4/4/2016
03:00 PM

A Day In The Life Of A Security Analyst

'The network doesn't lie' and host detection systems are also key tools for the analyst.

Some days start out quiet—too quiet—for a cybersecurity analyst. Others, not so much.

“We never know what is going to happen. A day can start out calm or start out on fire and very quickly go from one or another,” says Jim Treinen, a security analyst for ProtectWise, who spends his days defending both his own company’s network as well as that of its customers.

Treinen, vice president of security research at cloud security provider ProtectWise, says his team is divided into two groups. The first consists of the classic network security researcher-type analysts, who gather the bits and bytes of network traffic off the wire to determine what is good and bad, and who also pull apart malware. The second group focuses on security analysis, performing behavioral analysis, machine learning, and all the heuristic analysis that goes into judging what is legitimate activity and what is not.

First order of the day: Situational Awareness

For an analyst coming on shift, the first task of the day is a hand-over of activity and information from the analysts on the previous shift, especially if they are in a 24/7 security operations center. The analyst gets a briefing on the current events: ongoing incidents or things that are suspicious that need monitoring. “We start there,” Treinen says.

“What are the key activities on the network? What are we monitoring? Is there something that we see that is a potential risk that we need to really come up to speed on quickly?”

And they watch to see what happens next.

“The biggest problem we deal with especially in these large networks is the vast volume of things we need to watch. So where do we focus?”

An analyst can use a combination of tools and clues pulled from monitoring the network to determine which parts of the network to focus on first. This is where the hand-off, or situational awareness, from the previous analysts is helpful, as are tools that detect abnormal activity.

Fighting Attacks: Reactive Mode

Security analysts tend to work in two modes: reactive mode, where they respond to alarms and information from their security tools; and calm/proactive mode, where they can proactively hunt for activity they think deserves attention so they aren’t always chasing down an event.

But what happens if things start to go bad quickly – a malware attack, virus escalation, a denial of service attack, or discovery of data theft?

The ideal scenario is to intercept attackers before they cause damage or steal information, according to Treinen. If analysts detect adversaries setting up an infrastructure to launch an attack or tunneling into the network, ideally, they would shut the infrastructure down and move to remediate the compromised machines before damage is done. That’s why analysts need to constantly monitor for activity such as a compromised host system calling out for malware updates or applications calling out for command and control type activity.

But the ideal doesn’t always happen. So if a network is under attack, the logical step for the analyst is to open a case file or incident file and start tracking the assets the security team thinks are under attack, as well as where the attacks are coming from. This activity becomes the focal point in the network.

“Depending on the types of tools you have in hand, you can trade searches off of that or elevate the monitoring of specific applications,” Treinen says.

An analyst will also watch for lateral movement to determine if the adversary is using the primary compromised applications or systems as a jumping point to get deeper into the network. Automated remediation systems, or even the network engineering teams, should start closing systems down if that is warranted.

Doors into the network and systems need to be shut quickly. Analysts also focus on preserving any type of forensic evidence the SOC team can use internally to figure out how the bad guys got in, or to preserve evidence if the organization calls in law enforcement. The bad guys will most likely attempt to clean up after the attack to delete their tracks.

Fighting Attacks: Calm Mode

Analysts can use the quieter times to proactively catch and mitigate attacks and security breaches. “If you have the right team and proactive analysts who are curious by nature and if they see something, they can pull on that thread to see where it leads them,” Treinen says.

Highly skilled attackers leave minimal tracks because they are stealthy. But an experienced senior analyst whose interest in an activity is piqued may still turn up something through more in-depth analysis. Attackers constantly change the domains and IP addresses they use in order to escape detection, for example. “If you keep enough history and enough memory of what has actually happened on your network, you can discover something you didn’t see before,” Treinen says.

Using tools that reconstruct the state of a network at any given point in time can give an analyst a powerful forensic search capability. Instead of just analyzing log data, the analyst can reconstruct the full network down to the packet level to see who was talking to whom and which protocols were in use. Or the analyst might find evidence of compromised systems from a zero-day attack lying latent in the network, poised for future attack.

“The network doesn’t lie; it gives you a true recording on what is going on,” Treinen says.
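As an added example (not ProtectWise's tooling or code from the article) of the retrospective search the preceding paragraphs describe: given stored flow history, find which internal hosts talked to indicators that only became known later, then pivot to other destinations the same host used on the same port and protocol in the same time window, as candidates for rotated attacker infrastructure. All IPs, timestamps and flow records are constructed.

```python
"""Retrospective hunt over stored network history (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow history: (timestamp, src, dst, dst_port, protocol).
FLOWS = [
    ("2016-04-01T02:00:00", "10.0.0.12", "203.0.113.7", 443, "tls"),
    ("2016-04-01T02:10:00", "10.0.0.12", "203.0.113.7", 443, "tls"),
    ("2016-04-01T02:20:00", "10.0.0.12", "198.51.100.9", 443, "tls"),  # infra rotated
    ("2016-04-01T09:00:00", "10.0.0.33", "203.0.113.7", 443, "tls"),
    ("2016-04-01T09:05:00", "10.0.0.33", "192.0.2.40", 80, "http"),    # ordinary web
    ("2016-04-01T10:00:00", "10.0.0.50", "192.0.2.40", 80, "http"),
]
# Indicator that became known only after these flows were recorded (constructed).
NEW_IOCS = {"203.0.113.7"}


def parse(ts):
    return datetime.fromisoformat(ts)


def hosts_that_contacted(flows, iocs):
    """Which internal hosts talked to the newly learned indicators, and when."""
    hits = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if dst in iocs:
            hits[src].append((parse(ts), dst, port, proto))
    return dict(hits)


def pivot_destinations(flows, hits, iocs, window=timedelta(hours=1)):
    """Pull on the thread: other destinations each hit host reached on the
    same port/protocol within the window, excluding already-known indicators."""
    candidates = defaultdict(set)
    for src, events in hits.items():
        for when, _dst, port, proto in events:
            for ts, s, d, p, pr in flows:
                same_channel = s == src and (p, pr) == (port, proto)
                if same_channel and d not in iocs and abs(parse(ts) - when) <= window:
                    candidates[src].add(d)
    return dict(candidates)


def hunt(flows=FLOWS, iocs=NEW_IOCS):
    hits = hosts_that_contacted(flows, iocs)
    return hits, pivot_destinations(flows, hits, iocs)


if __name__ == "__main__":
    hits, candidates = hunt()
    print("hosts that contacted new IOCs:", sorted(hits))
    print("candidate rotated infrastructure:", candidates)
```

On the constructed data only 10.0.0.12 yields a pivot (198.51.100.9); 10.0.0.33's ordinary port-80 traffic is not promoted to a candidate because it is on a different channel.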

However, it takes more than one approach to find malicious activity; there is no silver bullet. So an analyst must also rely on host-based detection systems. You need a view of both network and host activity to get a full picture of threats, according to Treinen.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.