Profile picture
, 10 tweets, 2 min read
My Authors
Read all threads
So much of what distinguishes good analysts boils down to doing the work and avoiding familiar data bias. Let me tell you about a tangible way I see this manifest. 1/
Let's say you get an alert that some malware might be on a system. There are a lot of ways to investigate, but at some point that becomes informed by the characteristics of the malware itself. 2/
You've detected one characteristic, now you need to confirm more to see if this is a false positive. Or ideally you can disprove it really quickly by the absence of some characteristics. Either way that means RESEARCH. 3/
This usually means doing some Googling, looking at the blogs, checking threat intel sources you have access to, and looking for public sandbox reports. 4/
So many analysts don't do those things. They get stuck in the routine of familiar data bias. They know how to look at PCAP or a software inventory and those things answer lots of questions, so they rely on them exclusively. 5/
At all times, the existing evidence (includes the initial alert) should guide investigative questions. The array of data sources available to you help answer those questions, they don't guide the investigation. 6/
You should not look at the exact same data sources in response to every alert. That indicates you're probably not doing the research work or your org isn't giving you the data you need to be successful. 7/
Aspiring and existing analysts, heed these words. You will gain proficiency and become distinguished by doing the research to allowing you to ask the best questions. It is the defining part of the job but it doesn't some without effort and practice. 8/
Managers and organization support, heed these words. You will better achieve your defense goals and retain more of your folks if you praise them for doing the effortful reasoning work and engineer tooling/data access to support it. 9/
All that research for individual cases and alerts snowballs over time. It builds a monumental library of heuristics that make future work easier and enables deeper insight. These are the things that define expertise. 10/10
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Chris Sanders

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @chrissanders88 see all

Profile picture
Chris Sanders
@chrissanders88
If you have some leftover training budget or are planning for next year, my online classes through @NetworkDefense are a great bang for your buck and priced for individuals or entire teams. I want to highlight a few of them...
Investigation Theory is my flagship course and many orgs use it as a baseline training for anyone in an investigative role, whether new or experienced (SOC, IR, intel, etc). It's loaded with original research and I built a a custom lab environment to develop your skills.
Practical Threat Hunting brings tangible structure to the threat hunting process, teaching you how to fish rather than just giving you a few random techniques. It includes a VM for labs and raw data if you want to import into your own systems for practice.
Read 7 tweets
Profile picture
Chris Sanders
@chrissanders88
One of the biggest differences I regularly observe between high and low performing SOCs: expectations surrounding the burden of evidence. Assuming the correct question, analysts achieve an evidence-based answer. 1/
If an analyst wants to assert something, they need evidence to support that. If they can't produce that evidence, is that a data, tool, or training problem? All are identifiable and solvable. 2/
Do you know if that downloaded thing executed? How do you know? Can you prove it?

Great SOCs get that answer with supporting evidence. Poor SOCs make excuses about why they don't need that evidence or why it's outside their control. 3/
Read 4 tweets
Profile picture
Chris Sanders
@chrissanders88
Let's talk about forensic evidence specialties. If you work on the blue team side, you probably feel a lot more comfortable with either host or network evidence. As a matter of fact, vote in this poll and tell me which one. 1/
The evolution of the industry dictated these specialties early on. AV beget host based tools, IDS beget net based tools, and encryption + other things beget more host based tools. Your specialty is likely based in some part by when/where you started your career in this cycle. 2/
Here's the thing though -- you can't be a great investigator without expertise in both host and network-based forms of evidence. It's a false dichotomy that is mostly perpetuated by the way training orgs segment knowledge and the history of the industry. 3/
Read 9 tweets

Related threads

Profile picture
Jae S Um
@jaesunum
A #data informed look at how the #human experience of #lawyering has changed over time.

Just as #clients need better #value propositions, #law firms need better business models. Meaningful #legal #transformation will occur where the two intersect.

legalevolution.org/2019/02/pay-ho…
H/T to @augierakow @robsaccone for the post #inspirelegal 🤓 email chain that #inspired this tweetable.

(Bc I’m a tweetable factory. 🤷🏻‍♀️)
Another reaction to this @wihender post: we NEED to deal with #automation anxiety in #legal.

Legacy models of law practice aren’t built for the pace of #business and volume of #information of the #digital age.

More #hours from more #lawyers can’t be the default answer.
Read 12 tweets
Profile picture
Joseph Stalin
@StalinIsBack
1/8 My favorite #quote by #JosephStalin, which explains the scientific, #DialecticalMaterialist explanation of true freedom in material reality, not just as an abstract ideal. #StalinIsBack #StalinLives #JVStalin #Stalin #StalinQuote #StalinQuotes #Truth #MELS #MarxismLeninism
2/8 Having an #objective, #rational, #ScientificSocialist, #Dialectical, & #Materialist viewpoint allows us to accurately see & evaluate & analyze #Truth & #Reality as they truly materially exist in this universe.
3/8 An idealistic, dogmatic viewpoint, which capitalists have, however, makes one irrational enough to 'see' freedom where freedom stays trapped on a piece of paper while people are oppressed in their actual lived lives.
Read 586 tweets
Profile picture
Naomi Clark [暗悪・直美]
@metasynthie
PRACTICE: Game Design in Detail is starting at the @NYUGameCenter with some opening comments by @flantz! I’ll be live-tweeting a bunch of talks on game design over the next couple days. Feel free to mute #Practice2018 if you’d rather opt out?
First up, social psychologist Daniel Ames of the Columbia biz school on roleplaying exercises for learning how to negotiate #Practice2018
Starting with a few examples of negotiation both simple and complex: two siblings trying to split an orange, pressure from a mother to a daughter to obey tradition at her wedding, an indie developer making an offer to a collaborator #Practice2018
Read 211 tweets
Profile picture
jai
@sillyhobi
pickpocket ◍ yoonkook text au

Jungkook is a pickpocket and one day, he steals Yoongi's phone.
warnings will be added as story progresses. for now, beware of lots of swearing.
this will be a semi-interactive au, because of this i cannot promise updates will be daily. thank you for reading, i hope you enjoy!
Read 342 tweets

Trending hashtags

#machinelearning #CCCP2019 #PRC70 #extreme #PuertoRican #Democrat #InspireXR #BidenIsTrumpLite #TradeWar #Cosmonaut #Vietnam #RedFlag #AntiSemitic #union #nepotism #GoodNews #BoycottGE #decriminalization #TrotskyismIsFascism #positivity #Dialectic #MovementOfMovements #Darwinism #Engels #Haiti
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!