Free and Open Discourse

In the world of network traffic analysis and network security monitoring, free and open discourse is extremely important.  Analytical techniques that are subject to discussion and critique will always be better than those that aren't.  Quite simply put, analysts cannot thrive in a bubble, and neither can a robust network security monitoring program.

Unfortunately, there are some organizations that keep their analysts insulated, for whatever reason.  These organizations tend to wall themselves off from the free exchange of ideas.  In my experience, this hurts those organizations, as their analysts often fall behind the collective intelligence.

The good news is that ideas are always willing to be heard if someone is willing to listen.

What? When? Where? How?

When conducting network traffic analysis in support of an incident investigation, it's important to remember the four questions of incident response that an analyst should seek to answer. They are:

What?
When?
Where?
How?
The other two question words in the English language, Who? and Why?, are best left for law enforcement to answer for a number of reasons. That's a bit beyond the scope of this blog, so I'll brush it aside for now.

The four questions of incident response can be elaborated a bit more as:

What happened? What type of incident has occurred? What damage has occurred?
When did the incident happen? When was the incident detected?
Where did the incident occur? Is it isolated or widespread? Where is the incident coming from?
How did the incident occur? How did the intruders get in (the infection vector)?

If an analyst keeps these four questions in mind, it's much easier to focus an incident investigation/analysis and ensure that the correct supporting evidence is maintained and that the correct information is reported.

It's an intuitive approach that has been proven to help analysts focus their attention on the most value-added activities. Hopefully you'll find it useful as well.