Category Archives: Investigations

Investigating Like a Chef

Whenever I get the chance I like to try and extract lessons from practitioners in other fields. This is important because the discipline of information security is so new, while more established professions have been around, in some cases, for hundreds of years. I’ve always had a keen interest in culinary studies, mostly because I come from an area of the country where people show that they love each other by preparing meals. I’m also a bit of a BBQ connoisseur myself, as those of you who know me can solemnly attest to. While trying to enhance my BBQ craft I’ve had the opportunity to speak with and read about a few professional chefs and study how they operate. In this post I want to talk a little bit about some key lessons I took away from my observations.

If you have ever worked in food service, or have even prepared a meal for a large number of people you know that repetition is often the name of the game. It’s not trimming one rack of ribs, its trimming a dozen of them. It’s not cutting one sweet potato, its cutting a sack of them. Good chefs strive to do these things in large quantities while still maintaining enough attention to detail so that the finished product comes out pristine. There are a lot of things that go into making this happen, but none more important than a chef mastering their environment. This isn’t too different than a security analyst who investigates hundreds of alerts per day while striving to pay an appropriate amount of attention to each individual investigation. Let’s talk about how chefs master their environment and how these concepts can be applied to information security.

Chefs minimize their body movement. If you are going to be standing up in a kitchen all day performing a bunch of repetitive and time sensitive tasks, then you want to make sure every step or movement you make isn’t wasted. This prevents fatigue and increases efficiency.

As an example, take a look at Figure 1. In this image, you will see that everything the chef needs to prepare their dish is readily available without the chef having to take extra steps or turn around too often. Raw products can be moved from the grocery area, rinsed in the sink, sliced or cut on the cutting board, cooked on the stove, and plated without having to turn more than a few times or move more than a couple of feet.

chef_mentalmoves

Figure 1: A Chef’s Workspace is Optimized for Minimal Movement

Chefs learn the French phrase “mise en place” early on in their careers. This statement literally means, “put in place”, but it specifically refers to organizing and arranging all needed ingredients and tools required to prepare menu items during food service. Many culinary instructors will state that proper mise en place, or simply “mise” in shorthand, is the most important characteristic that separates a professional chef from a home cook.

There is a lot of room for mise in security investigations as well. Most analysts already practice this to some degree by making sure that their operating system is configured to their liking. They have their terminal windows configured with a font and colors the make it easy to read, they have common OSINT research sites readily accessible as browser favorites, and they have shortcut icons to all of their commonly used tools. At a higher level, some analysts even have custom scripts and tools they’ve written to minimize repetitive tasks. These things are highly encouraged.

While analysts don’t have to worry about physical movement as much, they do have to work about mental movement. In an ideal situation an analyst can get to the end of an investigation with as few steps as possible, and a strategic organization of their digital workspace can help facilitate that. I’ve seen some organizations that seek to limit the flexibility analysts have in their workspace by enforcing consistent desktop environments or limiting access to additional tools. While policies to enforce good security and analysis practices are great, every analysts learns and processes information in a different way. It isn’t only encouraged that analysts have flexibility to configure their own operating environments, it’s critical to helping them achieve success.

Beyond the individual analysts workstation, the organization can also help out by providing easy access to tool and data, and processes that support it. If an analyst has to connect to five systems to retrieve the same data, that is too much mental movement that could be better spent formulating and answering questions about the investigation. Furthermore, if organizations limit access to raw data it could force the analyst to make additional mental moves that slow down their progress.

Chefs make minimal trips to the fridge/pantry. When you are cooking dinner at home you likely make multiple trips to the fridge to get ingredients or to the pantry to retrieve spices during the course of your meal. That might look something like this:

“I think this soup needs a bit more tarragon, let me go get it. “

or…

“I forgot I need to add an egg to the carbonara at the end, I’ll go get it from the fridge.”

