The Role of Curiosity in Security Investigations

curiousgeorgeI’ve written a lot about the metacognitive gap in digital forensics and incident response. As an industry, we aren’t very effective at identifying the skills that make our expert practitioners so good at what they do, and we are even worse at teaching them. While there are a myriad of skills that make someone good at finding evil and eradicating adversaries, what’s the most important? What is the “X Factor” that makes an investigator great?

That’s a highly subjective question and everyone has an opinion on it biased towards his or her own experience. Regardless, I recently posed this question to some of my coworkers and Twitter followers. The most common answer I received was centered on curiosity.

Based on these results, I conducted a semi-formal survey where I asked 12 experienced analysts to rate the importance of possessing a highly curious mind while attempting to solve an investigation.

In the first survey item, I asked respondents to address the statement “A curious mind is important for an investigator to arrive at a state of resolution in an investigation with accurate and thorough results.”

All 12 investigators responded Strongly Agree using a 5-point Likert scale.

In a second question, I asked respondents to address the statement “A curious mind is important for an investigator to arrive at a state of resolution in an investigation in a timely manner.”

Using the same rating sale, 10 investigators responded Strongly Agree and 2 responded Agree.

Finally, I asked respondents to address the statement “A curious mind is a primary factor in determining whether an investigator will be successful in resolving/remediating an investigation.”.

Using the same rating sale, all 12 analysts responded Strongly Agree.

Clearly, expert practitioners believe that a curious mind is important in terms of accuracy, thoroughness, and speed at which an investigation is conducted. While curiosity isn’t the only thing makes an investigator successful in their craft, it certainly warrants attention as a key player. In this post I will talk about curiosity as a trait, how it manifests in the investigative process, how it’s measured, and whether it’s a teachable skill.

What is Curiosity?

There are many definitions of curiosity scattered across psychology research text, but the one I think most accurately depicts the construct from an applied perspective comes from Litman and Spielberger (2003). They state that curiosity can be broadly defined as a desire to acquire new information, knowledge, and sensory experience that motivates exploratory behavior.

Lowenstein (1994) also provides relevant insight by defining curiosity as “the desire to know.” In this sense, he describes that a desire to know more can arise when a person encounters stimuli that are inconsistent with an idea he or she holds. When this is experienced, the person may feel some kind of deprivation that can only be alleviated by resolving this inconsistency and closing the knowledge gap that has been identified. This jives well with the thoughts of other great psychology thinkers like Kant and Freud.

Curiosity takes form early in life when infants start exploring the world around them to test the limitations of their own body. Many developmental psychologists agree that this curiosity and simple but constant experimentation is the foundation of early learning and normal development. As we grow older, our curiosity continues to spark experimentation.

While curiosity has been considered a research-worthy construct from a theoretical perspective, there has been little effort put into pinning down the neural substrates that underlie it. This is unfortunate, but something to look forward to as neurology and brain imaging techniques continue to rapidly advance.

As it relates to computer security investigations, curiosity manifests practically in a number of ways that most of us can easily recognize. A few of those include the following:

 

Dead End Scenarios

The most dreaded scenario in an investigation occurs when an investigator reaches a point where there are still unanswered questions, but there are no leads left to pursue answers. This is common, especially when things like data retention and availability often limit us. In these scenarios a required data source might not be available, a lead from other evidence could run dry, or the data might not point to an obvious next step.

A limited amount of curiosity can be correlated with an increased number of dead end experiences encountered by an investigator. Without adequate motivation to explore additional avenues for answering questions, the investigation might miss logical paths to the answers they are seeking. They may also fail to adequately ask the appropriate questions.

 

Hypothesis Generation

The investigative process provides many opportunities for open-ended questions, such as “What is responsible for the network traffic?” or “Why would this internal host talk to that external host?” The process of reasoning through these questions is usually characterized initially by divergent thinking to generate ideas to be explored in route to a possible solution. This manifests as an internal dialog when conducted by a single analyst, but can be expressed verbally when a group is involved.

When presented with an open-ended question, curiosity is responsible for motivating the internal evaluation of hypothetical situations. Without curiosity, an individual won’t conduct mind-wandering exercises and may only consider a small number of potential hypotheses when there is potential for many other valid ones. In this scenario an investigator might not be pursuing the correct answers because they haven’t considered all of the potential questions that should be asked.

Note: It’s probably worth noting here that creativity plays a role in this process too, and is linked to curiosity depending on which model you subscribe to. That, however, is a little beyond the scope of what I want to talk about here.

 

Data Manipulation

Looking at the same data in different ways can yield interesting results. This can include using sed, grep, and awk to pull specific columns out of a data stream for comparison, using uniq and sort to aggregate field values, or reducing PCAP data into flows for comparison of multiple data streams.

While having the skills to manipulate data is a separate discussion, having the desire to find out if the manipulation of existing data into a new format will yield useful results is a product of curiosity. Investigators who lack curiosity to find out if such an exercise would be fruitful end up in more dead end scenarios and may take longer routes towards resolving investigations.

 

Pivoting to Tangential Evidence

The goal of collecting and reviewing evidence is to yield answers relevant to the question(s) an investigator has asked. However, it’s common for the review of evidence to introduce tangential questions or spawn completely new investigations. Within an investigation, you might review network connections between a friendly internal host and a potentially hostile external host only to find that other friendly devices have communicated with the hostile device and warrant examination. In another example, while examining web server logs for exploitation of a specific vulnerability, you might find unrelated evidence of successful SQL injection that warrants a completely separate investigation.

