One of the things I do in my Investigation Theory course, for those willing, is work with students individually to help them learn to ask better investigative questions. For example, one student started with this Suricata rule:

1/
The task here is to start by asking a couple of investigative questions, assuming you have access to any evidence you might want. This student posed these two:

1. How long has this machine been infected?
2. How many beacons has the machine sent?

2/
In this case, the student is making some assumptions that the machine is already infected, but we don’t really know that for certain yet. The first goal should be proving or disproving the infection.

How do you do that? 3/
For malware, the answer usually involves reading a bit about the malware and figuring out other characteristics you can use to confirm infection.

That’s pretty easy with Poison Ivy! So, I recommended that to the student. 4/
The student did some general digging on PI and pulled out some broad capabilities of the malware. They asked:

“Has this malware stolen any sensitive information?”

This still needs some work.

5/
So, PI can be used to steal information, but this isn’t specific or actionable enough to investigate. A good investigative question is something you can answer directly with evidence.

So, I gave some examples from another scenario and encouraged more specific PI research… 6/
They did some digging and found that when PI goes through an auth proxy it may write a registry key where it writes sniffed auth information (the link in the rule mentions this). That’s something we can work with! 7/
With that in mind, they came up with these two questions:

1. Does the proxy use basic authentication?
2. Has a registry key been written to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BJ\STATIC\MessageFile?
8/
This is good!

Now, even if the answer is no to both, PI might still be on the box and this may not be enough to dismiss the alert.

So, I pushed the student a bit…assuming the answer is no, how else could you prove the existence of PI malware on the system? 9/
Again, the key is specific and actionable. In this case, the student started with, “Are there any suspicious processes running on the system?”

10/
That's not a horrible question, but it's broad and a bit more appropriate to ask when you've run out of other leads.

So, for the student, how can you make this question more specifically relevant to PI?
11/
The key here, again, is the research.

They made quick work of this one and looked up a list of common process names for PI. The question then became: “Is there any evidence of processes launching or running using $list_of_process_names associated with Poison Ivy?”

12/
This is great because it’s easily answerable! Running process list, Windows logs, EDR logs, whatever you have.

It’s super actionable, speaks to the validity of the alert, and can identify something critical on the timeline.

13/
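As an added worked example (not code from the thread or from Chris Sanders), here is how the two evidence-based questions above, the registry artifact from tweet 8 and the process names from tweet 12, could be answered on a live Windows host in PowerShell. The registry path is the one quoted in the thread; the process-name list is left as a parameter because the thread does not list the names, and since the thread only says "key", MessageFile is checked both as a subkey and as a value under STATIC.

```powershell
<#
  Added example, not code from the thread. Run from an elevated PowerShell prompt on the
  host the Suricata alert points at. Answers:
    - Has HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BJ\STATIC\MessageFile been written?
    - Is there evidence of processes running or launching under names associated with PI?
  Assumptions: $ProcessNames is filled from your own Poison Ivy research (the thread does not
  list them); MessageFile is checked as a subkey and as a value because the thread says "key".
#>
param(
    [string[]]$ProcessNames = @()   # the $list_of_process_names from your research
)

# --- Question 1: the registry artifact -------------------------------------
$parentKey = 'HKLM:\SOFTWARE\Classes\BJ\STATIC'
$subKey    = Join-Path $parentKey 'MessageFile'

$keyHit   = Test-Path -LiteralPath $subKey
$valueHit = $false
if (Test-Path -LiteralPath $parentKey) {
    $props    = Get-ItemProperty -LiteralPath $parentKey -ErrorAction SilentlyContinue
    $valueHit = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains 'MessageFile')
}
[pscustomobject]@{
    Check     = 'HKLM\SOFTWARE\Classes\BJ\STATIC\MessageFile'
    SubkeyHit = $keyHit
    ValueHit  = $valueHit
}

# --- Question 2: process evidence -------------------------------------------
if ($ProcessNames.Count -eq 0) {
    Write-Warning 'No process names supplied; fill $ProcessNames from your Poison Ivy research.'
    return
}
# Normalise to lower-case base names without .exe so every evidence source compares the same way.
$wanted = $ProcessNames | ForEach-Object { ($_ -replace '\.exe$', '').ToLowerInvariant() }

# (a) What is running right now
Get-Process | Where-Object { $wanted -contains $_.ProcessName.ToLowerInvariant() } |
    Select-Object Id, ProcessName, Path, StartTime

# (b) What has launched in the past: Security 4688 (only present if "Audit Process Creation"
#     is enabled) and Sysmon event 1 (only if Sysmon is installed). Empty results here are
#     absence of logging, not proof that PI is absent.
$sources = @(
    @{ LogName = 'Security';                             Id = 4688 },
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1    }
)
foreach ($src in $sources) {
    Get-WinEvent -FilterHashtable $src -ErrorAction SilentlyContinue | ForEach-Object {
        $xml   = [xml]$_.ToXml()
        # 4688 carries the path in NewProcessName, Sysmon event 1 in Image
        $image = ($xml.Event.EventData.Data |
                  Where-Object { $_.Name -in @('NewProcessName', 'Image') }).'#text'
        if ($image) {
            $base = [IO.Path]::GetFileNameWithoutExtension($image).ToLowerInvariant()
            if ($wanted -contains $base) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated   # goes straight onto the investigative timeline
                    Log         = $src.LogName
                    EventId     = $_.Id
                    Image       = $image
                }
            }
        }
    }
}
```

Save it as, say, Check-PoisonIvy.ps1 (hypothetical name) and run `.\Check-PoisonIvy.ps1 -ProcessNames 'name1.exe','name2.exe'` with the names from your research. The TimeCreated column is what makes the second question feed the timeline rather than only validating the alert. As the thread notes, a "no" on both checks does not dismiss the alert: the malware may be running under a different name or inside another process, so these are first leads, not the last ones.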
These aren’t the only questions you’d ask in this investigation or where you'd likely start, but that’s okay. The point of this exercise is taking a stab at investigative questions and refining. We do this in the first week of the class.

14/
Great analysts ask great questions that leverage existing evidence, are specific, and have a high likelihood of revealing some interesting relationship or part of the investigative timeline. This is a craft we continually develop.

15/
It surprises some folks that I interact with every single student who chooses to in Investigation Theory, but that is what makes it an actual class and not just a bunch of videos. You get the opportunity for feedback and to push yourself.

16/
If you want to learn to ask better investigative questions, I'm accepting new students now. The journey begins here: networkdefense.co/courses/invest….

17/17

Thread author: Chris Sanders (@chrissanders88)