Building on the concept of mise en place, professional chefs minimize their trips to the fridge and pantry so that they always have the ingredients they need with as few trips as possible. This ensures they are focused on their task, and also minimizes prep and clean up time. They also ensure that they get an appropriate amount of each ingredient to minimize space, clean up, and waste.

chef_mise

Figure 2: Chef’s Gather and Lay Out Ingredients for Multiple Dishes – Mise en Place

One of the most common tasks an analyst will perform during an investigation is retrieval of data in an attempt to answering questions. This might include querying a NetFlow database, pulling full packet capture data from a sensor, or querying log data in a SIEM.

Inexperienced analysts often make two mistakes. The first is not retrieving enough data to answer their questions. This means that the analyst must continue to query the data source and retrieve more data until they get the answer they are looking for. This is equivalent to a chef not getting enough flour from the pantry when trying to make bread. On the flip side, another common pitfall is retrieving too much data, which is an even bigger problem. In these situations an analyst may not limit the time range of their query appropriately, or simply may not use enough filtering. The result is a mountain of data that takes a significant amount of time to wade through. This is equivalent to a chef walking back from the fridge with 100 eggs when they only intend to make a 3-egg omelet.

Learning how to efficiently query data sources during an investigation is product of asking the right questions, understanding the data you have available, and having the data in a place that is easily accessible and reasonably consolidated. If you can do these things you should be able to ensure you are making less trips back to the pantry.

Chefs carefully select, maintain, and master their tools. Most chefs spend a great deal of time and money purchasing and maintaining their knives. They sharpen their knives before every use, and have them professionally refinished frequently. They also spend a great deal of time practicing different types of cuts. A dull or improperly used knife can result in inconsistently cut food, which can lead to poor presentation and even cause under or overcooked food if multiple pieces of food are cooked together but are sized differently. Of course, this could also lead to you accidentally cutting yourself. These concepts go well beyond knives; a bent whisk can result in clumped batter, and an unreliable broiler can burn food. Chefs have to select, maintain, and master a variety of tools to perform their job.

chef_tools

Figure 3: A Chef’s Travel Kit Provides Well-Cared For Essential Tools

In a security investigation tools certainly aren’t everything, but they are critically important. In order analyze network communication you have to understand the protocols involved at a fundamental level, but you also need tools to sort through them, generate statistics, and work towards decision points. Whether it is a packet analysis tool like Wireshark, a flow data analysis tool like SiLK, or an IDS like Snort, you have to understand how those tools work with your data. The more ambiguity placed between you and raw data, the greater chance for assumptions that could lead to poor decisions. This is why it is critical to understand how to use tools, and how they work.

Caring for tools goes well beyond purchasing hardware and ensuring you have enough servers to crunch data. At an organization level it requires hiring the right number of people in your SOC to help manage the infrastructure. Some organizations attempt to put that burden on the analysts, but this isn’t always scalable and often results in analysts being taken away from their primary duties. This is also the “piling on” of responsibilities that results in analysts getting frustrated and leaving a job.

Beyond this, proper tool selection is important as well. I won’t delve into this too much here, but careful consideration should be given to free and open source tools, as well as the potential for developing in house tools. Enterprise solutions have their place, but that shouldn’t be the default go-to. The best work in information security in most cases is still done at the free and open source level. You should look for tools that support existing processes, and never let a tool alone dictate how you conduct an investigation.

Chefs can cook in any kitchen. When chefs master all of the previously mentioned concepts, it allows them to apply those concepts in any location. If you watch professional cooking competitions, you will see that most chefs come with only their knife kit and are able to master the environment of the kitchen they are cooking in. For example, try watching “Chopped” sometime on Food Network. These chefs are given short time constraints and challenging random ingredients. They organize their workspace, assess their tools, make very few trips to get ingredients, and are able to produce five star quality meals.

chef_chopped

Figure 4: Professional Chef’s Competing in an Unfamiliar Kitchen on Food Network’s Chopped

