What makes a Security Researcher/Analyst better?

Dec. 17, 2022 // echel0n

Introduction

Hello everyone! It has been a rough year for me and this will likely be my last blog of 2022. This blog's topic is "How to be a better security analyst/researcher?" from a psychological angle. There will be no technical advice; it is more about psychological training and approaching tasks more logically. This blog is heavily inspired by "Psychology of Intelligence Analysis" by Richard J. Heuer, Jr. You may say "What the hell echel0n, what are you talking about?". This book was recommended to me by my ex-colleague Halit, and I was also surprised that he was recommending a book like that. After finishing the book, I really understood why he recommended it. I found a lot of similarities between its psychological challenges and those of conducting cyber security research and analysis.

Self-Consciousness

Every analyst should consider their reasoning process. We need to think about how we make judgements and reach conclusions, not just about the conclusions themselves. This applies to a lot of situations, such as finding a problem/mechanism/whatever that "may" cause security issues while you are conducting a black-box penetration test, or analyzing alarms and evidence while doing IR tasks. Did you ever think about how you do root-cause analysis, or how you approach these tasks instinctively? Yes, you and your team probably have legitimate and reasonable rules and steps for these tasks, but what I really mean is how your instincts want to handle the incidents or the tasks. If you started to recall some feelings or situations, those are the steps of how your cognitive process works.

Cognitive Domain and Bloom's Taxonomy

I want to try to apply Bloom's taxonomy here. For a quick explanation of what the original taxonomy is about:

In 1956, Benjamin Bloom with collaborators Max Englehart, Edward Furst, Walter Hill, and David Krathwohl published a framework for categorizing educational goals: Taxonomy of Educational Objectives. Familiarly known as Bloom’s Taxonomy, this framework has been applied by generations of K-12 teachers and college instructors in their teaching.

So how is it applicable to us when the original taxonomy is all about learning? The relation is simple. If you think about it, when we are assigned our tasks, we also follow some or most of these steps. Let's apply this taxonomy with examples:

Blue Team Case: You are assigned to do a suspicious e-mail analysis

Remember

You recall your knowledge about how SMTP works (somehow), how you can analyze the suspected e-mail clearly, what the red flags in an e-mail are, patterns and structures of malicious e-mails, and the list goes on.

Understand

This step can feel forced, but we can simply say that we understand the connections between the recalled pieces of information.

Application

You apply the information through your thought process of connections. You collect the related information that is necessary to review from the suspected e-mail.

Analysis

You do your magic!

Evaluate

You compare your results, do open/closed-source intelligence, and check the available reports for your findings such as IP, DNS, sender, mail gateway, etc. The aforementioned "judgements" play a critical role in this step.

Create

You create a report for whom it may concern, in which you show and express your findings and judgements clearly.

The End

All parts are crucial to form a successful plan.

Do not know enough about how e-mail works? Most likely you will not be able to make the right deductions. (Understand)

Do not have efficient tools to RE the related files? Most likely you will miss important details. (Analysis)
(Missed opportunity for a paid RE tool advertisement LOL! NVM! Go Cutter go!)

Is the type of the attached file something you are not very good at reverse engineering? Most likely you will miss the obscured malicious parts of that file. (Evaluate)

...

It can also be applied to red teaming tasks, but you get the idea; I will leave that to you guys.

Tendency, Biases and The RUSH

Yeah yeah echel0n, we get it, cognitive process hurr durr. Where were we? Yeah, judgements. Presumably, those who read this blog are already aware of the steps mentioned so far and have already implemented them in a technical way. However, that does not mean all of them will always be followed in the most systematic way; in my opinion, it just remains as goodwill.

So what is the problem? Why do we sometimes fail to recognize even the most obvious evidence/findings? The problem is that we cannot fill in all of the details most of the time. Sometimes we cannot properly recall related knowledge, or sometimes we do not even know the technology completely; we miss one function that evaluates the input in a previous step; sometimes we are overwhelmed by our personal life; sometimes we just want quick results (yeah, I said it)! For these reasons, the mental challenges start to appear...

