When analysts examine evidence, they are looking for cues that have implications for action. Cues lead to decisions about what leads to pursue or how to respond.

There are several types of cues, but I think novelty cues are one of the most critical. Let's talk about why... 1/
A novelty cue is something that indicates the presence of an unknown threat, capability, or technology that the analyst doesn't understand well. 2/
For example, a novel threat might be represented by an IP address, domain name, file hash, or behavior. If you find these things in a suspicious context and don't know about their origin or associations, they become new and interesting. 3/
Analysts often encounter novel capabilities when an alert or finding suggests a specific malware or threat actor may be on their network, but they don't understand how that thing typically operates or what it does. 4/
An analyst usually investigates threats and capabilities by reading public threat reports, reviewing sandbox output, performing prevalence analysis, performing various threat intel functions, or conducting malware analysis. 5/
A novel technology is usually software that an analyst knows little about. For example, if an analyst determines an attacker compromised a cloud platform service that they have little experience with (like AWS EC2), that service represents a novelty cue that requires research. 6/
The analyst usually reacts to technology novelty by reading about the tech, setting up a lab to play with it, or consulting someone with that expertise. 7/
That last one is notable... in my research, novelty cues were the most common type of cue to lead someone to ask for help from someone else. We usually recognize that experienced analysts can distill useful information and impart it more quickly than independent research. 8/
Novelty cues often lead analysts to assess threat capabilities, identify relationships, or seek help. The first two are the most common analyst decision goals, and the third most commonly comes from a novelty cue. That all speaks to their importance. 9/
Novelty cues exist relative to experience. That means something that is novel to one analyst may not be to another. Junior analysts will experience a lot more novelty than expert analysts, particularly in terms of capability and technology novelty. 10/
An obvious part of learning to be an analyst is reducing novelty through adding more knowledge about things you might encounter: threat actors, common malware, common services and platforms. The more things you see, the less chance you have to see new things. 11/
Somewhat less obvious is recognizing the common types of novelty you'll encounter and streamlining/automating the process of acting upon it. 12/
That also includes recognizing what information is valuable and what isn't. Your time and attention are limited, so knowing where and how to focus those matters. 13/
If you're inexperienced, everything seems novel at times and that can be overwhelming. It's helpful to not focus on everything that is novel, but instead, on places where you are likely to find novelty that matters and has meaning. 14/
For example, most things in the body of a PCAP look weird because entropy in network data is super high. A lot fewer things in protocol headers look weird, and even fewer in some specific headers. 15/
This means that if you know where meaningful novelty is likely to be found, you can focus on a few specific places within a PCAP. So now, maybe you're looking more at Wireshark columns rather than following TCP streams so much. 16/
Even further, maybe you don't even need the PCAP and you can get what you need from Zeek, proxy, or flow data.

As you understand where meaningful novelty is likely to exist, you dramatically reduce the scope of data that you have to retrieve, examine, and parse. 17/
All analysts rely on novelty cues to compel decisions and actions that move the investigation forward.

Embrace not just the unknown, but where you're likely to find it and how to resolve the repeated types of uncertainty you'll encounter. 18/18
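The prevalence analysis mentioned in tweet 5 and the "look at a few specific fields rather than the whole PCAP" point in tweets 15-17 can be turned into a small, repeatable triage step. The block below is an added example, not code from the original thread or from its author. It assumes Zeek-style conn.log records reduced to six columns (ts, id.orig_h, id.resp_h, id.resp_p, proto, service), a hypothetical baseline of destinations already known to the analyst, and a handful of constructed log lines; none of these come from the page.

```python
"""Added example (not from the original thread): prevalence-based novelty
triage over Zeek-style conn.log records.

Assumptions (not from the page):
  - records carry only the six columns in FIELDS, tab separated, in that order
  - BASELINE is a hypothetical set of (resp_h, resp_p) the analyst already knows
  - SAMPLE_LOG is constructed for illustration (TEST-NET / RFC 1918 addresses)
"""
from collections import defaultdict

# Constructed baseline: destinations seen in a prior window and already
# understood. In practice this would be built from historical conn/flow/proxy
# data, not typed in by hand.
BASELINE = {
    ("93.184.216.34", 443),   # widely used HTTPS destination
    ("10.0.0.53", 53),        # internal resolver
    ("10.0.0.10", 445),       # internal file server
}

# Column subset of Zeek conn.log used here (assumption: only these six).
FIELDS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "proto", "service"]

# Constructed records; the last column is Zeek's service field, "-" if unknown.
SAMPLE_LOG = """\
1700000000.1\t10.0.1.21\t93.184.216.34\t443\ttcp\tssl
1700000001.2\t10.0.1.22\t93.184.216.34\t443\ttcp\tssl
1700000002.3\t10.0.1.21\t10.0.0.53\t53\tudp\tdns
1700000003.4\t10.0.1.40\t198.51.100.7\t8443\ttcp\tssl
1700000004.5\t10.0.1.40\t198.51.100.7\t8443\ttcp\tssl
1700000005.6\t10.0.1.41\t203.0.113.9\t4444\ttcp\t-
1700000006.7\t10.0.1.21\t10.0.0.10\t445\ttcp\tsmb
"""


def parse_conn(text):
    """Parse tab-separated records into dicts keyed by FIELDS.

    Comment lines and malformed rows are skipped rather than raising, so one
    bad line does not stop the whole pass over a large log.
    """
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["id.resp_p"] = int(rec["id.resp_p"])
        records.append(rec)
    return records


def novelty_cues(records, baseline, max_prevalence=2):
    """Return destinations that are unseen in the baseline AND contacted by
    few internal sources (prevalence <= max_prevalence).

    Keys are (resp_h, resp_p). Each value lists the contacting sources and
    whether any connection had no identified service, a second weak cue that
    the analyst may want to resolve (what is talking on that port?).
    """
    sources = defaultdict(set)
    unknown_service = defaultdict(bool)
    for rec in records:
        key = (rec["id.resp_h"], rec["id.resp_p"])
        sources[key].add(rec["id.orig_h"])
        if rec["service"] == "-":
            unknown_service[key] = True

    cues = {}
    for key, srcs in sources.items():
        if key in baseline:
            continue  # known destination: not novel relative to this baseline
        if len(srcs) <= max_prevalence:
            cues[key] = {
                "sources": sorted(srcs),
                "unknown_service": unknown_service[key],
            }
    return cues


if __name__ == "__main__":
    for dest, info in novelty_cues(parse_conn(SAMPLE_LOG), BASELINE).items():
        print(dest, info)
```

Only two columns of the log (destination host and port) plus the source count drive the decision; the packet payloads never need to be retrieved. Raising `max_prevalence` or widening the baseline is how the threshold for "novel enough to look at" gets tuned as the analyst's own knowledge grows, which is the experience-relative nature of novelty the thread describes.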

Thread by Chris Sanders 🍯 (@chrissanders88)