How could #Apple have missed this escalation to their PSIRT, you're asking?

Today, let's talk about "Analyst Fatigue".

Analyst Fatigue is a term to describe a bias which begins to set in after a long period in a type of job where you receive many escalations to triage.
Think about "vulnerability reporting" email addresses for a company that size. Do you know how many issues they get daily? Probably a LOT. Many, if not most, of these will be poor quality. For example:
-example bad vuln report-
Issue: "Complete compromise of search homepage."
Steps to reproduce: "1) Save copy of index.html, 2) Edit with your javascript code, 3) Open modified index.html in browser, 4) OMG I owned search!"
Now, the analysts watching this queue have to sift through tons of these to find real serious issues to escalate internally. The fatigue sets in and they all start to look alike.

Now imagine you're an analyst doing triage and you get the following report in:
Issue: "I can spy on anyone with Facetime."
Description: "Step 1) Call a friend Step 2) Add your own phone number to the call Step 3) You can listen in on the call"

As a fatigued triage analyst, I can EASILY see how someone would mis-read and mis-escalate that.
"Oh geez", they might say, "Shock. You added yourself to your own Facetime call and can hear the call? No kidding."

*files as false positive / poor report*

This is an easy mistake for a triage analyst to make. Now - I keep using the words "Triage Analyst". Why?
It turns out this repetitive, frustrating, mostly routine work isn't something you can staff with a senior or staff engineer. Not only will they not want to do that all day, they CANNOT do that all day because the work is too low on their ladder.
A senior or staff engineer who spent an entire quarter triaging vuln reports would get a horrible performance review, because the work they'd done doesn't match their expectations of performance in complexity.

So this job must be done by more junior level engineers.
What's all this add up to?

Junior level engineers as the first level of triage, becoming fatigued from too many false positives, and missing a real escalation.

This is a problem endemic in Security. Not just PSIRTs, but Detection & Response too. Also called "Alert Fatigue".
One good Blog article about Alert Fatigue: alienvault.com/blogs/security…
"The fix for this, then, is to make the Triage folks all senior engineers and PUT it on their ladder!" I can hear you saying.

WRONG. Senior engineers would quit that job so fast their chairs would follow the cavitation vacuum out the door with them.
Besides, you think Senior people are immune to analysis fatigue? Heck no! It's a human nature thing, not a tech thing.

So anyway what I'm saying is, this is a MUCH harder problem to solve than a simple glance at this mis-escalation can give the full picture of.
Solving the issue of a big tech company missing an important issue, even if it was reported to their PSIRT, requires finding a way to deal with human nature itself and curtailing analysis fatigue _in addition to_ all the great procedural things @k8em0 can teach you.
Thread by Matt Linton.