Curiosity is a key determinant in whether an investigator chooses to pivot to these tangential data points and pursue their investigation. Without the motivation that curiosity provides, an investigator may neglect to provide more than a cursory glance to these data points, or fail to note them down for later review. This can result in missed intrusions or improper scoping.

Relating Curiosity and Experience

Our cognitive processes don’t operate in a vacuum. Any decision we make is influenced by a symphony of different traits and emotions working in concert together. Some work in perfect harmony while others operate as opposing forces, and curiosity is not exempt. When we talk about curiosities role in an investigation, we also have to talk about experience.

Earlier, I mentioned that curiosity is pivotal to human development, and that our experimentation at an early age is motivated by curiosity to learn more about ourselves and the world around us. This isn’t a characteristic that goes away with time; we just become more aware of it. As we get older, we gain more experience and become more selective of what experiments we conduct. This manifests in many forms of our lives and in every day decisions. For example, a person who has never slept in on a Tuesday might hit the snooze button a few times because curiosity motivates them to explore the benefits and/or consequences of that action.

Experience serves as both a motivating and regulating force for curiosity. In an investigation, I believe this is best illustrated by assessing curiosity and experience as they relate to each other. Consider the following scenarios where we assess the level of curiosity (C) and experience (E) possessed by an individual investigator.

High C / Low E:

With a lot of curiosity but little experience, an investigator is jumpy. This person’s curiosity drives them to dig into everything that seems new, and without experience to regulate it, this persons ends up chasing a lot of ghosts. They will encounter dead end scenarios frequently because they will choose to pursue inconsequential leads within the evidence they are reviewing. They will rarely admit to encountering a dead-end scenario because their lack of experience doesn’t permit them to realize they’ve encountered one. This person will generate many ideas when hypothesis generation is required, but many of those ideas will be unrealistic because of a lack of experience to weed out the less useful ones. They will seek alternate views of data constantly, but will spend a considerable amount of time pursuing alternate views that don’t necessarily help them. Instead of learning to use tools that get them close to the views they want, they’ll spend time attempting to do more manual work to get the data precisely how they desire even if going that extra 20% doesn’t provide a discernable benefit to their investigation. Even though this person will spend a lot of time failing, they will fail fast and gain experience quickly.

Low C / High E

An investigator possessing a lot of experience but little curiosity could be described as apathetic. This doesn’t necessarily mean they aren’t effective at all, but it does make them less likely to investigate tangential leads that might be indicative of a larger compromise scope or a secondary compromise. In many cases, a person in this state may have started with a high degree of curiosity, but it may have waned over time as their experience increased. This can result in the investigator using their experience as a crutch to make up for their lack of curiosity. They won’t encounter too many dead end scenarios because of this, but may be more prone to them in new and unfamiliar situations. This person will manipulate data, but will rely on preexisting tools and scripts to do so when possible. They will carefully evaluate the time/reward benefit of their actions and will trust their gut instinct more than anything else. This person’s success in resolving investigations will be defined by the nature of their experience, because they will be significantly less successful in scenarios that don’t relate to that experience. These individuals won’t be as highly motivated in terms of out-of-the-box thinking and may be limited in hypothesis generation.

High C / High E

Because this person has a high level of curiosity they will be more motivated to investigate tangential leads. Because they also possess a high level of experience, they will be more efficient in choosing which leads they follow because they will have a wealth of knowledge to reflect upon. When encountering a dead-end scenario, this person should be able to move past it quickly, or if they claim they’ve hit a true dead end, it’s more likely to be an accurate representation of the truth. This person will excel in hypothesis generation and will provide valuable input to lesser experienced investigators relating to how their time could be best spent. They will seek to perform data manipulation when possible, but will be adept at realizing when to use already available tools and when to create their own. They will realize when they’ve found a data manipulation solution that is good enough, and won’t let perfect be the enemy of good enough. This presents an ideal scenario where the investigator is highly capable of resolving an investigation and doing so in a timely manner. These individuals are ideal candidates for being senior leaders, because they can often effectively guide less experienced investigators regarding what leads are worth pursuing and what the right questions to ask are. This person is always learning and growing, and may have several side projects designed to make your organization better.

Low C / Low E

This presents an undesirable scenario. Not only does this person not have the experience to know what they are looking at, they don’t have enough curiosity to motivate them to perform the necessary research and experimentation needed to learn more. This will handicap their professional growth and have them getting outpaced by their peers with a similar amount of experience.

 

If you are an investigator or have spent time around a lot of them then the descriptions you read in each of these scenarios might remind you of someone you know, or even yourself at different points in your career. It’s important to also consider progression, because the level of curiosity and experience of a person changes throughout their career. In these scenarios, a person always starts with no experience but their level of curiosity may affect how quickly that experience is gained.

 

High Curiosity – Sustained

c1

In this ideal scenario, an investigator learns very quickly, and the rate at which they learn also grows. As they realize there is more to learn, they begin to consume more information in more efficient ways.

 

High Curiosity – Waning

c2

While many start very curious, some experience a waning level of curiosity as their experience grows. When this happens, these investigators will rely more on their experience and their rate of learning will slow.

 

Low Curiosity – Sustained

c3

An investigator with a sustained level of low curiosity will continually learn, but at a very slow rate through their career. Peers with a similar number of years experience will outpace them quickly.

 

Low Curiosity – Growing

c4

If an investigator is able to develop an increased level of curiosity over time, their rate of learning will increase. This can result in dramatic mid to late career growth.

