From recent research...

Upon notification of potential malware infection, SOC analysts tend to spend more time trying to confirm the malware infection, whereas IR/DF analysts tend to assume infection and move toward understanding impact.
Usually, this results in different investigative actions. Confirming infection focuses more on the leading portion of the timeline relevant to the current event. Exploring impact focuses more on the trailing portion of the timeline.
Sometimes the investigative actions can look the same, but that depends on the malware and how the infection presents. Even with similar investigative actions, the intent is different.
I don't think this is too surprising given the nature of the roles and where they come into the process. But, it's food for thought on how the specialties mold folks initial approach and where some additional assumptions creep in.
While this research comes from a study focused on experts, I contrast this with my inexperienced analyst students. They also tend to initially focus on impact (across all disciplines) rather than confirming the initial infection too. But, for different reasons...
First, they don't know how to confirm infections. They haven't gotten comfortable with the work of doing the research, choosing high-quality resilient artifacts, and doing those lookups in evidence. It *can* be easier to focus on "what's next?" rather than "How did we get here?"
Second, inexperienced analysts often put a lot of (too much) faith in the detection source. Particularly in the case of IDS, they haven't yet grasped that an IDS alert is a question in and of itself, and not an answer. This effect is larger with new/novel signatures.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Chris Sanders 🍯

Chris Sanders 🍯 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @chrissanders88

2 Apr
The natural thing for inexperienced analysts to want to do is jump to the worst case scenario and begin investigating that thing. After all, the bad thing is very bad! But, that's usually a bad idea for at least three reasons. 1/
First, all investigations are based on questions. You use existing evidence to drive questions whose answers you pursue in evidence. If there is no evidence that indicates the very bad thing, you are probably jumping the gun by looking for it. It's a reach. 2/
Second, the very bad thing is often very hard to investigate. Exfil is a prime example. The techniques for investigating and proving data exfil are often time-consuming and cognitively demanding. Now you're distracting yourself from the actual evidence you already have. 3/
Read 8 tweets
12 Mar
Over and over again, I observe that highly skilled analysts do something that might seem counter intuitive, but is key to their success.

They constantly review the facts -- what they know. That's the current timeline and the relationships they've uncovered.
Inexperienced analysts resist this sometimes because it feels like it takes up a lot of time. But it's worth the time. This is where analysts discover timeline gaps, identify new investigative questions, and prioritize their next move.
As you might imagine, revisiting the facts depends highly on documenting what you know when you come to know it. That's a habit that gets formed over time but can form faster if you understand the value and are deliberate about it.
Read 6 tweets
19 Jan
For threat hunting, a non-trivial amount of the work is referencing, creating, and updating system and network inventory. This doesn't get talked about enough as a skill set that someone develops. 1/
Threat hunting is all about finding anomalies that automated detection mechanisms don't find. That means manual anomaly detection, which sometimes means weeding out things that are normal. 2/
For example, let's say you discover a binary that runs in the middle of the night on a host and that's weird! So, you eventually search for the prevalence of that behavior and see it running on other hosts in that department. 3/
Read 17 tweets
16 Jan
Last week I laughed at my wife's playoff football predictions because of her reasons, but then she went 5-1. So, here are this week's predictions and her explanations...
Saturday:

Packers over Rams - "The Packers were in the Pitch Perfect movie"

Ravens over Bills - "Bills is a dumb name for a football team."
Sunday:

Browns over Chiefs - "I'm not excited about either of these teams, but there's not a lot going on in Cleveland so I feel like they need this."

Saints over Buccaneers - "Because that's the team you [I] like."
Read 4 tweets
7 Jan
I'm sad and angry about the insurrection that took place in DC yesterday. I have a lot I want to say at some point, but for now I just want to say this in case anyone following me needs to hear it...
Free and fair elections are the bedrock of democracy. While more should be done to make access to elections easier, the presidential election was fair and the results are valid.
There has been no legitimate evidence that suggests any anomalies remotely close to a scale that would overturn a decisive election result. That's after 62 failed lawsuits and multiple recounts and audits.
Read 10 tweets
4 Jan
I think blue team work poses a greater number of challenges than red team work (there's just so much attack surface). However, I think writing a red team report is inherently harder than writing forensic reports. 1/
In a forensic report, a story already happened and you have to tell it. It takes practice and skill to do that well, but there is less of a creative element. The analyst's burden to elicit an emotional response is smaller. 2/
The events in the report themselves have evoked emotion... pain, sadness, etc. It's not as hard to get folks to take action because they've already felt these things. 3/
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!