Investigative Forensic Workflow-based Case Study for Vectra and Cyphort
By Jennifer L. Mellone
This paper addresses real-world enterprise Vectra and Cyphort detections and walks through a detailed forensic workflow case study that arrives at conclusive findings. Although the workflow is built around the Vectra and Cyphort commercial detection platforms, it applies equally to security events generated by other commercial or free products. Vectra performs behavioral analysis to detect malicious activity on the network; Cyphort performs malware detection. When Vectra and Cyphort events are raised, the security analyst must drill into them with respect to the target host to determine whether that host was the victim of a malicious attack. This requires an investigative workflow that combines forensic tools with Internet research. Free forensic tools are used for most of the analysis, while the commercial products Bit9 and Carbon Black are used to corroborate the evidence. The workflow is the same whether the findings are ultimately confirmed as true positives or false positives.