 

Each of these scenarios represents a bit of an extreme case. In truth, the progression of an investigators career is affected by many other factors, and curiosity can often take a back seat to other prevailing forces. Most of us who have served in an investigative capacity also know that curiosity often comes in peaks and valleys as new ideas or technologies are discovered. For instance, new tools like Bro have sparked renewed interest for many in the field of network forensics, while the maturity of memory analysis tools like Volatility have sparked curiosity for many in host-based forensics. A new job or changes in someone’s personal life can also positively or negatively affect curiosity.

Recognizing and Assessing Curiosity

We’ve established that curiosity is a desirable trait, and we’ve reviewed examples of what an investigator possessing varying degrees of curiosity and experience might look like. It’s only logical to consider whether curiosity is a testable characteristic. Several researchers have tackled this problem, and as a result there are different tests that can be used to measure varying degrees of this construct.

Available tests include, but are not limited to, the State-Trait Personality Inventory (Spielberger et al, 1980), the Academic Curiosity Scale (Vidler & Rawan, 1974), and the Melbourne Curiosity Inventory (Naylor, 1981). All of these tests are simple self-reported pencil and paper inventories designed to ask somewhat abstract questions in order to assess different facets of curiosity. Some use likert scales to evaluate whether statements describe them, where as others use agreement/disagreement choices in response to whether specific activities sound interesting. These tests all use different models for curiosity, spanning three, four, and five-factor models. They also all require someone with an understanding of administering personality tests to deliver and interpret the results.

A paper published by Reio, et al (2016) completed a factor analysis study of eleven different test designed to measure facets of curiosity. Their findings confirmed research done other psychologists that supports a three-factor model for curiosity delineated by cognitive, physical thrill seeking, and social thrill seeking components. Of course, the former of those is most interesting in our pursuits.

Psychometrics and personality testing is a very unique field of research. While many tests exist that can measure curiosity to some degree, their delivery, administration, and interpretation isn’t entirely feasible by those outside of the field. Simply choosing which test to administer requires a detailed understanding of test reliability and validity beyond what would be expected in a normal SOC. Of course, there is room for more investigation and research here that might yield simplified versions of these personality inventories that are approachable by technical leaders. This is yet another gap that can be bridged where psychology and information security intersect.

Teaching and Promoting Curiosity

Many believe that there is an aspect of curiosity that is a product of nature, and one that is a product of nurture. That is to say some people are born innately with a higher level of curiosity than others. The nature/nurture debate is one of the most prolific arguments in human history, and it goes well beyond the scope of my this article. However, I think we can stipulate that all humans are born with an innate ability to be curious.

If we know curiosity is important, that humans are born with a capacity for it, and we have models that can assess it, the practical question is whether we can teach it. As the field of cognitive psychology has grown, academics have sought to increase the practical application of research in this manner, incorporating the last hundred years of research on reasoning, memory, learning, and other relevant topics.

Nichols (1963) provides useful insight about scenarios that can inhibit and foster curiosity. He identifies three themes.

 

Theme 1: Temperance

A state of temperance is a state of moderation or restraint. While we usually think that it’s in our best interest to absorb all the information we can in an investigation, this can actually serve to limit curiosity. In short, a hungry man is much more curious than a well-fed one.

I think Nichols says it best, “Intemperance in a work situation is largely a condition we bring upon ourselves by limiting our mental exercise to a narrow span of interest. This is most commonly manifested in an over-attention paid to the details of what we are doing. Once our mind becomes satiated by an abundance of minor facts, we cannot, merely by definition, provide it with new and fresh ideas that will allow us to expand our intellectual perception. Our capacity to do so is restricted by our inability to cram more into a mind that is already overburdened by minutiae. Instead, if we recognize that our responsibility is to focus on the vital few points rather than the trivial many, we will have released ourselves so that we may—as the juggler does—examine these areas from several vantage points and mentally manipulate them in a way that will be both more productive and give greater self-satisfaction (Nichols, 1963, p.4). “

 

Theme 2: Success and Failure

When know this from basic principles of conditioning that humans will use avoidance techniques to prevent experiencing a stimulus that is perceived as negative. Because of this, an investigator who repeatedly attempts to perform the same activity and fails will be dissuaded from pursuing that activity. As we’ve established curiosity as a motivation to fill knowledge gaps, it’s clear to see the correlation between repeated failure and decreased curiosity.

For example, an investigator who has little scripting ability might decide that they would like to write a script to output the contents packet capture file and print all of the DNS queries and responses. If they attempt this multiple times and fail, they will eventually just move on to other methods of inquiry. At this point they are much less likely to pursue this same task again, and worse, are much less likely to attempt to solve similar problems using scripting techniques.

 

Theme 3: Culture

Whenever someone is surrounded by a group of others without any sense of curiosity, it’s likely that their level of curiosity will slow or cease growing at all. Fortunately, the opposite of the previous case is also true, as Nichols noted, “Just as association with a group methodically killing curiosity soon serves to stifle that precious commodity within us, becoming part of a group concerned with intellectual growth stimulates our personal curiosity and growth. This does not mean that each of us must throw over our present job, don a white lab coat, and head for the research and development department. It does mean that we should be discriminating in our choice of attitudinal surroundings both on and off the job. Specifically, it requires that we surround ourselves with doers, with competition that will give us incentive to exercise the creative abilities that grow out of intellectual curiosity. We all have the opportunity to find and benefit from an environment that stimulates our curiosity if we only seek it (Nichols, 1963, p.4).”

