[Dshield] IDS Analysts

Josh Beckett josh at theoubliette.net
Tue Jan 29 19:13:09 GMT 2008


> Wow that was all over the place, but what are some of your thoughts
> regarding required knowledge from an analyst?
>

One of the things that I always want to know apart from the basics is if
the person is just trained to be an IT Security person or if it really
flows through their veins.  Do they see the world in terms of systems and
strengths and weaknesses of those systems?

The test that I developed was first thought of with a group of tried and
true security folks at lunch.  We went to a Mongolian-style lunch buffet
and one of the things that I noticed was that you would pay the cashier
for a large or small bowl (only one trip allowed) and then step behind the
cashier and pick up the appropriate bowl yourself and proceed down the
food line stuffing it with your choices.  Well this is laughable
explaining it in this context, but so many people when taken to lunch will
drop their guard and expect the basic chatter looking for personality fit
within the team.  At any rate, I first formulated the question with the
group of security veterans: "Did you happen to notice anything about this
place?"

The response was pretty much straight across the board: "What do you mean?"
After a very little bit of coaxing to hint at the system of the cashier
and the line, most of them got it and were able to recognize it for what
it was...a system with weak security controls and very low risk of getting
caught with a childishly simple exploit.  They still will use this test on
occasion to interview people, btw.

I've used similar tricks to ascertain whether the person is truly a
'digger,' meaning they don't just accept what they see, but see it and ask
the right questions when something 'smells' not right.  I've used strange
packet captures and run the interviewee through a series of questions,
starting with the basic - "tell me what you see." I then will begin to
provide the correct information to fill in the gaps that might be obtained
during other investigative efforts that they don't have access to as an
interviewee, providing they ask the right questions.
Ex.: a packet capture shows an old, odd, and rarely used protocol, mixed
among all the other ebb and flow of the internal network traffic that is
going between two hosts on the same subnet.  I'm talking an old Unix
protocol that jumps out at you if you have ever stared at packet captures
for days or weeks on end.
The first comment you should get when it's noticed is either - "What's
that?" or "Hrmm...that's strange."  And when they ask or comment about it,
I would gradually tell them there are no Unix hosts on that subnet and ask
"now what do you think of it?"  Then hopefully they would begin digging
into the guts of the packets and network conversation and begin coming up
with some lucid theories or places that they might want to continue to
investigate.

Anyway...that's some of the stuff that I do, because you can teach just
about anyone with some general network proficiency to read packets or
respond to alerts, but IMHO the mark of a true analyst is that 'digger
mentality.'  They see things others don't see and ask questions others
don't think to ask.

J-
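The packet-capture exercise above boils down to one expectation check: a service that implies a Unix host showing up on a subnet the inventory says has none. The following is an added example of that check (not code from the post or from DShield); the protocol table, OS names, subnets and flow records are all assumed and constructed for illustration, since the post does not name the protocol.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Assumed for this example (the post does not name the protocol): TCP services
# that, in a mixed enterprise network, normally imply a Unix-style listener.
UNIX_ONLY_SERVICES = {79: "finger", 513: "rlogin", 514: "rsh"}
UNIX_LIKE = {"linux", "unix", "bsd", "solaris", "aix"}

# Constructed asset inventory: subnet -> operating systems known to live there.
INVENTORY = {
    "10.1.1.0/24": {"windows"},
    "10.2.2.0/24": {"windows", "linux"},
}

def subnet_of(ip, inventory):
    """Return the inventory subnet containing ip, or None if the host is unknown."""
    addr = ipaddress.ip_address(ip)
    for net in inventory:
        if addr in ipaddress.ip_network(net):
            return net
    return None

def unexpected_unix_flows(flows, inventory=INVENTORY, services=UNIX_ONLY_SERVICES):
    """Flag flows to a Unix-only service on a subnet that the inventory says has no Unix hosts."""
    findings = []
    for f in flows:
        if f.proto != "tcp" or f.dport not in services:
            continue
        dst_net = subnet_of(f.dst, inventory)
        if dst_net is None:
            continue  # unknown destination: a separate question for the analyst
        if inventory[dst_net] & UNIX_LIKE:
            continue  # a Unix host could legitimately be listening here
        findings.append({
            "flow": f,
            "service": services[f.dport],
            "reason": f"{dst_net} has only {sorted(inventory[dst_net])} hosts",
        })
    return findings

# Constructed sample flows, as in the interview scenario: two hosts on the same subnet.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.1.1.20", 445, "tcp"),  # SMB between Windows hosts: expected
    Flow("10.1.1.10", "10.1.1.20", 513, "tcp"),  # rlogin on an all-Windows subnet: dig here
    Flow("10.2.2.5", "10.2.2.9", 514, "tcp"),    # rsh where Linux hosts exist: plausible
]
```

Only the rlogin flow on the all-Windows subnet is returned; the SMB flow is normal and the rsh flow lands where a Linux host could be listening, which is exactly the distinction the interview is probing for.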