In security investigations, this is all about understanding the fundamentals. Yes, tools are important as I mentioned earlier, but you won’t always work in an environment that provides the same tools. If you only learn how to use Arcsight then you will only ever be successful in environments that use Arcsight. This is why understanding higher-level investigative processes that are SIEM-independent is necessary. Even at a lower level, understanding a tool like Wireshark is great, but you also need to understand how to work with packets using more fundamental and universal tools like tcpdump, as you may not always have access to a graphical desktop. Taking that step further, you should also understand TCP/IP and network protocols so that you can make better sense of the network data you are analyzing without relying on protocol dissectors. A chef’s fundamental understanding of food and cooking methods allows them to cook successfully in any kitchen. An analyst’s fundamental understanding of systems and networking allows them to investigate in any SOC.

Conclusion

Humans have been cooking food for thousands of years, and have been doing so professionally for much longer than computers have even existed. While the skills needed to be chef are dramatically different than those needed to investigate network breaches, there are certainly lessons to be learned here. Now, if you’ll excuse me, writing this has made me hungry.

* Figures 1-3 are from “The Four-Hour Chef” by Tim Ferriss. One of my favorite books.

Teaching Good Investigation Habits Through Reinforcement

Press_for_food-fullThe biggest responsibility that leaders and senior analysts in a SOC have is to ensure that they are providing an appropriate level of training and mentoring to younger and inexperienced analysts. This is how we better our SOC’s, our profession, and ourselves. One problem that I’ve written about previously relates to the prevalence of tacit knowledge in our industry. The analysts who are really good at performing investigations often can’t describe what makes them so good at it, or what processes they use to achieve their goals. This lack of clarity and repeatability makes it exceedingly difficult to use any teaching method other than having inexperienced analysts learning through direct observation of those who are more experienced. While observation is useful, a training program that relies on it too much is flawed.

In this blog post I want to share some thoughts related to recent research I’ve done on learning methods as part of my study in cognitive psychology. More specifically, I want to talk a bit about one specific way that humans learn and how we might be able to better frame our investigative processes to better the investigation skills of our fellow analysts and ourselves.

Operant Conditioning

When most people think of conditioning they think of Pavlov and how he trained his dogs to learn to salivate at the sound of a tone. That is what is referred to as learning by classical conditioning, but that isn’t what I want to talk about here. In this post, I want to instead focus on a different form of learning called operant conditioning. While classical conditioning is learning that is focused on a stimulus that occurs prior to a response and is associated with involuntary response, operant conditioning is learning that is related to voluntary responses and is achieved through reinforcement or punishment.

An easy example of operant conditioning would be to picture a rat in a box. This box contains a button the rat can push with its body weight, and doing so releases a treat. This is an example of positive reinforcement that allows to rat to learn the associated that pressing the button results in a treat. The relationship is positively reinforced because a positive stimulus is used.

Another type of operant conditioning reinforcement is negative reinforcement. Consider the same rat in a different box with a button. In this box, a mild electrical charge is passed to the rat through the floor of the box. When the rat presses the button, the electrical charge stops for several minutes. In this case, negative reinforcement is being used because it teaches the rat a behavior by removing a negative stimulus. The key takeaway here is that negative reinforcement is still reinforcing a behavior, but in a different way. Some people confuse negative reinforcement with punishment.

Punishment is the opposite of reinforcement because it reduces the probability of a behavior being expressed. Consider the previous scenario with the rat in the electrified room, but instead, the room is only electrified when the rat presses the button. This is an example of a punishment that decreases the likelihood of the rat pressing the button.

Application to Security Investigation

I promise that all of this talk about electrifying rats is going somewhere other than the BBQ pit (I live in the deep south, what did you expect?). Earlier I spoke about the challenge we have because of tacit knowledge. This is made worse in many environments where you have access a mountain of data but have an ambiguous workflow that can allow an input (alert) to be taken down hundreds of potential paths. I believe that you can take advantage of a fundamental construct like operant conditioning to help better your analysts. In order to make this happen, I believe there are three key tasks that must occur.