 

I’ve written extensively about creating a culture of learning, but there is something to be said for creating a culture of curiosity as a part of that. In a more recent study (Koranda & Sheehan, 2014), a group of researchers concerned with organizational psychology in the advertising field built upon that practical implications of Nichols’ work and designed a course with the goal of promoting curiosity in advertising professionals. This, of course, is another field highly dependent on curiosity for success. While this study stopped short of using one of the aforementioned inventories to measure curiosity before and after the course, the researchers did use less formal surveys to ascertain a distinguishable difference in curiosity for those who had participated in the course.

Based on all these things we can identify impactful techniques that can be employed in the education of computer security investigators encompassing formal education, shorter-term focused training, and on-the-job training. I’ve broken those into three areas:

Environment

  • When possible, encourage group interaction and thinking as much as possible. It exposes investigators to others with unique experience and ways of thinking.
  • Provide an environment that is rich in learning opportunities. It isn’t enough to expect an investigator to wade through false positive alerts all day and hope they maintain their curiosity. You have to foster it when scenario-based learning that is easily accessible.

Tone

  • Encourage challenging the status quo and solving old problems in new ways. This relates directly to data manipulation, writing custom code, and trying new tools.
  • Stimulate a hunger for knowledge by creating scenarios that allow investigators to fail fast and without negative repercussions. When an investigator is met with success, make sure they know it. Remember that experience is the thing we get when we don’t get what we wanted.
  • Pair lesser experienced investigators with mentors. This reduces the change of repetitive failure and increases positive feedback.

Content

  • Tie learning as much as possible to real world scenarios that can be solved in multiple ways. If every scenario is solved in the same way or only provides one option, it limits the benefits of being curious, which will stifle it.
  • Create scenarios that are intriguing or mysterious. Just like reading a book, if there isn’t some desire to find out what happens next then the investigator won’t invest time it and won’t be motivated towards curiosity. The best example I can think of here is the great work being done by Counter Hack with Cyber City and the SANS Holiday Hacking Challenges.
  • Present exercises that aren’t completely beyond comprehension. This means that scenario difficulty should be appropriately established and paired correctly with the individual skill sets of investigators participating in them.

 

Of course, each of these thoughts presents a unique opportunity for more research, both of a practical and scientific manner. You can’t tell someone to “be more curious” and expect them to just do it any more than you can tell someone “be smarter” and expect that to happen. Curiosity is regulated by a complex array of traits and emotions that aren’t fully understood. Above all else, conditioning applies. If someone is encouraged to be curious and provided with opportunities for it, they will probably trend in that direction. If a person is discouraged or punished for being curious or isn’t provided opportunities to exhibit that characteristic, they will probably shy away from it.

Conclusion

Is curiosity the “X factor” that makes someone good at investigating security incidents? It certainly isn’t the only one, but most would agree that it’s in that conversation and it’s importance can’t be understated.

In this article I discussed the construct of curiosity, why it’s important, how it manifests, and what can be done to measure and promote it. Of course, beyond the literature review and application to our field, many of the things presented here are merely launching points for more research. I look forward to furthering this research myself, and hearing from those who have their own thoughts.

 

References:

Koranda, D., & Sheehan, K. B. (2014). Teaching Curiosity: An Essential Advertising Skill?. Journal Of Advertising Education18(1), 14-23

Litman, J. A., & Spielberger, C. D. (2003). Measuring epistemic curiosity and its diversive and specific components. Journal of personality assessment,80(1), 75-86.

Lowenstein, G. (1994). `The Psychology of Curiosity: A Review and Reinterpretation.

Naylor, F. D. (1981). A state-trait curiosity inventory. Australian Psychologist,16(2), 172-183.

Nichols, R. G. (1963). Curiosity – The Key to Concentration. Management Of Personnel Quarterly2(1), 23-26.

Reio, T. J., Petrosko, J. M., Wiswell, A. K., & Thongsukmag, J. (2006). The Measurement and Conceptualization of Curiosity. The Journal Of Genetic Psychology: Research And Theory On Human Development167(2), 117-135. doi:10.3200/GNTP.167.2.117-135

Vidler, D. C., & Rawan, H. R. (1974). Construct validation of a scale of academic curiosity. Psychological Reports35(1), 263-266.

Research Call for Security Investigators

brainicon_blueI’m currently seeking security investigators for a research study I’m conducting on cognition and reasoning related to the investigative process. I need individuals who are willing to sit down with me over the phone and participate in an interview focused on individual investigations they’ve worked. The interviews will be focused on describing the flow of the investigation, your thought process during it, and challenges you encountered. I’ll ask you to describe what happened and how you made specific decisions. Specifically, I’m looking for investigations related to the following areas:

  • Event Analysis: You received some kind of alert and investigated it to determine whether it was a true positive or false positive.
  • Incident Response: You received notification of a breach and performed incident response to locate and/or remediate affected machines.

Ideally, these should be scenarios where you felt challenged to employ a wide range of your skills. In either domain, the scenario doesn’t have to lead to a positive confirmation of attacker activity. Failed investigations that led to a dead end are also applicable here.

A few other notes:

  • You will be kept anonymous
  • Any affected organization names are not needed, and you don’t have to give specifics there. Even if you do, I won’t use them in the research.
  • You will be asked to fill out a short (less than five minute) demographic survey
  • The phone interview will be recorded for my review
  • The phone interview should take no longer than thirty minutes
  • If you have multiple scenarios you’d like to walk through, that’s even better
  • At most, the scenario will be generalized and described at a very high level in a research paper, but it will be done in a generic manner that is not attributable to any person or organization.

