When I was younger, and printed newspapers were a more common household purchase, I remember fondly watching my mother play a game called "Spot the Ball." For those of you not familiar with this, it consisted of a photograph of a recent football (soccer) match with the ball removed from the image, and the goal was to place a cross or series of crosses indicating where you thought the ball was. Inevitably, the paper would use pictures that included the athletes looking in various directions so as to throw the newspaper contestants off the scent, thus requiring incredible levels of accuracy to win a game that hundreds would play every day.
Why all this talk about an obscure game? Well, the game came to mind the other day as I was working my way through some security data trying to pinpoint a specific piece of information. The problem I had was that there were many signals (like the players looking the wrong way) that distracted from what I was looking for, and even when I started to zoom in on a general area, assessing the space was difficult. In the newspaper’s Spot the Ball game, regular participants would buy a small rubber stamp that had dozens of little crosses as a “fix” for this problem. This got me thinking about precision in cybersecurity.
Precision in Cybersecurity
When we talk about security hunting with File Integrity Monitoring (FIM), it’s easy to consider the best approach as being 100% accurate, but the reality is that with so many unknowns, chasing 100% accuracy is a fool’s errand. Instead, our coverage must be just wide enough to capture what’s important to give us a chance of winning. Ensuring we can spot the general pattern is important so that we don’t start hunting for the metaphorical “ball” somewhere it can’t possibly be. Once we’re there, it’s important to also have the surrounding information visible. This is one of the reasons why File Integrity Monitoring remains a vital tool for security. Although many will lament FIM’s lack of direct ties to security vulnerabilities, the problem with expecting any vulnerability tooling to pick out just one signal of a compromise is that you may quickly dismiss extra clues about a risk’s impact.
For example, ransomware doesn’t target specific file contents; it targets commonly used business file types, so protecting just the “crown jewels” is no longer enough. The same is true with email filtering as well as other focused defenses. A single malicious message or malware process that penetrates these protections can quickly spread, leading to a full-scale disaster. Instead of a laser-focused approach, we must paint our defenses with expansive strokes.
Listening to the Data
How can we work with wide-range rather than tightly focused detection methods? Machine intelligence is a start, but getting back to basics with human intelligence and detection is important, too. Presenting data well and highlighting its interesting elements is what makes human-machine collaboration possible, so user interfaces that show the broader picture are important.
I’ve recently been building a lot of dashboards and reports with clients, showing how massive amounts of data can be simplified to summaries whilst providing ways to highlight new and interesting events on a network. Those techniques, combined with the ability to drill down into specifics, mean that security researchers can go from a bird’s-eye view of multiple global networks all the way down to a single file hash on a single server with a couple of clicks before passing the information on to colleagues via collaboration tools or even offloading some of the data onto other tools for smart analysis.
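To make the two ideas above concrete (broad FIM coverage that catches a ransomware-style pattern across ordinary business documents, and a summary view that drills down to individual paths and hashes), here is a small added example. It is not code from the original post or from any particular FIM product; the file tree, extensions and the "three lost documents" threshold are constructed for illustration.

```python
import hashlib
import os
from collections import Counter

# Constructed sample trees (path -> contents) standing in for two filesystem walks:
# the recorded baseline and the current scan. Not real data.
BASELINE = {
    "finance/q1.xlsx": b"quarterly numbers",
    "finance/q2.xlsx": b"more numbers",
    "hr/policy.docx": b"policy text",
    "www/index.html": b"<html>home</html>",
    "etc/app.conf": b"debug=false",
}
CURRENT = {
    "finance/q1.xlsx.locked": b"\x00\x01ciphertext",
    "finance/q2.xlsx.locked": b"\x00\x02ciphertext",
    "hr/policy.docx.locked": b"\x00\x03ciphertext",
    "www/index.html": b"<html>home</html>",
    "etc/app.conf": b"debug=true",
}

# Assumed set of "commonly used business file types"; tune to the environment.
BUSINESS_EXTS = {".docx", ".xlsx", ".pdf", ".pptx"}

def snapshot(tree):
    """Map each path to its SHA-256 digest (a FIM baseline or current scan)."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in tree.items()}

def diff(base, cur):
    """Return (added, removed, modified) path sets between two snapshots."""
    added = set(cur) - set(base)
    removed = set(base) - set(cur)
    modified = {p for p in set(base) & set(cur) if base[p] != cur[p]}
    return added, removed, modified

def summarise(added, removed, modified):
    """Bird's-eye view: change counts per top-level directory, plus a flag when
    several business documents vanish while at least as many new files appear,
    the wide pattern a mass-encryption event leaves regardless of file contents."""
    per_dir = Counter(p.split("/")[0] for p in added | removed | modified)
    lost_docs = [p for p in removed if os.path.splitext(p)[1] in BUSINESS_EXTS]
    wide_pattern = len(lost_docs) >= 3 and len(added) >= len(lost_docs)
    return {"per_dir": dict(per_dir), "lost_docs": sorted(lost_docs), "wide_pattern": wide_pattern}

def drill_down(directory, added, removed, modified):
    """Detail view for one directory: the specific paths behind a summary count."""
    in_dir = lambda paths: sorted(p for p in paths if p.startswith(directory + "/"))
    return {"added": in_dir(added), "removed": in_dir(removed), "modified": in_dir(modified)}

if __name__ == "__main__":
    a, r, m = diff(snapshot(BASELINE), snapshot(CURRENT))
    print(summarise(a, r, m))          # the summary an analyst sees first
    print(drill_down("finance", a, r, m))  # one click deeper
```

Note that `etc/app.conf` shows up only as a single modified file; it is the surrounding context the post argues should stay visible, not something the pattern flag alone would surface.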
This all got me thinking again about another “spotting” game, but one I’ve been playing more recently. I’ve been blessed with spending time with some increasingly sharp 4-5 year-olds who are enjoying spot-the-difference puzzles and Where’s Wally (or Where’s Waldo for those in other regions). It’s truly amazing to see how early we gain the ability to quickly assess big picture information and pick out relevant points of interest. In cybersecurity, it is specifically this skill that we need to start finely honing in many cases. Part of this is ensuring that more of our systems are well documented so that the interesting bits are easier to identify and evaluate, and that security teams are “well rounded” with a good understanding of the big picture, including how all our modern, multi-component architectures work. Another aspect is just making sure that we have the ability to see the big picture as well as the details at all times, so that moving between the two involves as little friction as possible.
For those of you who are interested in honing some of these skills, I’ll finish on a fun throw-back to the 2014 World Cup competition. The New York Times resurrected the Spot the Ball game. Thanks to modern technology, you can instantly see how well your predictions match with others. If you are curious about the processes behind the game and some analysis, you might also want to read how it was developed. Who knows, it might help inspire you in your threat hunting!