analyst experience Flashcards
1
Q
Expand on what an analyst does at a high level. Specifically, the process of gathering information, making inferences about that information, and then making a decision based on it.
A
- **Gathering Information (Data Collection):** Analysts collect data from various sources, such as:
  - SIEM systems (e.g., Splunk, QRadar) that aggregate logs from firewalls, endpoints, servers, and applications.
  - Network traffic data (using tools like Wireshark).
  - Threat intelligence feeds (such as open-source threat intel platforms, commercial feeds, and industry reports).
  - **System and application logs** that provide insights into user activities, authentication attempts, and system events.

  The goal here is to **gather as much relevant information as possible to have a broad view of the environment**.

- **Processing and Filtering Data:** After gathering raw data, analysts filter and normalize it to remove noise. This means:
  - Eliminating irrelevant data.
  - Correlating related events from different sources (for example, identifying that a login attempt and a malware alert came from the same machine at the same time).

  Analysts often rely on automated tools (SIEM platforms, IDS/IPS systems) to help correlate and prioritize alerts.

- **Analyzing Data and Making Inferences:** Once the data is processed, analysts start making sense of it:
  - Behavior analysis: Is this activity normal for the user or system? (e.g., is an employee logging in at 3 AM from another country suspicious?)
  - Threat correlation: Does this activity match known attack patterns? (e.g., scanning multiple ports could indicate a reconnaissance attempt.)
  - Risk assessment: What is the potential impact of this activity? (e.g., is this a phishing attempt that could lead to data exfiltration?)

  Analysts use their knowledge, threat intelligence, and historical data to infer the intent behind the observed activity: is this a false positive, a benign anomaly, or a legitimate security threat?

- **Decision-Making and Response:** Based on the inferences made, the analyst makes decisions such as:
  - Escalating incidents to senior analysts or incident response teams if it's a high-risk threat.
  - Containing the threat by isolating affected systems or blocking malicious IPs.
  - Mitigating the risk by applying patches, updating firewall rules, or disabling compromised accounts.
  - Documenting findings in reports or playbooks for future reference and improvement.

  Every decision is influenced by the severity of the threat, business impact, and organizational policies.
**Example Scenario:** Imagine your SIEM alerts you to unusual outbound traffic from a server to an unknown IP address.

- Gathering Info: You collect logs from the server, firewall, and endpoint protection.
- Processing Data: You correlate timestamps and see that this traffic started after a new application was installed.
- Analyzing Data: You recognize the IP as a known command-and-control server from a threat intelligence feed.
- Decision: You isolate the server from the network, initiate a malware scan, and report the incident for further investigation.