If you’d like to help, please e-mail me at chris@chrissanders.org with the subject line “Investigation Case Study.”

Launching Makerspaces Across Rural America

When I first started the Rural Technology Fund in 2008 the goal was to provide a few small scholarships every year to students from rural areas pursing an education in a computer-related discipline. Coming from a very rural area myself, I know how hard it is to pursue a passion in an area where no industry exists to support it and where public schools can barely afford basic classroom supplies. As time progressed, the reach of the RTF expanded by repurposing used technical books to public school libraries, supporting high school and university computer science clubs, and donating educational equipment to classrooms. In our short existence, we’ve managed to make a tremendous impact through the efforts of a few volunteers and very few donations. You can learn more about on our impact page here.

As we look to 2016, I believe it’s time that the RTF continues to evolve and grow to impact more students in more places. We are going to continue doing everything we’ve been doing up to this point, but we are also going to challenge ourselves to commit to building 10 makerspace labs in public schools in 2016. This is a huge commitment that will positively impact a great number of students, helping to ensure that students from rural and low income areas have every chance to succeed in high demand computer-related fields.

Please watch the short video below that explains why the RTF exists, and how we are using the MARA project to address a great need.

If you are interested in contributing, you can learn more about the MARA project by visiting http://www.ruraltechfund.org/mara. Technology jobs have the power to change lives and restore communities. With your help, we can empower young people to accomplish these feats!

Infosec Practitioner’s Guide to Philanthropy

elevatordownI came from a small town in western Kentucky where there wasn’t a lot of opportunity. As the son of a trucker and a sewing machine operator we struggled to get by and there were a lot of things stacked up against me as a kid who wanted to be successful in an industry that was not represented at all in my area. Despite those odds, I was fortunate to live in a place where community mattered, and several teachers and others in my life gave of themselves to ensure that I had a fighting chance. Since then, I vowed that no matter where I went or what I did that I would always remember where I came from and give of myself to others. It’s for that reason that I’m passionate about giving back to communities like the one I grew up in, and that’s also why I started the Rural Technology Fund seven years ago. As Kevin Spacey says, “If you’re lucky enough to do well, it’s your responsibility to send the elevator back down.”

Before I get too nostalgic, let me give you my word that the purpose of this post isn’t to make you feel lazy or send you on a guilt trip. While charity is important to me, I recognize that it isn’t to everyone and some people simply aren’t in a position to give their time or money. I write a lot about the importance of giving back, and people frequently ask me what they can do to contribute in a way that is relevant to the profession of information security. The purpose of this post is to discuss a few different ways you can contribute.

What Do You Care About?

Once you’ve decided you want to give back in some way, the first thing you should consider is what you really care about. If you work in infosec then you probably care about technology, but in what way? There are a lot of great technology-focused causes:

Beyond technology and security your interests might lie in other areas. When you watch the news, what stories draw out the emotion in you? What circumstances of the human condition make you angry? These are questions that can help you discover areas you care about. For example:

*Note: I don’t necessarily support all of these organizations, these are just examples. 

Even if you want to support non-technical charities there are ways you can use your technical skills to do so, which I’ll talk about later. Don’t donate your time or money to an organization just because you don’t know what else to do. Everybody cares about something and if you can think of an issue you care about then there is a good chance there is a philanthropic organization out there trying to address that issue.

What Kind of Commitment Can You Make?

Once you’ve thought about what you care about, the next step is to figure out what level commitment you can make. Do you want to donate money, time, or both? This section is organized with that in mind. While reading through this section you should try to be realistic about your commitment. If you are living paycheck to paycheck you probably don’t want to commit to donating hundreds of dollars to a charity. On the flip side, if you work eighty hours a week you probably don’t want to commit to another twenty hours of volunteer work. The last thing you want is to over commit yourself and burn out on something that should be an enjoyable experience.

I have extra cash, but limited time…

Donating to Traditional Charity

The most common method of giving back is to donate money directly to an existing charity. When you do this you are supporting the broader mission of a non-profit, or when possible a specific initiative of the organization. Some popular options include the Rural Technology Fund (shameless plug) and Hackers for Charity.

Pros:

  • Very low time commitment
  • Very easy and can often be done online in a matter of minutes
  • You rely on experts to turn your donation into impact
  • A lot of people donating small amounts can enable a charity to do great things
  • Donations are tax deductible for 501(c)(3) non-profits

Cons:

  • You don’t always get to see the direct benefits of your donation
  • Administrative costs can eat up some of your donation
  • You have little or no say regarding the exact use or allocation of the money
  • An organization that shares your interests may not exist
  • There aren’t a lot of information security related non-profits

Tips for Success:

  • Read as much as you can about the non-profit. Be sure you understand their mission statement, leadership, and how your money will be used.
  • Look for a statistic on what percentage of every dollar is spent on administrative costs. The less the better.
  • If you believe in an organization enough to donate, consider buying some of their swag to help spread awareness.
  • Make sure you are donating to a 501(c)(3) and track your donations for tax season.

Donating to an Interactive Charity

A modern trend in charitable organizations is the concept of allowing donors to connect directly with the people they are helping. These provide a higher level of interactivity compared to traditional non-profits so you can feel a bit more connected to the cause you are contributing to. Two popular interactive charities are Kiva and Donors Choose. Kiva allows donors to provide micro-loans to entrepreneurs in developing nations, and then reloan that money back out when it is paid back. Donors Choose provides a mechanism for teachers to request things they need for their classrooms so that donors can pick the classroom they want to support. I’m a big fan of interactive charities because it makes me feel a lot more connected to those I’m trying to help.

