Special thanks to mumblingsages for giving me the idea for this blog.
Let’s face it, we in the information security industry like conferences and talks. I’d wager it’s not because we like to hear ourselves speak, but because it’s a great way to set aside a short amount of time and learn something new. I find it ironic, then, that in my experience, most organizations don’t do this internally. I’m not even talking about a big to-do like Microsoft does with BlueHat. Very few organizations even have a weekly meeting where they go over the interesting and unusual cases they have worked.
Doing something like this isn’t a new concept—other industries have been doing it for ages. In the healthcare industry, doctors and medical students go on rounds to present their cases to their peers and the more experienced doctors. This happens in one of two ways: patient rounds where doctors discuss a patient and their line of care, and grand rounds where a patient’s case is presented in a more formal setting. Grand rounds are more analogous to an InfoSec person presenting at a conference, whereas patient rounds are more in line with what I’m talking about here.
A similar approach can be taken in Security Operations Centers (SOCs) everywhere. Setting aside an hour a week, analysts can do their own InfoSec Rounds to present an interesting case they worked on, how they proceeded through it, and what did and did not work. Everyone else in the group will benefit from this as they may not have seen this type of case before or may not have used the tools described by the presenter. This is also beneficial for the presenter, as others may have suggestions on different tools, sites, or techniques they could have used.
Interesting cases can also be turned into a mini capture-the-flag (CTF) contest. The presenter hands out the evidence and some questions to answer a day or two prior to the meeting. During the meeting, they walk through the case and answer the CTF questions along the way. I’ve found that gamifying incidents is one of the most effective ways to learn outside of a classroom.
So, what should you present during InfoSec Rounds? Anything that you’ve worked on. Obviously, the more unusual something is, the more interested your peers will be. However, even talking about the most mundane case will be beneficial to someone in the audience, especially if they are just starting out or if you used an unusual investigation method. And you never know, you might get asked a question or given a suggestion that takes your analysis in a direction you never thought it would go.
Don’t just use InfoSec Rounds to present cases you solved successfully. Everyone has trouble at some point, and rounds are a good way to get suggestions on what steps to take next. Present as much as you can, describing what you have done, and end your round by asking for suggestions on how to proceed. More often than not, you’ll find that others have had, and have overcome, the same issues you’re facing.
While you are listening to someone present, think of how they went through their investigation. Did they do anything unusual? Could they have used a different tool or technique that would have gotten them faster or different results? Was a technique used that you never thought of? Keep all of these in mind and when the speaker is done, ask questions or make constructive comments related to what you thought of.
I’ve focused on relating InfoSec Rounds to Incident Response (well, because IR is awesome!!!), but they can be done for any area of information security. On a red team? Talk about your latest attack. In Threat Intel? Discuss how you tracked down and associated that IP address with an adversary. In Identity and Access Management? Share what happened when you got 40 access requests at the same time. Every part of Information Security has those little puzzles that others have come across, or will. Talking about those puzzles does nothing but help others solve them before they run into them.
Utilizing InfoSec Rounds by spending an hour a week discussing the issues that members of your team have worked on is an exercise in fast knowledge transfer. Both sides of the round—presenter and audience—will benefit by learning how others handled a similar situation, or by providing suggestions on other ways it could have been handled. This will make your team, no matter what they focus on within information security, better at what they do and how they handle future situations.
Author: Tyler Hudak
Tyler has over 20 years of real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple organizations. He has spoken and taught at a number of security conferences about topics ranging from incident response to penetration testing techniques.