
Next session we've got Chris Lopez here, who's going to be walking us through asking questions and writing effectively. I want to thank you for being our second speaker; hopefully we've worked out any of the kinks that we've had. Without further ado, thank you very much.

All right, thanks for having me. Okay, so as stated, we're going to be talking about asking questions and writing effectively. Let's just dive right in. So first, who am I, right? We all have these slides when we introduce our presentation. So I'm a father first, and I've been a SOC analyst for some years now. I'm a blue team investigator, right, and if I were to say I had any superpower, it would be the ability to keep asking a lot of questions. The good thing about that skill or that ability is it can be taught, and that is something that we're going to discuss throughout this presentation.

All right, so our agenda. We're going to focus heavily on investigative questions: what they mean, where they come from, why they matter and how they drive an investigation. And then we're going to talk a little bit at the end about how to utilize the answers from these questions to create great write-ups. Again, I'm going to say this several times throughout the presentation just to make sure that it's emphasized enough: write-ups are a reflection of the value and the efforts that analysts put into their work, so it's very important to communicate that effectively.

So here we go, tools to be an awesome investigator. The great thing about this is there's not that much needed. You need your mind, and I mean everything from your mind: your questions, your biases, perspectives, how you feel, everything. We need all of that. Somewhere to take notes; I still use paper and pencil to write things down. Any text editor works well too; we do a lot of copy-pasting, so might as well use that as well. A loosely defined process. The reason I put that here is because I believe that there's a lot of creativity in investigations and analysis by analysts, and if the structure or the process is way too structured, I feel like it may limit creativity, so just have some sort of process in mind for investigating. And the last point, team members. I've been very lucky in my career to have amazing team members throughout to lean on and to gauge my understanding of an investigation, and it's always important to have that while you're working on these skills.

Let's pivot over to the investigation engine. This is basically what drives an engine, right, I mean an investigation, and that is the questions that you ask and how you collect artifacts based on those questions. The rabbit holes that you go down, these are inevitable. I put them here because I find myself down rabbit holes a lot, and it's just good to be aware of the fact that that's going to happen. Of course, once you have analyzed and you've collected artifacts, you compile your findings and you form a conclusion, right? An analyst, and the reason why analysts are effective and we're going to be here for a long time, is because we make a decision based on what we collect. And the last point here is documentation, incredibly important. One of the ways to improve, or basically to state what happens in an investigation, is that you have to be able to document what happens in an investigation.

So what does that look like? Well, that looks just like the scientific method, right? This is not recreating the wheel; this is something that's tested and true, and it's what we use as humans to determine that something is reality, right, to prove something. So observations, questions, form a hypothesis, which we're going to touch on, experimentation, which is basically collecting artifacts in our case and analyzing things, and forming a conclusion, which is what we do: false positive, false negative, what is it, what happened. This all ties back to the concept of the investigative, I mean the scientific, method.

So what questions are we going to focus on? Well, the what, the why, the when, the where, the who and the how. The same questions that we were taught very young, we're still asking them in our investigations. So let's start with the what. To me, the what is the input. This is a SIEM detection, this is an alert, or this is a threat hunt idea: you saw something really cool on Twitter, you saw something on a blog that you want to look for in your environment. That is an input. A recent breach report, we've been seeing a lot of these recently, unfortunately, but that can be an input to spark an investigation, to try to find evidence of that. And of course a new organizational process. In our field things change rapidly, moving to the cloud, all of these different things that we adopt in our companies. It's really important to understand that that can be an input to an investigation to gauge our visibility or detection capabilities for bad. So in this presentation we're going to focus on the what being more of an alert, since this is from the perspective of a SOC analyst, but I wanted to provide other examples of inputs here that may facilitate the what question.

Now this is something that I find to be incredibly important as an analyst. In the SOC I spent a lot of time going down investigations and forgetting to answer this simple question, which is: does this alert make sense? So I try to always put in my mind to question the alert first, and there's a couple of questions you can ask yourself about that, which is: is the alert logic correct, does this make sense, did it find what it was intended to find, and of course documentation, is there anything that I can read about this alert and what it is intending to find that can help me answer whether or not this alert makes sense. Sometimes that means leaning on team members that have created this rule logic, or whatever it is you need to do to figure that out, but it's always really important to question the alert first. Always remember that.