When we fail at some point, our brain tries to fill these gaps with assumptions, expectations, experiences and emotions. All of them will impact our decision-making process, for better or worse. Moreover, you will probably not be working on your tasks with an empty mind. Most likely you will also be influenced by your team/media/public research/even yourself with a set of assumptions and previous works and results about your task. So our minds combat this uncertainty and try to get out of this misery.

I can give an example directly from myself. Last FlareOn, I was hard stuck at level 8. I was not very familiar with how C# calls methods dynamically before the challenge. To close this gap, my mind was trying to figure out a way that did not involve learning about dynamic methods and such. IT WAS SO STUPID that I would have spent less time if I had focused only on this topic. I was trying to assume things without analyzing the challenge properly and hoping that I would get by with it. In the end, I gave up on that and started to analyze the challenge for real, and solved it. However, my bizarre behaviour stuck in my mind. I knew the successful and elegant way to solve the challenge from the beginning, so why did I insist on not going that way?

This is explained by a built mind-set. It was a generic reaction from my CTF mental model. While you are playing CTFs, you expect less time-consuming tasks, or expect samples more suitable for the format. Especially when you get stuck at some challenge that dozens of people have already solved. Our brains play games with us and try to fill the gaps with assumptions (nahh, the challenge must not be that hard, look at that scoreboard, there is even a guy who solved this in minutes! **looking at you retr0id lol!**), expectations (hmmmm... there was a similar challenge at another blabla CTF, are they related or not?), experiences (I already solved a challenge like this before!) and emotions (frustration-aggression hypothesis).

So, having a mental model is a bad thing then?

Building mind-sets for specific kinds of tasks is unavoidable. The complexity of the challenges that we face and the ambiguous data that we have to analyze do not allow us to cope with the stimuli in a reasonable way otherwise. So our brain is very selective and takes relevant subsets of the mass of data to overcome this high stimulation. Assumptions and expectations help us cool down and reduce this processing load. They help us make decisions proactively to some degree, because you can process the data faster with a suitable mind-set. On the other hand, they make things harder when the task is more specific to a domain. Your mind-set will mislead you to erroneous conclusions due to a lack of details and overlooked parts. Also, mind-sets tend to be quick to form but resistant to change. So it can be stated that mind-sets are neither good nor bad.

Now, you may be thinking about the question "How can we get more fail-safe mind-sets?". In my honest opinion, there is no true way to train our brains for the ultimate analytical thought process. However, there is one possible solution that is good enough. The solution is experience: practical contact with, and observation of, facts or events. The more experience you have, the more fail-safe (not 100%) your mind-sets will be. This resistance to change can be broken if, and only if, you do your thing more. For example, for RE tasks, I am often amazed that some of my friends can recognize things so fast while navigating functions and be reasonably accurate at the same time. Then I realize how much time they have spent on other binaries and projects. In the end, hard work pays off. Practice makes perfect.


Recommendations for Development

I do not think there can be a single "standard" that everybody can follow to combat these problems, but changing your perception from "looks good to me" to "show me your evidence" will indeed help raise your standards.


The Conclusion

Security analysts/researchers should be aware of their reasoning process. While making judgements and reaching conclusions, we should also think about how we got there, because judgement is what we use to fill gaps in uncertain cases. It also helps us cope with that ambiguity. This coping mechanism will inevitably evolve into mind-sets. To have more accurate mind-sets, we need more practice!

Memories are stored as patterns of connections between neurons. When two neurons are activated, the connections or "synapses" between them are strengthened. As you are finishing this blog, the experience actually causes physical changes in your brain. "In a matter of seconds, new circuits are formed that can change forever the way you think about the world."

I hope that you enjoyed this differently themed blog. If you have recommendations, please send a reply/direct message; I would like to discuss more. Cheers to a new year! Have a nice day, absolute legends!