Investigative Frameworks

Seth Thompson
Jan 21, 2024


With so much data being available to modern investigators, one of the biggest challenges we face is figuring out which pieces of information are important and which ones are a waste of time. That’s where investigative frameworks come into play. These frameworks have a drastic impact on the success or failure of any inquiry and understanding the concepts surrounding the framework tool is a fundamental skill all investigators should possess.

What Is An Investigative Framework?

Investigative frameworks are roadmaps used to direct the course of an investigation. Just as street maps help us get from one physical location to another, frameworks serve a similar purpose. They help us focus our investigations and progress them from start to finish in a structured and orderly fashion that we can report on and that our clients can easily understand. Most of us were first exposed to investigative frameworks during middle school when we were taught the 5 W’s of writing a research paper — who, what, when, where, why. These are the questions we were taught to answer and report on during the course of our research. That, in effect, was the framework we were instructed to use.

Why Do We Need Investigative Frameworks?

To answer this question we must first understand the concept of “beginning with the end in mind.” The core function of an investigator is to provide answers to questions posed by a client. “Who shot J.R.?” “Is my employee stealing from me?” “Is my computer infected with malware?” “Is my network susceptible to a cyber-attack?” We conduct investigations to answer questions for the client — that’s the whole point of our job. So it only makes sense to begin an investigation with a deep understanding of what the client’s question actually is to ensure that we gather the right information during our inquiry.

On the surface, the questions of “Who shot J.R.?” or “Is my employee stealing from me?” seem simple enough. The client is asking us to identify the individual who committed the act or to provide a yes/no answer to whether an act is being committed. However, the investigator must then go one step further and determine why the client is asking us to answer these questions. Do they want the knowledge alone (unlikely) or do they intend to take action on that knowledge (more likely)?

For a prosecutor asking the question of “Who shot J.R.?”, they would generally want to press charges against the person we identify. They will need some very specific pieces of information to do so. Understanding what each of these required pieces of information is at the outset of the investigation will ensure that we gather all the information needed during the inquiry to allow the client to take action on our findings.

For a CEO asking the question of “Is my computer infected with malware?,” they would likely want to understand how it became infected, what data has been compromised, what other devices in their organization might be compromised, and (most importantly) how to prevent similar infections in the future. So then, choosing the proper investigative framework at the beginning of the investigation will allow us to provide a more comprehensive assessment of the circumstances to the client which they can then utilize to achieve their ultimate goals.

How To Select The Correct Framework

Selecting the correct framework for any given investigation will depend almost entirely on the purpose of the investigation itself. That is, what question(s) are you trying to answer and how will these answers ultimately be used by the client? This is the starting point for framework selection. It is only after understanding these key points that a framework should be selected (or built from the ground up).

While the Manual of Model Criminal Jury Instructions, Section 11 — Conspiracy would serve as an excellent framework to investigate a criminal organization for the purpose of prosecuting its members in federal court, it wouldn’t work well at all for a cyber intel analyst seeking to identify which specific threat actors are actively attacking their client’s organization with the goal of understanding common TTPs (tactics, techniques, and procedures) used by those actors and concrete steps the client can take to protect their infrastructure against the same. Some combination of the Diamond Model of Intrusion Analysis, Cyber Kill Chain, and MITRE ATT&CK would be much more useful for this purpose.

Sometimes It Takes Two (or more)

It’s always important to remember that there are no hard and fast rules for utilizing frameworks during investigations. They are simply tools the investigator can use to make life easier. And just as you can’t build a house with a hammer alone, sometimes it takes more than one framework to build out an investigation.

Take for instance a routine cybersecurity investigation undertaken for the purpose of strengthening network defenses. We might be asked to identify the top three threats to our existing infrastructure and provide recommendations to harden the network against them. In this case, it would be a good idea to use the Diamond Model of Intrusion Analysis as a starting point to help us focus on the four basic elements of an intrusion — adversary, capability, infrastructure, and victim.

Using Diamond, we could come at the issue from a variety of angles. Which adversaries are targeting victims in our same sector? What capabilities (i.e., tools) are they using? Which parts of our infrastructure are vulnerable to those capabilities? What infrastructure are the adversaries using? After getting a handle on these initial questions, we might bring in the Cyber Kill Chain as a second framework to understand how the questions we formulated using Diamond apply to the different phases of our adversaries’ attack lifecycle — reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and action on objectives.

The Kill Chain would help us drill down on how the answers to the questions posed by Diamond change as our adversaries move through the different stages of a cyber attack. Their utilization of publicly available social media infrastructure to harvest employee biographical and contact information during the reconnaissance phase of the attack would differ from their use of compromised email accounts belonging to financial service organizations during the delivery phase. We would likely again see a change of infrastructure utilized during the command and control phase as they would have set up dedicated C2 servers to control all assets compromised during the attack.

After we get a handle on the answers to our Diamond questions as they relate to each phase of the Kill Chain, it would be time to drill down even further into the technical details of how each part of the attack is carried out so we can provide recommendations for mitigation to our client. For this, we would turn to MITRE ATT&CK as a third framework to give us specific details about processes our client might want to monitor (or disable altogether) in order to strengthen their systems against known TTPs of the attackers.

For instance, if we have found the attacker to commonly use unsigned executables (T1036) during the malware installation phase, we might recommend that our client implement application control software to block the execution of unsigned executables across their environment (M1038). Using ATT&CK, we could provide similar recommendations for our findings as they relate to each phase of the Kill Chain.
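The three-framework workflow above, as an added example that is not part of the original article: Diamond Model events are tagged with the Kill Chain phase they were observed in and an ATT&CK technique ID, the top techniques are ranked by how many distinct adversaries use them, and each is mapped to a mitigation. The observations, adversary names and the technique-to-mitigation table are constructed; only T1036 and M1038 come from the article, the other IDs are assumed from the public ATT&CK catalogue.

```python
# Added example: combining Diamond Model events, Kill Chain phases and
# ATT&CK technique/mitigation IDs into a hardening recommendation list.
# All observations are constructed; T1036 -> M1038 comes from the article,
# the remaining technique/mitigation IDs are assumed from public ATT&CK.
from collections import defaultdict
from dataclasses import dataclass

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command and control", "action on objectives"]

@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond Model event: the four vertices, the Kill Chain phase it
    was observed in, and the ATT&CK technique describing the capability."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    phase: str
    technique: str

# Constructed sample observations following the scenario in the text.
EVENTS = [
    DiamondEvent("ActorA", "profile harvesting", "public social media",
                 "our sector", "reconnaissance", "T1589"),
    DiamondEvent("ActorA", "phishing email", "compromised finserv mailboxes",
                 "our sector", "delivery", "T1566"),
    DiamondEvent("ActorA", "unsigned executable", "dedicated C2 servers",
                 "our sector", "installation", "T1036"),
    DiamondEvent("ActorB", "unsigned executable", "rented VPS",
                 "our sector", "installation", "T1036"),
    DiamondEvent("ActorB", "HTTPS beacon", "rented VPS",
                 "our sector", "command and control", "T1071"),
]

# Technique -> mitigation lookup (M1038 from the article; others assumed).
MITIGATIONS = {"T1036": "M1038", "T1566": "M1017",
               "T1071": "M1031", "T1589": "M1056"}

def top_threats(events, n=3):
    """Rank techniques by the number of distinct adversaries using them."""
    actors = defaultdict(set)
    for e in events:
        if e.phase not in KILL_CHAIN:
            raise ValueError(f"unknown Kill Chain phase: {e.phase}")
        actors[e.technique].add(e.adversary)
    ranked = sorted(actors.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(t, len(a)) for t, a in ranked[:n]]

def recommendations(events, n=3):
    """For each top technique: its mitigation and the phases it was seen in."""
    phases = defaultdict(set)
    for e in events:
        phases[e.technique].add(e.phase)
    return [(t, MITIGATIONS.get(t, "M-UNMAPPED"),
             sorted(phases[t], key=KILL_CHAIN.index))
            for t, _ in top_threats(events, n)]
```

Ties are broken by technique ID so the report is deterministic; a technique missing from the mitigation table is flagged as unmapped rather than silently dropped.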

So when it comes to using frameworks, investigators are only limited by their knowledge of the existing models that are out there, as well as their creativity in combining multiple frameworks to achieve the purpose of the investigation.

Always remember to begin your investigations with a clear understanding of where you want to go with them, what questions you want to answer, and — most importantly — how those answers are going to be used by the client. By keeping all of this at the front of your mind throughout the investigation, you’ll end up with a much better product at the end.
