Joshua woke up on a frigid Friday morning in Washington, DC and put on a black baseball cap. He walked to the L’Enfant metro station terminal and found a nice visible spot right near the door where he could expect a high level of foot traffic. Once positioned, he opened his violin case, seeded it with a handful of change and a couple of dollar bills, and then began playing for about 45 minutes.
During this time thousands of people walked by and very few paid attention to Joshua. He received several passing glances while a small handful stopped and listened for a moment. Just a coupe lingered for more than a minute or two. When he finished playing, Joshua had earned about twenty-three dollars beyond the money he put into the case himself. As luck would have it, twenty of those dollars came from one individual who recognized Joshua.
Joshua Bell is not just an ordinary violin player. He is a true virtuoso who has been described as one of the best modern violinist in the world, and he has a collection of performances and awards to back it up. Joshua walked into that metro terminal, pulled out a three hundred year old Stradivarius violin, and played some of the most beautiful music that most of us will hear in our lifetime. That leaves the glaring questions: why did nobody notice?
Inattentional blindness (IB) is an inability to recognize something in plain sight, and it is responsible for the scenario we just described. You may have heard this term before if you’ve had the opportunity to subject yourself to this common selective attention test: https://www.youtube.com/watch?v=vJG698U2Mvo.
As humans, the ability to focus our attention on something is a critical skill. You focus when you’re driving to work in the morning, when you are performing certain aspects of your job, and when you are shopping for groceries. If we didn’t have the ability to focus our attention, we would have a severely limited ability to perceive the world around us.
The tricky thing is that we have limited attention spans. We can generally only focus on a few at a time, and the more things we try to focus on, the less overall focus can be applied to any one thing. Because of this, it is easy to miss things that are right in front of us when we aren’t focused on finding them. In addition, we also tend to perceive what we expect to perceive. These factors combine to produce situations that allow us to miss things right in front of our eyes. This is why individuals in the metro station walked right by Joshua’s performance. They were focused on getting to work, and did not expect a world-class performer to be playing in the middle of the station on a Friday morning.
Manifestations in Security
As security investigators, we must deal with inattentional blindness all the time. Consider the output shown in Figure 1. This screenshot shows several TCP packets. At first glance, these might appear normal. However, an anomaly exists here. You might not see it because it exists in a place that you might not expect it to be, but it’s there.
Figure 1: HTTP Headers
In a profession where we look at data all day it is quite easy to develop expectations of normalcy. As you perform enough investigations you start to form habits based on what you expect to see. In the case of investigating the TCP packets above, you might expect to find unexpected external IP addresses, odd ports, or weird sequences of packets indicating some type of scan. As you observe and experience these occurrences and form habits related to how you discover them, you are telling your mind to build cognitive shortcuts so that you can analyze data faster. This means that your attention is focused on examining these fields and sequences, and other areas of these packets lose part of your attention. While cognitive shortcuts like these are helpful they can also promote IB.
In the example above, if you look closely at other parts of the packets, you will notice that the third packet, a TCP SYN packet initiating the communication between 192.168.1.12 and 203.0.113.12 actually has a data length value of 5. This is peculiar because it isn’t customary to see data present in a TCP SYN packet whose purpose is simply to establish stateful communication via the three-way handshake process. In this case, the friendly host in question was infected with malware and was using these extra 5 bytes of data in the TCP SYN to check in to a remote host and provide its status. This isn’t a very common technique, but the data is right in front of our face. You might have noticed the extra data in the context of this article because the nature of the article made you expect something weird to be there, but in practice, many analysts fail to notice this data point.
Let’s look at one more example. In Figure 2 we see a screen populated with alerts from multiple sources fed into the Sguil console. In this case, we have a screen full of anomalies waiting to be investigated. There is surely evil to be found while digging into these alerts, but one alert in particular provides a unique anomaly that we can derive immediately. Do you see it?
Figure 2: Alerts in Sguil
Our investigative habits tell us that the thing we really need to focus on when triaging alerts is the name of the signature that fired. After all, it tells us what is going on and can relay some sense of priority to our triage process. However, take a look at Alert 2.84. If you observe the internal (RFC1918) addresses reflected in all of the other alerts, they all relate to devices in the 192.168.1.0/24 range. Alert 2.84 was generated for a device in the 192.168.0.0/24 range. This is a small discrepancy, but if this is not on a list of approved network ranges then there is a potential for a non-approved device on the network. Of course, this could just be a case of someone plugging a cheap wireless access point into the network, but it could also be a hijacked virtual host running a new VM spun up by an attacker, or a Raspberry Pi someone plugged into a hidden wall jack to use as an entry point on to your network. Regardless of the signature name here, this alert is now something that warrants more immediate attention. This is another item that might not be spotted so easily, even by the experienced analyst.
