Eyes Skyeward

Challenge the status quo. Find Your Truth.

Reflections…

My Reflections in a Time of Crisis…

May 09, 2020 by Skye Wu in Discovery

Reality has an interesting way of turning out.

When I started this blog I had grand plans of an upload schedule. I didn’t factor in “writer’s block” and didn’t factor in life.

I anticipated 2020 to be a huge year; this seemed to be the pattern for me year after year. I looked forward to challenging myself in new ways I hadn’t done in the previous years.

Well, I’m happy to report 2020 has definitely been big… for many. Boy did I learn a lesson or 50…

I am a little bit ashamed to admit that, despite doing what I do as a day job, I was someone who downplayed the potential impact of COVID-19.

Sincere medical advice from the professionals in the news sounded like fear mongering to my non-medical ears.
Restrictions being implemented in cities like Shanghai sounded inhumane.
I scoffed at my parents’ pleas to work from home, avoid public transport and stay away from the cities. I also scoffed when they said we should stop meeting every Sunday night for group dinner, as they were still going to work.

I’m not sure why I went against my better judgement.
Maybe it was the indignation I felt; playing down something I felt I was being blamed for seemed easier for me to deal with.
The seemingly subtle covering of fellow passengers’ noses and mouths when they spotted me step onto the train. One poor young man was so afraid of me that he buried his face deep into the backpack he was hugging tightly. I felt a mix of compassion, pity and fury. I thought about moving somewhere else so he could be more comfortable. But I stood my ground. This became my new normal, unless I was travelling with my husband on public transport… for those of you wondering why, well, let me just say one of the things I love about him is his kind, soft blue eyes…

I realised how wrong I was when I spoke with a dear friend who is a medical doctor. She taught me so much about this virus: what the medical professionals knew at the time. She explained to me the immediate implications and the medium and long term impacts, and told me that it was only a matter of time before the WHO declared a global pandemic (this was a week before the WHO declaration).

COVID-19, and government reaction and management across the globe, has really opened my eyes. I realised that having access to the latest and greatest technology and tools makes little difference in the midst of a great crisis. I think about the countries with some of the most advanced medical equipment in the world and access to some of the greatest medical minds. In the end, we are told that washing our hands with soap is the best way to combat the virus.

I realised that this has a good parallel to what Discovery is about: helping companies understand where the gaps are in their protections. We may not find the next equivalent of the COVID-19 virus, but by surfacing risks through data-driven analysis we can advise organisations on how to better manage or improve their existing capabilities. That puts them in a position to respond to and manage the security world’s equivalent of COVID-19 if and when it happens.

Until next time! I hope everyone stays healthy and keeps safe.
PS: What are some of your learnings from this pandemic? Drop me a message on Twitter or LinkedIn.

Disclaimer: All statements and comments are my own. They do not reflect the views of any past or present employers.

Who? What? Why? What does this mean?

Uncover your Truth: The loud and proud

September 15, 2019 by Skye Wu in Cyber Security, Data analysis, Discovery, Investigations

“My name is Sherlock Holmes. It is my business to know what other people don’t know.” - Sherlock Holmes

My very first Discovery question was actually “magic mirror, show me all the bad anomalies hiding in this data.” Very soon, I realised I was chasing down many a rabbit hole that led me nowhere. For some reason I *thought* that all anomalies represent an action by a hacker or a cyber criminal. I’m not sure why; I guess I thought only bad people do weird things?

I hope at least some of you, my dear readers, got a chance to take a look at your data after the last post!

As promised, here are some questions I would often ask of the data I’m interrogating. I do not start my analysis with any pre-set ideas of what I may find. I try to be as unbiased as possible.

These are the 5 general Discovery steps I take to interrogate data.

Question 1: Define my timeframe. Will I be interrogating 1 day, 1 week, 1 month or 1 year’s worth of data?
This depends heavily on the platform you can do the work on and on how much data exists in the logs you’re working with. I love working with proxy logs as they contain a wealth of information, but they are often HUGE. When in doubt, start with 1 day (24 hours).

Question 2: What are my top talkers within this time frame? By top talker I mean the devices, accounts or services making the most noise. Decide what “noise” means for the log in front of you (request count, bytes transferred, distinct destinations) and rank by that; different measures surface different talkers. Who are my known-normal candidates? This is a quick way to identify your noisy normal, but it will also show you very noisy anomalies.

Question 3: Who are the unusual top talkers? Identify the accounts and devices, and understand their function.

Question 4: What are my hypotheses for the unusual noisy accounts?
1) Once I have my list of anomalous accounts, I expand my time frame to identify whether this is ongoing or ad hoc activity.
2) Gather other data sources to understand additional context.
3) If it is a server, is there a data migration project in flight?
4) If it is a user, what process(es) was the user running at the time? Is the user in a team that is working on a special project?

Question 5: What’s my decision?
Once I have all the contextual information I can find, it is time to make a call. Normally the outcomes are categorised as follows:
1) Normal: Accepted business processes. E.g. someone uploading data to an external environment at the request of their client; it’s been approved by the business and appropriate steps have been taken to protect the data.
2) Risky: Activities that introduce risk into the environment by well-meaning employees. E.g. someone uploads data to Dropbox in an unencrypted format because encryption wasn’t working, the normal secure method wasn’t working, and they really, really, REALLY wanted to meet the client deadline.
3) Malicious: Activities with malicious intent. E.g. someone stealing this data because they want to sell it, out of anger, etc. It is very difficult to identify intent from log data alone, so we must obtain additional business context; note that the same upload to the same destination can sit in any of the three categories.

I don’t contact the affected person directly; to me that’s bad investigative practice. In my experience, the police don’t go talking to suspects without having conducted some solid investigation behind the scenes. Discovery projects are investigations, so that is the general rule I follow. Of course there are exceptions to every rule; proceed with caution and understand the risks.

I have trusted people I speak with to acid test my hypotheses, assumptions and findings. I rarely work through an investigation on my own without talking it through with my teammate Jarrod (Hi Jarrod!) and Steve (Hi former / but still my boss boss!).

If you have never gone through this process, I highly recommend that you give it a try. You may learn a few things that you didn’t already know. As I have said, in large environments this isn’t about finding highly sophisticated cyber-criminal super-sleuth attacks. This is a process for understanding your environment and its potential risks.

If you’re thinking “oh. but I’m so busy.” The first time I decided I would just have a play with the data in front of me, it took me about 5 minutes to get to my initial “huh this is interesting”. Set aside one hour on a select day, have a go. If your managers are not supportive of you going above and beyond, drop me a message and we can discuss how you can do this on the stealthy. Haha!

If “I don’t have a tool” is preventing you from doing this, open up Excel and import the logs in a format that Excel understands. As long as the data is formatted into columns, you can do this! (A worksheet holds a little over a million rows, which is one more reason to start with a single day of logs rather than a month.)

In my next post, I will take you through the steps I take to document my analysis process; and what I do with my findings after I have reached a decision. I will include some tips on how your findings can be used as feedback to improve your overall security. I document like I’m going to be interrogated in court; if you’re interested, see you next time!

Skye

PS. I will also be making a very exciting announcement very soon! I’m bursting at the seams with excitement and can’t wait to share this news with everyone!

Disclaimer: All statements and comments are my own. They do not reflect the views of any past or present employers.

Believe me, there is a process!

Discovery: It's not Darts and Dart Boards

August 26, 2019 by Skye Wu in Cyber Security, Data analysis, Discovery, Investigations

“The unseen enemy is always the most fearsome.”
― George R.R. Martin, A Clash of Kings

I never thought I would be quoting George R.R. Martin, but I also never thought I would be writing a blog, so here we are.

Discovery isn’t for everyone. Done right, it can help reshape how an organisation manages its business by finding anomalies in its data that have so far remained unseen by its controls.

What indicators do you use to find the unseen? Or how do you baseline the weird?
Trying to baseline the “weird” is like trying to work out how long a piece of string is. Or throwing a dart at a dart board and calling wherever you hit your anomaly.
If you already “know” an indicator, you are looking for knowns, which means it’s no longer Discovery. Messes with your brain a little bit? Welcome to my everyday!

How do you find anomalies or weird?
Imagine you are travelling with a giant suitcase. Is it easier for you to find something that does not belong in your suitcase if you had proper organisation vs having everything just thrown in?
For me, it is about understanding what is normal and how things are supposed to work.
Then, if anything does not fall within the pattern of “normal,” I go and understand why.

What tools do we use for this?
A super magic tool that costs you a gazillion dollars in magic beans. HA!
No, let’s start with Excel, or Power BI. Any tool that is capable of some basic visualisation and can do basic maths like max/min/averages. Maths is my worst subject ever; if I can get meaning out of this data, you can too.

How should we do this and where do we start?
You’re gonna need some log data. Proxy logs and Active Directory logs are good candidates.
Start with a single log source and build on top of that. I’m a huge advocate of walking before running, so as to avoid face planting, big time.

Here are some initial questions you can ask of your data:

  • What are my top 10 most active devices or user accounts?

  • What functions do these top 10 perform?

  • Is this what I would expect?

  • If anything is unexpected, who is this, what could have caused this surge or drop in the activity?

  • What business context can I gather that will help me determine whether this activity is:

    • Normal - accepted business process

    • Risky - done by a well-meaning employee but introducing a risk to the organisation.

    • Malicious - activity done by individuals with the intent to cause harm to the organisation.

  • Is this activity seen by existing controls? If yes, was it investigated? If no, should this type of activity be detected as part of the organisation’s ongoing monitoring process?

  • If all my top 10 noisy accounts are normal and accepted business process, what processes are they running? How critical are they? Do existing controls ensure any changes to their activities are looked at by analysts?

It is a good idea to begin with a point-in-time analysis to understand the current state. You may also wish to expand your time frames and see how the activity changes depending on whether you are looking at data across a day, a week, a month or several months; a burst that looks alarming within one day can turn out to be a regular weekly job, and steady activity can hide a slow change that only shows across months.
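As a worked example, here is the top-talker routine from the five Discovery steps in the “Uncover your Truth” post above and the question list in this post, run end to end over constructed proxy-style log lines. This is an added example, not code from the blog: rank accounts by bytes out over one day, widen to the full week to tell ongoing from ad hoc activity using nothing more than mean and standard deviation, and flag destinations outside the organisation’s own domain as needing business context before any Normal/Risky/Malicious call. The line format, user names, hosts, volumes, the `.example.com` internal suffix and the z-score cut-off are all assumptions.

```python
"""Top-talker triage over a constructed proxy log (added example, not the blog's code).
Assumed log line format:  <ISO-8601 timestamp> <user> <bytes_out> <destination host>
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

INTERNAL_SUFFIX = ".example.com"   # assumption: the organisation's own domain


def build_sample_log():
    """Constructed sample data: three steady accounts all week, plus one
    account that is silent for six days and then bursts on the last evening."""
    base = datetime(2019, 9, 1)
    steady = (("alice", "intranet.example.com", 12_000),
              ("carol", "crm.example.com", 30_000),
              ("backup-svc", "backup.example.com", 500_000))
    lines = []
    for day in range(7):
        for hour in range(8, 18):                      # one request per working hour
            ts = base + timedelta(days=day, hours=hour)
            for user, dest, size in steady:
                lines.append(f"{ts.isoformat()} {user} {size} {dest}")
    for minute in range(0, 60, 2):                     # 30 large uploads, 22:00-22:58 on day 7
        ts = base + timedelta(days=6, hours=22, minutes=minute)
        lines.append(f"{ts.isoformat()} bob 45000000 files.example-share.net")
    return lines


def parse(lines):
    events = []
    for line in lines:
        ts, user, size, dest = line.split()
        events.append((datetime.fromisoformat(ts), user, int(size), dest))
    return events


def top_talkers(events, start, window, n=5):
    """Steps 1-2: fix the timeframe, then rank accounts by bytes sent within it."""
    end = start + window
    totals = Counter()
    for ts, user, size, _ in events:
        if start <= ts < end:
            totals[user] += size
    return totals.most_common(n)


def daily_totals(events, user, days):
    totals = {d: 0 for d in days}                      # zero-fill the quiet days
    for ts, u, size, _ in events:
        if u == user and ts.date() in totals:
            totals[ts.date()] += size
    return totals


def is_ad_hoc(events, user, day, days, z=3.0):
    """Step 4.1: widen the timeframe and compare the day against the account's
    own history with mean/stdev (Excel-level maths). z is an arbitrary cut-off."""
    totals = daily_totals(events, user, days)
    today = totals[day]
    history = [v for d, v in totals.items() if d != day]
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:                                     # perfectly steady history
        return today != mu
    return (today - mu) / sigma > z


def triage(events, day, days, n=5):
    """Steps 3-5: describe each top talker. The Normal/Risky/Malicious call
    itself needs business context, so the data only says where to look."""
    start = datetime.combine(day, datetime.min.time())
    report = []
    for user, total in top_talkers(events, start, timedelta(days=1), n):
        dests = {d for ts, u, _, d in events if u == user and ts.date() == day}
        external = sorted(d for d in dests if not d.endswith(INTERNAL_SUFFIX))
        ongoing = not is_ad_hoc(events, user, day, days)
        report.append({
            "user": user,
            "bytes_out": total,
            "pattern": "ongoing" if ongoing else "ad hoc",
            "external_destinations": external,
            "decision": ("known normal candidate" if ongoing and not external
                         else "needs business context"),
        })
    return report


if __name__ == "__main__":
    events = parse(build_sample_log())
    days = sorted({ts.date() for ts, *_ in events})
    for row in triage(events, days[-1], days):
        print(row)
```

On the constructed week, the backup service is the biggest steady talker and comes out as a known-normal candidate, while bob’s one-evening burst to an external file-sharing host is the only ad hoc entry and is deliberately left as “needs business context” rather than labelled malicious: the code stops where Step 5 starts.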

Discovery work is a process, not a magic silver bullet. When we are talking about large, noisy environments, it is important to first manage the noise to reveal the unseen.

Before the next post, have a go at grabbing some log data, import it into Excel or similar and ask the above series of questions.

In the next post I will take you through another Discovery question, steps I take to narrow down large datasets and how I distill knowledge from the data.

If you have a question you would like me to go through, drop me a line via dm on LinkedIn or Twitter.
I am still working on a contact me form so you can all subscribe and get in contact directly through this site.

Until next time!

Skye

Disclaimer: All statements and comments are my own. They do not reflect the views of any past or present employers.


Andante: Discovery Today

August 11, 2019 by Skye Wu in Data analysis, Discovery, Investigations

"My name is Sherlock Holmes. It is my business to know what other people don't know." - Sir Arthur Conan Doyle.

A few years ago, mum was taken to hospital after experiencing severe pain. After months of checkups, the doctors let us know that they had found and removed a few growths that turned out to be precancerous. This type of cancer doesn’t show notable symptoms until later stages; we got lucky.

What’s this got to do with Discovery and how can this help with preventing issues from happening in your organisation? Do you want to be able to systematically identify and prevent issues or trust your luck? Every investigation or security incident begins with a series of events / indicators. Unfortunately, no one is walking around with an obvious sign stating that they are:

  • A criminal hiding in the corporate environment waiting for the perfect moment to conduct a malicious act

  • A well meaning employee, but about to do something silly with a potentially terrible impact on the business

Many years ago, I was involved in a project for a client that began as a rather small investigation of four employees over alleged inappropriate facilitation payments. What began as a small investigation became a project that spanned the globe over several years; the team had collected and processed terabytes of data by the time I got involved. The project cost the client millions in fees and regulatory fines.

Would the story have been different if the risky behaviours of those employees had been uncovered early? The client would not only have had the opportunity to stop the activity, but also to update their internal processes and procedures to better identify similar activity in future. It would also have put the client in a much better position to answer questions from regulatory bodies, if those arose. This is just one example of how Discovery can help companies mitigate early, before a situation gets out of the organisation’s control.

Discovery isn’t about predicting the future; it is about using data the organisation already collects to find the organisation’s truth. Traditional controls and frameworks, whilst extremely important, are built on rules and knowns. This means any activity that does not match those preset rules will be missed. To really understand Discovery, you have to think like an investigator.

Discovery takes this idea and looks at the entire environment instead of the realm of a specific investigation. There is no known outcome and no known risk; whatever the outcomes may be, they are purely data driven. There is always the potential for risks that no one has identified or considered, and as organisations grow and become more complex, more of these are likely to exist. Complexity breeds risk.

Here is a rough process of what a Discovery investigation may look like:
Data driven Indicator => Add business context => Hypothesis => Draw additional data sources => Testing to prove/disprove hypothesis => Shortlist potential outcomes & implications => Recommendation for a solution => Acid Testing => Report Finding & Recommendation => Feedback loop / assess

Before the next post, I want you to think about situations where a crisis was averted because of a series of fortunate events. If you want to take the “luck” out of that situation, join me in the next post where I will take you through a couple of examples.

Until next time!

Skye

Disclaimer: All statements and comments are my own. They do not reflect the views of any past or present employers.

Discovery: piece together jigsaw puzzle without the full picture as a guide

Da Capo al Segno: Discovery in Government

July 29, 2019 by Skye Wu in Cyber Security, Discovery, Data analysis, Investigations

Where is Discovery from?

No one tells the Discovery origin story better than Andy France, OBE, one of the founding fathers of OG Discovery in Government. I shall attempt to do the story justice.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~many cups of hot chocolates later~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Imagine this:
Day One: On a sunny afternoon, down a quiet street where many cars are parked, Person A walks up and down the street, observing. It’s quiet this afternoon.
Day Two: Person A walks down the street at the same time as on Day One, stopping every once in a while to look at the cars and peer inside.
Day Three: Person A repeats the same activity, this time accidentally bumping into several cars and walking away quickly if a car alarm is set off.
Day Four: Person A walks down the same street armed with a crowbar, smashes the windows of the cars without alarms and steals any valuables.

Now, if you were a person watching this activity from your window, ask yourself this: at which point would you pick up the phone and call the police? If you called the authorities, at what point would it be considered a crime? How likely is it that the authorities would arrive at the exact moment Person A is attempting to break into a car, thereby preventing the actual crime from occurring?

If we looked at each day as a separate event, they may seem strange, but we are unlikely to consider them malicious, except for the events of the fourth and final day. To determine that someone or something is “malicious” we need to understand intent. What was Person A’s intention in walking up and down the street on the different days? Is Person A new to the area and familiarising themselves with new surroundings? Is Person A going through a rough time and committing crimes as a way to obtain financial support for his or her family? Is Person A a career criminal seeking personal financial gain?

Until we are able to see patterns in events and understand the underlying context, we will always be reacting to crimes after the fact. There are no do-overs once an incident occurs.
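To make the parable concrete, here is the watching-from-the-window question expressed as detection logic. This is an added example, not anything from the post or from the Government programme it describes: observations are kept per actor, only stages that advance an ordered sequence count as progress, and a call is raised once three of the four stages are visible, which is the day before the break-in. A neighbour who walks the street every afternoon and only ever looks around never trips it, and neither does someone who peers into cars once. The stage names, actors, dates, lookback window and alert threshold are all assumptions.

```python
"""Escalation-pattern detector for the car-park parable (added example, not the
post's own material). Constructed observations of the form (date, actor, stage)."""
from datetime import date, timedelta

STAGES = ("observe", "inspect", "probe", "break_in")   # ordered; the last one is the crime
STAGE_RANK = {s: i for i, s in enumerate(STAGES)}
DAYS = [date(2019, 7, d) for d in range(1, 8)]          # the constructed week

OBSERVATIONS = [
    # Person A: the four-day escalation from the post
    (DAYS[0], "A", "observe"),
    (DAYS[1], "A", "inspect"),
    (DAYS[2], "A", "probe"),
    (DAYS[3], "A", "break_in"),
    # Person B: walks the street every afternoon and only ever looks around
    *[(d, "B", "observe") for d in DAYS],
    # Person C: peers into cars once (looking for their own) and nothing else
    (DAYS[1], "C", "inspect"),
    # Person D: a probe seen first, then merely looking; out of order, so no escalation
    (DAYS[0], "D", "probe"),
    (DAYS[1], "D", "observe"),
]


def progression(observations, actor, as_of, lookback_days=7):
    """Stages reached by `actor` in the window ending at `as_of`, keeping only
    observations that move the sequence forward: repeating a stage is not
    progress, and a stage out of order does not count as escalation."""
    window_start = as_of - timedelta(days=lookback_days)
    seen = []
    for d, a, stage in sorted(observations):
        if a == actor and window_start < d <= as_of:
            if not seen or STAGE_RANK[stage] > STAGE_RANK[seen[-1]]:
                seen.append(stage)
    return seen


def assess(observations, actor, as_of, lookback_days=7, alert_after=3):
    """Turn the progression into a call. 'alert' fires once enough of the
    sequence is visible to act before the final stage; 'incident' means we
    are already reacting after the fact."""
    seen = progression(observations, actor, as_of, lookback_days)
    if STAGES[-1] in seen:
        return "incident"
    if len(seen) >= alert_after:
        return "alert"
    if len(seen) >= 2:
        return "watch"
    return "none"


def first_alert_day(observations, actor, **kwargs):
    """Earliest day on which the person at the window would pick up the phone."""
    for d in sorted({d for d, a, _ in observations if a == actor}):
        if assess(observations, actor, d, **kwargs) == "alert":
            return d
    return None


if __name__ == "__main__":
    for actor in ("A", "B", "C", "D"):
        print(actor, first_alert_day(OBSERVATIONS, actor),
              assess(OBSERVATIONS, actor, DAYS[-1]))
```

The lookback window matters as much as the stage list: too short and a patient actor who spaces the days out slips through; too long and ordinary residents accumulate enough coincidental stages to trip the alert. Both are tuning decisions, not things the data decides for you.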

OG Discovery in Government was developed to identify and prevent major crimes such as terrorist attacks by looking at seemingly disconnected events by individuals. Did it work? Hells yeah it did!

Sadly, I never got to experience OG Discovery in Government. I did however get a good feel for what that might have been by watching the “Operation Overt: The Transatlantic Bomb Plot” episode of the Netflix documentary series “Terrorism Close Calls” (I am not sponsored by Netflix. I wish…)! The episode begins with a series of anomalous activities and behaviours exhibited by a number of people. Their activities led to them being monitored by the authorities. Through further investigation and surveillance, the investigators slowly worked to understand the cause and context surrounding the anomalous behaviours. The investigators’ work not only prevented a potentially catastrophic event; it also changed the way we travel by air.

In my next post, I will share how Discovery can work in the corporate world. Before then think about a time where a security incident or an investigation could have been prevented if early indicators had been uncovered and scrutinised. The heart of Discovery is to find your truth.

Until next time…

Skye


Disclaimer: All statements and comments are my own. They do not reflect the views of any past or present employers.
