<?xml version="1.0"?>
<Module projectID="1264" moduleID="1438">
	<ModuleName>mod2</ModuleName>
	<AU>C01_M02</AU>
	<Title>Understanding Your Role in CND Analysis</Title>
	<Subtitle>Understanding Your Role in CND Analysis</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../C01_M02/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText> 
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Topics and Objectives</Title>
					<Subtitle/>
					<Filename>disacnd02_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on understanding your role in computer network defense, or CND, analysis. When you have completed this lesson, you will be able to identify key concerns that CND analysis seeks to address and identify characteristics of an effective CND analyst in the DoD. You will also be able to identify the value of employing an analysis methodology and identify the basic elements of a narrative. There are six topics in this lesson. After completing the introduction, you will review the concept of analysis and the role of the CND analyst. You will then learn about an analysis methodology that can be used to augment your existing analysis processes. And finally, you will learn what is involved in developing a narrative. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Rich Media Text Description, Course: D O D Intrusion Detection System (I D S) Analysis, Part 3, Module 1: C N D Analysis: A Structured Approach to Intrusion Analysis, Lesson 2: Understanding Your Role in C N D Analysis, For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 14. Lesson title: Understanding Your Role in C N D Analysis. Topic title: Introduction. Screen title: Topics and Objectives. Four learning objectives display in support of audio. Six topics display. The first topic is titled Introduction. The second topic is titled Overview of Analysis. The third topic is titled Role of the Analyst. The fourth topic is titled Introduction to Analysis Methodology. The fifth topic is titled Developing a Narrative. The sixth and final topic is the Conclusion. Text displays as follows: References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service, or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Overview of CND Analysis</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What is Analysis?</Title>
					<Subtitle/>
					<Filename>disacnd02_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">With the largest and most complex information network in the world, the DoD goes to great lengths to safeguard its information and information systems using many layers of protection. A key component of this layered approach is the Intrusion Detection System, or IDS, which detects suspicious activity on the network and alerts you to potential intrusions and potential intrusion attempts. Earlier, you met Pat, a novice CND analyst for the DoD. Pat failed to recognize incoming IDS alerts as suspicious. In your role as a CND analyst, not only must you be able to recognize when a system is being probed, is under attack, or has been compromised, but you must also know what to do with that alert data when you receive it. At its core, &quot;analysis&quot; is making sense of data. To be effective, analysis requires a dedicated, skilled, and trained person or team to make sense of the incoming alert data. As a CND analyst, this is where you come in. Effective analysis requires that analysts systematically investigate each alert to characterize the event as an anomalous event, an explained event, or a false positive. Anomalous events should be further analyzed to determine the source of the anomaly and may later be classified as incidents. Incidents should receive additional analysis to determine the methods used in the incident, to identify patterns of activity, to correlate information and trends, and to determine the root causes of the incident. Effective analysis also requires analysts to predict possible outcomes of the incident, develop hypotheses for possible causes, research methods of responding to or eradicating the threat, suggest security controls that could prevent future occurrences, and provide recommendations for resolution. Note that CND analysis is triggered by the identification of an incident that requires further examination. 
This course frames CND analysis in the context of responding to an incident identified by an IDS alert, but other events may also signal an incident and trigger an investigation and the resulting analysis. Select Other Events to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>What is Analysis?</Title>
							<Subtitle/>
							<Filename>disacnd02_02_01</Filename>
							<PageNbr>2</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Other Events</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: Other Events. Text displays as follows: Other events that may signal an incident. Antivirus software alerts that a device is infected with some form of malicious code. A critical server crashes unexpectedly. Users complain of slow access to hosts on the Internet or mail servers. A system administrator notices a filename that contains unusual characters. A system logs multiple failed login attempts from an unfamiliar remote system. The e-mail administrator sees a large number of e-mails with suspicious content. The network administrator notices deviation from typical network traffic flows. The firewall administrator sees unauthorized outbound connections. Note that this list is not exhaustive and merely represents some possible events.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 14. Topic title: Overview of C N D Analysis. Screen title: What is Analysis? Large network displays containing several smaller subsidiary networks. Rings appear around each network and network component to represent layers of protection. I D S appears within each network. Reprised image of Pat displays near network. Alerts display on network. Text displays in support of audio. Text Other Events becomes selectable as popup. The acronym I D S becomes a rollover that reads intrusion detection system.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What is CND Analysis?</Title>
					<Subtitle/>
					<Filename>disacnd02_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's take a moment to examine how the concept of analysis applies specifically to the context of computer information systems and network security. Pat's first mistake was failing to recognize that the incoming IDS alerts required further investigation. But her problem was quickly compounded when she failed to provide context for the data that she reported. CND analysis takes the concept of analysis one step further by doing just that: providing a context for the analysis. Specifically, CND analysis frames analysis in the context of security issues. Like all types of analysis, CND analysis is conducted to make sense of data. However, in the case of CND, the analysis is conducted for the purpose of understanding an organization's security posture, mitigating threats in response to malicious events, and making recommendations for how to improve security in the future. To serve this purpose, CND analysis seeks to address several key concerns, but CND analysis also faces several challenges. Select Key Concerns and Challenges to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>What is CND Analysis?</Title>
							<Subtitle/>
							<Filename>disacnd02_03_01</Filename>
							<PageNbr>3</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> As a CND analyst, you must determine whether attempts to compromise network resources are under way, and if so, by whom. Be careful about attributing a malicious event to a particular actor. Attribution in the cyber world is incredibly difficult and often controversial because malicious actors may be spoofing the source or using previously compromised systems as pivot points. Note that full attribution is beyond the scope of CND analysis and is better left to a fusion analyst or to law enforcement or counterintelligence agencies. Other key concerns addressed by CND analysis are listed here. Take a moment to review them. To address these key concerns, CND analysts must use their knowledge and judgment to make inferences. It is not enough to simply pass along the raw, objective data as you receive it. You must analyze this data to provide a focused response and recommendations. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Key Concerns</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Key Concerns. C N D analyst and network display. Text displays in support of audio. Text displays as follows: Have systems been compromised? If so, which ones? Has data been stolen? Is data moving across the network when it shouldn't be? What is/could be the effect of the malicious event? How can we stop the ongoing malicious event? How can we prevent future malicious events? Words display Knowledge and Judgment. The term fusion analyst becomes a rollover that reads as follows: Also known as an all-source analyst, a fusion analyst compiles and evaluates data from multiple sources to include intelligence, technical, qualitative, and formulaic sources to identify, assess, and mitigate perceived threats. This type of analysis is typically a collaborative effort among many organizations and departments.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>What is CND Analysis?</Title>
							<Subtitle/>
							<Filename>disacnd02_03_02</Filename>
							<PageNbr>3</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The field of CND analysis is inherently challenging for several reasons. First of all, the data to analyze is exceptionally vast, which leads to difficulty in correlating the array of data sources. In addition, the situations surrounding IDS incidents are often complex, and conclusions are debatable. Finally, because analysts have varying levels of experience and training, results may vary. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Challenges</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: Challenges. C N D analyst and network display. Text displays in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 14. Screen title: What is C N D Analysis? Network displays. Reprised image of Pat displays near network. Alerts display on I D esses in network. Image displays of C N D analyst. Text displays in support of audio. Key Concerns and Challenges display and become selectable as popups.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Role of the Analyst</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What is the Role of the Analyst?</Title>
					<Subtitle/>
					<Filename>disacnd02_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The role of the CND analyst is broad and touches on several aspects of information technology and security. The specific role may vary depending on several factors, including the role of the employing organization within the DoD and what network tier that organization is operating at - be it Tier 1, Tier 2, or Tier 3 - the role of the CND unit within that organization, the organization's specific CND processes, and the analyst's knowledge and experience. However, regardless of the specific requirements of the organization, every CND analyst must meet certain minimum requirements defined by the DoD in DoD 8570.01-M, the Information Assurance Workforce Improvement Program. To effectively meet these minimum requirements, CND analysts should possess a range of specialized knowledge, skills, and abilities, or KSAs. An effective analyst should also have an analysis methodology that is simple, realistic, and adaptable, and the analyst should be able to tell the story. And finally, an effective CND analyst must have the judgment and experience to bring these requirements, KSAs, and tools together to correctly interpret data and provide actionable intelligence to his or her superiors. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 14. Topic title: Role of the Analyst. Screen title: What is the Role of the Analyst? Reprised image of C N D analyst displays with question text What is the role of the analyst? Image displays to represent hierarchy that affects the analyst's role. Highest level is labeled D O D. Next level is labeled Organization. Next level is labeled C N D Unit. Next level is labeled C N D Processes. Lowest level is labeled C N D Analyst. Image displays of D O D eighty-five seventy dot oh one dash M with label D O D requirements. Image displays of K S A icon. Image displays of methodology icon. Image displays of newspaper icon with label Tell the story. Words display reading Judgment and Experience.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>DoD Minimum Requirements</Title>
					<Subtitle/>
					<Filename>disacnd02_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">When you met Pat earlier, you could see that she was struggling in the role of CND analyst. But what was holding her back? And why do some analysts, like Pat, fall short of the DoD requirements? For some, it may be that their command, service, or agency, or C/S/A, does not clearly inform them of the requirements and what is expected. Others may be fully aware of these requirements but not have an approach to ensure that they consistently address these requirements. So what exactly does the DoD require of you as a CND analyst? And how will you meet those requirements? DoD 8570.01-M, the Information Assurance Workforce Improvement Program, identifies nine minimum requirements that CND analysts must meet. It is important that you are aware of these requirements, as these are what the DoD has identified as the official role of a CND analyst. Take a moment to review these requirements. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 14. Screen title: D O D Minimum Requirements. Reprised image of Pat displays with question text Why do some analysts fall short of D O D requirements? Text displays Analyst doesn't know what's required. Text displays Analyst doesn't have an approach to analysis. Reprised image of C N D analyst displays with question text What does the D O D require? Reprised image of D O D eighty-five seventy dot oh one dash M displays with full title Information Assurance Workforce Improvement Program. Text displays as follows: Functions of a CND Analyst (C N D dash A). C N D dash A dot 1. Mastery of I A T Level I and I A T Level II knowledge and skills. C N D dash A dot 2. Receive and analyze network alerts from various sources and determine possible causes of such alerts. C N D dash A dot 3. Coordinate with enclave C N D staff to validate network alerts. C N D dash A dot 4. Perform analysis of log files from a variety of sources, to include host logs, network traffic logs, firewall logs, and intrusion detection system logs. C N D dash A dot 5. Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources. C N D dash A dot 6. Monitor external data sources to maintain currency of CND threat condition and determine which security issues may have an impact. C N D dash A dot 7. Assist in the construction of signatures which can be implemented on C N D network tools in response to new or observed threats. C N D dash A dot 8. Perform event correlation using information gathered to gain situational awareness and determine the effectiveness of an observed attack. C N D dash A dot 9. Notify C N D managers, incident responders, and other C N D S P team members of suspected C N D incidents and articulate the event's history, status, and potential impact for further action. 
The acronym I A T becomes a rollover that reads information assurance technical.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What Makes an Effective Analyst?</Title>
					<Subtitle/>
					<Filename>disacnd02_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In addition to the DoD's minimum requirements, a CND analyst must have a firm foundation of knowledge, skills, and abilities, or KSAs, to effectively perform the functions of CND analysis and meet the requirements identified by the DoD. CND analysis is not an entry-level job; thus it requires more than just an entry-level skill set. In fact, CND analysis requires a broad range of specialized experience in security, cryptography, network security, host-based security, networking protocols, operating system configuration, common methods of network and computer exploitation, and research and data mining. A wide variety of knowledge, skills, and abilities are required to effectively perform the functions of a CND analyst. Keep in mind that only the most experienced CND analysts will possess all of these KSAs, but they should be considered a goal to strive for in your professional development. If you feel that you are missing specific expertise, you may wish to pursue further training in such topics as network security, vulnerabilities in operating systems, and application development. Take a moment to review these KSAs. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 14. Screen title: What Makes an Effective Analyst? Reprised image displays of C N D analyst. Pedestal displays beneath analyst to represent foundation of knowledge, skills, and abilities. Segments of pedestal are labeled in sync with audio as knowledge, skills, and abilities. Text displays in support of audio. Text displays as follows: K S Ays of Effective C N D Analysts. Deep knowledge of each protected O S. Significant understanding of networking protocols. Understanding of common methods of exploitation. Appreciation for evasive tactics employed. Significant familiarity with the organization being protected. Basic understanding of cryptography. Ability to think critically while under pressure. Ability to intelligibly and persuasively present findings to technical and nontechnical resources. Ability to keep up with a constantly changing threat and vulnerability landscape. The acronym K S Ays becomes a rollover that reads knowledge, skills, and abilities. The acronym O S becomes a rollover that reads operating system.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Introduction to Analysis Methodology</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Purpose of a Methodology</Title>
					<Subtitle/>
					<Filename>disacnd02_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Chances are, your organization already follows some type of established process for conducting CND analysis, so why do you need yet another methodology? The fact is that even when analysts have the KSAs to meet the DoD requirements and effectively analyze IDS alert data, their analysis can still be incomplete, or their process can fail to keep pace with newer technologies. Why? In many cases, this is due to the lack of a structured approach and the lack of process maintenance. Some existing methodologies come from vendors and are limited in applicability to the vendor's specific product. It is important to have a methodology that can be adapted to your unique working environment and can help you to achieve fact-based, understandable, and sound conclusions. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 14. Topic title: Introduction to Analysis Methodology. Screen title: Purpose of a Methodology. Images display in support of audio. Image displays of basic methodology diagram. Methodology diagram has three phases, each of which includes a label, a one-word descriptor, and one or more steps. Phase 1, Data Gathering, is described as input and has one step: Gather Data. Phase 2, Knowledge Development, is described as analysis and has four steps: Analyze and Correlate data, Develop Timelines, Develop Narratives, and Develop Hypotheses. Phase 3, Reporting, is described as output and contains one step: Report. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>A Narrative Approach</Title>
					<Subtitle/>
					<Filename>disacnd02_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">So how can a methodology support your existing analysis processes? The methodology that we will discuss in this course is simple, realistic, thorough, and adaptable. It does not require any specialized systems or technical knowledge and may be incorporated into any organization's existing CND analysis processes. At its most fundamental level, this methodology simply demands that you tell the story. That's it! Like any story that you tell, you will first gather information about the incident. You will then analyze this information to develop your knowledge of the incident. And finally, you will report your findings about the incident. When you approach analysis with the overarching goal of telling a story, then the mere act of telling the story provides you with a context for your analysis. It is important to note that this methodology is not intended to replace existing processes and procedures that are in place within your organization. Instead, this methodology is offered as a means to enhance your organizational methodology. It is offered as an approach that you can adapt to meet the unique needs of your organization. And it is designed to help you achieve fact-based, understandable, and sound conclusions. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 14. Screen title: A Narrative Approach. Analysis methodology displays. Reprised image displays of methodology diagram showing only the phases. Text displays in support of audio. Image displays of newspaper with headline reading “Incident detected!” Each phase of the methodology is highlighted in sync to the associated audio. Image displays of clipboard icon for Phase 1, Data Gathering. Image displays of magnifying glass icon for Phase 2, Knowledge Development. Image displays of report icon for Phase 3, Reporting. Words display over methodology diagram, stating “Tells a story.” Text displays in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Developing a Narrative</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview of a Narrative</Title>
					<Subtitle/>
					<Filename>disacnd02_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">So, how exactly will you tell the story? What does this narrative approach to analysis require? You may think of analysts as technical people who don't often think in stories. However, the mere process of telling the story of an incident often helps analysts to develop a better understanding of the incident, because they have to think more critically about the incident and address questions as they arise. As you develop your narrative, be sure to keep your audience in mind. The people who receive your analysis reports rely on the information that you provide, but they may not have the breadth of technical knowledge that you do. To ensure that your communication is clear, tell your story using plain language. It is easy to get sidetracked by technical details and for language to quickly become overrun with jargon, but you can avoid this if you approach your analysis as if you are telling the story to a nontechnical person, such as a spouse or a friend. In the next lesson, we will discuss how a narrative can be used to produce both operational reports for the layman and technical reports for those requiring the technical details. Let's take a look at what's involved in developing a narrative. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 14. Topic title: Developing a Narrative. Screen title: Overview of a Narrative. Reprised image of newspaper displays along with question text How will you tell the story? Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Elements of a Narrative</Title>
					<Subtitle/>
					<Filename>disacnd02_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">When you develop a narrative, you must answer six essential questions. First, ask who was involved. Who were the key players? That is, who were the actors, who were the victims, and who were the pawns? Next, ask what happened. And what was the result of the threat event? Next, ask when the incident occurred and begin to develop a timeline of related events. Next, ask where the incident occurred. This question may elicit both physical locations and virtual locations. Next, ask why the incident occurred. Since you won't be able to question the threat actor directly, you'll have to make inferences based on other information that you gather. Finally, ask how the incident occurred. How was the asset exploited? And why was it vulnerable to start with? Using these questions will help to ensure that your analyses are as thorough and complete as possible. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 14. Screen title: Elements of a Narrative. Reprised image of newspaper displays. Image displays of five double-ewes icon. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
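The following Python is added here as a worked example and is not part of the DISA course material. It carries the sequence described on the What is Analysis? screen (characterize each alert as anomalous, explained, or a false positive), the three methodology phases (gather data, analyze and correlate with a timeline and narrative, report), and the six narrative questions on this screen through a small, self-contained run over constructed SSH authentication log lines. The hosts, addresses, account names, the "familiar" 10.0.0.0/8 range, the allowlisted scanner, and the threshold of three failures are all assumptions made for the example; the "why" field is deliberately recorded as a hypothesis, because motive cannot be read from the logs.

```python
# Added example, not from the DISA course: sort constructed SSH log lines into the
# lesson's three event classes (anomalous, explained, false positive), then build
# a timeline and a who/what/when/where/why/how narrative for each anomalous source.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (syslog/sshd format). Hosts, addresses, accounts and the
# "familiar" 10.0.0.0/8 range are invented for this example.
SAMPLE_LOG = """\
Mar 14 02:11:03 web01 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:11:05 web01 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar 14 02:11:08 web01 sshd[4121]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 14 02:11:12 web01 sshd[4121]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 14 02:11:19 web01 sshd[4121]: Accepted password for root from 198.51.100.23 port 51027 ssh2
Mar 14 02:11:19 web01 sshd[4121]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 14 02:30:41 web01 sshd[4390]: Failed password for jsmith from 10.0.5.17 port 40112 ssh2
Mar 14 02:30:47 web01 sshd[4390]: Accepted password for jsmith from 10.0.5.17 port 40113 ssh2
Mar 14 03:00:00 web01 sshd[4401]: Failed password for svc-audit from 10.0.9.9 port 33000 ssh2
Mar 14 03:00:01 web01 sshd[4401]: Failed password for svc-audit from 10.0.9.9 port 33001 ssh2
"""

# Hypothetical enclave knowledge the analyst brings to the alert.
FAMILIAR_PREFIXES = ("10.",)                                   # address space the enclave owns
EXPLAINED_SOURCES = {"10.0.9.9": "authorized credential-audit scanner"}
FAILURE_THRESHOLD = 3                                          # failures per source before it is anomalous

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port (\d+)"
)


def parse_log(text):
    """Phase 1 (gather data): raw lines become structured events; lines that are
    not login outcomes, such as the pam_unix session line, are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, outcome, user, src, port = m.groups()
            # syslog carries no year; strptime defaults to 1900, which still orders correctly
            events.append({"ts": datetime.strptime(ts, "%b %d %H:%M:%S"), "host": host,
                           "outcome": outcome, "user": user, "src": src, "port": int(port)})
    return events


def classify(src, src_events):
    """Phase 2: characterize one source as the lesson prescribes."""
    if src in EXPLAINED_SOURCES:                       # known benign cause on record
        return "explained"
    failures = sum(1 for e in src_events if e["outcome"] == "Failed")
    if not src.startswith(FAMILIAR_PREFIXES) and failures >= FAILURE_THRESHOLD:
        return "anomalous"                             # unfamiliar remote system, repeated failures
    return "false positive"                            # e.g. a familiar user mistyping once


def timeline(events):
    """Ordered (time, host, source, outcome, account) rows for the report."""
    return [(e["ts"].strftime("%b %d %H:%M:%S"), e["host"], e["src"], e["outcome"], e["user"])
            for e in sorted(events, key=lambda e: e["ts"])]


def build_narrative(src, src_events):
    """Answer the lesson's six questions for one anomalous source."""
    ordered = sorted(src_events, key=lambda e: e["ts"])
    failed = [e for e in ordered if e["outcome"] == "Failed"]
    accepted = [e for e in ordered if e["outcome"] == "Accepted"]
    hosts = sorted({e["host"] for e in ordered})
    return {
        "who": {"actor": src, "victims": hosts, "accounts": sorted({e["user"] for e in ordered})},
        "what": {"failed": len(failed), "accepted": len(accepted),
                 "result": "account compromise" if accepted else "attempt only"},
        "when": (ordered[0]["ts"].strftime("%b %d %H:%M:%S"), ordered[-1]["ts"].strftime("%b %d %H:%M:%S")),
        "where": {"logical": hosts, "physical": "unknown; consult the asset inventory"},
        # Motive is never observable in the logs: record a hypothesis to test, not a fact.
        "why": "hypothesis: opportunistic guessing of default accounts (admin, root)",
        "how": "SSH password guessing; an accepted password suggests a weak or reused root password",
    }


def triage(text):
    """Run the whole sequence: returns {class: [sources]} and narratives for anomalies."""
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src"]].append(e)
    classes, narratives = defaultdict(list), {}
    for src, src_events in sorted(by_src.items()):
        cls = classify(src, src_events)
        classes[cls].append(src)
        if cls == "anomalous":
            narratives[src] = build_narrative(src, src_events)
    return dict(classes), narratives


# classes == {'false positive': ['10.0.5.17'], 'explained': ['10.0.9.9'], 'anomalous': ['198.51.100.23']}
classes, narratives = triage(SAMPLE_LOG)
```

Run as a script, the module leaves classes and narratives populated; timeline(parse_log(SAMPLE_LOG)) gives the ordered rows that would anchor the "when" of an operational report. The design choice worth noting is that the allowlist and the familiar address range are the analyst's organizational knowledge, not something the log contains: the same four failed logins are an anomaly from an unknown remote system and a non-event from a scanner the enclave runs on purpose, which is exactly why the lesson stresses familiarity with the organization being protected.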
			</Pages>
		</Topic>
		<Topic>
			<Title>Knowledge Checks</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Knowledge Check 1</Title>
					<Subtitle/>
					<Filename>disacnd02_11</Filename>
					<PageNbr>11</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>580</DfltQuestionWidth>
					<DfltFBWidth>425</DfltFBWidth>
					<Questions>
						<Question qType="MR">
							<Txt>One reason that Pat was not successful in conducting CND analysis is that she failed to consider the overall purpose of CND analysis. Which of the following are purposes of CND analysis? Select all that apply.</Txt>
							<Response valid="true">
								<Txt>Making sense of data</Txt>
							</Response>
							<Response valid="true">
								<Txt>Understanding an organization's security posture</Txt>
							</Response>
							<Response valid="true">
								<Txt>Mitigating threats in response to malicious events</Txt>
							</Response>
							<Response valid="true">
								<Txt>Making recommendations for improvement to information security</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. All of these are purposes of CND analysis: making sense of data, understanding the organization's security posture, mitigating threats, and recommending security improvements.</DfltCorrect>
								<DfltIncorrect>Incorrect. All of these are purposes of CND analysis: making sense of data, understanding the organization's security posture, mitigating threats, and recommending security improvements.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now take a moment to check your knowledge. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 14. Topic title: Knowledge Check. Screen title: Knowledge Check. Knowledge check is a multiple-response question with four possible answers. Select all answers that apply, and select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 2</Title>
					<Subtitle/>
					<Filename>disacnd02_12</Filename>
					<PageNbr>12</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>578</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Correlate information and trends</Txt>
							<Response valid="true">
								<Txt>Analyst Role for Statement: Correlate information and trends</Txt>
							</Response>
							<Response>
								<Txt>Not Analyst Role for Statement: Correlate information and trends</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Correlating information and trends is a role of the CND analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. Correlating information and trends is a role of the CND analyst.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Propose methods of responding to the threat</Txt>
							<Response valid="true">
								<Txt>Analyst Role for Statement: Propose methods of responding to the threat</Txt>
							</Response>
							<Response>
								<Txt>Not Analyst Role for Statement: Propose methods of responding to the threat</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Proposing methods of responding to the threat is a role of the CND analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. Proposing methods of responding to the threat is a role of the CND analyst.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Attribute responsibility for a CND incident</Txt>
							<Response>
								<Txt>Analyst Role for Statement: Attribute responsibility for a CND incident</Txt>
							</Response>
							<Response valid="true">
								<Txt>Not Analyst Role for Statement: Attribute responsibility for a CND incident</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Attributing responsibility for a CND incident is not a role of the CND analyst. It is a role reserved for a fusion analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. Attributing responsibility for a CND incident is not a role of the CND analyst. It is a role reserved for a fusion analyst.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Recognize when a system has been compromised</Txt>
							<Response valid="true">
								<Txt>Analyst Role for Statement: Recognize when a system has been compromised</Txt>
							</Response>
							<Response>
								<Txt>Not Analyst Role for Statement: Recognize when a system has been compromised</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Recognizing when a system has been compromised is a role of the CND analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. Recognizing when a system has been compromised is a role of the CND analyst.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Ensure that IDS signature sets are up to date</Txt>
							<Response>
								<Txt>Analyst Role for Statement: Ensure that IDS signature sets are up to date</Txt>
							</Response>
							<Response valid="true">
								<Txt>Not Analyst Role for Statement: Ensure that IDS signature sets are up to date</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Ensuring that IDS signature sets are up to date is not a role of the CND analyst. It is a responsibility of CND Infrastructure Support.</DfltCorrect>
								<DfltIncorrect>Incorrect. Ensuring that IDS signature sets are up to date is not a role of the CND analyst. It is a responsibility of CND Infrastructure Support.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Determine methods used in the event</Txt>
							<Response valid="true">
								<Txt>Analyst Role for Statement: Determine methods used in the event</Txt>
							</Response>
							<Response>
								<Txt>Not Analyst Role for Statement: Determine methods used in the event</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Determining methods used in the threat event is a role of the CND analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. Determining methods used in the threat event is a role of the CND analyst.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Correct vulnerabilities to exploited IT assets</Txt>
							<Response>
								<Txt>Analyst Role for Statement: Correct vulnerabilities to exploited IT assets</Txt>
							</Response>
							<Response valid="true">
								<Txt>Not Analyst Role for Statement: Correct vulnerabilities to exploited IT assets</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Correcting vulnerabilities is not a role of the CND analyst. It is a role of Network Infrastructure Support and System Administrators.</DfltCorrect>
								<DfltIncorrect>Incorrect. Correcting vulnerabilities is not a role of the CND analyst. It is a role of Network Infrastructure Support and System Administrators.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Characterize the incident</Txt>
							<Response valid="true">
								<Txt>Analyst Role for Statement: Characterize the incident</Txt>
							</Response>
							<Response>
								<Txt>Not Analyst Role for Statement: Characterize the incident</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Characterizing the incident is a role of the CND analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. Characterizing the incident is a role of the CND analyst.</DfltIncorrect>
							</Feedback>
						</Question>
						
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now try these. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 14. Screen title: Knowledge Check. Knowledge check is a survey-style activity with eight questions and two answer columns labeled Analyst Role and Not Analyst Role. Select the best answer for each question, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check 3</Title>
					<Subtitle/>
					<Filename>disacnd02_13</Filename>
					<PageNbr>13</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>260</DfltQuestionWidth>
					<DfltFBWidth>425</DfltFBWidth>
					<Questions>
						<Question qType="MR">
							<Txt>Question 1 of 3.
This just in: A DoD database system was successfully compromised. Known terrorist organization X successfully gained access to a DoD network that housed sensitive information about CENTCOM troop movement. It is not yet known how much data was stolen, but organization X is known for its interest in such information.</Txt>
							<Response valid="true">
								<Txt>Who?</Txt>
							</Response>
							<Response valid="true">
								<Txt>What?</Txt>
							</Response>
							<Response>
								<Txt>When?</Txt>
							</Response>
							<Response>
								<Txt>Where?</Txt>
							</Response>
							<Response valid="true">
								<Txt>Why?</Txt>
							</Response>
							<Response>
								<Txt>How?</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. This story gives the Who (organization X vs. the DoD), the What (a successful compromise), and a theory for the Why (because of known interest in the exfiltrated data), but it does not identify the When, the Where, or the How.</DfltCorrect>
								<DfltIncorrect>Incorrect. This story gives the Who (organization X vs. the DoD), the What (a successful compromise), and a theory for the Why (because of known interest in the exfiltrated data), but it does not identify the When, the Where, or the How.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MR">
							<Txt>Question 2 of 3.
In the CNDSP Network Monitoring Center: An IDS alert timestamped 1315 indicates unauthorized access to an internal server via a Windows command shell by an external actor from a South American netblock. Further investigation shows the potentially compromised server surfing out to an external IP in a European netblock and downloading a PDF file immediately before the unauthorized connection was established.</Txt>
							<Response valid="true">
								<Txt>Who?</Txt>
							</Response>
							<Response valid="true">
								<Txt>What?</Txt>
							</Response>
							<Response valid="true">
								<Txt>When?</Txt>
							</Response>
							<Response>
								<Txt>Where?</Txt>
							</Response>
							<Response>
								<Txt>Why?</Txt>
							</Response>
							<Response valid="true">
								<Txt>How?</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. This story gives part of the Who (compromised server and two potentially malicious foreign IP addresses), the What (unauthorized access), the When (timestamp of 1315), and the How (the presumed poison PDF file), but it does not identify the Where or the Why.</DfltCorrect>
								<DfltIncorrect>Incorrect. This story gives part of the Who (compromised server and two potentially malicious foreign IP addresses), the What (unauthorized access), the When (timestamp of 1315), and the How (the presumed poison PDF file), but it does not identify the Where or the Why.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MR">
							<Txt>Question 3 of 3.
Memo to employees: Yesterday, an employee violated policy by using peer-to-peer software to download music and videos. The employee mistakenly configured the software to share out all directories on the hard drive, thus providing access to sensitive data containing blueprints and avionics packages for an experimental technology. Use of unauthorized software is strictly prohibited!</Txt>
							<Response valid="true">
								<Txt>Who?</Txt>
							</Response>
							<Response valid="true">
								<Txt>What?</Txt>
							</Response>
							<Response valid="true">
								<Txt>When?</Txt>
							</Response>
							<Response valid="true">
								<Txt>Where?</Txt>
							</Response>
							<Response valid="true">
								<Txt>Why?</Txt>
							</Response>
							<Response valid="true">
								<Txt>How?</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. This story gives the Who (the employee), the What (spillage of experimental data), the When (yesterday), the Where (the employee's hard drive), the Why (policy violation in use of unauthorized software), and the How (misconfiguration of peer-to-peer software).</DfltCorrect>
								<DfltIncorrect>Incorrect. This story gives the Who (the employee), the What (spillage of experimental data), the When (yesterday), the Where (the employee's hard drive), the Why (policy violation in use of unauthorized software), and the How (misconfiguration of peer-to-peer software).</DfltIncorrect>
							</Feedback>
						</Question>
						
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now try these questions about the elements of a narrative. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 14. Screen title: Knowledge Check. Knowledge check is a series of three multiple-response questions, each with the same six possible answers. For each question, select all answers that apply, and select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>disacnd02_14</Filename>
					<PageNbr>14</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the lesson on understanding your role in CND analysis. You should now be able to identify key concerns that CND analysis seeks to address and identify characteristics of an effective CND analyst in the DoD. You should also be able to identify the value of employing an analysis methodology and identify the basic elements of a narrative. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 14. Topic title: Conclusion. Screen title: Summary and Conclusion. Congratulations text displays. Text displays in support of audio. Objectives bullets change to checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
