April 1, 2019 By Rob Patey 3 min read

At 8:30 a.m. this morning, a level 3 security analyst, Mikey “The Jedi” Allbright of [COMPANY NAME REDACTED], announced he’ll be leaving for the next six months due to “seriously fatigued fingers” and “a wonky eye” resulting from viewing and traversing too many screens in the course of his daily activities to ensure data security and compliance at [COMPANY NAME REDACTED].

We sat down with Allbright after this grandiose proclamation for further details. “All security analysts have it tough,” Allbright mused as he gingerly held his Darth Vader mug with his three fully operational fingers. “We’re ingesting data all day, every day, from a multitude of sources so we can detect the events that seem to be anomalous in nature, analyze those events to see if they’re actual threats and, finally, stop the threat if it’s an actual attack.”

When asked if the problem is on equal footing for junior or level 1 and 2 analysts, Allbright had this to say: “Security information and event management (SIEM) offerings have grown leaps and bounds since I moved from Windows tech support to the security desk eight years ago. Back then, if we pulled data from the firewall, for instance, we might only get an IP address sent back, all the other DNA of the event was sitting in unstructured logs.

“Today, the new kids have it relatively easy. SIEM providers have really upped the game on integrations and the correlation engines to give a full picture view of brute-force attacks. I mean, they still have their own challenges as the business grows and our data leaves the building, trying to secure let’s say mobile devices, but it’s nothing to the level I deal with each day. No one will be getting seriously fatigued fingers or a wonky eye.”

Physician’s Diagnosis Points to ‘Extreme’ Repetitive Stress Disorder

For further context, we continued the conversation with Allbright and his physician, Moonstone Riverbeam.

“This is a case of repetitive stress disorder taken to the extreme,” Riverbeam chanted.

Allbright interjected, “I’m responsible for finding the truly unknown threats, the ones that are coordinated and complex, that need the SIEM and a host of other systems to fully identify and ferret out. In a low and slow attack, the hackers will start their intrusion with a spear phishing email to an unsuspecting user within our company. To simply see if spear phising is taking place, I’m sifting through data across packet capture, web proxy, email gateway, detonation chambers, SSL/TLS inspection, DNS records and mail servers. Just culling the information is a ludicrous amount of clicks that whittles away the marrow of my finger bones. Now, imagine I have to collate and analyze that information in a spreadsheet. Welp, that’s many, many more clicks.”

Riverbeam provided no further comment, but we could hear mild weeping in the background before he hung up the phone. We then received a notice that Allbright’s phone card minutes were almost depleted, so he concluded with the following:

“That example above assumes we can stop a possible attack at intrusion, which is rarely the case. When you look at this from the lens of the MITRE ATT&CK framework, there is a multitude of other steps that occur before your company makes the news about being breached. Each of those steps from hackers performing data discovery, to lateral moves across systems, to exfiltration of data requires a whole other set of IT systems we need data from to provide a thorough investigation and hopefully stop the bad guys. I’m lucky to still have three working fingers.”

Company Leans on Design Thinking Approach in Security Analyst’s Absence

To bring balance to the acting forces in this story, we reached out to Allbright’s direct superior, the chief information officer (CIO) of [COMPANY NAME REDACTED], who asked to remain nameless. They said:

“While of course we have concerns about Mikey’s ‘condition,’ what scares me more is the time it’s taking our analysts to find these threats. I believe in the fortitude of the human finger, but each click that has affected Mikey is extra time we’re allowing rogue agents to run amuck in our environment.”

When I asked what the plan was moving forward while Mikey was healing, she said, “We built our security tools like a castle, adding new bricks each time an outside force came up with a new weapon in their arsenal. With Mikey gone, we need to add the same design thinking to security we used to build the rest of our infrastructure. Begin with the security outcomes we hope to achieve and integrate or add technology from there. Start with new rules, then we’ll add the tools. Also, I think Mikey is faking it. I wanted that out there since I doubt my sarcasm will come through in text.”

When I asked Allbright his plans during his convalescence, his eyes brightened.

“While I may be a Jedi and master threat hunter in IT security, I’m still only a Padawan (as recognized by the official Jedi Council of America). I plan to spend the next six months honing my lightsaber skills.”

When asked if he plans to wield the Jedi weapon of choice given his “condition,” Allbright wryly smiled and said, “I believe the Force will be with me.”

More from Threat Hunting

Racing Round and Round: The Little Bug That Could

13 min read - The little bug that could: CVE-2024-30089 is a subtle kernel vulnerability I used to exploit a fully updated Windows 11 machine (with all Virtualization Based Security and hardware security mitigations enabled) and scored my first win at Pwn2Own this year. In this article, I outline my straightforward approach to bug hunting: picking a starting point and intuitively following a path until something catches my attention. This bug is interesting because it can be reliably triggered due to a logic error.…

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today