Pros:

  • Low time commitment other than spending time selecting how your donation is used
  • You rely on experts to vet potential recipients and deliver funding
  • Higher interaction than traditional charities
  • Helps you feel much more connected to those you are helping
  • Selecting donation recipients can be a fun family activity
  • Donations are tax deductible for 501(c)(3) non-profits

Cons:

  • You don’t always get to see the direct benefits of your donation
  • Administrative costs can eat up some of your donation
  • You have little or no say regarding the exact use or allocation of the money
  • An organization that shares your interests may not exist
  • There aren’t a lot of information security related non-profits

Tips for Success:

  • Consider giving a donation as a gift. Many of these organizations allow you to buy gift cards to give away so that others can try making a targeted donation. This is a great way to get others involved in an interactive charity so they can see how it works.
  • When you can try involving others. Make a night of looking through donation recipients with your spouse or kids. It’s a great way to instill a sense of charity in others and provides bonding opportunity.
  • These sites often serve a lot of causes, so try to make your donation mean something to you. On Kiva you can make microloans to individuals running Internet cafes or selling computer services. On Donors Choose you can donate computers and electronics to classrooms. On both sites you can also select the region of your donation recipient.
  • Make sure you are donating to a 501(c)(3) and track your donations for tax season.

I have a lot of free time, but not much extra cash…

While many think that the only way to give back is to donate money, the truth is that donating your time is often much more valuable. When you donate time, you have the opportunity to interact and network with other like-minded people and you often get to interact directly with those you are trying to help. There is no greater motivator than witnessing the change you’ve helped make.

Volunteer Your Skills

The thing that makes security so hard is that you have to be a programmer, sysadmin, network engineer, and auditor all in one. Guess what? Those are all skills that are very helpful for non-profit organizations that struggle to make a positive impact and manage administrative costs. Leveraging your skills gives you a great opportunity to serve a non-infosec related cause that you care about. For instance, if you are interested in housing for under privileged families, consider looking up your local Habitat for Humanity chapter and seeing if they need any help keeping their computers or network running, or working on their website. When you donate your time to help with technical tasks it means the organization doesn’t have to pay for those services, which allows more of their funding to go towards mission goals.

Pros:

  • Provides a direct impact to a charitable organization
  • Allows you to use technical skills to positively impact organizations that aren’t necessarily technology focused
  • Generates opportunities for networking with like minded people and others who share your skills
  • Provides an opportunity to keep up technical skills you might not use as much

Cons:

  • Can be time consuming
  • May require some level of freelance contract with the organization
  • Could require you to accept some level of responsibility for things you are helping with, like keeping a website running or getting calls when systems go down

Tips for Success:

  • Start local. There are probably a lot of organizations in your area that could use your help.
  • Think about what you are passionate about and look for organizations that support related causes.
  • Consider working with local industry professional associations like ISSA to arrange group volunteering.
  • When nothing is available locally, look for remote volunteer opportunities. Certain technical skills can be of help without having to be in the same city as the organization you’re supporting.

Share Your Knowledge

One of the things that makes the information security community great is that we have so many people who are willing to share knowledge. While giving presentations at local high schools or colleges isn’t as sexy as speaking at Defcon, it can be just as impactful. You can share your knowledge at many levels in all sorts of venues from high schools to universities to senior citizen communities. While not everybody is going to get something out of discussing exploits and detection systems, its highly likely your security experience can appeal to a much larger audience at a more fundamental level.

Pros:

  • Sharing knowledge with people who care enough to receive it is very gratifying
  • Exposing younger people to information security might spark their interest in pursuing it as a career
  • We all know how important end user security is, so sharing techniques for being safer on the Internet is in the best interest of our industry
  • Speaking events like this are a great way to get more connected with your community

Cons:

  • In smaller areas it may be hard to find and organize events at first until people know more about you
  • Planning and giving presentations can be very time consuming
  • Not everyone is comfortable teaching or speaking

Tips for Success:

  • Contact school administrators to gauge their interested in what you have to offer. Be professional and be prepared with a few ideas for topics and a basic outline of what you’d like to speak about and why it’s important.
  • Considering reaching out to your local city or county government to see if they could use your help. If you live in a small town then chances are that they don’t even have a security staff, so some basic user awareness training could go a long way.
  • Try organizing basic “How to Use the Internet” classes for the elderly in assisted living communities. Teach them how to get online and how to use e-mail so they can receive pictures from their family.
  • If your town has a college or university, see if they have an infosec or technology users group that might benefit from your experience. Consider giving a conference-style presentation or helping setup some hands-on labs. College students often yearn for hands on experience beyond the theory they get in the classroom.

I don’t have a lot of free time or any extra cash…

Get Your Employer Involved

Most organizations of any reasonable size have at least a few people who share common philanthropic interest. In many cases organizations are motivated to support these causes because it is tax incentivized and helps the overall company brand.

Pros:

  • It can provide a way for those who typically couldn’t afford to give back the opportunity to be able to do so
  • Supporting charities in this manner is good for the company brand, and is also tax incentivized
  • Employer sponsored giving can provide great team building opportunities
  • Harnessing the giving power of an entire company can have dramatic and tangible benefits to certain causes

Cons:

  • Your employer might not always be able to contribute to a cause specifically relevant to you
  • It may take a fair bit of convincing to get your employer on board initially

Tips for Success:

  • Ask your boss about providing matching contributions to charitable organizations. Many companies will provide a donation match up to a certain percent, and some will allow for those donations to come from pre-tax income.
  • Get your coworkers together and organize an after hours volunteering event. Something as simple as picking up trash on the side of the road or serving meals as a homeless shelter instills a sense of service and is great for team building.
  • Ask your employer about sponsoring a “Philanthropy Day.” This is an extra day off provided to every employee that they can use to serve the needs of an eligible philanthropic organization. This is low cost to the employer and it can be use to facilitate group volunteering events like I mentioned above. FireEye provides a philanthropy day every year and it was one of my absolute favorite parts of our benefits package.

