Art into Science 2017 - Investigation Theory: A Cognitive Approach


Investigation Theory: A Cognitive Approach

Chris Sanders (@chrissanders88)

- Analyst @ FireEye
- Founder @ Rural Tech Fund
- PhD Researcher
- GSE #64
- BBQ Pit Master
- Author: Practical Packet Analysis, Applied NSM, Investigation Theory Course

Symptoms of a Cognitive Crisis

1. Demand for expertise greatly outweighs supply
2. Most information cannot be trusted or validated
3. Inability to mobilize and tackle big systemic issues

Ethnography of the SOC

“An analyst’s job is highly dynamic and requires dealing with constantly evolving threats. Doing the job is more art than science. Ad hoc, on-the-job training for new analysts is the norm."

Sundaramurthy, S. C., McHugh, J., Ou, X., Rajagopalan, S. R., & Wesch, M. (2014). An anthropological approach to studying CSIRTs. Network, 100, 2.

Ethnography of the SOC

“The profession [security] is so nascent that the how-tos have not been fully realized even by the people who have the knowledge…the process required to connect the dots is unclear even to analysts.”

Sundaramurthy, S. C., McHugh, J., Ou, X., Rajagopalan, S. R., & Wesch, M. (2014). An anthropological approach to studying CSIRTs. Network, 100, 2.


The Cognitive Revolution

1. Understand the processes used to draw conclusions
2. Develop repeatable methods and techniques
3. Build and advocate training that teaches practitioners how to think

What separates novice and expert analysts?

Mapping the Investigation

Sample: Novice and expert analysts

Methodology:
- 30+ case studies
- Stimulated recall interviews
- Focus on individual investigations of varying types
- Perform key phrase analysis and analyze the results

Key Phrase Mapping

Dual Process Theory
- Intuition: Implicit, unconscious, fast
- Reflection: Explicit, controlled, slow

Key phrases mapped:
- Intuition
- Experimentation
- Restructuring
- Imagination
- Incubation
- Metacognition
- Evaluation
- Goal Setting
- Making Plans
- Reflection
- Analytically Viewing Data
- Rule-Based Reasoning
- Considering Alternatives

Results (chart): frequency of key phrases (Experimentation, Restructuring, Imagination, Incubation, Evaluation, Goal Setting, Making Plans, Viewing Data, Considering Alternatives) for Novices vs. Experts, grouped under Intuition, Metacognition and Reflection; bar values not recovered.

Analyzing the Flow of the Investigation

Investigations as Mental Labyrinths

The investigation is the core construct of information security.

How do we study them when everyone has a different toolset? Follow the Data!

Data map (diagram):

Alert
- OSINT: Reputation, File Hash, Sandbox Behaviors, AV Detections (VT), Imphash, More File Hashes
- Friendly Host
  - Network: PCAP
  - Host: Windows Logs (Security Log, System Log, App Log), Registry, File System
- Hostile Host
  - Network: PCAP, Flow

Studying the Investigation Process

What data did analysts look at first?

Observed (chart): PCAP 72%, Flow 16%, OSINT 12%

Data Suggests:
- Analysts prefer a higher context data set…
- …even if other data sets are available
- …even if lower context data sets can lead to a resolution

Did the first move affect analysis speed?

Avg Time to Close (chart): PCAP 16, Flow 10, OSINT 9

Data Suggests:
- While PCAP provides richer context, it may slow down the investigation if that’s where you start
- Starting with a lower context data source can increase speed when working with higher context data

What happens when Bro data replaces PCAP?

Observed (Bro) (chart): Bro 46%, Flow 25%, OSINT 29%
Observed (PCAP) (chart): PCAP 72%, Flow 16%, OSINT 12%

What happens when Bro data replaces PCAP?

Avg Time to Close (PCAP) (chart): PCAP 16, Flow 10, OSINT 9
Avg Time to Close (Bro) (chart): Bro 10, Flow 10, OSINT 11

Data Suggests: Better organization of high context data sources can yield improvements in analyst performance

What data sources were viewed most and least frequently?

Data Suggests:
- Network data is used more frequently than host data…
- …even when host data can be used exclusively to resolve
- …even when easy access is provided to host sources
- Revisiting data is more prevalent on higher context data sources

Data Sources Viewed (chart): PCAP, Flow, OSINT, Host FS, OS Logs, Memory (values not recovered)
Data Sources Revisited (chart): PCAP 84%, Flow 11%, OSINT 5%

How many steps were taken to make a disposition judgement?

Data Suggests:
- At some point, the number of data sources you investigate impacts the speed of the investigation
- Understanding where data exists and when to use it can impact analysis speed

Number of Steps (chart, cases per bin): 6-10: 6, 11-15: 12, 16-20: 9, 21-25: 3
Avg Time to Close by number of steps (chart): 6-10: 9, 11-15: 12, 16-20: 14, 21-25: 24

Did analysts investigate friendly or hostile systems first?

Observed (chart): Friendly 9%, Hostile 91%
Second chart (label not recovered): Friendly 41%, Hostile 59%

Data Suggests:
- Analysts are more compelled to investigate unknown external threats than internal systems
- Analysts don’t fully understand their own techniques

Thank You!

Mail: chris@chrissanders.org
Twitter: @chrissanders88
Blog: chrissanders.org
Training: chrissanders.org/training