5W+H — question to ask when analyzing security incident

When you are analyzing security incident, what is your ultimate goal, what answers you want to get? And why? If you want answers, what would be your questions? Proper questions are essential for getting useful output from your investigation. Asking the right one will give you a chance to get a full picture of the situation and will give a proper base for the next steps.

OK, so what we are talking about. Let’s have look at a set of questions known as 5W+H. Asking 5W+H is not cybersecurity-related. It is a set of proper questions to ask if you want to have a complete view of a problem or situation. This can be a tool for journalists, researchers, police… In general, by anyone, that includes security researchers and analytics.

So let’s go through those questions and see what input to our Incident Response they may provide.

What happened?

Actually, during Incident Response that will be your first question, a trigger for the whole process. Starting from What you are going to build general situational awareness. First What answer will be a base for all next questions. So where it can guide you? At first, you have to understand What does your alert mean. Is it a full story or what we see is just symptoms which need more context? Is incident security-related or is it a failure? Is it webpage defacement or data were stolen? Is this irregularity in users’ outbound transfer or data exfiltration? Is this real incident or false positive.

Next steps, based on answer What will be the decision about if a response is needed and choosing a proper response playbook. What will be also an indicator to assign priority to the incident.

There might be more of 5W during the IR process, and all those should lead to the last What, which will be, hopefully, accurate description of the whole situation and base to appropriate response and post-incident actions.

Where did it take place?

This question is focused on assets or identities affected by the incident. What kind of environment were affected, is it test or prod? What is the location of your assets, internal or hosted? Are identities your own or outsourced? What kind of data was affected, PII, confidential?

Answer for Where is second main factor, together with What in prioritization process. Classification of affected resources determines if other than technical response is needed. I.e. we may need PR and legal department support if there was a possibility of PII data disclosure.

Answer Where points also on log sources which should be analyzed.

When did it happen?

Understanding of incident timeline is crucial in IR. When the incident was detected, When did it started? How its phases maps on Cyber Kill Chain? How much time had an attacker to work on his objectives? Is there a pattern of the attacker “working hours”? How fast he moves on?

Answers for this question may lead to conclusions about several things. How much damage could be done? How much data could be extracted? Is there a time correlation with a specific event like new company project (Why) or phishing campaign (Who).

It also determines the timeframe for logs which has to be examined.

Who did this?

This is usually the hardest question to answer. Clues found during an investigation may point to specific threat actors. But we may never find out Who did it.

Identification of the attacker will support an investigation in several aspects. You can find possible motives and resources in scope of interest of an attacker (Where). You can focus on known TTPs (How) connected with identified threat actor.

Knowledge Who Attacker is will give you an opportunity to decide if there is a possibility to take legal actions against the attacker. This might be especially important if the attack was not random, but targeted on you or you. Especially if you’ll manage to attribute it to a specific entity like your business competitor.

Why did it happen?

On this question you may look from at least two different perspectives.

First perspective is about determining motives of the attacker. Why did he decided to attack us? Were we just random victims or rather attack was targeted? Crosshair on our back is because our organization is from a specific industry or attack was performed or inspired by competitors?

Finding motives may lead us to answer Who. It may also help with identification Where was the interest of an attacker focused.

Second aspect of this question is about finding the root cause of an incident. Why it was possible to happen? Was that technology or process flaw or human error or even intentional action?

When we know Why did an incident occurs, what was a cause we can use this knowledge to find countermeasures. What and how it vulnerabilities can be fixed? How to be better prepared next time to avoid this happens again or at least minimize effects of an incident.

Looking on Why question it is worth mentioning about 5Why method. It may be beneficial especially in the investigation of second aspect of Why question.

How did it happen?

This question focus on TTPs used during the attack. What were tactics, techniques and procedures used during an attack?

This knowledge is closely connected with second Why, finding root cause. It may also help to attribute the attack to an actor (Who).

Some tips.

There is no right order in answering those questions. Often getting an answer on one question gives a clue on the other.

Try to ask all questions at least once. Only this way you will get whole picture.

It is to remember that you may ask all questions many times. You may use them in every moment and for every aspect of your investigation. This approach allows you to build a big picture filled with details up to required level.

Quite often accurate answer for one question depends on other questions answers. Don’t give up. Ask unanswered questions again after a while. Maybe in the meantime, you have found a missing piece of the puzzle.

Not always you will find all answers to your questions. But getting answers is like taking of blindfold. Increasing knowledge about the incident helps in taking better-aimed actions during Incident Response and post-mortem.

So ask the right questions.

Just a security guy.