Advocate

The first step for any non-profit organization is to advocate for their cause to raise awareness. If people don’t know that a problem exists they won’t be willing to help work towards a solution. Advocacy is very important and it is happening around us all the time. For example, years of advocacy is why many of us think about breast cancer awareness when we see someone wearing pink. Spreading the word about causes you care about isn’t time consuming, usually costs little or no money, and can inspire those with free time or disposable income to take action.

Pros:

  • Requires very little time investment
  • Requires little or no money
  • Inspires others to take care and take action

Cons:

  • Most of the impact of your work is indirect so you won’t always see immediate benefits

Tips for Success:

  • Use social media to highlight information relation to the problem you want to address or the work of organizations who are trying to help.
  • Consider buying clothes branded by the organizations you want to support. Something as simple as a t-shirt is cheap, the money supports the organization, and when people see you wearing it that raises awareness.
  • Think about purchasing items through Amazon Smile. It allows you to direct a small percentage of your purchase to eligible non-profits and gives you an opportunity to share your actions via social media.

Conclusion

While this guide certainly isn’t an all inclusive listing of every way you can give back, my hope is that it has provided some ideas for you to channel your desire to give into something useful. Not everyone is in a position to give back, but if you have a desire to do so then it is possible even with very little free time or money to part with. Are you doing something cool to give back that I don’t have listed here? Consider putting it in the comments below.

Inattentional Blindness in Security Investigations

*Disclaimer: Psychology Related Blog Post*

bellJoshua woke up on a frigid Friday morning in Washington, DC and put on a black baseball cap. He walked to the L’Enfant metro station terminal and found a nice visible spot right near the door where he could expect a high level of foot traffic. Once positioned, he opened his violin case, seeded it with a handful of change and a couple of dollar bills, and then began playing for about 45 minutes.

During this time thousands of people walked by and very few paid attention to Joshua. He received several passing glances while a small handful stopped and listened for a moment. Just a coupe lingered for more than a minute or two. When he finished playing, Joshua had earned about twenty-three dollars beyond the money he put into the case himself. As luck would have it, twenty of those dollars came from one individual who recognized Joshua.

Joshua Bell is not just an ordinary violin player. He is a true virtuoso who has been described as one of the best modern violinist in the world, and he has a collection of performances and awards to back it up. Joshua walked into that metro terminal, pulled out a three hundred year old Stradivarius violin, and played some of the most beautiful music that most of us will hear in our lifetime. That leaves the glaring questions: why did nobody notice?

Inattentional Blindness

Inattentional blindness (IB) is an inability to recognize something in plain sight, and it is responsible for the scenario we just described. You may have heard this term before if you’ve had the opportunity to subject yourself to this common selective attention test: https://www.youtube.com/watch?v=vJG698U2Mvo.

As humans, the ability to focus our attention on something is a critical skill. You focus when you’re driving to work in the morning, when you are performing certain aspects of your job, and when you are shopping for groceries. If we didn’t have the ability to focus our attention, we would have a severely limited ability to perceive the world around us.

The tricky thing is that we have limited attention spans. We can generally only focus on a few at a time, and the more things we try to focus on, the less overall focus can be applied to any one thing. Because of this, it is easy to miss things that are right in front of us when we aren’t focused on finding them. In addition, we also tend to perceive what we expect to perceive. These factors combine to produce situations that allow us to miss things right in front of our eyes. This is why individuals in the metro station walked right by Joshua’s performance. They were focused on getting to work, and did not expect a world-class performer to be playing in the middle of the station on a Friday morning.

Manifestations in Security

As security investigators, we must deal with inattentional blindness all the time. Consider the output shown in Figure 1. This screenshot shows several TCP packets. At first glance, these might appear normal. However, an anomaly exists here. You might not see it because it exists in a place that you might not expect it to be, but it’s there.

IB-1

Figure 1: HTTP Headers

In a profession where we look at data all day it is quite easy to develop expectations of normalcy. As you perform enough investigations you start to form habits based on what you expect to see. In the case of investigating the TCP packets above, you might expect to find unexpected external IP addresses, odd ports, or weird sequences of packets indicating some type of scan. As you observe and experience these occurrences and form habits related to how you discover them, you are telling your mind to build cognitive shortcuts so that you can analyze data faster. This means that your attention is focused on examining these fields and sequences, and other areas of these packets lose part of your attention. While cognitive shortcuts like these are helpful they can also promote IB.

In the example above, if you look closely at other parts of the packets, you will notice that the third packet, a TCP SYN packet initiating the communication between 192.168.1.12 and 203.0.113.12 actually has a data length value of 5. This is peculiar because it isn’t customary to see data present in a TCP SYN packet whose purpose is simply to establish stateful communication via the three-way handshake process. In this case, the friendly host in question was infected with malware and was using these extra 5 bytes of data in the TCP SYN to check in to a remote host and provide its status. This isn’t a very common technique, but the data is right in front of our face. You might have noticed the extra data in the context of this article because the nature of the article made you expect something weird to be there, but in practice, many analysts fail to notice this data point.