Everyone is susceptible to IB, and it is something we battle ever day. How can we try to avoid missing things that are right in front of our eyes?
Diminishing the Effects
The unfortunate truth is that it isn’t possible to eliminate IB because it is a product of attention. As long as we have the ability to focus our attention in one area, then we will become blind to things outside of that area. With that said, there are things we can do to diminish some of these affects and improve our ability to investigate security incidents and ensure we don’t miss as much.
The easiest way to diminish some of the affects of IB is through expertise in the subject matter. In our leading example we mentioned that there were a few people who stopped to listen to Joshua play his violin in the station. It is useful to know that at least two of those people were professional musicians themselves. Hearing the music as they walked through the station triggered the right mechanisms in their brain to allow them to notice what was occurring, compelling them to stop. This was because they are experts in the field of music and probably maintain a state of awareness related to the sound of expert violin playing. Amongst the hustle and bustle of the metro station, their brain allowed them not to miss the thing that people without that expertise had missed.
In security investigations it’s clear to see IB at work in less experienced analysts. Without a higher level of expertise these junior analysts have not learned how to focus their attention in the right areas so that they don’t miss important things. If you hand a junior analyst a packet capture and ask them where they would look to find evil, chances are their list of places to look would be much shorter than a senior analyst, or it would have a number of extraneous items that aren’t worth being included. They simply haven’t tuned their ability to focus attention in the right places.
More senior analysts have developed the skill to be able to selectively apply their attention, but they rarely have the ability to codify it or explain it to another person. The more experienced analysts get at identifying and teaching this information, the better chance of younger analysts getting necessary expertise faster.
While analysts spend most of their time looking at data, that data is often examined through the lens of tools like SIEMs, packet sniffers, and command line data manipulation utilities. As a young industry, many of these tools are very minimal and don’t provide a lot of visual cues related to where attention should be focused. This is beneficial in some ways because it leaves the interpretation fully open to the analyst, but without having opinionated software this sort of thing promotes IB. As an example, consider the output of tcpdump below. Tcpdump is one of the tools I use the most, but it provides no visual queues for the analysts.
Figure 3: Tcpdump provides little in the way of visual cues to direct the focus of attention
We can compare Tcpdump to a tool like Wireshark, which has all sorts of visual cues that give you an idea of things you need to look at first. This is done primarily via color coding, highlighting, and segmenting different types of data. Note that the packet capture shown in Figure 3 is the same one shown in Figure 4. Which is easier to visually process?
Figure 4: Wireshark provides a variety of visual cues to direct attention.
It is for this reason that tools developed by expert analysts are desirable. This expertise can be incorporated into the tool, and the tool can be opinionated such that it directs users towards areas where attentional focus can be beneficial. Taking this one step farther, tools that really excel in this area allow analyst users to place their own visual cues. In Wireshark for example, analysts can add packet comments, custom packet coloring rules, and mark packets that are of interest. These things can direct attention to the right places and serve as an educational tool. Developing tools in this manner is no easy task, but as our collective experience in this industry evolves this has to become a focus.
One last mechanism for diminishing the affects of IB that warrants mention is the use of peer review. I’ve written about the need for peer review and tools that can facilitate it multiple times. IB is ultimately a limitation that is a product of an analyst training, experience, biases, and mindset. Because of this, every analyst is subject to his or her own unique blind spots. Sometimes we can correlate these across multiple analyst who have worked in the same place for a period of time or were trained by the same person, but in general everyone is their own special snowflake. Because of this, simply putting another set of eyes on the same set of data can result in findings that vary from person to person. This level of scrutiny isn’t always feasible for every investigation, but certainly for incident response and investigations beyond the triage process, putting another analyst in the loop is probably one of the most effective ways to diminish potential misses as a result if IB.
Inattentional blindness is one of many cognitive enemies of the analyst. As long as the human analyst is at the center of the investigative process (and I hope they always are), the biggest obstacle most will have to overcome is their own self imposed biases and limitations. While we can never truly overcome these limitations without stripping away everything that makes us human, an awareness of them has been scientifically proven to increase performance in similar fields. Combining this increased level of metacognitive awareness with an arsenal of techniques we can do to minimize the effect of cognitive limitations will go a long way towards making us all better investigators and helping us catch more bad guys.