Abstractions are something analysts have to deal with in lots of forms. Abstraction is the process of taking away characteristics of something to represent it more simply. So, what does that look like? 1/
Well, speaking broadly, let's say that I tell you I had scrambled eggs with parsley and tarragon for breakfast. You can probably picture that very clearly in your mind and it will be fairly accurate to reality. However... 2/
What if I just tell you I just had eggs? Or that I just had breakfast? Your perception of reality may differ greatly from what I actually ate. The abstraction increases opportunity for error.

3/
Opportunity for error is the key phrase here.

Let's consider some analyst-relevant examples related to abstraction...

4/
Consider examining a log of a user account changing some firewall rules. You look up the human associated with the account and it's someone in IT. That's expected behavior for that role, so you dismiss it.

However...

5/
An account is an abstracted representation of a human user. Just because it represents the human does not mean that they always control it. The abstraction creates an assumption.

6/
In another example, consider examining the behavior of an individual host that you identify by its IP address. All of a sudden, the host starts behaving completely differently without a clear cause. Suspicious, right?

However...

7/
It turns out the original host lost its DHCP lease during the time of your query. You've actually changed the host you're looking at without realizing it. The IP address is an abstraction of a host, and that mapping is subject to change. Abstractions can mask changes.
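One way to check the IP-to-host abstraction from the DHCP example, as an added illustration that is not part of the original thread: re-key each IP-based event to the machine that actually held the lease at that time, and flag the point where the lease holder changed. The lease records, event lines, hostnames and MAC addresses are constructed sample data.

```python
from datetime import datetime

# Constructed sample data (not from the original thread). DHCP lease events
# record which machine (MAC, hostname) took an IP and when; EVENTS are the
# IP-keyed observations the analyst is reviewing.
DHCP_LEASES = [
    ("2023-05-01T08:00:00", "10.0.1.50", "aa:bb:cc:00:00:01", "ws-finance-07"),
    ("2023-05-01T13:15:00", "10.0.1.50", "aa:bb:cc:00:00:02", "lab-scanner-02"),
]
EVENTS = [
    ("2023-05-01T09:10:00", "10.0.1.50", "HTTP GET intranet.example"),
    ("2023-05-01T12:30:00", "10.0.1.50", "SMB connect fileserver"),
    ("2023-05-01T13:40:00", "10.0.1.50", "TCP SYN sweep 10.0.2.0/24"),
    ("2023-05-01T14:05:00", "10.0.1.50", "TCP SYN sweep 10.0.3.0/24"),
]

def host_for_ip(leases, ip, ts):
    """Return (mac, hostname) holding `ip` at ISO time `ts`, or None.
    Assumes a lease event starts an assignment that lasts until the next
    lease event for the same IP (no explicit release records)."""
    when = datetime.fromisoformat(ts)
    holder = None
    for lease_ts, lease_ip, mac, hostname in sorted(leases):
        if lease_ip == ip and datetime.fromisoformat(lease_ts) <= when:
            holder = (mac, hostname)
    return holder

def resolve_events(events, leases):
    """Re-key each IP-based event to the physical host that held the IP."""
    return [(ts, ip, host_for_ip(leases, ip, ts), desc) for ts, ip, desc in events]

def identity_changes(events, leases):
    """Flag consecutive events on one IP whose lease holder differs: what
    looks like one host changing behaviour is really two machines."""
    changes, last = [], {}
    for ts, ip, host, _desc in sorted(resolve_events(events, leases), key=lambda e: e[0]):
        if ip in last and last[ip][1] != host:
            changes.append((ip, last[ip][0], ts, last[ip][1], host))
        last[ip] = (ts, host)
    return changes

def name(host):
    return host[1] if host else "unknown"

if __name__ == "__main__":
    for ts, ip, host, desc in resolve_events(EVENTS, DHCP_LEASES):
        print(ts, ip, name(host), desc)
    for ip, t0, t1, h0, h1 in identity_changes(EVENTS, DHCP_LEASES):
        print(f"{ip}: holder changed between {t0} ({name(h0)}) and {t1} ({name(h1)})")
```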

8/
But alas, abstractions aren't universally bad! Consider my research on opening move impact on speed in an investigation. In the same scenario, analysts who had Zeek/Bro data reached a conclusion much faster than those with only PCAP.

Source: chrissanders.org/2016/09/effect…

9/
Zeek is abstracted from PCAP. We don't always need data in its rawest form to make conclusions, and sometimes, all that extra data can significantly slow us down.

10/
We make abstractions in our minds all the time. They are shortcuts, and they are useful. But, if we don't understand the abstraction we might trick ourselves into serious mistakes.

11/
This is another area where I frequently observe a gap between novice and expert analysts. Experts fall victim to abstractions less often because they are aware of them and what they mean. Novices have to learn this, and sometimes do it the hard way.

12/
Some key questions to ask are:

1. Is this representation abstracted from something?

2. What is it abstracted from?

3. How does the source translate to the abstraction?

4. What assumptions do I make when making decisions from the abstraction?

13/
Abstractions are everywhere in digital evidence, and all told, they're a net positive. But, they present the opportunity for error. The path to expertise includes the awareness of such abstractions to prevent the errors frequently associated with them.

14/14