Let’s look at one more example. In Figure 2 we see a screen populated with alerts from multiple sources fed into the Sguil console. In this case, we have a screen full of anomalies waiting to be investigated. There is surely evil to be found while digging into these alerts, but one alert in particular provides a unique anomaly that we can derive immediately. Do you see it?

IB-2

Figure 2: Alerts in Sguil

Our investigative habits tell us that the thing we really need to focus on when triaging alerts is the name of the signature that fired. After all, it tells us what is going on and can relay some sense of priority to our triage process. However, take a look at Alert 2.84. If you observe the internal (RFC1918) addresses reflected in all of the other alerts, they all relate to devices in the 192.168.1.0/24 range. Alert 2.84 was generated for a device in the 192.168.0.0/24 range. This is a small discrepancy, but if this is not on a list of approved network ranges then there is a potential for a non-approved device on the network. Of course, this could just be a case of someone plugging a cheap wireless access point into the network, but it could also be a hijacked virtual host running a new VM spun up by an attacker, or a Raspberry Pi someone plugged into a hidden wall jack to use as an entry point on to your network. Regardless of the signature name here, this alert is now something that warrants more immediate attention. This is another item that might not be spotted so easily, even by the experienced analyst.

Everyone is susceptible to IB, and it is something we battle ever day. How can we try to avoid missing things that are right in front of our eyes?

Diminishing the Effects

The unfortunate truth is that it isn’t possible to eliminate IB because it is a product of attention. As long as we have the ability to focus our attention in one area, then we will become blind to things outside of that area. With that said, there are things we can do to diminish some of these affects and improve our ability to investigate security incidents and ensure we don’t miss as much.

Expertise

The easiest way to diminish some of the affects of IB is through expertise in the subject matter. In our leading example we mentioned that there were a few people who stopped to listen to Joshua play his violin in the station. It is useful to know that at least two of those people were professional musicians themselves. Hearing the music as they walked through the station triggered the right mechanisms in their brain to allow them to notice what was occurring, compelling them to stop. This was because they are experts in the field of music and probably maintain a state of awareness related to the sound of expert violin playing. Amongst the hustle and bustle of the metro station, their brain allowed them not to miss the thing that people without that expertise had missed.

In security investigations it’s clear to see IB at work in less experienced analysts. Without a higher level of expertise these junior analysts have not learned how to focus their attention in the right areas so that they don’t miss important things. If you hand a junior analyst a packet capture and ask them where they would look to find evil, chances are their list of places to look would be much shorter than a senior analyst, or it would have a number of extraneous items that aren’t worth being included. They simply haven’t tuned their ability to focus attention in the right places.

More senior analysts have developed the skill to be able to selectively apply their attention, but they rarely have the ability to codify it or explain it to another person. The more experienced analysts get at identifying and teaching this information, the better chance of younger analysts getting necessary expertise faster.

Directed Focus

While analysts spend most of their time looking at data, that data is often examined through the lens of tools like SIEMs, packet sniffers, and command line data manipulation utilities. As a young industry, many of these tools are very minimal and don’t provide a lot of visual cues related to where attention should be focused. This is beneficial in some ways because it leaves the interpretation fully open to the analyst, but without having opinionated software this sort of thing promotes IB. As an example, consider the output of tcpdump below. Tcpdump is one of the tools I use the most, but it provides no visual queues for the analysts.

IB-3

Figure 3: Tcpdump provides little in the way of visual cues to direct the focus of attention

We can compare Tcpdump to a tool like Wireshark, which has all sorts of visual cues that give you an idea of things you need to look at first. This is done primarily via color coding, highlighting, and segmenting different types of data. Note that the packet capture shown in Figure 3 is the same one shown in Figure 4. Which is easier to visually process?

IB-4

Figure 4: Wireshark provides a variety of visual cues to direct attention.

It is for this reason that tools developed by expert analysts are desirable. This expertise can be incorporated into the tool, and the tool can be opinionated such that it directs users towards areas where attentional focus can be beneficial. Taking this one step farther, tools that really excel in this area allow analyst users to place their own visual cues. In Wireshark for example, analysts can add packet comments, custom packet coloring rules, and mark packets that are of interest. These things can direct attention to the right places and serve as an educational tool. Developing tools in this manner is no easy task, but as our collective experience in this industry evolves this has to become a focus.

Peer Review

One last mechanism for diminishing the affects of IB that warrants mention is the use of peer review. I’ve written about the need for peer review and tools that can facilitate it multiple times. IB is ultimately a limitation that is a product of an analyst training, experience, biases, and mindset. Because of this, every analyst is subject to his or her own unique blind spots. Sometimes we can correlate these across multiple analyst who have worked in the same place for a period of time or were trained by the same person, but in general everyone is their own special snowflake. Because of this, simply putting another set of eyes on the same set of data can result in findings that vary from person to person. This level of scrutiny isn’t always feasible for every investigation, but certainly for incident response and investigations beyond the triage process, putting another analyst in the loop is probably one of the most effective ways to diminish potential misses as a result if IB.

Conclusion

Inattentional blindness is one of many cognitive enemies of the analyst. As long as the human analyst is at the center of the investigative process (and I hope they always are), the biggest obstacle most will have to overcome is their own self imposed biases and limitations. While we can never truly overcome these limitations without stripping away everything that makes us human, an awareness of them has been scientifically proven to increase performance in similar fields. Combining this increased level of metacognitive awareness with an arsenal of techniques we can do to minimize the effect of cognitive limitations will go a long way towards making us all better investigators and helping us catch more bad guys.