Here are 5 cyber security ideas to improve your analysis and understanding which will take no more than 10 minutes of your time.
1. Inspect all events with a sliding scale – Good, Suspicious, Bad
One of the easiest, and worst, mistakes an analyst can make is to be too firm in their judgement. I train analysts, and myself, to use a freely sliding scale when inspecting events, packets, and binaries. This scale moves between known good, suspicious, and known bad as uncovered evidence supports a “goodness” or “badness” final judgement.
It is natural to come to premature conclusions when analyzing data. Many preach against this. I have never known a perfectly objective human, and preaching against quick conclusions discounts our natural and helpful ability to make fast judgments, which in turn drives our desire for more data and evidence. Instead, we should preach against the analyst who is hasty in a final judgement and unwilling to accept and synthesize new evidence in either direction.
2. Be willing to accept suspicious
There will be many times when after hours or days of work and collaboration the best judgement is that the event, packet, log entry, or binary, etc. is still not known as either “good” or “bad.” An analyst must be willing to accept this unknown middle ground of “suspicious” where final judgement is elusive. There will be times when there is not enough evidence either way nor is it likely more evidence will be uncovered (e.g. that purged critical log file, the company will not provide a missing piece of information, etc.). Be willing to accept suspicious as an answer and reject the pressure to render a final judgement of good or bad.
However, it is important that an analyst is willing to render an informed judgement to decision makers as to where, on the scale, the event lies and what evidence supports that judgement – and more importantly, what evidence supports a contrary judgement.
3. Goodness Outweighs Badness
Some of the best cyber security analysts I have known have been network engineers and system administrators – those that best understand how systems and users actually work rather than relying on the hypothetical or documentation. This is because the majority of network activity is good/valid versus bad.
The most valuable skill an intrusion analyst can have is to quickly and accurately identify valid activity and separate the non-valid/malicious/bad activity from the pile. My number one recommendation to upcoming intrusion analysts is not just to focus on courses and materials which teach intrusion techniques (e.g. SANS) but to spend an equal amount of time on the RFCs and other training opportunities which teach the valid operation and administration of modern networks and hosts.
4. Counter-Intelligence is our closest domain partner
Of all the domains I have studied to further my exploration of intrusion analysis and cyber security it is counter-intelligence which I have found to offer the most insight and parallels to this domain. Others may argue with this but counter-intelligence works in a domain where there is an assumed compromised environment and the focus is primarily on detection and damage limitation when compromise occurs.
Of course, counter-intelligence necessarily breeds paranoia – but that is also a good quality in an intrusion analyst, when balanced with the right amount of sanity 🙂
5. Document everything and don’t get lost in the “rabbit hole”
In the pursuit of an activity, with the gathering of evidence and shifting judgments and hypotheses, things can move quickly. When conducting intrusion analysis, document everything – even if it seems irrelevant – you never know when a case will hinge on a small, originally overlooked detail. In this documentation also record all open questions and hypotheses, so that when “going down the rabbit hole” of analysis towards one hypothesis, other lines of analysis are not forgotten or discounted without effective evidence gathering.
Ethan
I totally agree with your statement about learning how systems behave normally. I have been doing research for some time on security engineering and penetration testing. One of the first things that I found out was that it’s not that easy to hack. It’s not something you can do overnight, and the faster you type does not make you more likely to get in. In fact a secured computer has virtually no vulnerabilities that you can just use out of a program like Metasploit. Not to say that they don’t have vulnerabilities, it’s just that you would have to create your own. Now, I said secured computer, and believe it or not, many of the organizations that I work with have very good security policies, as far as patch management and monitoring is concerned. Yet I was taught that it is uncommon for a company to have good security.
It frustrated me that in all the classes that I have taken, through organizations like SANS, they will come up and show you how to hack boxes, and almost everything they show you will only work if there is no security configured on the box or if they are older systems. For example, there was a large portion in a certain class that talked about null accounts and using them to access a system. That’s good to know, but they should continue to tell you that that was mainly a vulnerability in Windows 2000 and that in later versions of Windows anonymous logins are disabled by default and there is no reason to enable them. I understand that they have to try and get you in the mentality first, but they also give you false notions on hacking and security. And if someone doesn’t go out and try to test the hacking techniques themselves (in a lab of course) as well as security configuration, then they will carry these false notions and make false declarations that an incident happened, when a little more research and knowledge of what was going on would prove otherwise.
For example: We were troubleshooting an issue for a customer and ran Wireshark to see why the connection was continuing to fail with our product. When we attempted to connect, Wireshark would show us the identical behavior that I was taught was a man-in-the-middle attack (I won’t go into details). A little more research using nslookup determined that there was just a duplicate IP configured on the network.
If you just get people who have good analysis skills but little knowledge of the groundwork, it’s about as useful as telling them to analyze tires for defects that will affect the tire’s performance. If they know nothing of tires, then they will declare everything that is not normal as a defect.
Sergio Caltagirone
Great comment. I will use your tire analogy in the future. One challenge is getting security organizations to fund that training as it is not obviously security related.
One thing to remember is that most orgs are not directly compromised any longer but rather through social engineering, phishing, and spear phishing. That is a very easy and effective way to get malware down.
Ethan
That’s funny that you say social engineering. To me the counter to such attacks is user education and awareness. I just saw a post on LinkedIn where some security person said that security education for users is useless and a waste of money. What!?!?!
In some cases he is right; this brings me back to a previous post that you put up, where you have to make sure that security makes sense to users. That requires understanding the logic of computers and the psychology of the users. Security people are way underpaid!!!
My thought is this: The human can be the strongest or the weakest link. A computer can be fooled (after great lengths) by its own logic. Humans have the advantage that they are not always logical.
Moral of the story is: Screw you Vulcans!
🙂