Your wife is cooking dinner and burns the biscuits. The smoke alarm goes off. Do you throw it in the trash? Do you say, “There wasn’t any fire!” and stop using it? No. It did it’s job. It detected smoke. There just wasn’t any fire. That time.
Being an intrusion analyst is like that. It’s your job to escalate when you see smoke. There might not be any fire, or there might be. You do your best to validate the event, use all your resources to investigate, but there’s still a chance there might not be any fire. Don’t let that concern you. I’ve heard it referred to as the “boy who cried wolf syndrome”. Analysts who hesitate to escalate something because of fear they’ve made a mistake or because they’ve been wrong in the past. You can’t be that person.
You are a front line of defense. Your job is to alert when you see the enemy coming, not unlike a watchman in a medieval tower. If that watchman sees a big army coming over the hill far, far away, and waits until it gets closer so he can see whose army it is, he may have sentenced all the castle dwellers to death.
Fortunately the consequences of not escalating aren’t quite that dire (but could be if you work in ICS, but that’s another story entirely), but you might have seen the beginning of a compromise. It could be a malware outbreak or a data breach and you’ve not given your organization a chance to shut it down. Don’t worry about being wrong. Worry about not alerting and letting that attack continue. Like Geico says, it’s what you do.
This is a Security Bloggers Network syndicated blog post authored by JeffSoh. Read the original post at: JeffSoh on NetSec