As a security researcher, there are many things to keep in mind when conducting “daily routines,” if such a thing even exists. The computer science industry and its related technologies are vast and nearly bottomless; there is so much to learn that covering everything wouldn’t really be realistic. Don’t get me wrong, strive to learn all that you can, but working on a team with other folks helps ease some of that burden. Plus, you get to bounce ideas off each other and have actual conversations as opposed to consulting the inter-webs – hey, as much as I love technology and the Internet, I still like to physically interact with people as well.
When working on a team, one individual may focus on Internet of Things devices and their hardware and software components. Another may focus on radio frequencies and wireless technologies, understanding the various wireless protocols that make them work. There are many other tracks to follow. The more people you have, the more tracks a single team can cover, but this is all balanced against the business supporting these individuals: are they self-driven folks working on their own time outside their day jobs, a firm strictly focused on security research, etc.
One thing in all this that I’d say stands true regardless which track you’ve embarked upon is automation, and it helps – a lot.
Imagine this for a moment: you’re monitoring network traffic and need to ensure that there isn’t anything malicious entering your network.
How would you go about doing this? Do you manually check every packet as it comes in? If this were the case, how would you scale this action to N users? What method would make such a use case feasible when conducting business in real time?
This is where automation comes into play.
Network gateway and perimeter devices offer this functionality, fully automated (for the most part) but with some manual work still needing to be done (mainly creating network-specific firewall rules and ensuring proper routing). A previously written article highlights legacy security protections (signature- and hash-based), and another talks about advanced security protections (some utilizing virtualized sandboxing services); the services written about are WatchGuard-specific.
Okay, awesome, that’s cool to know that there are network security devices that offer automated network traffic analysis. But how do they offer such a feature?
Ah, well that’s the million dollar question (actually the $300B question come 2024). It’s simple, so to speak; a team of individuals worked together, more than likely a conglomeration of intelligent security researchers, some super smart networking folks, and certainly a range of others I’ve missed. They worked together to baseline expected network traffic, surely based on their understanding of many protocol specifications and RFCs, then further filtered and investigated non-normal traffic. Using their expertise, they were able to create some “template” that would help and at least offer some protection.
What’s great about having these templates is that they’re reusable, hence their name. A tremendous amount of hard work goes into first understanding the patterns and consistencies in network traffic samples; the payoff is that legitimate traffic is allowed through to reduce latency, providing a better end-user experience, while traffic that doesn’t adhere to the norm is held for further actions and investigation.
To be clear, network traffic is automatically checked on gateway / perimeter network devices against rules defined by the above template. Traffic that doesn’t trip any alarm is allowed through. Concerning traffic is investigated further, ranging from comparing it against the traffic patterns of known threats (this is where the legacy systems come into play) up to behavioral analytics in sandbox environments and even artificial intelligence / machine learning algorithms (the more advanced detection methods).
Another example of the benefits of automation is finding trends, highlights, and virtually an endless amount of information you want to find out from a given dataset. You’re only limited to the creativity of your mind and what you want to understand from the given dataset.
To expound on that a bit… On a quarterly basis our team reports on the top malware hits and network attacks, amongst other things, and we highlight trends and note new occurrences. With the vast amount of data we have, individually going through each data set seems like quite the task. However, using automation simplifies this by quite a bit. We’re able to aggregate data based on our desired logic, which is derived from what we want to report upon. And yes, we, too, are only limited to our mind’s creativeness.
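The quarterly aggregation described above, as an added example that is not code from the original post or from WatchGuard: a small script that derives the quarter from each detection event, counts hits per category and signature, and reports the top hits, the signatures that are new this quarter, and the signed change against the prior quarter. The event list and signature names are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample detection events: (date, category, signature name).
# Not real detection data; the names are placeholders for illustration.
EVENTS = [
    ("2024-01-09", "malware", "Trojan.Generic"),
    ("2024-02-14", "malware", "Trojan.Generic"),
    ("2024-02-20", "malware", "Adware.Bundler"),
    ("2024-03-03", "network", "SQL Injection Attempt"),
    ("2024-03-21", "network", "SQL Injection Attempt"),
    ("2024-04-02", "malware", "Trojan.Generic"),
    ("2024-04-11", "malware", "Dropper.Macro"),
    ("2024-05-19", "malware", "Dropper.Macro"),
    ("2024-05-30", "network", "SQL Injection Attempt"),
    ("2024-06-07", "network", "Directory Traversal"),
    ("2024-06-25", "malware", "Dropper.Macro"),
]

def quarter_of(day: str) -> str:
    """Map an ISO date string to a reporting quarter label, e.g. 2024-Q2."""
    d = date.fromisoformat(day)
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def aggregate(events):
    """Count hits per signature, keyed by (quarter, category)."""
    counts = defaultdict(Counter)
    for day, category, name in events:
        counts[(quarter_of(day), category)][name] += 1
    return counts

def top_hits(counts, quarter, category, n=3):
    """The n most frequent signatures for one quarter and category."""
    return counts[(quarter, category)].most_common(n)

def new_occurrences(counts, prev_q, cur_q, category):
    """Signatures seen this quarter that were absent the quarter before."""
    return sorted(set(counts[(cur_q, category)]) - set(counts[(prev_q, category)]))

def trend(counts, prev_q, cur_q, category):
    """Signed change in hit count for every signature seen in either quarter."""
    prev, cur = counts[(prev_q, category)], counts[(cur_q, category)]
    return {name: cur[name] - prev[name] for name in set(prev) | set(cur)}

if __name__ == "__main__":
    counts = aggregate(EVENTS)
    for category in ("malware", "network"):
        print(category, "top:", top_hits(counts, "2024-Q2", category))
        print(category, "new:", new_occurrences(counts, "2024-Q1", "2024-Q2", category))
        print(category, "trend:", trend(counts, "2024-Q1", "2024-Q2", category))
```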
Adding in More Context, and a Personal Note
Okay, hopefully now you can see the benefits of automation. Once the template is defined, those involved folks can still monitor and improve functionality of that template but are not as tied into it as when it was being created. In other words, they have more time to focus on other things as well.
Let’s take a step back. I want to recognize that not everyone will be able to pick up where the above-mentioned folks left off. We must each start the journey somewhere and progressively grow and evolve. If you have the desire to get to the same point those folks were and maybe still are at, and are diligent, I am confident you can achieve that goal. You can start trying to automate things yourself!
If you’re thinking, “well I need to learn programming to automate” this is true, you do. How else would you automate anything? Don’t let this deter you or invoke fear, however, as the benefits of learning will greatly help you in many other aspects of life as well.
Having realized the benefits of programming myself, I actually started teaching myself more languages than just the one I learned in school. In fact, I learned Java in school but hadn’t really done anything else programming-related since those classes in college. After some time had passed, maybe a year or so, I got into Python and fell in love with it. I spent about a year in that myself and now I find myself as part of WatchGuard’s Threat Team.
I wanted to help other folks who are interested in starting to program, so I wrote out some things to keep in mind when learning a new programming language, and then followed it up by actually setting out to learn another new language and writing about my journey. In both articles I go into more detail, so I won’t do that here, but I encourage you to check those out if you’re interested in automating some tasks or curious to know more about programming languages.
The main focus of this post is to raise awareness that automation is important, especially in the age we live in. Further, that learning to program can greatly help alleviate the need for performing repeated tasks that can easily be automated.
Malware analysis is a prime example: imagine having to manually go through each sample to analyze it further. Sure, in the beginning it’s important to do that, since it lets you learn what patterns and consistencies the samples have. Once you have a rough template in place, keep adding to it.
There are a lot of tools already out there. If you’re more into learning the tools and just getting a report, read their documentation on usage. If you want to know more about how the tools do what they do, that gives you a much better understanding of, and exposure to, programming logic. Both are fun to me, though I like the latter more: how the tools work and what they look for, as opposed to just reading and understanding the results.