Hunting for Sharks’ Teeth (and Other IOCs)

Sometimes new lessons about our information security world can arrive from unexpected places.

A couple of weeks ago, following the remarkable twenty-fifth (!) iteration of RSA’s TechFest technical training week for RSA presales staff & partners, I took a few extra days to drive out to Florida’s Atlantic coast to unwind and enjoy some beach time before returning home.

My destination was a stretch of beach that I have repeatedly visited since my childhood – my uncle and aunt had a cottage there, and whenever I visited during the summer, my (slightly older, much wiser) cousin and I would head out to the beach to perform our annual ritual: looking for sharks’ teeth that washed up on the beach overnight. This was always a competitive sport between us, and she inevitably came out the winner.

Together, we would comb across the same sections of the beach, and I would marvel over her skill in seeing patterns (the dark, sharp, triangular shape of a shark’s tooth) mixed in amongst the thousands and thousands of seashells on the beach – patterns I consistently failed to see.

I was certainly “productive,” bringing back lots of items to the kitchen counter for review, but almost everything I brought in from the beach wound up being a tooth-shaped shell – worn down over time by nature into something which looked like a tooth to my inexperienced eye. My cousin would bring far less back from our joint expeditions (less quantity) but always produced finds which were indisputably sharks’ teeth (high quality/high fidelity).

What made her so much better at this exercise than me?

Technique. My cousin wasn’t spontaneously good at this from her first day. Her older brother and older sister, and her parents, all “got there” before she did, and those in-house “experts” shortened her learning curve. Efficient technique doesn’t – or shouldn’t – exist in a single analyst’s head on your team. Encourage your strongest players to mentor and train up the newbies on staff. Make this an explicit part of their job function.

Practice. It also greatly helped that unlike me, my cousin spent the entire summer, every year, on the beach – so my once-or-twice a year experience on the same beach really could not stack up against her three months of practice every summer. Over time, based on her past experience, she came to learn where the “good spots” most likely to yield interesting items were. Take the time to understand the natural ingress/egress points for attackers on your network – and prioritize your limited time there, with real-world exercises whenever possible. And don’t overlook the focus an internal “competition” may bring.

The right tools + preparation. Tools directly related to our beach time – our eyes, sometimes a small bucket, and definitely patience – were sometimes not as important as some essential supporting tools. Which one of us lasted longer on the beach that morning when I forgot my sunglasses, my hat, and my sunscreen – and who do you think wound up maximizing her time on the beach, with no competitors around, after I had to go back to the house because I wasn’t equipped properly? Equip your analyst team with the right tools, and the right training, to maximize their potential. Training is not a one-off exercise, but should be a continuous process.

Openness to new approaches. During one of our expeditions, we saw another person on the beach with a scoop and a makeshift filter atop a bucket – this was new to both of us and demonstrated a different way to search. We were looking at the surface area only, but the scooping approach could ultimately show you shells and sharks’ teeth below the surface (a dimension that up until that point we had not considered)! Even an experienced analyst should be open to exploring new techniques and methods.

Whether you’re hunting for sharks’ teeth, or for indicators of compromise (IOCs) on your noisy network, think about what you can do, as either a manager or a more experienced peer, to help elevate your SOC/IR analyst team to the next level.