Active Response

Always A Bad Day For Adversaries


15 Knowledge Areas and Skills for Cyber Analysts and Operators

Here are some knowledge areas which I consider necessary to conduct effective intrusion analysis and operations. In future articles I will go into further details on how to improve your skills in each of these areas (and link them from here). The knowledge areas are not listed in any particular order.

Every organization’s mission, focus, and needs are different and therefore I don’t pretend to define the ‘perfect’ analyst for any mission.

Critical Thinking and Logic

I will be forthright and say that I consider this skill the most important above all others. It is a gateway skill which allows an analyst to become proficient in many others. It is also the skill upon which I rely for analysts to temper their judgments and make the best decision as to how to approach a problem. Logic is complementary to critical thinking and the two cannot be separated. Without a proper foundation in logic, critical thinking is ineffective.

Critical Reading and Writing

Critical reading is being able to dissect the text of a document to extract the most important information and apply critical thinking skills to that information. Effective/critical writing and documentation refers to writing correctly, logically, concisely, and effectively for your audience (which likely includes yourself). Most importantly, write in an organized manner to help others use their critical thinking skills.

History

As I have said previously: “Study History. It provides perspective.” Works like The Cuckoo’s Egg are a great start; but branch into other areas: military history, biographies of famous leaders, studies of famous events. Learn how others have been able to assess strategic situations, derive tactics, and evolve their strategy in a quickly changing situation. All of these skills are useful in intrusion analysis and incident response. Be able to step back from a situation and apply the lessons others have learned to your own.

Research Methods

In the cyber security domain we face more unknowns than knowns. My favorite saying is “no analyst is an island,” meaning that nobody knows it all and we need to rely on others and the greater community to help solve problems. Therefore, a significant skill is the ability to conduct effective research on hard problems to find existing solutions – preventing, as the saying goes, “recreating the wheel.” This skill, more than any other, will increase your effectiveness and efficiency.

This skill can and should be mixed with the other skills described: critical reading to get through research material more quickly, critical thinking to see through the B.S. and FUD, and effective writing to document your findings so you can use them again in the future.

Analytic Approaches and Methods

When facing any problem, being able to identify and evaluate the various approaches to solving it is invaluable – some would say critical. Being knowledgeable in as many analytic approaches as possible is essential, and being able to create new approaches on the fly is even more valuable.

Learn analytic methods from others.  Look for their mixture of logic, research, tool use, and lines of critical thinking and apply them yourself.

Network Protocol Analysis

Know your network protocols. More importantly, be able to research, analyze, and identify new or previously unknown protocols. Don’t be afraid of packets. Use your research methods and critical reading skills to dissect protocol definitions and RFCs.

Programming

A basic knowledge of and ability to write computer programs is very useful in that it exercises logic skills, helps one better dissect cyber security activities, and allows one to create and/or modify tools quickly as necessary.

Psychology

An understanding of the fundamental theories of psychology is useful when attempting to determine the intent, context, and motivations of an adversary. For example, knowing and being able to apply the fundamentals of Maslow’s Hierarchy of Needs or Operant Conditioning will go towards influencing your adversary through operations to achieve a positive outcome and better protect your network.

See Also: A Hacker’s Hierarchy of Operational Needs based on Maslow’s Theory of Human Motivation

Hacker Tools and Methodology

Obviously, a working knowledge of hacker tools and methodologies is a must.

Binary Reverse Engineering

All hackers use capabilities and tools to achieve their desired effects. Most of these are binaries that either live on command-and-control nodes or are delivered to the target for operations. Having a working knowledge of, and the ability to, reverse engineer a binary is necessary to conducting effective analysis. Even if your organization has dedicated reverse engineers, having this knowledge so you can communicate effectively and ask intelligent questions of those engineers is just as important.

Host-Based Log File and Forensic Analysis

Understanding the internal workings of a host and operating system helps not only in investigations where host data is available but also as a learning tool to understand the adversary’s target environment. This will further inform the analyst by providing greater context for the choices an adversary makes given the host environment.

This knowledge should be coupled with that of hacker tools and methodologies and network and host configuration and administration for full effect.

Network and Host Configuration and Administration

As I’ve said in another post, 5 Intrusion Analysis Ideas in 10 Minutes, I believe that cyber security professionals should be just as proficient in understanding how networks and hosts are administered and configured as in how those systems are attacked.

Signature Writing and Detection Tools

Finding malicious activity on your network is important; being able to track that activity and detect when it returns is imperative. Therefore, analysts and operators should be proficient in their organization’s particular signature and detection tools and learn how to author the best signatures.

It is important to understand not only how a detection tool works but also its biases and limitations – so you know where there are potential false positives and false negatives. This is one of my 20 Questions for an Intrusion Analyst.

Incident Response Methodology

Incident response methodology is obviously a requirement for anybody who is part of the incident response team in their organization. However, incident response should be well known by every intrusion analyst, simply because they will likely be generating documentation and analysis for the incident response team. The better they understand the methodology, the better they can tailor their documentation and feedback to the needs of response and mitigation.

Tools

I am fond of saying, “there is no one tool to rule them all,” meaning no single tool will do everything you need. While I think that cyber security professionals spend too much time becoming proficient in a specific tool-set, I cannot underestimate the criticality of these tools to our profession. However, I believe that overreliance on our tools breeds ignorance of the data the tool is processing, and analysts become unwilling to challenge the output and trust it blindly.

Therefore, it is important to know how to operate and understand the tools that are best for your mission, be it OllyDbg or Wireshark.

Lastly, with a strong or competent programming background, as described previously, you are empowered to write your own tools or improve existing tools for the benefit of the community.

A Hacker's Hierarchy of Operational Needs

All humans have a basic set of needs which they work to satisfy – as described by Maslow in his seminal “A Theory of Human Motivation.” Maslow did not create a true hierarchy. He describes how needs sometimes compete with and/or complement each other. Instead of a strict hierarchy, these needs form dominating preferences or priorities.

It made me question whether there was a cyber operational equivalent: a set of hierarchical needs or requirements necessary for the adversary/hacker to meet their goal. Like Maslow, I do not believe that this hierarchy is necessarily serial in nature; rather, it informs priorities and dominant preferences. Nor do I believe that the needs must necessarily be satisfied in order, serially.

For instance, a hacker may create a capability and then sell that capability, or their skills in using it, to an organization, thereby gaining funding for the rest of the operation. However, while the capability was the first thing achieved in the chain, it was a vehicle to achieve a more basic need: funding.

Basic Necessities: Obviously those things which allow a person to live and work effectively

Funding: Even the most basic funding is required for equipment (computer(s)) and/or purchasing other things like connectivity to the Internet and the like.

Connectivity: A hacker must be connected to a network through which s/he can reach potential targets

Target Vulnerabilities: A hacker must have a set of vulnerabilities and exposures which they can exploit to achieve their goals

Capabilities/Infrastructure: I believe these are both equally important but both are a requirement for operations – the capability to achieve their effect, and the infrastructure to deliver the capabilities to the target victims

Targets: A hacker must have one or more targets which they can use to achieve their intent

Access: A hacker must have access to the target to achieve any effects and ultimately achieve a positive outcome

Outcome: The successful exploitation, attack, etc., which was the entire intent of the hacker

Reward: The reward for their successful operation (fame, fortune, notoriety, etc.)

So, what do you think? Do they map to your understanding of the hierarchy of operational needs of a hacker? How would you use this model?

What is ‘Cyber’?

Recently, a very amusing website launched to ask a very simple question: “will using the prefix cyber make me look like an idiot?” It predicated its response on the answers to three questions: (1) are you a science fiction author, (2) are you about to engage in dirty instant messaging, and (3) are you using the word to engage in scare mongering? You can see the answer to my questions below, based on my everyday usage of the word:

The site is obviously established to poke fun at the growing use of the word cyber to describe many subjects and items. There are many in the computer security/information assurance field who agree with that premise and openly disagree with its use in any form outside of science fiction or dirty instant messaging.

I come from a background in academia and research.  I understand the importance of word choice and usage.  However, I am also aware of the need to adopt a new lexicon when an existing one is not enough.  I believe this is one of those cases.

I too used to abhor the use of the word cyber in the computer security/information assurance/network security domains. However, as I matured in my understanding of the topic, beyond the technical concepts of these fields and into the human factors and psychology of the field, I knew these terms did not adequately describe the full scope of the analysis and operations required to secure computer systems.

The word cyber is necessary.

It is necessary because this field is much larger than just securing technical systems.  It MUST also embrace analysis, psychology, human factors, and aggressive operations (hence the name of the blog – ActiveResponse), amongst others.

The other terms used in this area (e.g. Computer Security, Information Assurance, Network Security, etc.) are all fine and have their place.  But they lack one fundamental aspect: the human.

Cyber originated in our lexicon with Norbert Wiener in his seminal 1948 book Cybernetics, or Control and Communication in the Animal and the Machine. He took the word cyber from the Greek word kybernetes, meaning “steersman” or “governor.” It was further adopted by science fiction authors into cyberpunk and, famously, cyberspace (by William Gibson).

Given the origin of the word, it has not been co-opted. In fact, I believe it is a better term than others in many instances, primarily because it makes humans and operators the central focus of the activities we study – either their offensive exploitation of systems or our defensive reaction or preventative actions. It is all done because computers are tools for humans to operate more effectively in any number of areas. They have no inherent value outside of use by humans. Many of us technical geeks forget that while we are digging into packets or studying architecture diagrams.

Therefore, I will keep using the word cyber proudly knowing that I am using it to keep the human as the central concept in intrusion analysis, information assurance, computer security, network security, or whatever else you want to define to enable humans to use information and communicate more effectively.

Beware Occam’s Razor

Occam’s Razor: A principle that generally recommends that, from among competing hypotheses, selecting the one that makes the fewest new assumptions usually provides the correct one, and that the simplest explanation will be the most plausible until evidence is presented to prove it false.  [Wikipedia]

Intrusion analysts face a unique problem: discovering and tracking adversaries who do not want to be discovered or tracked. These adversaries will take significant action to prevent their operations from being discovered [see Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection for examples]. Metasploit, a common exploitation framework, works hard to keep its tool and modules from being detected and signatured, including by creating a Secure Sockets Layer (SSL) encrypted command-and-control channel.

In this environment, the cyber adversary is using Occam’s Razor against the analyst to elude detection.  Given a set of network traffic or events, an adversary wants any unintended observer to believe their traffic is normal and benign.  An adversary practices Denial and Deception in every packet.

Therefore, if an intrusion analyst relies too heavily on Occam’s Razor to describe a network event as benign while a clever adversary is hiding their activities in that traffic, the adversary wins.

On the other hand, if an analyst does not employ Occam’s Razor effectively in their work, every packet will look suspicious, wasting their precious time on unimportant events.

Richards Heuer’s preeminent work, the Psychology of Intelligence Analysis, describes a very effective framework, Analysis of Competing Hypotheses, for deciding which possible conclusion is best given a set of facts and assumptions. However, a common attack on Heuer’s framework is that an adversary employing Denial and Deception can easily defeat the analyst and have them select the conclusion the adversary wishes rather than the one that best describes the activity.

In the end, an intrusion analyst must use both a questioning and suspicious mind with a modicum of Occam’s Razor.
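As an added illustration (not part of the original post) of the tension above, here is a small scorer in the style of Heuer's Analysis of Competing Hypotheses, with a check for which evidence an adversary practicing Denial and Deception would need to control to flip the analyst's conclusion. The two hypotheses, the evidence about one outbound TLS session, and the scoring weights are all constructed for the example.

```python
# Added example: ACH-style inconsistency scoring plus a deception-sensitivity
# check. Heuer ranks hypotheses by how much evidence CONTRADICTS them, not by
# how much supports them. Hypotheses, evidence and weights are constructed.

CONSISTENT, NEUTRAL, INCONSISTENT = "C", "N", "I"

# Constructed evidence about a single outbound TLS session. Each entry maps a
# hypothesis ("benign" browsing vs. "c2" command-and-control) to how
# consistent that observation is with the hypothesis.
EVIDENCE = {
    "destination is a well-known CDN hostname": {"benign": CONSISTENT, "c2": CONSISTENT},
    "connections recur every 300s +/- 2s":       {"benign": INCONSISTENT, "c2": CONSISTENT},
    "certificate is self-signed":                {"benign": INCONSISTENT, "c2": CONSISTENT},
    "traffic only during business hours":        {"benign": CONSISTENT, "c2": NEUTRAL},
    "client is the user's browser process":      {"benign": CONSISTENT, "c2": INCONSISTENT},
}
HYPOTHESES = ("benign", "c2")
DIAGNOSTIC_WEIGHT = {CONSISTENT: 0, NEUTRAL: 0, INCONSISTENT: 1}


def inconsistency_scores(evidence, hypotheses):
    """Per hypothesis, count the evidence items that contradict it (lower is better)."""
    return {h: sum(DIAGNOSTIC_WEIGHT[e[h]] for e in evidence.values()) for h in hypotheses}


def leading_hypothesis(evidence, hypotheses):
    """Hypothesis with the fewest contradictions, or None on a tie (no call yet)."""
    scores = inconsistency_scores(evidence, hypotheses)
    best = min(scores.values())
    leaders = [h for h in hypotheses if scores[h] == best]
    return leaders[0] if len(leaders) == 1 else None


def deception_sensitivity(evidence, hypotheses):
    """Evidence items that change the verdict if the adversary makes them look
    consistent with every hypothesis (i.e. blends in). Many hits mean the
    conclusion rests on observations the adversary controls, which is the
    Denial and Deception weakness Heuer's critics point to."""
    baseline = leading_hypothesis(evidence, hypotheses)
    fragile = []
    for name in evidence:
        altered = dict(evidence)
        altered[name] = {h: CONSISTENT for h in hypotheses}
        if leading_hypothesis(altered, hypotheses) != baseline:
            fragile.append(name)
    return fragile


if __name__ == "__main__":
    print(inconsistency_scores(EVIDENCE, HYPOTHESES))   # {'benign': 2, 'c2': 1}
    print(leading_hypothesis(EVIDENCE, HYPOTHESES))     # c2
    print(deception_sensitivity(EVIDENCE, HYPOTHESES))  # the two beacon/cert items
```

With the constructed evidence the C2 hypothesis leads, but removing either of two observations the adversary can shape is enough to leave the analyst with a tie, which is the point of pairing Occam's Razor with a suspicious mind.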