Identify Unique Investigative Domains

First, you must designate domains that lend themselves to specific cognitive functions and specializations. For instance, triage requires different skills sets and cognitive processes than hunting. Thus, those are two separate domains with different workflows. Furthermore, incident response requires yet another set of skills and cognitive processes, making it a third domain of investigation. Some organizations don’t really distinguish between these domains, but they certainly should. I think there is work to be done to fully establish investigative domains (I expect lots of continued research here on my part), and more importantly, criteria for defining these domains. But at a minimum you can easily pick out a few domains relevant to your SOC, like I’ve mentioned above.

Define Key Workflow Characteristics and Approaches

Once you’ve established domains you can attempt to define their characteristics. This isn’t something you do in an afternoon, but there are a few clear wins. For instance, triage is heavily suited to divergent thinking and differential diagnosis techniques. On the other hand, hunting is equally reliant on convergent and divergent thinking and is well suited to relational (link) analysis. These are characteristics you can key on in your workflows moving on to the next step.

Apply Positive and Negative Reinforcement in Tools and Processes

Once you know what paths you want analysts to take, how do you reinforce their learning so that they are compelled to do so? While some of us would like to consider a mechanism that provides punishment via electrified keyboards, positive and negative reinforcement are a bit more appropriate. Of course, you can’t give an analyst a treat when they make good decisions, but you can provide reinforcement in other ways.

For an investigation, there is no better positive stimulus than providing easy and immediate access to relevant data. When training analysts, you want to ensure they are smart about what data they gather to support their questioning. Ideally, an analyst only gathers the amount of information the need to get the answer they want. More skilled analysts are able to do this quickly without spending too much time re-querying data sources for more data or whittling excess away from data sets that are too large. Whenever an analyst has a questions and your tool or process helps them answer it in a timely manner, you are positively reinforcing the use of that tool or process. Furthermore, when the answer to that question helps them solve an investigation, you are reinforcing the questions the analyst is putting forth, which helps that analyst learn what questions are most likely to help them achieve results.

Negative reinforcement can be used advantageous here as well. In many cases analysts arrive at points in an investigation where they simply don’t know what questions to ask next. With no questions to ask, the investigation can stall or prematurely end. When chasing a hot lead, this can result in frustration, despair, and hopelessness. If the tools and processes used in your SOC can help facilitate the investigation by helping the analysts determine their next logical set of questions, then that can serve as negative reinforcement by removing the negative stimuli of frustration, despair, and hopelessness. At this point you aren’t only help the analyst further a single investigation, you are once again reinforcing questions that help them learn how to further every subsequent investigation they will conduct.

Other Thoughts

While the previous sections identified some structured approaches you can take towards bettering your analysts, I had a few less structured thoughts I wanted to share in bullet points. These are ways that I think SOC’s can help achieve teaching goals in every day decisions:

  • How can you continually provide positive reinforcement to help analysts learn to make good decisions?
  • If you are making a decision for analysts, let them know. Little things like data normalization and timestamp assumptions can make a difference. Analyst knowledge of these things further help them understand their own data and how we manipulate it for their (hopeful) betterment. Less abstraction from data is critical to understanding the intricacies of complex systems.
  • You must be aware of when you punish your analysts. This occurs when a tool or process prevents the user from getting data they need, takes liberties with data, fails to produce consistent results, etc. If a process or tool is frustrating for a user, then that punishment decreases the likelihood that they will use it, even if it represents a good step in the investigation. You want to at all costs avoid tools and processes that steer your analysts away from good analytic practices.

Conclusion

This is another post that is pretty heavy in theory, but it isn’t so far away from reality that it doesn’t’ have the potential for real impact in the way you make decisions about the processes and tools used in your SOC, and how you train your analysts. As our industry continues to work on developing workflows and technologies we have to think beyond what looks good and what feels right and grasp the underlying cognitive processes that are occurring and the mental challenges we want to help solve. One method for doing this is a thoughtful use of operating condition as a teaching tool.