Your why, this is the second question: your hypothesis, and building that out. It's incredibly important to build out a good hypothesis, and good can be subjective, but we're going to talk about some ways of making a good hypothesis. It drives your investigation, right? Something I still do, especially when I'm working on something that I haven't investigated before, a new detection or something that I haven't seen: I write it down. I still write down how I feel about it. Something happened, this file did something on this machine; I will write down "I think that this is a false positive" or "I think that this did not execute," and this is how you ask questions to find these answers to test against your hypothesis. So some examples: this detected file does not appear malicious, or this phishing email was not clicked, if you're experiencing some type of phishing campaign that you're aware of.

Now, building this hypothesis. Leslie said it perfectly in a recent presentation she gave at Wild West Hackin' Fest, which is three main components of building your hypothesis, and these are questions you ask yourself while asking questions; there's a lot of that in this presentation. So: is it falsifiable, is it testable, and what is the scope? Just three main things to really think about when you're building out your hypothesis, which will drive everything that you're doing and how you pull artifacts.

So an example alert and hypothesis. This happened June 5th, 2020: AV, right, antivirus, detected a potentially malicious file in a user directory. Your hypothesis: file did not execute. The reason that I put "did not execute" instead of "execute" is because I like to go about this process of proving it wrong, right, looking for evidence against my hypothesis, so trying to make sure that it did actually execute and getting information from that investigation that can answer that question.

So we're going to talk about the when. This is another question that can cause many rabbit holes, and I'm going to explain one that's happened to me a few times, and this is why I put it so close to the top. This question, the when: timestamps are incredibly important. A lot of us work in companies that are worldwide, and it's really important to understand the difference between the timestamps on an event that happens on the machine and the timestamps of your SIEM, for example. I've spent countless time looking at a location for some type of file-related activity in the wrong time zone, in the wrong timestamp, and then realizing afterwards that I was looking in the wrong place. So it's really important to understand when something happens. I put UTC here, of course, because I think that's the best conversion or the best way to standardize your timestamps, so you always know how to convert it and what it is, and it all aligns when you're looking at artifacts from different log sources. Just something to really keep in mind: ask yourself when this actually occurred.

Now we're going to focus on the where. This can be answered with the when sometimes, especially when it comes to time zones; you may get this answer, especially if it has to do with the asset location. Now, location has been pretty interesting recently because a lot of us have been more remote than we ever have been, so that's just another part of understanding the where here. But it's just really important to understand where something is in case there's any limitations in your ability to investigate a specific asset; that brings up GDPR considerations or anything like that. So just pay attention to the where. Again, this can be answered with the when.

Now we're going to move towards the who. This is a little bit about attribution. If this activity leans more heavily towards something that has to do with threat intelligence, this is a good place to understand the who and understand the capabilities behind this activity. This is also a good place to try to answer this question: is this insider- or outsider-like behavior? Sometimes this can be difficult to answer in our investigations, but it's really important to have this question in your mind when you're trying to understand activity, especially if it's user-based activity. And I want to touch on the user aspect of investigations as well. User accounts are user accounts. They are a level of abstraction that you need to really keep in mind. A user account does not necessarily mean that that is that user, so it's very important to always keep that in mind when you're writing up: this user account performed this activity, versus this user, because we're not really behind the person that did this to say a hundred percent, without a doubt, unless they tell you that they performed this activity. So just another layer here to the who question to ask yourself.

How. This is to me one of the best questions, right? This causes most of the rabbit holes, but in our jobs it's very important to understand how things work. So one of those questions you ask yourself, if this is a file-related investigation, is how did this get here? I'm more interested in an investigation that has to do with antivirus, even if it's quarantined; I want to know why that file is there in the first place. Even if the threat is gone or potentially no longer there: why is this file here, how did it get here? Trying to answer that question can definitely lead to some very interesting observations. So another question, right: as SOC analysts we want to really build our detection capabilities, so I want to understand how did we detect this, and the reason you want to ask yourself that is because there's always room for improvement in your detection. What if this was not something you detected? What if the input was a user reporting something? Right, they are the front lines; they make us aware of a lot of things that are happening in the environment. Can we build a detection around this specific investigation? So ask yourself how do we detect this, and how does this work, right? How does this file do what it does, or the wrong things that it may do to a machine? That can also help you build out detections. And of course, when it comes to severity and whether or not you need to engage more of an IR component in your security team: how impactful is this investigation? Another big consideration.

