Always A Bad Day For Adversaries

Tag: incident response

The Art of Intrusion Analysis and Incident Response

“In every block of marble I see a statue as plain as though it stood before me, shaped and perfect in attitude and action. I have only to hew away the rough walls that imprison the lovely apparition to reveal it to the other eyes as mine see it.”  Michelangelo (1476-1564)

Michelangelo was once asked how he came to carve such a beautiful statue of an Angel in the Basilica of San Domenico. His response is seen above.

I have many times expressed that intrusion analysis and incident response are more art than science. Expertise lies with experience rather than book knowledge, and gut instinct is invaluable and as likely correct as an educated guess.

I then wondered: if Intrusion Analysis is an art, to which art should it be compared?

I recalled this, one of my favorite artistic quotes, and how aptly it applies to the domain of intrusion discovery and analysis.

In many ways, the answers we analysts seek are in the data. It only requires us to “hew away the rough walls” of the unimportant data, revealing the activity of interest.

I teach many new analysts that to find the new and unknown you must distinguish the old and known, remove that, and you are left with what you are seeking.

Analysts Should Expect the Unexpected

Diocyde tweeted a good but older (2009) article about hiding malicious executable code (malware) in the Windows Registry: Malware IN the Registry a.k.a. if it can’t be Done, Why Am I Looking At it?

The post is a good description of what almost all incident responders/intrusion analysts encounter regularly: Is that right?  How could that be?  Hey [analyst sitting in the next cubicle] is this what I think it is?

After 9 years of intrusion analysis in various organizations, I can say that this happens to me very regularly.  Now, I expect the unexpected.  Not much surprises me any longer.

However, it is fun to watch a new analyst come upon these things while I, nonchalantly, describe what they are seeing and how cool it is. They are always astonished at the tactics of the adversaries and the lengths to which they will go.

While we should always expect the unexpected, we should never lose our respect for the adversary and their ability to find new ways to astound and confound us.  For when we lose that, we blind ourselves.
