Uncover your Truth: The loud and proud
“My name is Sherlock Holmes. It is my business to know what other people don’t know.” - Sherlock Holmes
My very first Discovery question was actually “magic mirror show me all the bad anomalies hiding in this data.” Very soon, I realised I was chasing down many a rabbit hole that led me nowhere. For some reason I *thought* that all anomalies represent an action by a hacker or a cyber criminal. I’m not sure why, I guess I thought only bad people do weird things wrong?
I hope at least some of you, my dear readers, got a chance to take a look at your data after the last post!
As promised, here are some questions I would often ask of the data I’m interrogating. I do not start my analysis with any pre-set ideas of what I may find. I try to be as unbiased as possible.
These are the 5 general Discovery steps I take to interrogate data.
Question 1: Define my timeframe. Will I be interrogating 1 day, 1 week, 1 month or 1 year's worth of data?
This depends heavily on the platform you can do the work on and on how much data exists in the logs you're working with. I love working with proxy logs as they contain a wealth of information, but they are often HUGE. When in doubt, start with 1 day (24 hours).
Question 2: What are my top talkers within this time frame? By top talker, I mean, which devices/accounts/services are making the most noise? Who are my known normal candidates? This is a quick way to identify your noisy normal, but it also shows you very noisy anomalies.
Question 3: Who are the unusual top talkers? Identify the accounts / devices, understand their function.
Question 4: What are my hypotheses for the unusual noisy accounts?
1) Once I have my list of anomalous accounts, I would expand out my time frame to identify whether this is ongoing or ad hoc activity.
2) Gather other data sources to understand additional context.
3) If it is a server, is there a data migration project in flight?
4) If it is a user, what process(es) was the user running at the time? Is the user in a team that is working on a special project?
Question 5: What's my decision?
Once I have all the contextual information I can find, it is time to make a call. Normally findings fall into one of three categories:
1) Normal: Accepted business processes. E.g. Someone uploading data to an external environment, at the request of their client; it’s been approved by the business and appropriate steps have been taken to protect the data.
2) Risky: Activities that introduce risk into the environment by well-meaning employees. E.g. Someone uploads data to Dropbox in an unencrypted format because encryption wasn’t working, and the normal secure method wasn’t working and they really, really, REALLY wanted to meet the client deadline.
3) Malicious: Activities with malicious intent. E.g. Someone stealing this data because they want to sell it / out of anger, etc. It is very difficult to identify intent based on log data alone so we must obtain additional business context.
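To make the five steps concrete, here is an added worked example in Python. It is my illustration, not code from the original post, and it runs over a constructed proxy-log sample (every account name, host and byte count is made up). Steps 1 to 3 are the window filter and the top-talker ranking; step 4.1 is the expansion of the timeframe, done here by comparing each top talker's volume inside the window with its median daily volume outside it and by listing destinations that account has never contacted before. Step 5, the decision, stays with the analyst: the script only produces the candidate list and the context behind each candidate.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample proxy log (not real data). One event per line:
# "<ISO 8601 timestamp> <account> <destination host> <bytes sent>".
# backup-svc is the "noisy normal"; jsmith is quiet until the last evening.
SAMPLE_PROXY_LOG = """\
2024-03-02T01:05:00Z backup-svc backup.example.internal 5200000000
2024-03-02T09:14:10Z jsmith news.example.com 1800000
2024-03-02T10:02:44Z asmith crm.example.com 12000000
2024-03-02T15:40:03Z jsmith news.example.com 900000
2024-03-03T01:05:00Z backup-svc backup.example.internal 5100000000
2024-03-03T09:20:31Z jsmith news.example.com 2100000
2024-03-03T11:11:11Z asmith crm.example.com 9500000
2024-03-04T01:05:00Z backup-svc backup.example.internal 5300000000
2024-03-04T09:03:27Z jsmith news.example.com 1600000
2024-03-04T10:45:00Z asmith crm.example.com 11000000
2024-03-04T22:31:15Z jsmith dropbox.com 400000000
2024-03-04T22:48:52Z jsmith dropbox.com 450000000
"""

# Step 1: the 24-hour window we interrogate first (assumed for the sample).
WINDOW_START = datetime(2024, 3, 4, tzinfo=timezone.utc)

Event = namedtuple("Event", "ts account dest bytes_out")


def parse_log(text):
    """Parse the four-column sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, dest, nbytes = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(ts, account, dest, int(nbytes)))
    return events


def in_window(events, start, hours=24):
    """Step 1: keep only events with start <= ts < start + hours."""
    end = start + timedelta(hours=hours)
    return [e for e in events if start <= e.ts < end]


def top_talkers(events, n=5):
    """Step 2: accounts ranked by bytes sent, noisiest first."""
    totals = defaultdict(int)
    for e in events:
        totals[e.account] += e.bytes_out
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def daily_totals(events, account):
    """Bytes sent per calendar day for one account."""
    per_day = defaultdict(int)
    for e in events:
        if e.account == account:
            per_day[e.ts.date()] += e.bytes_out
    return per_day


def find_unusual(all_events, start, hours=24, factor=5.0):
    """Steps 3 and 4.1: expand the timeframe and ask which top talkers in the
    window look unusual against their own history. Flags an account whose
    window volume exceeds `factor` times its median daily volume outside the
    window (or that has no history at all), and any account that contacted a
    destination never seen for it before. Returns {account: reasons}."""
    end = start + timedelta(hours=hours)
    window = in_window(all_events, start, hours)
    baseline = [e for e in all_events if not (start <= e.ts < end)]
    flagged = {}
    for account, window_bytes in top_talkers(window):
        reasons = {}
        history = daily_totals(baseline, account)
        typical = median(history.values()) if history else 0
        if not history or window_bytes > factor * typical:
            reasons["volume"] = (window_bytes, typical)
        known = {e.dest for e in baseline if e.account == account}
        new_dests = {e.dest for e in window if e.account == account} - known
        if new_dests:
            reasons["new_destinations"] = sorted(new_dests)
        if reasons:
            flagged[account] = reasons
    return flagged


def run_discovery(text=SAMPLE_PROXY_LOG, start=WINDOW_START):
    """Steps 1-4 end to end; step 5 (the decision) is left to the analyst."""
    events = parse_log(text)
    return top_talkers(in_window(events, start)), find_unusual(events, start)


if __name__ == "__main__":
    talkers, unusual = run_discovery()
    for account, sent in talkers:
        print(f"{account:12s} {sent:>14,d} bytes in window")
    for account, reasons in unusual.items():
        print(f"CANDIDATE {account}: {reasons}")
```

On this sample the backup service tops the list but stays off the candidate list, because its volume and destination match every other day we hold; jsmith lands on it for both reasons, and the output is the starting point for the questions in step 4, not the answer to step 5.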
I don’t contact the affected person directly; to me that’s bad investigative practice. In my experience, the police don’t go talking to suspects without having conducted some solid investigation behind the scenes. Discovery projects are investigations, so that is the general rule I follow. Of course there are exceptions to every rule; proceed with caution and understand the risks.
I have trusted people I speak with to acid-test my hypotheses, assumptions and findings. I rarely work through an investigation on my own without talking it through with my teammate Jarrod (Hi Jarrod!) and Steve (Hi former / but still my boss boss!)
If you have never gone through this process, I highly recommend that you give this a try. You may learn a few things that you didn’t already know. As I have said, in large environments, this isn’t about finding your highly sophisticated cyber criminal super sleuth attacks. This is a process for understanding your environment and potential risks.
If you’re thinking “oh, but I’m so busy.” The first time I decided I would just have a play with the data in front of me, it took me about 5 minutes to get to my initial “huh, this is interesting”. Set aside one hour on a select day, have a go. If your managers are not supportive of you going above and beyond, drop me a message and we can discuss how you can do this on the stealthy. Haha!
If “I don’t have a tool” is preventing you from doing this; open up Excel and import the logs from a format that Excel understands. As long as the data is formatted into columns, you can do this!
In my next post, I will take you through the steps I take to document my analysis process, and what I do with my findings after I have reached a decision. I will include some tips on how your findings can be used as feedback to improve your overall security. I document like I’m going to be interrogated in court; if you’re interested, see you next time!
Skye
PS. I will also be making a very exciting announcement very soon! I’m bursting at the seams with excitement and can’t wait to share this news with everyone!
Disclaimer: All statements and comments are my own. They do not reflect the views of any past or present employers.