Analysts | Who you are

Introduction 

Due to the nature of our work we are ne er given a finishing line and as such we must break down what analysts do into fudemdemental components and the measurements for them



Who are Analysts


Analysts look at data, turn it into information and place assertions on that information. So where you can find opportunities to measure how well an individual does this task


Preparation

An analyst is expected to analyze any piece of data they are given whether it's the first even record of its time or something of frequent occurrence and large volumn  no human mide can grasp the complexity of that task so the active and deliberate steps taken by the analyst before they are presented with data is important.

Repeated and deliberate exposure to relevant challanges- 
Analysts must forceful recreate scenarios that simulate tasks they would be given. In doing this they aim to both find healthy thought pathways and methodologies while eliminating potential weakness in their approachas. As a simple example there exists 12 sub technoqies in the process injecton techniques, more than likely if you a reading this you are familiar with what is called portable executable injection. Do you know the others, do you how to find each one in your tools. Doing this exercise and those like it means you are usually more prepared than the adversary.


Notes and sources-
Within Cybersecrity there is already to much information for a single person to consume in its entirety as such an analyst must tactically select information that must both be pertaint to their immediate tasks but also useful for further reference. when taking notes structure is key as the analyst mind will wonder into rediscovery if the information can not be easily found in the notes.
Importantly Analysts notes must be written in project like fashion as numerous weaves of information flow into Analysts tasks they and need to be captured.

Studying
Hands on experience will give you acceleration in your journey but theroy and strong understanding provide the trajectory and longevity required for good analyst work. Analysts should never focus on remembering answers or passing tests but instead aqqurinng the capability to detect, stop, respond to and track adversaries. it is for this reason studying will need to look quite different from academics where you are taught topics parrel to adveraries but never how to defeat them. Manifest this in reading blogs descriping adversaries procedures over news item and books on red team tradecraft instead of cyber war stories.


Analysis

As an analyst you must look at data and discern whether that data is evidence of a threat or danger. To do this you must first have a strong understanding of not what questions you could ask but what questions you can ask, this will come from studying your datapline and the underlying systems you monitor. Next you must understand how to validate the quality of the questions you intend to ask, will the question lead you to a deadend, what questions were asked before and what were their outcomes, what bias are you likely to introduce when searching the available data.

Once you have began getting answers to your questions as an analyst you need to correlate it to what an adversary may be trying to achieve and then subsequently avenues to explore to discern of the  behavior was an adversaries.


PART TWO; finding confidence in your assertions SOON

Popular posts from this blog

Endpoint on Adrenaline : One

Image
Introduction   This blog series will capture how to maximise the protection of an endpoint using the various technologies in the Defender suite. The controls outlined in the series will each need to have their own considerations taken into account for a given environment but hopefully at a minimum it will be clear just how powerful of an offering Microsoft has.  Unfortunately due to the highly modular and distinct diversity in controls Microsoft offers things are often overlooked and misconfigured when tests are conducted. With this in mind, the shortest possible route to a solution for this is utilizing the recommendations, CSPM and Secure Score technology contained within Defender 365 and Defender for Cloud as it will automatically conduct posture assessments and inform you of things you have missed and may want to turn on (IE dont take these recommendations lightly) Lastly, I would recommend reading the book “Defender for Endpoint in depth” from packt as it showcases the complexitie
Read more

Brilliance in the Basics

Image
Introduction Tired of watching you and your friends get compromised, do exactly what's in this blog and start eating adversaries alive. Avoiding the memes adversaries win because of simple mistakes and neglect and we all already know what they are so I'm going to list them for you. Its all for free too. Enumerate To put it simply, there shouldn't be anything you don't know about your environment, you should know who all your users are, where all your electronic devices are and what they do, what applications you have and what versions they are. Enumeration is the jet fuel for making good defensive decisions. I wrote about how to enumerate your environment here  Securing your estate: The First Step (goblinloot.net) . Follow these steps and become the arbitrator of your own environment  Your perimeter is a bridge, not a wall Monitor your perimeter as best as you can but always assume it has already been defeated. Monitor endpoint system and process telemetry and southwest
Read more

Investigate

Image
  Introduction This document details how an analyst should conduct investigations and triage in the normal duties of their job. It will describe concepts and logic that enable analysts to look at data, ask investigative questions, evaluate those questions and arrive at assertions about what they have found. An Alert For the most part, analysts begin their investigative work when an alert is generated. Alerts are fantastic because they are a statement that something has happened and something needs to be done about it. Typically alerts are filled with information that an analyst can then use in their investigation. Alerts are generated by detections and these detections can come in many shapes and sizes. Some just look for a particular action like someone unlocking their car door, others might have access to more context like someone who isn’t the owner of the car unlocking the door. Going even further some detections might look at how the car door was opened or at what
Read more