One of my biggest pet peeves during the investigation process is hearing these words: “Did you ask the user?”
In my Think Like An Analyst series, I go over several ways to help come to a conclusion for an alert. I talk about slowing down, asking questions, changing perspectives, and comparing data. The one thing I don’t discuss, and avoid if possible, is asking the user a question. I cringe when this avenue is brought up as part of the investigation process. I feel like it’s the equivalent of asking the user to do your job. The only thing that makes these questions worse is when they’re brought up early in the triage process.
So why don’t I care for this question? One reason is that I often see an analyst use it to get an easy win, and it might just do that, but you lose so many opportunities to grow. For example, say you get an alert for “suspicious PowerShell,” you see the alert came from an administrator account, and you would expect that person to run PowerShell. Let’s say your first reaction is to reach out to the user and ask, “We got this suspicious PowerShell alert from you at 1:32 pm. Do you know what this is?” First off, commands and processes can fire off in the background during the installation of a program, and the user might never know that a PowerShell command even ran. Asking the user this question might leave them confused and combative, because you’re accusing them of something they may not know anything about. If they have follow-up questions for you, and you haven’t gone through any of the investigation process, you might struggle to answer them. This could leave a bad taste in the user’s mouth, and if you ever REALLY need help from them in the future, they might have a negative opinion of you.
Second, what have you learned from asking the user this question? Have you gained any additional knowledge by doing so? Will you be able to triage this alert faster and more accurately next time? Of course not; by asking this question in the early stages of an investigation, you’ve glossed over the PowerShell command without deciphering it yourself. You’ve lost the opportunity to learn and possibly understand what it was doing. I’m not saying you need to interpret the whole command (it could be pretty lengthy), but take 5–10 minutes and break it down: the switches it was launched with, whether the payload was encoded, and which cmdlets it called. Learn some of the commands, and the next time you run across something similar, you’ll be able to determine what it’s doing much more quickly and whether it’s typical for your environment.
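Breaking the command down yourself is faster with a small helper that does the mechanical part: pull out the launch switches worth noticing, decode an `-EncodedCommand` payload (PowerShell expects UTF-16LE text, base64-encoded), and list the cmdlets and URLs the script actually references, so you can judge whether they are normal for your environment. The script below is an added example written for this post, not code from the original article; the command line it examines is constructed inline (a harmless registry query of the kind an installer might run under a made-up `HKLM:\SOFTWARE\ExampleVendor\Agent` key) so it runs offline without a real alert.

```python
import base64
import re

# Constructed sample: a harmless registry query of the kind an installer might run.
# The vendor/key path is made up. It is encoded below exactly the way powershell.exe
# expects (UTF-16LE, then base64), so the decoder is exercised on realistic input.
SAMPLE_SCRIPT = (
    "Get-ItemProperty 'HKLM:\\SOFTWARE\\ExampleVendor\\Agent' | Select-Object Version"
)


def build_sample_cmdline():
    """Return a constructed command line resembling what an EDR records for the alert."""
    encoded = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
    return (
        "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
        f"-EncodedCommand {encoded}"
    )


def _switch_name(token):
    """Normalise '-NoP', '/nop', '-noprofile' to 'nop', 'nop', 'noprofile'; None if not a switch."""
    if token and token[0] in "-/":
        return token.lstrip("-/").lower()
    return None


def decode_encoded_command(cmdline):
    """Find -EncodedCommand (or any accepted prefix: -e, -ec, -enc, ...) and decode its value.

    Returns the plaintext script, or None if the switch is absent or the value is not
    valid base64 / UTF-16LE.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = _switch_name(tok)
        if name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage_powershell(cmdline):
    """Summarise the parts of a PowerShell command line an analyst should read
    before deciding whether it is routine for the environment."""
    tokens = cmdline.split()
    notes = []
    for i, tok in enumerate(tokens):
        name = _switch_name(tok)
        if not name:
            continue
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        # powershell.exe accepts unambiguous prefixes of its switch names.
        if len(name) >= 3 and "noprofile".startswith(name):
            notes.append("profile skipped (-NoProfile)")
        elif (name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name))) and nxt == "bypass":
            notes.append("execution policy bypassed")
        elif "windowstyle".startswith(name) and nxt == "hidden":
            notes.append("hidden window")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        notes.append("encoded command decoded")
    # Read cmdlets and URLs from the decoded script when there is one, else the raw line.
    script = decoded if decoded is not None else cmdline
    cmdlets = list(dict.fromkeys(re.findall(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b", script)))
    urls = re.findall(r"https?://[^\s'\"]+", script)
    return {"decoded_script": decoded, "notes": notes, "cmdlets": cmdlets, "urls": urls}


if __name__ == "__main__":
    for key, value in triage_powershell(build_sample_cmdline()).items():
        print(f"{key}: {value}")
```

Run against a real command line from your EDR or Sysmon event 1 data, the `notes` and `cmdlets` lists are the five-minute read the paragraph above asks for: if every cmdlet is one your software deployment tooling normally calls, you have an answer without involving the user; if not, you now know exactly which line to dig into next.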
The last negative of asking this question is that you’re not using the tools. While investigating, you might have to change your perspective on the alert, which might require you to use another tool. By using other tools, you become more familiar with what they’re capable of doing and what they don’t do. One of the worst feelings is working on an incident only to find missing logs, for example in your SIEM. Do you just stop an investigation because of it? Absolutely not; maybe you go to an EDR, internal documentation, or your ticketing system. You might be surprised by what you can find in other locations, but an active incident is not the best time to be learning that. You want to be as fluent and familiar with the tools as possible before a stressful time like an incident.
Now, I won’t say there won’t be a time and place when you need to ask the user for more information. I have done it myself, but I leave it as a last resort or as a confirmation of what I see in the data, not something at the start of an investigation. It can be hard to restrain yourself from asking the user, especially if you’re struggling. If you have time, though, these moments of struggle are when you’ll grow to be a better analyst. I would also encourage you to ask coworkers for additional help before contacting the user who generated the alert. The next time you have an urge to “just ask the user,” I challenge you to ask yourself: have you looked at all the systems you could to get an answer? Try looking into just one more system for the data before you reach out to that user. Take the opportunity to learn something you didn’t know, even if you end up asking the user for more information. Over the days, weeks, and even months that you do this, you’ll be stronger as an analyst.