In lesson one, we learned how to observe, but the next step is to dig deeper.
To dig deeper, we need to ask questions. Simply seeing the data or alert won’t get us to our conclusion. All of our questions will be driven by the six basic questions: Who? What? Where? When? Why? And How?
We’ll use art once again to practice and then see how this can relate to being a security analyst. For the picture below, I want you to use the body scan method that we used in lesson one and just observe the picture. Take note of all the objects. Once you’re done, take one object and ask all six basic questions about that object. Not all basic questions will make sense but ask them anyway. If you do all this, you can easily spend more than 5 minutes, but the speed you go at is up to you.
This is by no means an easy piece of artwork to study. Just observing and not making conclusions or assumptions can be extraordinarily hard. We like to solve a puzzle, and this picture is a big one. Starting in the top left, we see a beehive and what appears to be bees near it; if we go to the right, we see an opening to the outside; we move lower, and we see a dog; move even lower, and there's a table with flowers, jars and a book on it. Finally, if we move back to the left, we see a person with an object around the neck that I can't identify.
Now, let's pick one thing and start asking questions. Let's start in the top left again with the beehive. Who is the beehive? Well, that question doesn't make sense in this case, so let's move on. What is the beehive? That's an interesting question, because I ASSUMED it was a beehive; I don't actually know. So I had to do research. I looked at different kinds of bees and found out that this was not a beehive but, in fact, more in the realm of wasps. I found out there are different kinds of wasps: there are yellow jackets, paper wasps, and bald-faced hornets. As I was doing my research and learning the characteristics that set these apart, I came across a description of paper wasps that "they can be reddish-orange to black, sometimes with yellow highlights."
When I saw "reddish-orange", I couldn't help but turn my attention to the person in the picture with the reddish hair and an almost orange-yellow dress. Very interesting, but we must move on. Where is this wasp nest? It appears to be in a room of some sort. There are objects such as a table, chair, cloth, and mirror that would indicate as much. My next question is, Why? Why would a wasp nest be inside a home? While researching, I discovered that paper wasps are social creatures, and it's not uncommon for them to vigorously defend their nest. It seems dangerous to be seated in the same room as a wasp nest. Maybe we can answer this question later when we look at other objects in the room. The next question is How. How did the paper wasps' nest get there? Is the window always open, and they simply flew in and made a nest? Finally, when? When was the wasps' nest started? Research tells me it takes 4 – 6 months to build a nest, so by no means is this a quick process.
I'm going to stop my analysis of the picture above here. Just taking the time to observe all the objects and understand each one could take a long time. If, for example, I come across another painting with bees, wasps, or similar insects, I'll be able to understand or evaluate the situation more quickly. As you see in my analysis above, my assumption about it being a beehive was wrong, and that fact could affect the whole analysis of the painting. That's why asking these questions is so important: they challenge your assumptions.
As analysts, we need to understand each piece of data given after observing the alert. Let’s work on the alert below that is highlighted in yellow by asking some questions.
We'll just look at the Src IP. What is the Src IP? Is it a workstation, or is it a server? If it's a server, what does it do? Who is the most frequently logged-in user? Who else uses that machine? Where is it located? When did this alert occur? Late at night? During work hours? Why did this machine request this external IP? Was this due to an exploit? A phishing email? A drive-by? Maybe the How question doesn't make sense here, but look how many questions we asked about one side of this alert! We haven't even looked at the Dst IP or the request made to the server.
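The questioning routine above can be turned into an enrichment step that a triage script runs before an analyst ever looks at the raw alert. The following is an added example, not code from the original post; it assumes a small asset inventory and logon history (both constructed sample data here, keyed by IP), assumed local business hours of 08:00 to 18:00, and an alert carrying `src_ip` and an ISO `timestamp`. It answers What/Where from inventory, Who from logon frequency, When from the time of day, and leaves Why as the open hypotheses the post names; the priority follows the post's reasoning that a server is more worrying than a workstation.

```python
from collections import Counter
from datetime import datetime, time
from ipaddress import ip_address

# Constructed asset inventory keyed by IP (sample data, not from the post).
ASSETS = {
    "10.0.5.23": {"type": "server", "role": "internal file server", "location": "DC1, rack 4"},
    "10.0.12.77": {"type": "workstation", "role": "staff laptop", "location": "Floor 2, desk 41"},
}

# Constructed interactive-logon history as (src_ip, user) pairs.
LOGONS = [
    ("10.0.5.23", "svc_backup"), ("10.0.5.23", "svc_backup"),
    ("10.0.5.23", "j.doe"), ("10.0.5.23", "svc_backup"), ("10.0.5.23", "admin.kim"),
    ("10.0.12.77", "m.ortiz"), ("10.0.12.77", "m.ortiz"), ("10.0.12.77", "helpdesk"),
]

WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumed local business hours


def who(src_ip, logons=LOGONS):
    """Who: the most frequently logged-in user and everyone else seen on the host."""
    counts = Counter(user for ip, user in logons if ip == src_ip)
    if not counts:
        return {"primary_user": None, "other_users": []}
    primary, _ = counts.most_common(1)[0]
    others = sorted(u for u in counts if u != primary)
    return {"primary_user": primary, "other_users": others}


def what_where(src_ip, assets=ASSETS):
    """What/Where: asset type, role and physical location from the inventory."""
    ip_address(src_ip)  # fail early on a malformed address rather than silently enriching nothing
    asset = assets.get(src_ip)
    if asset is None:
        return {"type": "unknown", "role": "not in inventory", "location": "unknown"}
    return dict(asset)


def when(timestamp_iso):
    """When: classify the alert time against the assumed business hours."""
    t = datetime.fromisoformat(timestamp_iso).time()
    in_hours = WORK_START <= t < WORK_END
    return "during work hours" if in_hours else "outside work hours"


def triage(alert):
    """Answer the six questions for the Src IP side of an alert.

    Why cannot be answered from inventory alone, so it is returned as the open
    hypotheses the post lists, to be checked against proxy, mail and endpoint evidence.
    """
    src = alert["src_ip"]
    profile = what_where(src)
    users = who(src)
    timing = when(alert["timestamp"])
    # A server worries more than a workstation, and off-hours activity adds to the concern.
    score = (2 if profile["type"] == "server" else 1) + (1 if timing == "outside work hours" else 0)
    return {
        "what": f'{profile["type"]} ({profile["role"]})',
        "who": users,
        "where": profile["location"],
        "when": timing,
        "why": ["open: exploit?", "open: phishing email?", "open: drive-by?"],
        "how": "not applicable to the source host alone",
        "priority": {3: "high", 2: "medium", 1: "low"}[score],
        "dst_ip_reviewed": False,  # the other side of the alert still needs the same treatment
    }


if __name__ == "__main__":
    # Constructed alert: an internal host requested an external IP at 02:17 local time.
    alert = {"src_ip": "10.0.5.23", "dst_ip": "203.0.113.45", "timestamp": "2024-03-04T02:17:00"}
    for key, value in triage(alert).items():
        print(f"{key:>16}: {value}")
```

The point of keeping each question in its own function is that the data sources differ: inventory answers What and Where, authentication logs answer Who, and the alert itself answers When. An IP that is absent from the inventory is reported as unknown rather than guessed at, which is exactly the wrong-assumption trap the post warns about.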
Maybe you think that's a lot of work and would rather just look at the alert and go from there. Well, as with the painting above, what happens if you guess what the Src IP is and you're wrong? You think it's a workstation, but it's a server. It could affect your analysis and send you down the wrong path. If the source IP is a server, it worries me more than a workstation would. As with the picture above, neither honey bees nor wasps are good to have in your room, but having wasps that are known to defend their nests more aggressively seems worse.
Asking these questions fills the scenario with facts rather than with assumptions you made. By asking them, you'll learn about the environment, and in six months you'll know which hosts are servers and which are workstations without having to think about it. Do this exercise for a day: ask these questions for each piece of data you're given and see how much more you learn that you hadn't previously known, or had perhaps only assumed.