Upon notification of potential malware infection, SOC analysts tend to spend more time trying to confirm the malware infection, whereas IR/DF analysts tend to assume infection and move toward understanding impact.
Usually, this results in different investigative actions. Confirming infection focuses more on the leading portion of the timeline relevant to the current event. Exploring impact focuses more on the trailing portion of the timeline.
Sometimes the investigative actions can look the same, but that depends on the malware and how the infection presents. Even with similar investigative actions, the intent is different.
I don't think this is too surprising given the nature of the roles and where they come into the process. But, it's food for thought on how the specialties mold folks' initial approach and where some additional assumptions creep in.
While this research comes from a study focused on experts, I contrast this with my inexperienced analyst students. They also tend to initially focus on impact (across all disciplines) rather than confirming the initial infection. But, for different reasons...
First, they don't know how to confirm infections. They haven't gotten comfortable with the work of doing the research, choosing high-quality resilient artifacts, and doing those lookups in evidence. It *can* be easier to focus on "what's next?" rather than "How did we get here?"
Second, inexperienced analysts often put a lot of (too much) faith in the detection source. Particularly in the case of IDS, they haven't yet grasped that an IDS alert is a question in and of itself, and not an answer. This effect is larger with new/novel signatures.
The natural thing for inexperienced analysts to want to do is jump to the worst case scenario and begin investigating that thing. After all, the bad thing is very bad! But, that's usually a bad idea for at least three reasons. 1/
First, all investigations are based on questions. You use existing evidence to drive questions whose answers you pursue in evidence. If there is no evidence that indicates the very bad thing, you are probably jumping the gun by looking for it. It's a reach. 2/
Second, the very bad thing is often very hard to investigate. Exfil is a prime example. The techniques for investigating and proving data exfil are often time-consuming and cognitively demanding. Now you're distracting yourself from the actual evidence you already have. 3/
Over and over again, I observe that highly skilled analysts do something that might seem counterintuitive, but is key to their success.
They constantly review the facts -- what they know. That's the current timeline and the relationships they've uncovered.
Inexperienced analysts resist this sometimes because it feels like it takes up a lot of time. But it's worth the time. This is where analysts discover timeline gaps, identify new investigative questions, and prioritize their next move.
As you might imagine, revisiting the facts depends highly on documenting what you know when you come to know it. That's a habit that gets formed over time but can form faster if you understand the value and are deliberate about it.
For threat hunting, a non-trivial amount of the work is referencing, creating, and updating system and network inventory. This doesn't get talked about enough as a skill set that someone develops. 1/
Threat hunting is all about finding anomalies that automated detection mechanisms don't find. That means manual anomaly detection, which sometimes means weeding out things that are normal. 2/
For example, let's say you discover a binary that runs in the middle of the night on a host and that's weird! So, you eventually search for the prevalence of that behavior and see it running on other hosts in that department. 3/
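The prevalence lookup described above can be sketched as follows. This is an added example, not part of the original thread; the inventory, host names, binary paths, event records, and triage labels are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory: host -> department (hypothetical names).
INVENTORY = {
    "fin-ws01": "finance", "fin-ws02": "finance", "fin-ws03": "finance",
    "hr-ws01": "hr", "hr-ws02": "hr", "eng-ws01": "engineering",
}

# Constructed process-execution events: (ISO timestamp, host, binary path).
EVENTS = [
    ("2021-01-12T02:14:00", "fin-ws01", r"C:\Apps\ledgersync.exe"),
    ("2021-01-12T02:15:30", "fin-ws02", r"C:\Apps\ledgersync.exe"),
    ("2021-01-13T02:14:05", "fin-ws03", r"C:\Apps\ledgersync.exe"),
    ("2021-01-12T14:02:00", "hr-ws01", r"C:\Apps\ledgersync.exe"),
    ("2021-01-12T03:41:00", "eng-ws01", r"C:\Users\Public\upd.exe"),
    ("2021-01-12T10:00:00", "hr-ws02", r"C:\Windows\System32\notepad.exe"),
]

def night_prevalence(events, inventory, binary, start_hour=0, end_hour=5):
    """Per department: (hosts running `binary` at night, hosts in inventory)."""
    totals, seen = defaultdict(set), defaultdict(set)
    for host, dept in inventory.items():
        totals[dept].add(host)
    for ts, host, path in events:
        hour = datetime.fromisoformat(ts).hour
        if path.lower() == binary.lower() and start_hour <= hour < end_hour:
            # Hosts missing from inventory are surfaced, not silently dropped.
            seen[inventory.get(host, "UNINVENTORIED")].add(host)
    return {d: (len(h), len(totals.get(d, h))) for d, h in seen.items()}

def triage(prevalence):
    """Label the behavior by how widely it appears (labels are illustrative)."""
    hosts = sum(n for n, _ in prevalence.values())
    if hosts == 0:
        return "not observed"
    if hosts == 1:
        return "single-host outlier"
    if len(prevalence) == 1:
        return "department-wide pattern"
    return "multi-department"

if __name__ == "__main__":
    for b in (r"C:\Apps\ledgersync.exe", r"C:\Users\Public\upd.exe"):
        p = night_prevalence(EVENTS, INVENTORY, b)
        print(b, p, triage(p))
```

The result is only as good as the inventory behind it: a host that is missing or mapped to the wrong department shifts the denominator and can make a normal departmental job look like an outlier, or the reverse.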
Last week I laughed at my wife's playoff football predictions because of her reasons, but then she went 5-1. So, here are this week's predictions and her explanations...
Saturday:
Packers over Rams - "The Packers were in the Pitch Perfect movie"
Ravens over Bills - "Bills is a dumb name for a football team."
Sunday:
Browns over Chiefs - "I'm not excited about either of these teams, but there's not a lot going on in Cleveland so I feel like they need this."
Saints over Buccaneers - "Because that's the team you [I] like."
I'm sad and angry about the insurrection that took place in DC yesterday. I have a lot I want to say at some point, but for now I just want to say this in case anyone following me needs to hear it...
Free and fair elections are the bedrock of democracy. While more should be done to make access to elections easier, the presidential election was fair and the results are valid.
There has been no legitimate evidence that suggests any anomalies remotely close to a scale that would overturn a decisive election result. That's after 62 failed lawsuits and multiple recounts and audits.
I think blue team work poses a greater number of challenges than red team work (there's just so much attack surface). However, I think writing a red team report is inherently harder than writing forensic reports. 1/
In a forensic report, a story already happened and you have to tell it. It takes practice and skill to do that well, but there is less of a creative element. The analyst's burden to elicit an emotional response is smaller. 2/
The events in the report themselves have evoked emotion... pain, sadness, etc. It's not as hard to get folks to take action because they've already felt these things. 3/