Here are 5 cyber security ideas to improve your analysis and understanding which will take no more than 10 minutes of your time.
1. Inspect all events with a sliding scale – Good, Suspicious, Bad
One of the easiest, and worst, mistakes an analyst can make is to be too firm in their judgement. I train analysts, and myself, to use a freely sliding scale when inspecting events, packets, and binaries. This scale moves between known good, suspicious, and known bad as uncovered evidence supports a “goodness” or “badness” final judgement.
It is natural to come to premature conclusions when analyzing data. Many preach against this. I have never known a perfectly objective human. This discounts our naturally occurring and helpful ability to make quick judgments and drive our desire for more data and evidence. Instead, we should preach against the analyst who is hasty in a final judgement and unwilling to accept and synthesize new evidence in either direction.
2. Be willing to accept suspicious
There will be many times when after hours or days of work and collaboration the best judgement is that the event, packet, log entry, or binary, etc. is still not known as either “good” or “bad.” An analyst must be willing to accept this unknown middle ground of “suspicious” where final judgement is elusive. There will be times when there is not enough evidence either way nor is it likely more evidence will be uncovered (e.g. that purged critical log file, the company will not provide a missing piece of information, etc.). Be willing to accept suspicious as an answer and reject the pressure to render a final judgement of good or bad.
However, it is important that an analyst is willing to render an informed judgement to decision makers as to where, on the scale, the event lies and what evidence supports that judgement – and more importantly, what evidence supports a contrary judgement.
3. Goodness Outweighs Badness
Some of the best cyber security analysts I have known have been network engineers and system administrators – those that best understand how systems and users actually work rather than relying on the hypothetical or documentation. This is because the majority of network activity is good/valid versus bad.
The most valuable skill an intrusion analyst can have is to quickly and accurately identify valid activity and separate the non-valid/malicious/bad activity from the pile. My number one recommendation to upcoming intrusion analysts is not just focus on courses and materials which teach intrusion techniques (e.g. SANS) but to spend an equal amount of time on the RFC‘s and other training opportunities which teach the valid operation and administration of modern networks and hosts.
4. Counter-Intelligence is our closest domain partner
Of all the domains I have studied to further my exploration of intrusion analysis and cyber security it is counter-intelligence which I have found to offer the most insight and parallels to this domain. Others may argue with this but counter-intelligence works in a domain where there is an assumed compromised environment and the focus is primarily on detection and damage limitation when compromise occurs.
Of course, counter-intelligence necessarily breeds paranoia – but that is also a good quality in an intrusion analyst, when balanced with the right amount sanity
5. Document everything and don’t get lost in the “rabbit hole”
In the pursuit of an activity with the gathering of evidence and shifting judgments and hypotheses, things can move quickly. When conducting intrusion activity, document everything – even if it seems irrelevant – you never know when a case will hinge on a small, originally, over-looked detail. In this documentation also record all open questions and hypotheses so that when “going doing the rabbit hole” of analysis towards one hypothesis other lines of analysis are not forgotten or discounted without effective evidence gathering.