Friday, July 6, 2012


I've been told more than once that "there are an awful lot of hacks in the information security world". Sadly, this is to be expected, particularly in recent years as people have begun to see dollar signs when they hear the phrases "cyber security" or "information security". Unfortunately, the number of people who say they know how to perform network forensics/network traffic analysis is far greater than the number of people who actually know how to perform network forensics/network traffic analysis. Many people talk a good game with multiple certifications, all the right buzzwords, a polished resume, and a smooth social networking profile. It's definitely a buyer-beware market on the customer's end, particularly since there is more demand for the skill set than there are people with the skill set. So what is a customer to do to avoid hiring a phony? Find someone, even just one person, whom you trust, and whose work is of the highest caliber, even if they're not working for you. Per my previous blog post "Peer Respect", the community of analysts is a close-knit one. I'm sure any trusted member of the community would be happy to share an honest opinion if they have one.

Peer Respect

In the network forensics/network traffic analysis community, peer respect is huge. The community is, in essence, a large and open meritocracy, and its members are particularly respectful of analytical ability, new insights, and fresh thinking. When an analyst proves his or her merit, he or she gains a tremendous amount of respect from the community and is invited into a trusted circle. Trust is everything in this profession. We trust our peers with information that could cause us and our organizations grave damage if it fell into the wrong hands. What do I value most in my professional life? The trust and respect of my peers.

Monday, July 2, 2012

You Can't Teach Analytical Skills

From time to time, I get asked to teach people how to be analysts. What I've found over the years is that there are those who are naturally analytical and can become solid, experienced analysts. There are also those who are not naturally analytical. Teach someone how to use a tool or tools to ask incisive questions of the data? Sure. Teach someone what makes one network traffic sample legitimate and another network traffic sample malicious? Sure. Teach someone how an attack pattern/intrusion vector works? Sure. Teach someone how to be an analyst? Nope. Can't be done. They either have analytical skills or they don't. My job is to lay the foundation and share my experience. If a person is analytically inclined, he or she will take off running. If not? Then, unfortunately, no amount of training will be able to make an analyst of the person.

End of an Era?

For many years, domain-based intelligence (e.g., lists of known malicious domain names) provided actionable information that could be leveraged to identify infected systems on enterprise networks. In its day, domain-based intelligence represented a considerable step forward over IP-based intelligence, which had proven to be quite prone to false positives. Of late, however, domain-based intelligence has itself fallen victim to a high rate of false positives. There are a number of reasons for this, but chief among them is the fact that attackers have moved from using entirely malicious domains to compromising small corners of legitimate domains. Because of this, URL patterns (e.g., a POST request for /res.php) have proven to be far more effective at identifying infected systems. Now, for sure, there are some entirely malicious domains that are still used. These domains are often randomly generated via algorithms that change daily, hourly, or even more frequently. Quite simply put, the domains change faster than the intelligence lists can share them out. Could it be that we've reached the end of an era vis-à-vis domain-based intelligence? Has the era of URL-pattern-based intelligence begun? I know that I am leveraging URL patterns heavily, and I know that I am not alone in that.
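To make the false-positive argument concrete, here is an added example (my own illustration, not code from the blog post) that runs a domain blocklist and a method-plus-path URL pattern over the same handful of constructed proxy log lines. The log lines, the hostnames (news.example.org, xk3jq9z.example.net, and so on), the indicator lists, and the "truly infected" ground truth are all made up for the demonstration; the POST /res.php pattern is the one the post mentions. The legitimate news site is on the domain list because one compromised subdirectory was reported, so every benign page fetch from it becomes a hit, while the freshly generated host that serves the same /res.php is not on any list yet and only the URL pattern catches it.

```python
"""Added example: domain-blocklist vs URL-pattern matching over constructed proxy logs."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Pattern, Set, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProxyEntry:
    client: str
    method: str
    host: str
    path: str
    status: int


# Constructed sample proxy log lines, not real traffic.
# Format: "<client ip> <method> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET http://news.example.org/index.html 200
10.0.0.5 GET http://news.example.org/images/logo.png 200
10.0.0.7 POST http://news.example.org/wp-content/uploads/res.php 200
10.0.0.9 POST http://xk3jq9z.example.net/res.php 200
10.0.0.9 GET http://cdn.example.com/jquery.js 200
10.0.0.11 GET http://shop.example.org/res.php?x=1 404
"""

# Hypothetical domain-based intelligence: the legitimate news site was listed
# after one compromised subdirectory was reported, so every request to it matches.
DOMAIN_BLOCKLIST: Set[str] = {"news.example.org"}

# Hypothetical URL-pattern intelligence: HTTP method plus a path regex, so a
# benign page fetch from the same host (or a GET to the same path) does not match.
URL_PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("POST", re.compile(r"^/(?:.*/)?res\.php$")),
]

# Constructed ground truth used to score the two approaches.
TRULY_INFECTED: Set[str] = {"10.0.0.7", "10.0.0.9"}


def parse_log(text: str) -> List[ProxyEntry]:
    """Parse the constructed log format into ProxyEntry records."""
    entries: List[ProxyEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, url, status = line.split()
        parts = urlsplit(url)
        entries.append(ProxyEntry(client, method.upper(), parts.hostname or "",
                                  parts.path or "/", int(status)))
    return entries


def domain_hits(entries: Iterable[ProxyEntry], blocklist: Set[str]) -> List[ProxyEntry]:
    """Domain-based matching: any request to a listed host is a hit."""
    return [e for e in entries if e.host in blocklist]


def url_pattern_hits(entries: Iterable[ProxyEntry],
                     patterns: List[Tuple[str, Pattern[str]]]) -> List[ProxyEntry]:
    """URL-pattern matching: the method and the path must both match an indicator."""
    return [e for e in entries
            if any(e.method == m and rx.search(e.path) for m, rx in patterns)]


def score(flagged: Iterable[ProxyEntry], truth: Set[str]) -> Dict[str, float]:
    """Precision and recall over client hosts, which is what an analyst triages."""
    clients = {e.client for e in flagged}
    tp = len(clients & truth)
    precision = tp / len(clients) if clients else 0.0
    recall = tp / len(truth) if truth else 0.0
    return {"flagged": len(clients), "precision": precision, "recall": recall}


def compare(text: str = SAMPLE_LOG) -> Dict[str, Dict[str, float]]:
    """Run both indicator types over the log and score each against the ground truth."""
    entries = parse_log(text)
    return {
        "domain": score(domain_hits(entries, DOMAIN_BLOCKLIST), TRULY_INFECTED),
        "url_pattern": score(url_pattern_hits(entries, URL_PATTERNS), TRULY_INFECTED),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12s} flagged={result['flagged']} "
              f"precision={result['precision']:.2f} recall={result['recall']:.2f}")
```

On this sample the domain list flags two clients, one of them a benign browser of the news site, and misses the host it has never heard of (precision and recall both 0.5), while the URL pattern flags exactly the two infected clients and ignores the 404'd GET to shop.example.org because the method does not match. The scoring is over clients rather than raw log lines on purpose: that is the unit an analyst ends up investigating, and it is where false positives cost the most time.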