I was quoted recently in a piece featured in Dark Reading that discussed the idea of monitoring environments to detect persistent adversaries. It was a solid article and I stand behind my contribution, especially my comments on the importance of the role the analyst (not the tools they have or are using, though those are important in their own right) plays in the full lifecycle of triaging these types of threats. You can read the article here to get the full story.
One point that should be made, which I hope the informed reader can infer for themselves, is that the article didn’t specify the difference between host and network analysis. My good friend Harlan Carvey pointed that out to me, and I agree: it is perilous to ignore one aspect in favor of another rather than viewing monitoring of this sort as ecosystem driven, and the host view was missing in this piece. Thanks Harlan! So let’s chat for a minute about the role of the analyst in identifying and analyzing events of interest (pre-categorized events that later map to an attack or campaign).
Sight Beyond Sight
In my opinion, there is no substitute for a well-trained analyst; no tool, no process, no procedure can replace or supplant them. An experienced and well-trained analyst knows what to look for and knows what he or she is looking at when they see it. It’s difficult to say how much of this is nature vs. nurture, but make no mistake, there is a balance that is struck and a certain amount of innate capability that cannot be taught. No tool can ‘instill’ this elementary characteristic that solid analysts share: critical thinking, logic, reasoning and an analytic approach to problem solving.
Tools and technology (along with well-articulated and vetted processes and procedures) cannot always narrow this gap if it exists, though they do help enormously in making the less obvious more obvious to the uninformed viewer. Technology (robust, ecosystem-aware) can communicate in a clear and concise manner what it knows to be occurring. Though this is important, it should never be treated as the be-all, end-all in terms of conclusive analysis. The analyst will still be required (if not led) to cross-correlate the results derived from one platform against those of another, seeking corroboration of results. If a delta exists, he or she will note it and press on, seeking a third technological opinion while applying their own experience to what they are seeing.
Experience is Paramount to Success
So, why should we care about what was written in the Dark Reading article I mentioned above? Put very simply, we should care because these threats are and remain among us. They have been with us for some time now, and their architects show no signs of slowing their progress given their levels of success. In many cases they are far less ‘advanced’ or ‘sophisticated’ in terms of their base technology (the malicious payload, for example) than one might be led to think.
The experienced analyst can tell the difference, noting the nuances in the surveillance and reconnaissance techniques employed by the threat actor and in the distribution (and receipt) of the malicious payload. Having an experienced eye reviewing the data related to these events of interest is critical to success or failure, as the devil is in the details.
Let me give you an example.
During the VOHO campaign, an organization we spoke to noted lateral movement occurring within its environments. Their analysts highlighted a file that is ubiquitous to all modern Microsoft Windows operating systems as being malicious and wanted an opinion on it. The RSA FirstWatch team reviewed the file and noted it was benign, after which we suggested that the file on the machines in question be left alone, as its state is indicative of normalcy and tampering with it could have negative ramifications for the health of the hosts in question. In this example, the analysts of one organization thought they had narrowed the activity of the threat actors down to a specific file, when in actuality it was a normally functioning file that the victim organization was not aware of.
The experienced eye of the analyst, in this case, saved quite a bit of time, energy and additional work that could have resulted from the victim organization making an erroneous change to the file in question, rendering the host inoperable.