Saturday, January 30, 2016

The 3 W's of Hunting (Sharing is Caring)

Primer:

This will be a quickie but I wanted to get something on "paper" while the thoughts were fresh in my mind. Part of this was inspired by my colleague Chris Sanders who just wrote a wonderful blog:


"THE ROLE OF CURIOSITY IN SECURITY INVESTIGATIONS" 


P.S. I don't know why this is in all caps. Blogger is stupid and I'm too lazy to figure it out.

The reason I love my job is, not only is every day completely different, it's only different if I make it so. I could run the same searches, find the same shit that every org is bound to have, and the clients would probably be happy. I know from experience and just my basic nature that, in short order, I would end up hating life. Not to mention getting fired because I work with some of the smartest people in the industry. It's my innate curiosity that makes me love what I do. I do this because it speaks to who I am at my absolute core. I don't just enjoy solving problems, I *need* to solve problems. I'm not truly happy if nothing is wrong.

I thrive on finding things that are actively trying to hide from/lie to me. I’ve been an analyst about everything in my entire life before I even knew what that word meant. It’s not all I am, but it’s tied to how I identify myself in the world. You can’t help but take it more personally than the guy who hates his job and just collects a paycheck.

What makes this gig even better is working with people who share my curiosity. Not only that, they place a premium on tribal knowledge share. We talk about that "X factor", what makes a great analyst great?  Can it be taught? Can it be quantified? What is "X"? This leads to both productive and destructive discussions. Destructive in that, far too many times for far too long, analysts are told "it doesn't matter how you got the conclusion, it's that there's a consensus at the end."

That's all well and good but inevitably junior analysts are left to fend for themselves, hopelessly pawing at the keyboard trying to think of a thread to pull on. Even when they find one, two or a thousand threads, at the end of the day they have no idea how to knit a sweater. You might not be able to clone your more experienced analysts' minds and spell out every little detail for the junior guys, but throwing your hands in the air and saying "eh, figure it out" is a counterproductive cop-out.

In this entry and many more to come, I hope to contribute what I can to the conversation. I'm learning something new every single day and I hope that one day what I put down on paper leaves one junior analyst a little less suicidal. So on to today's lesson.

The 3 W's of Hunting.

What?

What thread did you pull on to start down the rabbit hole? If you tell me "oh, I saw some stuff that looked weird," I'm most certainly going to smack you. Note, in detail, the nature of the traffic. Port numbers, host names, IP addresses, packet data if you got it.

When?

Timestamps are money. Your hunt needs to have a timeline in order to get the most context out of your expedition. When did Patient Zero show his ugly face? What happened 5 minutes before and 20 minutes after? Found some intel? Good, when was the article written? That intel could have been burned years ago. Follow the breadcrumbs, correlate the times to other suspicious activities that, at first glance, may appear to have nothing to do with your prey.

As with most things in life, timing is everything.
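The "5 minutes before and 20 minutes after" pivot and the intel-age check described above, as an added example that is not part of the original post. The log lines, host names, IP addresses and the intel publication date are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the post): "<UTC timestamp> <source> <detail>"
SAMPLE_LOG = """\
2016-01-29T14:45:00Z proxy 10.0.0.51 GET http://intranet.example.test/
2016-01-29T14:02:10Z proxy 10.0.0.23 GET http://updates.example.test/a.bin
2016-01-29T14:19:30Z auth 10.0.0.23 new local admin account created
2016-01-29T14:06:41Z dns 10.0.0.23 query c2.example.test
2016-01-29T14:07:55Z ids 10.0.0.23 alert beacon to 203.0.113.9:8443
"""

def parse_ts(text):
    """Parse a UTC timestamp such as 2016-01-29T14:07:55Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_events(log_text):
    """Return (timestamp, source, detail) tuples from all sources, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, detail = line.split(" ", 2)
        events.append((parse_ts(ts), source, detail))
    return sorted(events)

def timeline_around(events, pivot,
                    before=timedelta(minutes=5), after=timedelta(minutes=20)):
    """Events inside [pivot - before, pivot + after], as (offset_seconds, source, detail)."""
    return [(int((ts - pivot).total_seconds()), source, detail)
            for ts, source, detail in events
            if pivot - before <= ts <= pivot + after]

def intel_age_days(published, observed):
    """Age of an intel article, in whole days, at the time the activity was observed."""
    return (observed - published).days

if __name__ == "__main__":
    pivot = parse_ts("2016-01-29T14:07:55Z")  # Patient Zero: the IDS alert
    for offset, source, detail in timeline_around(parse_events(SAMPLE_LOG), pivot):
        print(f"{offset:+6d}s  {source:<5}  {detail}")
    # Constructed publication date for the article that matched the indicator
    published = parse_ts("2013-06-01T00:00:00Z")
    print("intel age in days:", intel_age_days(published, pivot))
```

Recording the signed offsets next to each event keeps the "When" in the hunt notes explicit, so another analyst can see which sources were correlated and how far from the pivot each event fell.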

Why?

This is the most important of the three. Unless you're a character in some Marvel universe, people can't read minds. Why do you think this is evil? Lead me through your thought process, the parts of your collective experience that tell you this thing is bad news. This is crucial for multiple reasons:

1. To validate it's something.
2. To validate it's nothing.
3. To see the patterns and habits in your own analysis methods. This is the only way you'll get better.

If the trail does lead to a dead end, the better your note taking, the more easily you'll be able to see exactly where you went wrong and why you went wrong. What's more, others will be able to avoid the same pitfalls in the future.

In the end, you need to make your notes such that, if you got hit by a bus after work, any analyst that needs to pick up where you left off knows exactly why you were playing the game and what rules you were playing by.

That's it for this round. This was mostly stream of consciousness with little editing. As always, open for discussion. Till next time, happy hunting.
