Author Archives: Chris Sanders

Know Your Bias – Availability Heuristic

This is part three in the Know your Bias series where I examine a specific type of bias, how it manifests in a non-technical example, and provide real-world examples where I’ve seen this bias negatively affect a security practitioner. You can view part one here, and part two here. In this post, I’ll discuss the availability heuristic.

The availability heuristic is a mental shortcut: when evaluating information to make a decision, we lean on whichever examples come to mind most easily, which are usually the ones we encountered most recently or most often.

For the security practitioner, this type of bias is primarily an attack on your time more so than your accuracy. Let’s go through a few examples both inside and outside of security before discussing ways to mitigate the negative effects the availability heuristic can have.

Availability Heuristic Outside of Security

Are you more likely to be killed working as a police officer or as a fisherman? Most people select police officer. However, statistics show that you are as much as 10x more likely to meet your end while working on a fishing boat [1]. People get this wrong because of the availability heuristic. Whenever a police officer is killed in the line of duty, it is often a major news event. Police officers are often killed in the pursuit of criminals and this is typically viewed as a heroic act, which means it becomes a human interest story and news outlets are more likely to cover it.

Try this yourself. Go to Google News and search for “officer killed”. You will almost certainly find multiple recent stories and multiple outlets covering the same story. Next, search for “fisherman killed”, and you’ll find far fewer results. When there are results, they are typically covered only by outlets local to where the death happened and not picked up by national outlets. The news disproportionately covers the deaths of police officers over fishermen. To be clear, I’m not questioning that practice at all. However, it does explain why most people tend to think that police work is more deadly than commercial fishing. We are more likely to trust the information we can recall most quickly, and by virtue of seeing more news stories about police deaths, the availability heuristic tricks us into thinking that police work is more deadly. I’d hypothesize that if we posed the same question to regular viewers of the Discovery Channel show “The Deadliest Catch”, they might recognize the danger associated with commercial fishing and select the correct answer.

One thing we know about human memory and recall is that it is efficient. We often go with the first piece of information that can be recalled from memory. Not only does the availability of information drive our thoughts, it also shapes our behavior. It’s why advertisers spend so much money to ensure that their product is the first thing we associate with specific inputs. When many Americans think of cheeseburgers they think of McDonalds. When you think of coffee you think of Starbucks. When you think of APT you think of Mandiant. These aren’t accidental associations; a lot of money has been spent to ensure those bonds were formed.

Availability Heuristic in Security

Availability is all about the things you observe the most and the things you observe most recently. Consider these scenarios that highlight examples of how availability can affect decisions in security practice.

Returning from a Security Conference

I recently attended a security conference where multiple presenters showed examples that included *.top domains that were involved with malicious activity. These sites were often hosting malware or being used to facilitate command and control channels with infected machines. One presenter even said that any time he saw a *.top domain, he assumed it was probably malicious.

I spoke with a colleague who had really latched on to that example. He started treating every *.top domain he found as inherently malicious and driving his investigations with that in mind. He even spent time actively searching out *.top domains as a threat hunting exercise to proactively find evil. How do you think that turned out for him? Sure, he did find some evil. However, he also found that the majority of *.top domains he encountered on his network were legitimate. It took him several weeks to realize that he had fallen victim to the availability heuristic. He put too much stock in the information he had received because of its recency and frequency. It wasn’t until he had gathered a lot of data that he was able to recognize that the assumption he was making wasn’t entirely correct, and that it wasn’t something that warranted this much of his time.

In another recent example, I saw a colleague purchase a lot of suspected APT-owned domains with the expectation that sinkholing them would result in capturing a lot of interesting C2 traffic. He had seen someone speak on this topic and thought his success rate would be higher than it was, because the speaker didn’t cover the topic in depth. My colleague had to purchase a LOT of domain names before he got any interesting data, and by that point he had pretty much decided to give up after spending both a lot of time and money on the task.

It is very hard for someone giving a 30-minute talk to fully support every claim they make. It also isn’t easy to stop and cite additional sources in the middle of a verbal presentation. Because our industry isn’t strict about providing papers to support talks, we end up with a lot of opinions and not much fact. Those opinions get wheels and may be taken much farther than the original presenter ever intended. This tricks people who are less metacognitively aware into accepting opinions as fact.

Data Source Context Availability

If you work in a SOC, you have access to a variety of data sources. Some of those are much lower context like flow data or DNS logs, and some are much higher context like PCAP data or memory. In my research, I’ve found that analysts are much more likely to pursue high-context data sources when working an investigation, even when lower context data sources contain the information they need to answer their questions.

On one hand, you might say that this doesn’t matter because if you are arriving at the correct answer, why does it matter how you got there? Analytically speaking, we know that the path you take to an answer matters. It isn’t enough to be accurate in an investigation; you also need to be expedient. Security is an economic problem wherein the cost to defend a network needs to be low and the cost to attack it needs to be high. I’ve seen that analysts who start with higher-context data sources when it isn’t entirely necessary often spend much more time in an investigation. Starting with a higher-context data source when it isn’t necessary introduces an opportunity for distractions in the investigation process. The more opportunity for distracting information, the more opportunity for availability bias to creep in as the new information is given too much priority in your decision making. That isn’t to say that all new information should be pushed aside, but you do have to carefully control what information you allow to hold your attention.
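The two points above, the *.top hunting story and the preference for low-context data, come together in one practical habit: before spending weeks acting on a claim you heard at a conference, measure its base rate in the data you already have. The script below is an added example, not code from the original post or any tool it mentions. It answers the single question “how many of the *.top names on my network are actually known bad?” from DNS logs alone, with no packet capture needed. The log lines, the known-bad list, the function names and the 50% threshold in `hypothesis_holds` are all constructed assumptions for illustration.

```python
"""Base-rate check for a hunting hypothesis such as "*.top domains are malicious".

Added example, not code from the original post. The DNS log lines and the
known-bad list are constructed for illustration; the function names and the
threshold are assumptions, not any real tool's API.
"""
from collections import defaultdict

# Constructed DNS query log, one query per line: timestamp, client, queried name.
SAMPLE_DNS_LOG = """\
2017-05-01T10:00:01Z 10.0.0.5 cdn.example.top
2017-05-01T10:00:02Z 10.0.0.5 www.example.com
2017-05-01T10:00:03Z 10.0.0.7 static.example.top
2017-05-01T10:00:04Z 10.0.0.7 c2.evil-example.top
2017-05-01T10:00:05Z 10.0.0.9 mail.example.com
2017-05-01T10:00:06Z 10.0.0.9 api.example.top
2017-05-01T10:00:07Z 10.0.0.5 c2.evil-example.top
2017-05-01T10:00:08Z 10.0.0.11 bad.example.net
2017-05-01T10:00:09Z 10.0.0.11 www.example.net
2017-05-01T10:00:10Z 10.0.0.12 login.example.top
"""

# Constructed list of names already known to be bad (hypothetical indicators).
KNOWN_BAD = {"evil-example.top", "bad.example.net"}


def parse_dns_log(text):
    """Yield (timestamp, client, qname) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2].rstrip(".").lower()


def tld_of(qname):
    """Return the rightmost label of a name, e.g. 'top' for 'cdn.example.top'."""
    return qname.rsplit(".", 1)[-1]


def is_known_bad(qname, known_bad):
    """True if the name itself or any parent domain of it is in the known-bad set.

    The bare TLD is deliberately excluded, so a list entry of 'top' would not
    match every name; that is exactly the assumption this script is testing.
    """
    labels = qname.split(".")
    return any(".".join(labels[i:]) in known_bad for i in range(len(labels) - 1))


def tld_base_rates(log_text, known_bad):
    """Per TLD: query count, unique names, and how many of those names are known bad.

    bad_ratio is the share of unique names under the TLD that hit the known-bad
    list. 'unvetted' lists the remaining names, i.e. what would actually need
    analyst time if the hypothesis were pursued.
    """
    queries = defaultdict(int)
    names = defaultdict(set)
    for _ts, _client, qname in parse_dns_log(log_text):
        tld = tld_of(qname)
        queries[tld] += 1
        names[tld].add(qname)

    stats = {}
    for tld, name_set in names.items():
        bad = {n for n in name_set if is_known_bad(n, known_bad)}
        stats[tld] = {
            "queries": queries[tld],
            "names": len(name_set),
            "known_bad": len(bad),
            "bad_ratio": len(bad) / len(name_set),
            "unvetted": sorted(name_set - bad),
        }
    return stats


def hypothesis_holds(stats, tld, min_bad_ratio=0.5):
    """Decide whether 'everything under this TLD is suspect' survives the data.

    A TLD the log has never seen cannot support the hypothesis either way.
    The 50% default is an arbitrary illustration threshold.
    """
    entry = stats.get(tld)
    return entry is not None and entry["bad_ratio"] >= min_bad_ratio


if __name__ == "__main__":
    result = tld_base_rates(SAMPLE_DNS_LOG, KNOWN_BAD)
    for tld, entry in sorted(result.items()):
        print(f".{tld}: {entry['queries']} queries, {entry['names']} names, "
              f"{entry['known_bad']} known bad ({entry['bad_ratio']:.0%})")
    print("'.top is malicious' holds on this data:", hypothesis_holds(result, "top"))
```

On the constructed log, one of five unique *.top names is known bad, so the hypothesis fails the 50% bar and four names would still need vetting by hand. The point is not the threshold but the order of operations: the question is stated first, a low-context source answers it in seconds, and only then does it make sense to decide whether deeper, higher-context data (and weeks of attention) are warranted.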

Structured Adversary Targeting

In the past five years, the security industry has become increasingly dominated by fear-based marketing. A few years ago it was the notion that sophisticated nation-state adversaries were going to compromise your network no matter who you were. These stories made national news and most security vendors began to shift their marketing towards guaranteeing protection against these threats.

The simple truth is that most businesses are unlikely to be targeted by nation-state level threat actors. But because the news and vendor marketing have made this idea so prevalent, its availability has led an overwhelming number of people to believe that it could happen to them. When I go into small businesses to talk about security, I generally want to talk about things like opportunistic attacks, drive-by malware, and ransomware. These are the things small businesses are most likely to be impacted by. However, most of these conversations now involve a discussion about structured threat actors because of the availability of that information. I don’t want to talk about these things, but people ask about them. While this helps vendors sell products, it takes some organizations’ eyes off the things they should really be concerned about. I’m certain Billy Ray’s Bait Shop will never get attacked by the Chinese PLA, but a ransomware infection has the ability to destroy the entire business. In this example, the abundance of information associated with structured threat actors clouds perspective and takes time away from more important discussions.

Diminishing Availability Heuristic

The stories above illustrate common places the availability heuristic manifests in security. Above all else, the availability of information is most impactful in how you spend your time and where you focus your attention. Attention is a limited resource, as we can only focus on one or two things at a time. Consider where you place your attention and what is causing you to place it there.

Over the course of the next week, start thinking about the places you focus your attention and actively question what information led you to do that. Is that information based on fact or opinion? Are you putting too much or too little time into your effort? Is your decision making slanted in the wrong direction?

Here are a few ways you can recognize when the availability heuristic might be affecting you or your peers, and strategies for diminishing its effects:

Carefully consider the difference between fact and opinion. In security, most of the publicly available information you’ll find is a mix of opinions and facts, and the distinction isn’t always clear. Whenever you make a judgment or decision based on something you read or heard elsewhere, spend a few minutes considering the source of the information and doing some manual research to see if you can validate it independently.

Use patience as a shield. Since your attention is a limited resource, you should protect it accordingly. Just because new information has been introduced doesn’t mean it is worthy of shifting your attention to it. Pump the brakes on making quick decisions. Take a walk or sleep on new information before acting, to see if something still matters as much tomorrow as it does today. Patience is a valuable tool in the fight to diminish the effects of many biases.

Practice question-driven investigating. A good investigator is able to clearly articulate the questions they are trying to answer, and only seeks out data that will provide those answers. If you go randomly searching through packet capture data, you’re going to see things that will distract you. By only seeking answers to questions you can articulate clearly, you’ll diminish the opportunity for availability bias to distract your attention.

Utilize a peer group for validation. By definition, we aren’t good at recognizing our own biases. When you are pursuing a new lead or deciding whether to focus your attention on a new task or goal, consider bouncing that idea off of a peer. They are likely to have had different experiences from yours, so their decision making could be less clouded by the recency or availability of the information that is affecting you. A question to that group can be as simple as “Is ____ as big of a concern as I think it is?”

If you’re interested in learning more about how to help diminish the effects of bias in an investigation, take a look at my Investigation Theory course where I’ve dedicated an entire module to it. This class is only taught periodically, and registration is limited.

[1] http://www.huffingtonpost.com/blake-fleetwood/how-dangerous-is-police-w_b_6373798.html

Practical Packet Analysis Photo Contest

Since the latest edition of Practical Packet Analysis has been released, so many people have been sending me pictures of their copies. It’s been so amazing that I’ve decided to make a contest of it and reward those of you who bought the book and are so enthusiastic about it!

About a month ago I shared that I am developing an online packet analysis course with the same name as the book. This course officially opens in June and is packed with over 40 hours of packet analysis videos and plenty of hands-on labs and packet captures for you to play around with. You can learn more about this course here: http://chrissanders.org/training/#ppa.

This is your opportunity to win a FREE seat in the course. But, it’s only if you’ve already purchased the book. I want you to take a picture of the book and send it to me at chris@chrissanders.org with the subject “PPA Photo Contest”. Now, it’s not quite that simple. I’m going to pick the winner based on who sends me the most creative picture. That can mean taking the book to an exotic locale, a simple action shot of you using the book to dissect some packets, or even a picture of the book with your dog. The sky is the limit, just don’t do anything illegal or dangerous 🙂

The official rules:

  • Your submission must be received by midnight EST on May 10th. If you were thinking about buying the book, this gives you a chance to purchase and receive it and still take your photo.
  • Entries must be submitted directly to me at chris@chrissanders.org with the subject line “PPA Photo Contest”
  • You must have purchased a legal copy of PPA 3rd edition
  • You must consent to allow me to share your picture on social media and my blog. I won’t share them all, but I will share some of my favorites.
  • I will pick one overall winner who will receive a free seat in the PPA online course. If you are already registered for this course, you can exchange that license for a seat in my Investigation Theory course.
  • I will pick a few “honorable mention” winners who will receive discount codes for any of my courses of your choosing, or free seats in my information security writing course.

So, what if you bought an electronic copy of the book? You can still enter! Just take your picture showing the book in your e-reader application or on your tablet. However, when you submit your entry please include a receipt showing your purchase. That can be a screenshot of your amazon order page or the e-mail receipt from No Starch Press.

That’s it! The contest begins NOW and ends at midnight May 10th. I’m looking forward to seeing how creative you can be!

Source Code S1: Episode 3 – Magen Wu

This week, I’m joined by Magen Wu (tottenkoph) of Rapid7 to talk about her career path. We talk about growing up in “God’s Waiting Room”, how we take our hash browns at Waffle House, speaking at security conferences, and our shared interest of psychology and how it applies to information security.

Listen Now:

You can also subscribe to it using your favorite podcasting platform:

If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. If you like what you hear, make sure to let Magen know by tweeting at her @tottenkoph. As always, I love hearing your feedback as well and you can reach me @chrissanders88.

Source Code S1: Episode 2 – Doug Burks

The response for the podcast has been tremendous. Thanks so much to everyone who listened and subscribed!

This week, my good friend Doug Burks joins us. Doug is most widely known for being the creator of the Security Onion Linux distribution that helps you peel back the layers of your network and make your adversaries cry. In this episode we talk about the origin of Security Onion, the reality check in college that helped turn Doug into one of the most disciplined and hard-working people I know, and his part in helping turn Augusta into the information security capital of the south.

Listen Now:

You can also subscribe to it using your favorite podcasting platform:

If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. If you like what you hear, make sure to let Doug know by tweeting at him @dougburks. As always, I love hearing your feedback as well and you can reach me @chrissanders88.

Time, Straight Lines, and the Next Step

As I shared a couple of weeks ago, I’ve decided to step away from my role at Mandiant/FireEye after three fun and challenging years. During this time I did some interesting work and met a lot of great people who I’m glad to call friends. However, it’s time for something different, and that’s what this post is about.

I’ve spent a lot of time over the past few months thinking about how I spent my time and how my time will be remembered by those around me. Time is the only thing that you can’t get more of, and once it’s gone you can never get it back.

I started a career in information technology and security at a young age because it was a new frontier, I enjoyed the challenge, and there was a demand. As I’ve gotten older, I’ve begun to realize that I don’t love information security — I love how it lets me serve others and help them achieve their goals. When I really thought about it, I realized that there is evidence of my love of service in other facets of my life as well. This is why I love to teach, why I love to gather friends around the BBQ pit, and why I started the Rural Technology Fund nearly ten years ago.

I think it’s easiest to serve people when you can draw the shortest, straightest line between the work you do and how it positively impacts the lives of others. I’ve been fortunate to have some jobs where that line was fairly straight and short, but I’ve also had plenty where the line was miles long and wrapped around in circles. The more I thought about it, the more I realized my happiness is really contingent on my ability to keep that line short and straight.

Here’s how I’m going to do that…

Applied Network Defense

First, I’m thrilled to announce the launch of Applied Network Defense, a new business venture I’ll be leading. Through this organization, I’m going to focus on delivering high quality, affordable online information security training. Many of you may be familiar with some of my existing classes like Investigation Theory and Effective Information Security Writing. These courses will serve as a blueprint for new courses I’ll be teaching, including a Practical Packet Analysis course, and a course called Defense Against the Digital Dark Arts aimed at teaching practical security concepts to college students, IT workers who are interested in focusing on security, and business leaders who want to gain a better working knowledge of how to think about and approach security problems.

AND isn’t just about me, though. Beyond my own teaching, I want to help others deliver their expertise to those who need it. I’ll be partnering with other individuals and organizations to help them develop online training to support their products and education goals. This includes a new Bro scripting course, and a new partnership with OISF to offer an official online Suricata course. These will both be released this summer. If you’d like to learn more about this venture or are interested in taking a course or developing one, check out appliednetworkdefense.com

Pro-Bono Consulting

A big part of what I’ll be doing with AND is trying to help those who really need it. I’ve always offered scholarships to my courses for human service non-profit workers, and I’ll continue to do that. I’ll also be devoting one or two days a month towards offering free “pro-bono” consulting for those organizations and very small businesses that can’t afford to pay the price many vendors charge. If you’d like help in that area, you can fill out an application here. If you’d like to join me in this effort, please reach out.

Source Code Podcast

Something that has always fascinated me about our field is that everyone comes from such diverse backgrounds. Most got into IT or security by taking a different path, and everyone has a unique story to tell. I’ve decided to create a new podcast as a forum for people to tell those stories. My hope is that I’ll create a repository of “origin stories” that will inspire other practitioners and students. I released the first episode of the podcast last week and the feedback so far has been amazing. You can check out the first episode and stay up to date with future episodes here.

Rural Technology Fund

Finally, I’ll be spending more time with the Rural Technology Fund. The impact of this organization has grown tremendously over time. Last year, we made enough targeted donations to public schools to reach over 10,000 students. This year, my hope is to reach as many as 25,000 (we’re already 30% of the way there). I can’t do this alone, so I’ll be spending time fundraising, soliciting volunteers, and getting the word out about all the good work we’ve been doing. You can learn more about the RTF and how you can help here.

I want to end with a personal note. I’m the son of a trucker and a sewing machine operator from a town named Mayfield that nobody ever heard of. To be able to do what I do and interact with so many amazing people through my work is nothing short of a miracle. I don’t belong here, but because I am, I’ll never stop being thankful. I’m incredibly excited about this new journey and I sincerely appreciate all the support of those who have bought a course license, purchased one of my books, donated to the RTF, or simply read this blog.