Trust Nothing and Document the 5W’s and H to Improve the Value of your Intel

“Objectivity is central to establishing context and attribution in the world of cyber threat research and response.”

This Friday I graduated from physical therapy, working it like a beast for months now. I celebrated by participating in a community event involving kickball. Upon kicking a home run ball I kicked it into high gear between 1st and 2nd and immediately tore my hamstring. I knew at that very moment that my wife was right about my pushing too hard, hurting myself, and well… she would remind me of that later (love you!). Being a manly man I naturally ran the rest of the bases, barely making the home run before I limped off the field. I continued to play, making a double out as the pitcher, catching a ball and catching someone between bases, to help stop the other team from a comeback in the final round. We won that game, the team was happy, and I was hurting. I took the shoulder of my wife and we walked to find ice, elevation, and rest before watching the team play a game and going home.

While at home I performed the RICE method but was determined to attend the rodeo that night with my wife. We had a great time that night, but sitting in the stands for hours resulted in a lot of discomfort and pain. We had a very long walk back to the car. We repeated the same walk we had done earlier in the day, with my shoulder over her as she helped me get along. The responses I got were much different at this event than earlier in the day, with everyone assuming I was drunk and needed to walk. While I enjoy social drinking I'm not a fan of being drunk. It didn't matter what I did or what I said, people had a predetermined expectation of individuals at the rodeo, which wasn't far off for many in attendance if you were anywhere near the beer garden, I must say!

Same injury, same person, two different CONTEXTS from which one may interpret the situation. If you look at it objectively, in both cases I was limping and getting help. If you put assumptions drawn from past experience to the side, you'd probably take more notice of HOW I was walking, noticing a clear limp on one side and a grimace on my face. However, that's not what people do; in our human nature we all wear rose-colored glasses and make immediate assumptions. Take road rage, for example: you're mad at the driver who just cut you off, assuming they are a jerk too hasty to follow the rules of the road, when in fact they may be rushing to the hospital to see their father before he passes away. Context does change things, so how can you be objective?

My first rule in being objective is to trust nothing, especially yourself! As an incident responder and investigator I'm constantly documenting findings and then rechecking the facts, how I learned certain things, and so on. Even if a highly trusted colleague gives me their findings I will want to know HOW they obtained that data and WHY they reached the conclusions they did. Take for example this simple statement:

“The exploit server was down at the time of research.”

What's wrong with that statement? It's very declarative and clear, right? The problem is that it says nothing about how you evaluated the online presence of the server (your qualifications and methods). For example, did you run an Nmap scan, visit the site in a browser, or fetch it with wget? If the site does host an exploit server it may be tracking your IP, and if you have visited such sites before you may be blacklisted by the bad guys, resulting in a 404 or a redirection when your IP is recognized. So did you vary your IP? From a technical perspective it gets complicated quickly, so detail about what you did and how you arrived at each finding is key to accurate findings and interpretations. How about this as an improvement?

"Using a randomized IP in the same country as the server, a 404 error resulted after attempting to browse the website using default Safari settings."

As an expert who understands the TTPs of the bad guys I can now think, "hmmm, perhaps there is a user-agent check, or it's only up at certain times of the day, or perhaps it only hosted exploit code for a short period of time and/or has been shut down now?" Without those additional, qualified technical details I would still be wondering about the browser, possibly the OS, and other variables that may affect the results of an exploit kit (EK) check. Of course it could also just be down as stated, but we don't want to assume, or lead the reader astray unintentionally.
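The point above, that the observed status depends on HOW the check was made and that a finding should carry the 5 W's and H, can be shown in code. This is an added example, not code from the original post: it runs a constructed localhost stand-in for a suspect server (hypothetical behaviour: it answers 404 to one specific browser User-Agent and 200 to any other) and records each probe as a qualified finding rather than a bare "server was down" statement.

```python
import http.server
import threading
import urllib.error
import urllib.request
from datetime import datetime, timezone

# Constructed stand-in for the suspect server: a 404 for this one User-Agent,
# 200 for everything else. Hypothetical behaviour chosen for the demo only.
BLOCKED_UA = "Mozilla/5.0 (Macintosh) Safari/605.1.15"


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        self.send_response(404 if ua == BLOCKED_UA else 200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_server():
    """Start the constructed server on a free localhost port; return its URL."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/"


def qualified_check(url, user_agent, analyst, source_desc):
    """Probe URL once and return a finding that answers who/what/when/where/why/how.

    The bare statement 'the server was down' becomes a record of the exact
    method used, so a reader can judge whether a 404 means 'down' or 'filtered'.
    """
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:  # 4xx/5xx still yields a status code
        status = e.code
    return {
        "who": analyst,
        "what": f"HTTP GET returned status {status}",
        "when": datetime.now(timezone.utc).isoformat(),
        "where": url,
        "why": "confirm whether the suspected exploit server is reachable",
        "how": f"urllib GET, User-Agent={user_agent!r}, source={source_desc}",
        "status": status,
    }
```

Running the same probe with two User-Agents against the same URL yields a 404 and a 200 respectively; only the "how" field lets a later reader explain the difference.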

In the end a good researcher is always very specific and detailed, taking notes throughout an investigation, for the best accuracy possible. I make a habit of writing my reports AS I research, saving raw data to a file for later review and accuracy checks. I try to answer the five W's and H and always qualify what I found. I largely try to avoid interpretive findings, as that can get you into trouble when we don't really know the answer. This is, of course, what works for the somewhat Boolean technical world of cyber threat research, which can at times be directly in opposition to actor and attribution type research. To improve your intel, put your rose-colored glasses to the side and stop trying to be the guy or gal with all the answers: present the facts and let them speak for themselves.