We had a lively discussion yesterday. Yeah, quite lively. Topics ranged from issues with the applications and tools that we use up to macro things like basic security knowledge/understanding, etc. One of the issues is that most of the SAs found that the current tools they use are not user friendly, too cumbersome, not too helpful and, yeah, there is a lack of guidelines on how to use those tools…

Regarding these guidelines, I have to admit that we are supposed to have some simple documented guidelines on the usage of the application (besides the overall process of Detection and also perhaps IRH), but after a while I realized that some of the SAs actually did not want that kind of guideline. What they wanted is how to perform the analysis or Identification process (based on the feedback that I’ve received from some of them). And yes, I do remember that during my time at The Client site, I was asked by The Client to prepare some SOPs on how to analyze security events (Fascinating, huh). I told them what I could do is just to prepare some general guidelines, and I even stated in those manuals or SOPs that by no means will those guidelines and SOPs be definitive. If I could produce what The Client wanted, I might as well write a book on how to be a Security Analyst. Sigh.

Anyway, one of my colleagues pointed out one good point. He said that this is not a case of SAs being overwhelmed or confused by the tools and application interface; rather, they want some guidelines like the ones that I prepared for The Client (or sort of. But given their spoon-fed attitude, no surprise). So my colleague did mention that the current applications and tools allow the analyst to see or to perform their analysis from different angles and views. Meaning the Analysts should or must know what to find, when to start investigating, what kind of information is needed, where to find that kind of information and also HOW to make use of the application’s or tools’ features in order to perform their identification process.

Tools like sguil, ethereal, wireshark, OSSIM etc. only have guides on how to make use of the application’s features but none on HOW to perform your analysis (of course). It seems like most of these SAs failed to grasp the fundamental point that these applications merely assist them in performing their analysis, and not the other way around. Let me give this wireshark example..

Ok, I purposely disabled the coloring rules for this packet capture file. By default, anyone who uses this tool must know the features or capabilities that wireshark offers, and also he or she must know what to find/look for, plus understand the information presented to them by wireshark (in this case, protocols).

IF you don’t have such knowledge then I believe:

a). You will say that this tool is too cumbersome, not user friendly, etc.

b). You might as well complain to the seniors that this tool is not suitable for your usage.

c). IF this tool is mandatory for you to use, then you will be crying for guidelines (in this case even the wireshark help file will be deemed not that helpful), because actually you want a guideline on how to digest or understand the information presented.

I think I have to stop now. Wait for part two…

2 Responses to “Confused or Ignorant?”

  1. on 01 May 2008 at 11:42 pm anton

    Very interesting article. Looking forward to part 2….

  2. on 05 May 2008 at 9:53 am ban

    Some people only need to know what they are supposed to do and not how they are supposed to improve themselves to do the jobs better. But yeah… people are only looking for the easier way, as long as they get paid.. my 2 cents bro..