Okay, so you have all of your questions answered. It's on some notepad or it's written down; now you need to write it up. And I'm going to say this again: an analyst's efforts are reflected through their documentation. It's incredibly important to write down what actions you took, when did you take these actions, what answers did you obtain, was escalation required, and of course one of the most important things is your conclusion. What did you conclude based on your analysis of this evidence? That can be a false positive, true positive, false negative; what do you do from there, like what does that mean, right? So try to answer that in your write-up as much as you can. From my experience of writing up, I've had a lot of write-ups where they weren't very good, and one of the things over time that I started realizing with write-ups is you have to really include a BLUF statement, or bottom line up front. Make it clear what you're trying to communicate to your leadership, if this is of course being submitted to your leadership for them to be aware of an investigation. And provide contextual data; this is how you enrich your write-up. You provide timestamps, user, endpoint information. So for example, if this file executed at this time on this machine, I want to know which file, what time and which machine. And of course any OSINT-related data. Sometimes the people that are reading your write-ups, they want to do their own research, right? Provide the research that you've done, links or whatever it is that you've gathered, articles, so they can go down the rabbit hole too. This is all a learning experience for everybody.

So some considerations with bottom line up front. You want to summarize your key information, right? You want this to be the first paragraph of your write-up, and you should try to adhere to the three C's, to be concise, clear and correct, as much as you possibly can. I emphasize "summarize key information" on purpose, because you need to make sure that everything that you want communicated up front is available in the first paragraph. Understand your audience. A lot of people are busy; they need to really digest what it is that you're trying to communicate as quickly as possible, especially if they have to make a decision based on your investigation.

The write-up importance. Your write-ups can invoke change in a process; really keep that in mind. If this is bad enough, or this investigation led to something that needs to alter something in the environment, you should write it with that expectation in mind, that your senior leadership can just forward it along and make the changes that they need to make. And another thing with SOC analysts and building out a SOC, and really training people that want to be SOC analysts: can someone else replicate the actions you took? Can they use your write-up to understand what they should do if they were investigating this themselves? And I always like to add this: did this investigation lead to a potential improvement? Did you create a detection based on this, did you improve an existing detection based on this? And of course we always need to emphasize this: is there a wiki, is there somewhere that you will put this so that other people, let's say they're investigating something similar, can look at your analysis of this and determine if that helps them with their investigation? Document this as much as you can.

In summary, always good to add a summary. Questions drive an investigation. Really try to build out an effective hypothesis; that will help you as you answer your questions, that will help you pull the artifacts that you need for your analysis. Answers to your questions form the foundation of a write-up; you use them. I mean, I've done things where I'll even put my questions as headings. I'll erase them later, but it'll help me be able to formulate what it is that I actually want to communicate effectively. An analyst reflects their efforts through the write-ups; third time it's here, it's really important, this is what they see from your work. Always include a BLUF statement, and just keep asking questions; they will help you throughout your investigations.

I put some resources here at the end, if you're interested in this type of thinking, thinking about thinking. Chris Sanders does an incredible job with his Investigation Theory course if you want a deep dive into the thought process of analysis, and of course Lenny has amazing writing tips that he shares. There's another link there on generating hypotheses, SANS, Robert M. Lee, amazing, really good for formulating hypotheses. And I love the Thinking, Fast and Slow book, and Communicating with Intelligence. And thank you, that's it.

Awesome, great job. Awesome, people really appreciated that; there's a lot of nodding in the audience. Not so many questions as of yet, but personally the thing that stuck out to me, having done SOC analysis work when I first started to get into infosec, was the "question the alert first." Not enough people do that.

Yeah, yeah. I mean, I can't tell you how many hours, and it was not good logic; it's probably something I wrote too, right? I got interested in something and I was like, this makes sense, and you end up going down a rabbit hole, a really bad one, because you didn't question: does this alert even make sense, did it find what it intended to find? So really good to keep that in mind, and I learned that the hard way.

So yeah, no, it's just him here, definitely going down the wrong track. There is one question that came in: when helping to point new analysts in the right direction in investigating an alert, how do you balance giving them enough information to get started but also without biasing the overall analysis?

That's really difficult. Let me take a moment to think about that.

The right direction. And you could get back to the people in the chat room as well, just if you had a quick thought on that one.

I was very lucky. I spent a lot of time just watching the way that people investigate when I first started being in a SOC, and that helped me see that everyone investigates really differently, and that helped me build out my own way of doing it. But it does create a bias; you start learning the way that someone does something and you start leaning towards that. So I would say awareness of the bias is probably the best way of doing it. If I was communicating with someone that's new, I would point them to the Thinking, Fast and Slow book, because it's literally a book all about understanding your bias and how your bias gets in the way of the way that you think, right? That would help me be able to communicate that, because that's something I feel like is just learned through experience. I would have to really think about the best way to help with that balance.

Sure. So I want to thank you very much for giving our second talk in this virtual method. We're going to end the stream here and let you take on some of the questions that are happening. There's people asking for references, and we'll make the slides available afterwards.

Awesome, thank you so much for having me.