"The Core Duo"
Once again I am sitting in an airport (LaGuardia this time) writing another blog post. The good news is that it looks like my life is taking back on some semblance of normalcy, and I can start writing again. Since my promotion to Managing Consultant, in conjunction with the release of the Trustwave Global Security Report, I have been swamped. But, that's all I have to say about that.
So I have recently been doing a lot of speaking and teaching, and came to an interesting conclusion about what are the core (and in my opinion, critical) skills of our trade, which I have affectionately dubbed, "The Core Duo".
When I really started to think about it, what we do (Forensics and Incident Response) really boils down to only two things.
1. Spotting Patterns
2. Spotting Anomalies
Now, I know this sounds really simple...maybe too simple, but let me explain. First of all, simplicity is something that I think is frequently minimized as being undesirable. I think there are a lot of folks who think something to the effect of, "If something can be explained in simple, easy to understand terms, it must not be very complex". I challenge that this is not the case. I think that even the most complex situations (and we all know cyber investigations are among the most technical and convoluted anywhere) are made up of components that can be broken down and simplified. Being able to do this is a critical element in actually understanding what you are doing and why you are doing it. That in turn leads to being successful at what you are doing. Which finally leads to you solving the case, and potentially, some bad guy going to jail.
Ok...so think about your "typical" case. You have stuff (technical term)...RAM dumps, volatile data, forensic images, maybe some log files. You are asked to find something (again, technical term) within that stuff. What you are asked to find will depend on the case, but the theme is the same...go find something specific. Now the fun begins as far as I am concerned...how do you find the something within the stuff?
Well, there are these things we commonly refer to as, "Indicators of Compromise" or IOCs. They are data points that indicate the presence of something within the stuff. So I was thinking, "What makes one data point an IOC and another data point not an IOC?" I argue that it's because that something has to fall into one of two categories. It is either an anomaly, or a pattern.
Let's first explore what I mean by using the term, "Anomaly". It just means that the something is different than all of the other somethings. There is something about THIS something that makes it different. WHAT is different, why it's anomalous, what the anomaly means, etc...that's the easy part. Binaries can be extracted, log files can be parsed, ripped reg hives can be clearly read and compared with forensic timelines...all the things we normally do in a case. BUT (and this is a pretty big but) ALL of that...all of the tools that exist, all of the books and blog posts that have been written, all of the conferences we attend, and all of the money we spend on training...they all hinge on this one thing...can we spot the anomaly. Can we find the one or the two (or whatever) files, amongst the tens or hundreds of thousands, that are like the kids on Sesame Street, doing their own thing? THIS is the first core of our trade.
The second core item of the "Duo" is the ability to spot patterns. In my opinion, this applies more to incident response than it does to forensics, although by no means exclusively. Think about a case in which all you have are log files. This is common in my world in E-Commerce cases involving things like SQL Injection, Remote File Inclusion, and Web Shells. Some of these cases literally involve millions of lines of log files that, at first glance, all look more or less the same. Anyone who has worked on an E-Comm case knows what I am referring to. Line after line after line after line of logs...and you are thinking to yourself, "What the heck am I even looking for?" Me? I am looking to identify the first sign of an anomaly, then for a pattern of those anomalies.
Some of the log entries will have something different about them...it's WHAT is different, and HOW we spot them, that is the real meat of the analysis. Then, once you spot the anomaly, you would look for a pattern of that anomaly. Does it occur at regular increments? Does it originate from the same location? Does the access show the same thing or things being accessed over and over...can you spot the pattern?
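To make the two steps concrete on log data, here is an added example (my code, not the author's) that runs over a handful of constructed access-log lines: it first flags lines that differ from the crowd using purely statistical criteria (a rare status code, an oversized request target), with no attack signature involved, and then groups those anomalies by source to ask the questions above: same location, same thing accessed over and over, regular increments between hits. The log lines, IP addresses and thresholds are all constructed for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (common log format); not from any real case.
LOG_LINES = """\
10.0.0.5 - - [10/Mar/2012:08:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.7 - - [10/Mar/2012:08:00:03 +0000] "GET /products.php?id=12 HTTP/1.1" 200 7300
10.0.0.9 - - [10/Mar/2012:08:00:05 +0000] "GET /cart.php HTTP/1.1" 200 4100
198.51.100.23 - - [10/Mar/2012:08:00:10 +0000] "GET /products.php?id=12&q=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 HTTP/1.1" 500 312
10.0.0.5 - - [10/Mar/2012:08:00:12 +0000] "GET /images/logo.png HTTP/1.1" 200 2200
10.0.0.7 - - [10/Mar/2012:08:05:30 +0000] "POST /checkout.php HTTP/1.1" 302 0
198.51.100.23 - - [10/Mar/2012:08:10:10 +0000] "GET /products.php?id=12&q=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 HTTP/1.1" 500 312
198.51.100.23 - - [10/Mar/2012:08:20:10 +0000] "GET /products.php?id=12&q=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 HTTP/1.1" 500 312
198.51.100.23 - - [10/Mar/2012:08:30:10 +0000] "GET /products.php?id=12&q=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 HTTP/1.1" 500 312
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

def parse(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ip, ts, _method, target, status, _size = m.groups()
        rows.append({"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                     "path": target.split("?", 1)[0], "status": status, "len": len(target)})
    return rows

def spot_anomalies(rows, rare_fraction=0.15, length_factor=2.0):
    """Step 1: flag lines that differ from the crowd: a status code seen in under rare_fraction
    of lines, or a target longer than length_factor x median (median, so odd lines cannot skew it)."""
    status_share = Counter(r["status"] for r in rows)
    median_len = statistics.median(r["len"] for r in rows)
    return [r for r in rows if status_share[r["status"]] / len(rows) < rare_fraction
            or r["len"] > length_factor * median_len]

def spot_patterns(anomalies, jitter=0.10):
    """Step 2: group anomalies by source and ask the post's questions: same origin,
    same thing accessed over and over, regular increments between hits?"""
    by_ip = defaultdict(list)
    for r in anomalies:
        by_ip[r["ip"]].append(r)
    patterns = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(hits, hits[1:])]
        regular = len(gaps) >= 2 and statistics.pstdev(gaps) <= jitter * statistics.mean(gaps)
        patterns[ip] = {"hits": len(hits), "paths": sorted({r["path"] for r in hits}),
                        "interval_s": statistics.mean(gaps) if gaps else None, "regular": regular}
    return patterns
```

On the constructed sample the lone 302 from 10.0.0.7 is an anomaly too, but it forms no pattern; the four 500s from 198.51.100.23 hit the same path every 600 seconds, which is the kind of pattern the analysis then builds on.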
So what does all this mean? OK Chris, we agree with you, to be good at Forensics and/or IR you have to be good at spotting anomalies and patterns. So what? What does that mean to me? Well, I am glad you asked! A couple of things.
1. It gives you an area of focus. Still, one of the most common issues I see while training investigators is analysis paralysis. Simply freezing when confronted with so much data...what do I do...where do I go...how do I even begin? How do I go from gathering data to actually starting to solve cases?
I think that knowing that in every case, regardless of what the case may be, you are either looking for an anomaly or a pattern can help you focus on the task at hand, and get down to making progress (not just throwing tools at data and expecting it to solve the case for you). FORENSIC HINT: THAT will NEVER happen.
2. It helps you as you try to tie your data points together. In an "average" case, we may have data points in our timeline, registry hives, RAM, system event logs, and from binary analysis. We have a lot of data points that all indicate that a breach took place, data was accessed, malware was installed...basically, they tell the story of what happened during that breach. Understand that what you are looking at is a series of anomalies that form a pattern. This pattern is the backdrop against which you will formulate the rest of your investigation.
So, in conclusion, I know it may sound simple, but what I have named "The Core Duo" of forensics/IR is the ability to spot Anomalies or Patterns. Knowing and understanding this concept can help investigators (both new and seasoned) begin difficult investigations with a better idea of what the something they are trying to find within the stuff actually is.
On a side note, since I have begun using this concept, the students that I have taught (and those in the audience at the conferences I have spoken at) have really liked the idea, and have indicated that it really does work. One gentleman recently told me that he wrote them down on a sticky note, and attached the note to his monitor.
It very simply stated:
1. What is the anomaly?
2. Can you spot the pattern?
I think that's a great idea! While I don't have sticky notes on my monitor, I DO have Case Notes, and in my notes, I now have an entry under my "Misc" tab that indicates the same thing. I urge you to give it a try and let me know how it goes.