Training new analysts, which is where... oh, there we go, thank you, that's better... which is where the idea for this talk has come from. So why does a SOC analyst need to worry about storytelling? Well, put simply, everybody loves a good story, and by allowing our readers to get a greater insight into some of the threats that we face today, we're able to get them to better understand some of the issues that we face in terms of securing our estate, and to better protect their assets, environments, etc. We come across some excellent stories in our field, but unfortunately we could be a little bit better at telling them sometimes.

I'm sure many of you have probably experienced as well, if you're already working within the industry, that one of the greatest challenges we face is actually getting the buy-in from either our clients or managers, and also some of the other professionals we have to work with, but definitely the end users. I think sometimes we can use our reports and better leverage those to really help them understand and prioritise why we need to do some of these things, why we need to take some of these measures, why we need to implement some of these controls, and indeed, when they decide to go ahead and click that link that they probably shouldn't have done, why we have to go ahead and take some of those remediation steps as well. But I think most importantly, our reports, when it all boils down to it, are our call to action. That's us saying: these are the steps that we need you to take, these are the things that we need you to do, and this is why we need you to do them.

So before we kick off, I wanted to show you an example of a report here that really just has some of the areas that could be improved that we see some of the time. I don't want to draw too much on this text, but just take my word for it. Here we've got a missing timestamp. It's one of my favourite things; we see it a lot. The reason for this is you're telling somebody, you know, we've got this really bad thing that potentially happened, but when? Obviously that's a really important detail that gets overlooked surprisingly often. A little pro tip for those of you who do work as SOC analysts, or would like to: when you are working with particularly involved incidents where you've got quite a lot of events, it can be really useful, and particularly if you're working across multiple time zones, to use UTC for your timings, or at least to create a uniform converted timeline, so you've got a cohesive timeline of events. Otherwise it can get a little bit difficult to follow for your reader as well.

We've also got some assumptions here. It's great to say, you know, that we've got this likely expected activity for a user, but for those of you who are SOC analysts, you'll probably know that we're probably the most likely group of people to go ahead and get our laptops infected with malware, so saying something is likely expected is always a little bit of a risk. The other thing is it's a little bit ambiguous and could be clarified that little bit better. So we want to move away from something like this to something that's just a little bit more detailed, a little bit better contextualised, and a little bit clearer. How do we do that? Well, hopefully I'm going to help you answer that question today.

So first of all, the biggest thing in my opinion, before you do anything, before you write any report, is knowing your audience. So who are you writing for and why? What do we need them to know, what do we need them to do, and what do we need them to understand? Secondly, context is your friend. It's your absolute best friend, actually, when you're writing any kind of report, because, like I said with the timestamps, it makes such a difference to have all the relevant information ahead of you. That's the thing that's going to stop someone coming back to you and saying "hey, can you give us more information?", and it's going to be so much more efficient and it's going to save everybody so much more time. And then finally, this one's for you: build your own knowledge base. That comes down to just moving away from that kind of copy-paste approach, or relying on things like generative AI chatbots and things like that, and being able to really rely on your own knowledge and skills, because let's be honest, you've got it. So make use of that, and make sure that you can draw on that knowledge and those skills to be able to add that context and add that value in the reports you're writing.

So firstly, knowing your audience: what does that actually entail in practice? Well, you might be thinking, with me standing up here saying, you know, not all of your readers will be technical experts, you might be one of the lucky few who is writing predominantly for technical experts, and that's great, that's fine. In that case the same logic applies: you can tailor your reports to that audience. But if you're not writing for technical subject matter experts, and you'll find that's often the case, and even if you may not realise it, because sometimes you might not intend to write for someone that isn't, by the time it gets passed on to somebody else further down the line it may be that that particular person isn't someone who's worked in a SOC or done a cyber security master's degree. So it can often be better to assume that your reader has minimal to possibly even no subject matter knowledge. We don't want to patronise them; at the end of the day I'm sure they're lovely, perfectly competent people, but they're not professionals within our field. So we ideally want to try and avoid any kind of unqualified jargon, any unqualified abbreviations as well, and to add in descriptions of any complex technical concepts that we're discussing. It can always help to add some links to either documentation or any other reliable references, and that's something that can be really useful even if you are writing for subject matter experts. I know personally, if someone does that, I absolutely love it, because it makes my job and the job of anyone else reading it so much easier.

Now just a brief reminder on this one: mind your language. I'm sure nobody is out there thinking and writing in their reports "oh mate, it's completely shafted", but just a quick reminder, please do keep it clear, professional and unbiased as well. So that's just a couple of best practice points here. The other one is to keep it concise and to keep it relevant, because at the end of the day you don't want to lose your reader because of the length of text they're having to plough through to get to the important bits.

So secondly we've got this, arguably I would say the most important point when it comes to the actual production of your report, and that's that context is your friend. But what does that actually mean in practice? Well, it's really quite simply that the simple details are often the ones that matter the most, but they're often the ones that are very easy to leave out. So: what actually happened, at the end of the day? And the other one that's often left out is when. Those timestamps that we see actually really do matter, and they can help us to piece together a cohesive timeline of events that really can make the difference between determining whether something may be malicious or perfectly expected. So these timestamps really do make a difference. Again, something very important to consider is who is involved, but that might also mean what other entities and assets were involved, so again really important context we want to make sure that we're including in our reports. Where did the events happen? And the other thing to keep in mind is it might not necessarily be the same as where things actually originated.

And how do we make sure that we actually include all of these relevant details? Well, it can be really helpful to work with a structure. I know that some of you may be dictated... well, that did not work very well in practice on here, did it? I'm sorry about that, because... yeah, that did not work. I'm sorry about the slides, I don't know how that happened, we'll blame the lovely Linux machine, sorry guys. Anyway, what I'll do for anyone who wants a copy of the slides: my details are going to be at the end, and please feel free to get in touch and I'll send over a clean copy with everything on the actual graphic there.

So we've got a potential structure here that would have been up on the screen that has the investigation process, and that can actually be a really good place to start when it comes to structuring your investigation notes or your reports. So first of all I like to start with a sort of validation of the alert, if you like. So what actually happened? We've got why did the alert trigger in the first place, for example. Again, a brief overview of those really key contextual points. That can be a really good place to make sure you've got those in nice and early doors and just really go over the real essential details: what actually happened, why, involving who and what, and when. Then move into the kind of meatier parts, the investigation itself. If you're looking at a more formal report then maybe look a little bit at the methodology, the investigation steps, for example. Then following that we'd go on to looking a little bit at the findings, and I personally like to include the evidence within that, because I think for the end reader that makes it a lot easier to follow, and it's just so much easier if you can look at it: we found this, here's the evidence, rather than having that in different sections or something. But obviously if you're dictated to a different structure that's absolutely fine too. The most important thing is to consider screenshots over URLs every day, because I don't know if you've ever seen on VirusTotal the report change from a lovely wall of green to a sea of red overnight. You've been warned.

Generally then we would consider the scope, so this is meant to be that lovely purple one at the bottom there. The scope is where we would consider the extent of our investigation: so is there any evidence of lateral movement, privilege escalation, and also, really, is there any kind of unidentified earlier events that hadn't been picked up by alerting, or any subsequent events that may be relevant to our investigation as well, just to give an indication of the scope of the incident potentially, or any sort of related activity that may be relevant. This is also where we might look at, if we were doing a formal incident report, we could then also go ahead and do some of our impact assessment at this sort of stage. Then we would move on to a brief conclusion, just to really highlight what matters most about our findings, with the benefit of the findings we have from our investigation and the knowledge we have from that, but also we could probably then put in a nice clear, useful statement about the classification: is this actually a true positive to be concerned about, a false positive that needs addressing, or is it benign activity? Then if it is a true positive, I would include a nice clear statement about any remediation steps taken, with evidence if possible, just to show what's been done up to this point so everyone knows what actions have been taken. And then finally, next steps and a call to action for your reader, with any immediate actions that need to be performed but also any sort of future actions for the reader as well.

Finally we have our build your own knowledge base. This one is for yourself; if you are analysts already working in that role, this one is very much for you. So really, instead of relying on other tools or copying and pasting from previous reports, the idea is just to put in the work: use your own research, use your own knowledge and experience here, draw on that, and make sure that you're actually able to provide that context that only we can really use to add that value, because at the end of the day, what's stopping the client from going ahead and putting it into ChatGPT and writing their own reports? Wouldn't that be horrible? We're the ones that can add that value.

So, top tips: know your audience, context is your friend, and again, build your own knowledge base. That's what's going to make you a better analyst in the longer term. So we've got a brief example here just to finish off of a much more contextualised investigation summary. Don't worry about reading the details; again, I'll get you the slides if you want them. The key take-home point is that there's much greater contextual detail, there's also much more evidence, including confirmation of the activity, and as well we have a brief conclusion with a very clear classification statement, stating that again no further action is required because the activity is benign.

So we've reached the end of our talk today. Sorry again, and thank you so much for your patience at the beginning. If there's time for any questions I'll be happy to answer them; if not, please do go ahead and look me up on LinkedIn. I don't have a nice QR code, because the temptation to Rickroll you would just be too great. Thank you so much for choosing to spend your time with me this afternoon, you've been absolutely fantastic, I really appreciate it, and I hope you enjoy the rest of your day. And thank you so much to the team at BSides and to my mentor Javad as well, I really appreciate it.
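An added example, not from the talk, that puts the speaker's UTC-timeline tip into code: events logged by different sources in different time conventions are normalised into one sorted UTC timeline, and any event with no timestamp at all (the "missing timestamp" problem from the sample report) is listed separately so the gap is visible rather than silently dropped. The sources, events, times and the assumed UTC+9 local offset for the naive "AD" timestamps are all constructed for this example.

```python
"""Build one UTC timeline from SOC events logged in different time conventions.
Sample data and the local-offset assumption below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class Event:
    source: str    # tool or log that reported it
    raw_time: str  # timestamp exactly as that source wrote it; may be empty
    actor: str     # who
    action: str    # what
    host: str      # where

# Constructed sample: three timestamp conventions plus one event with no time at all.
SAMPLE_EVENTS = [
    Event("EDR", "2024-03-05 09:14:02 +0000", "jdoe", "phishing link clicked", "LAPTOP-17"),
    Event("Proxy", "2024-03-05T04:13:55-05:00", "jdoe", "GET example.test/invoice.pdf", "LAPTOP-17"),
    Event("AD", "2024-03-05 17:20:41", "jdoe", "interactive logon", "DC01"),  # naive local time
    Event("Ticket", "", "analyst", "alert triaged", "SOC"),  # the classic missing timestamp
]
# Assumed: the AD source logs naive local time at UTC+9. A naive timestamp from any
# source not listed here is treated as UTC, which itself deserves a note in the report.
LOCAL_OFFSET = {"AD": timezone(timedelta(hours=9))}
FORMATS = ("%Y-%m-%d %H:%M:%S %z", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S")

def to_utc(ev: Event) -> Optional[datetime]:
    """Parse ev.raw_time into an aware UTC datetime; None when the timestamp is missing."""
    if not ev.raw_time.strip():
        return None
    for fmt in FORMATS:
        try:
            dt = datetime.strptime(ev.raw_time, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"{ev.source}: unrecognised timestamp {ev.raw_time!r}")
    if dt.tzinfo is None:  # naive: attach the source's assumed local offset
        dt = dt.replace(tzinfo=LOCAL_OFFSET.get(ev.source, timezone.utc))
    return dt.astimezone(timezone.utc)

def build_timeline(events: List[Event]) -> Tuple[List[str], List[str]]:
    """Return (chronological UTC timeline lines, lines for events lacking a timestamp)."""
    dated, undated = [], []
    for ev in events:
        t = to_utc(ev)
        (dated if t else undated).append((t, ev))
    dated.sort(key=lambda pair: pair[0])  # who | what | where, ordered by when
    describe = lambda e: f"{e.host} | {e.actor} | {e.action} ({e.source})"
    timeline = [f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} | {describe(e)}" for t, e in dated]
    gaps = [f"NO TIMESTAMP | {describe(e)}" for _, e in undated]
    return timeline, gaps
```

Run on the sample, the AD logon (17:20 local, UTC+9) correctly lands before the proxy request and the EDR alert, something the raw local times would have hidden.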