29 Jul 19
The decision-making process within a security analysis context will always be a blinding maze of choices. At every step, inaccurate analysis portends catastrophic repercussions. To complicate matters, the digital fingerprint left behind can initiate both structured and unstructured analysis requirements. Whether triaging automatically-generated alerts or performing incident response against an advanced persistent threat, we apply instruments of reason and scientific methods against fluid circumstances.
To adapt to this, most Security Operation Centers (SOCs) will have runbooks to address the majority of events. These are invaluable where the cause, effect, and remediation of issues can be measured and defined. These situations usually have a clear sequence of events, from detection to eradication of the threat.
The sophistication and impact of these attacks can depend on the tools and techniques used. These characteristics can be sorted either by applying an automated criticality level to an alert, or by the designated analyst manually assigning one. This process addresses mundane alerts to prevent misjudgment or inappropriate resource allocation.
In case of ambiguity, analysts escalate these alerts to a higher tier immediately. Periodic reviews of unescalated alerts will usually focus on the analysts’ level of adherence to standard processes and quality of analysis; this also can improve analytic performance and identify deficiencies in the runbooks.
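The triage flow described above (automated criticality, a manual analyst override, immediate escalation of ambiguous alerts, and periodic review of what was not escalated) as an added illustration in Python. This is example code written for this page, not the author's tooling; the technique-to-criticality mapping, the set of techniques with runbooks, the asset tiers and the sample alerts are all constructed for the example.

```python
"""Added illustration of a SOC alert-triage flow: assign a criticality level,
honour an analyst's manual override, escalate ambiguous or critical alerts,
and sample unescalated alerts for periodic quality review.
All scores, fields and sample alerts are constructed for this example."""
from dataclasses import dataclass
from typing import Optional

# Assumed mapping from observed technique to a base criticality (1 = low, 4 = critical).
TECHNIQUE_CRITICALITY = {
    "phishing_link_clicked": 2,
    "credential_dumping": 4,
    "lateral_movement_smb": 3,
    "scheduled_task_created": 2,
}

# Techniques that have a runbook; anything else is treated as ambiguous and escalated.
RUNBOOKS = {"phishing_link_clicked", "credential_dumping", "scheduled_task_created"}


@dataclass
class Alert:
    alert_id: str
    technique: str
    asset_tier: int                      # constructed: 1 = workstation ... 3 = domain controller
    analyst_override: Optional[int] = None
    criticality: int = 0
    escalated: bool = False
    reason: str = ""


def automated_level(technique: str, asset_tier: int) -> int:
    """Base level from the technique, raised by the exposure of the affected asset."""
    base = TECHNIQUE_CRITICALITY.get(technique, 0)
    return min(4, base + (asset_tier - 1)) if base else 0


def assign_criticality(alert: Alert) -> Alert:
    """Automated level unless the designated analyst assigned one manually."""
    auto = automated_level(alert.technique, alert.asset_tier)
    alert.criticality = alert.analyst_override if alert.analyst_override is not None else auto
    return alert


def triage(alert: Alert) -> Alert:
    """Escalate on ambiguity (unknown technique, no runbook) or critical level; else follow the runbook."""
    assign_criticality(alert)
    if alert.technique not in TECHNIQUE_CRITICALITY:
        alert.escalated, alert.reason = True, "unknown technique"
    elif alert.technique not in RUNBOOKS:
        alert.escalated, alert.reason = True, "no runbook"
    elif alert.criticality >= 4:
        alert.escalated, alert.reason = True, "critical"
    else:
        alert.reason = "runbook"
    return alert


def review_sample(alerts, every_nth: int = 1):
    """Periodic review of unescalated alerts: take every nth by ID and flag
    manual overrides that lowered the automated level (a process-adherence check)."""
    unescalated = sorted((a for a in alerts if not a.escalated), key=lambda a: a.alert_id)
    sample = unescalated[::every_nth]
    findings = []
    for a in sample:
        auto = automated_level(a.technique, a.asset_tier)
        if a.analyst_override is not None and a.analyst_override < auto:
            findings.append((a.alert_id, f"override lowered {auto} -> {a.analyst_override}"))
    return sample, findings


# Constructed sample alerts for the walkthrough.
SAMPLE_ALERTS = [
    Alert("A-001", "phishing_link_clicked", 1),
    Alert("A-002", "credential_dumping", 3),
    Alert("A-003", "lateral_movement_smb", 2),
    Alert("A-004", "scheduled_task_created", 2, analyst_override=1),
    Alert("A-005", "unknown_binary_beacon", 1),
    Alert("A-006", "scheduled_task_created", 1),
]


def run_triage(alerts=None):
    """Triage every alert and return the processed list."""
    return [triage(a) for a in (alerts if alerts is not None else SAMPLE_ALERTS)]


if __name__ == "__main__":
    results = run_triage()
    for a in results:
        print(a.alert_id, a.technique, "level", a.criticality, "escalated" if a.escalated else "handled", a.reason)
    sample, findings = review_sample(results)
    print("review sample:", [a.alert_id for a in sample], "findings:", findings)
```

The review step is the part most SOCs skip: it is what surfaces an override that quietly lowered a level (A-004 here) and techniques that keep arriving without a runbook (A-003), which is exactly the runbook deficiency the text says periodic reviews should identify.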
The senior analysts handling advanced threats will rely on experience, judging probabilities on the basis of resemblance and comparing techniques employed by the threat actor with known methods documented by other analysts. The ability to produce theories of exploitation or possibilities of response is highly valued, but every such theory needs to be followed by the gathering of evidence to support its assumptions. An analyst should be able to synthesize multiple streams of data objectively and coherently describe their interpretation of events, what the implications for the organization may be, and what the most appropriate remediation option is.
The inability to analyze one’s own school of thought is a challenge, leading to difficulties in understanding the logic behind certain actions taken by an attacker. In many cases, analysts may assert that certain actions were not in the best interest of the threat, failing to empathize with the attacker at the point in time they were going through their own systematic approach to compromise a network.
In Kent’s pyramid of analysis, factual evidence is the base; educated assumptions represent the sides; and the most likely scenario is the apex of the pyramid. This structured method of solving complex problems enables analysts to produce actionable intelligence even today. Any assumptions are documented thoroughly, not only to support one's own theory, but to gain the trust and support of all stakeholders in the major incident response process. The incident response team may, and often should, be composed of executive members of multiple departments.
Interdisciplinary teams are recommended for all major incident response scenarios. All alternative interpretations or theories should be studied. Working in isolation can lead an analyst to decide unilaterally which pieces of information are relevant, producing an incomplete analysis. Analysts may request more data without acknowledging that the same piece of information can have multiple interpretations.
Acknowledging the human aspect of a threat actor is critical to understand the motive and purpose of the attack, and can also aid during attribution. In this phase, analysts can benefit from previously gathered intelligence, detailing minute observations that can be interpreted as a unique modus operandi. A systematic train of thought is also useful in the lessons-learned phase of the incident response process. This should be accompanied by a framework to structure the information so it can be easily consumed, even while challenging assumptions made.
Technology used today has reached a point where it will greatly aid in the analysis and decision-making process, where querying vast amounts of information can happen within seconds, leaving the challenge to be the quality of the question being asked. However, every analyst will have a unique way of searching the data. Seasoned analysts will also have the benefit of experience, having seen attacks with the same objectives being fulfilled in radically different ways. These experiences can in turn forge heuristics to simplify the decision-making process.
In conclusion: there is always fundamental uncertainty and human nature in complex issues. We study and understand them through the use of a structured approach, unstructured collaboration, intuition, and technology. Each occurrence improves procedures to bring faster response times and higher-quality automation of the investigation. The “eureka” moments of discovering the truth drive people in this profession to strive for new ways to improve the efficiency and effectiveness of the intricate security analysis process.