The most common action an analyst will take is performing a search. Usually in a tool like Security Onion, Splunk, Kibana, and so on. The second most common action an analyst will take is pivoting. That term gets used a lot, but what exactly does it mean? 1/
In the investigative context, analysts pivot when they perform a search in one evidence source, select a value from that search, and use it to perform another search in a different evidence source. 2/ 
For example...
1. An analyst searches in flow data to see who communicated with a suspicious IP.
2. They get a result and identify a Src IP.
3. They search in PCAP data for the Src IP / Dst IP pair to examine the communication. 3/
1. An analyst searches in flow data to see who communicated with a suspicious IP.
2. They get a result and identify a Src IP.
3. They search in PCAP data for the Src IP / Dst IP pair to examine the communication. 3/
Another example...
1. An analyst searches in proxy data to identify visits to uncategorized domains.
2. A result shows a download from an odd looking domain and includes the username of the source.
3. The analyst searches for executions in Windows event logs for this username. 4/
1. An analyst searches in proxy data to identify visits to uncategorized domains.
2. A result shows a download from an odd looking domain and includes the username of the source.
3. The analyst searches for executions in Windows event logs for this username. 4/
One more...
1. An analyst searches in Sysmon logs to find executed files on a host.
2. A result shows an unknown file name and includes a hash.
3. The analyst searches for the file hash in a public sandbox to try and ascertain the file's behavior. 5/
1. An analyst searches in Sysmon logs to find executed files on a host.
2. A result shows an unknown file name and includes a hash.
3. The analyst searches for the file hash in a public sandbox to try and ascertain the file's behavior. 5/
Pivots are how analysts connect evidence sources to answer their investigative questions. Most analysts start to learn this skill by taking simple indicators and searching for them in OSINT reputation sites or Google. 6/
As analysts progress in skill, they start to get better at within-realm pivoting. Things like connecting flow to PCAP, an app log to an OS log, one threat intel source to another, and so on. 7/
When I say realm, I'm referring to how I classify different evidence sources into 1 of 6 realms (not going to detail those here). 8/
Over time, analysts get better at cross-realm pivoting. That might include things like going from a proxy log to a Windows event log, going from the registry to a file, or going from an event log to memory. 9/
Cross realm pivots take a bit longer to learn because that means understanding a greater diversity of evidence sources. Also, tools don't always support these pivots as intuitively. 10/
Speaking of tools, a defining characteristic of good ones is that they help analysts pivot easier. For example, here's a screenshot from Security Onion where you can pivot to a few different things. 11/
Some tools have done this for a long time, particularly for within-realm network pivoting. Here's a screenshot from Sguil where you've got these options. 12/
In some rare cases, the tools that generate the data also provide added fields that make pivoting easier. An example I often refer to is the Zeek UID fields. They allow you to pivot between all the log files it generates, which is incredibly useful. 13/
Ideally, tools would let folks define their own pivots based on the data sources they have mapped. Put those in a context menu that changes based on the field you click on, and you're in business. 14/
Some pivots are a lot more common than others, and some manifest more commonly in specific types of investigations. These provide opportunities to use automation and SOAR-like things to give analysts easier access to those pivots (ala guided investigations). 15/
The analyst role is cognitively defined by the formation of investigative questions and interpretation of evidence. But from an observational viewpoint, these pivots are how you see those things manifest. 16/
To get good at pivoting, you have to understand the capabilities of your evidence (what questions it can answer), comprehension of evidence (what relationships it represents), how to collect it, and how to manipulate it. 17/
The more evidence sources whose capabilities and interpretation you understand, the more you'll be able to pivot into those things. 18/
It's important to distinguish pivoting from the analyst perspective from that of the attacker. The former is about interpreting data from multiple sources, while the latter is about leveraging access on one host to gain access to another. 19/
That's pivoting. Perform a search in one evidence source, select a value from that search, and use it to perform another search in a different evidence source.
It's a simple concept that most analysts leverage constantly but isn't always defined so clearly. 20/20
It's a simple concept that most analysts leverage constantly but isn't always defined so clearly. 20/20
• • •
Missing some Tweet in this thread? You can try to
force a refresh
