template
to give the DFIR community a starting point for collecting and recording incident artifacts in a consolidated and organized fashion. It is our hope that this resource is a useful baseline for building upon within your own organization, or when an IR tracker is needed on short notice.
Additional Resources
- To request more information or speak with a CrowdStrike Services representative, complete and submit this form.
- Learn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.
- Get a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV performs against today’s most sophisticated threats.