Information Collection in Cybersecurity
The NICE framework is designed by NIST to provide a common vocabulary and definitions for various cybersecurity jobs and skill sets. Within the framework, various different jobs are defined, and the associated tasks and skill sets are outlined.
An important task within cybersecurity is collecting and analyzing data. In this post, we’ll describe some of the job roles that perform this task within the cyber-domain, the necessary knowledge and skills to do so and how to obtain this knowledge and skill set.
Who Does Cyber-Information Collection?
Within the NICE framework, NIST defines three different job roles that perform cyber-information collection: exploitation analyst, target network analyst and cyber-operator. While these jobs can perform very different duties, they use many of the same tools, techniques and procedures in the data collection stage of their work.
An exploitation analyst is a cybersecurity practitioner that focuses on identifying weaknesses and potentially exploitable vulnerabilities in a target network. Their data collection is focused on gathering useful data about the target network, analyzing it with an eye for weaknesses and determining whether or not a potential attack vector exists.
A target network analyst takes advantage of technology to collect data about and track a human target. This type of analyst will use open-source data and anything that can be collected from the target’s devices to build a profile about an individual and determine their usual patterns, networks and more.
A cyber-operator is similar to an exploitation analyst but focuses on breadth rather than depth. The goal of a cyber-operator is to collect data from a variety of sources to find, track and exploit potential targets. The majority of this role is data collection and processing; however, they might perform exploitation actions if necessary.
What Do I Need to Know?
While these are three very different jobs, they operate in similar ways. All three will need some fundamental knowledge, the ability to perform data collection and processing and understanding of the legal implications of their role.
To effectively perform any of the job roles that perform information collection, it is necessary to know the fundamentals of computer science. Important data could be stored on a variety of different media, and an analyst needs to know how to collect it regardless of location.
The main sources of data for a cyber-information analyst are the endpoints and the network. An analyst should be familiar with the main operating systems (Windows, Linux, Mac, Android and iOS), where useful data could be stored on these devices (file system, RAM and so on) and how to navigate these devices and extract the data.
Analysts must also be competent with collection of network data. This could include setting up monitoring devices, analyzing the collected data and knowing what to look for (statistics, hidden data and so on).
Data Collection and Processing
A cyber-data analyst has the responsibility to effectively perform each step in the data analysis process. Each of these steps requires certain knowledge, skills and abilities.
1. Creation of Collection Requirements
The first step in the data collection process is identifying what data needs to be collected. Accomplishing this requires the ability to identify gaps in currently-collected data, determine what data needs to be collected and know where that data can be found.
An important skill for accomplishing this step is knowing possible sources of data. For example, knowing what data can be collected from endpoints, networks, open-source data, databases and so on is valuable for defining and scoping the collection effort.
2. Data Collection
Once the collection effort has been defined, the next step is performing the actual collection of the data. This stage of the process also requires knowledge of the sources of data but is focused on the methods and tools necessary to perform collection without introducing artifacts.
Collected data is rarely perfect. Before performing any analysis, it’s often necessary to perform preprocessing. This allows the analyst to remove any obvious errors or artifacts in the data, identify collection gaps that need to be filled and standardize or transform the data into a usable format. At this stage in the process, an analyst would benefit from a background in data analysis, since specific tools and techniques are necessary for completion.
The analysis stage of the process is where a background in data science is most valuable. At this stage, the analyst needs to be familiar with the statistical and data-mining tools and techniques necessary to turn raw data into usable intelligence that can prove or disprove the analyst’s hypotheses. The analyst should also have programming and scripting abilities in order to perform analysis efforts at scale and in an efficient manner.
A final and important stage in the process is reporting. At this stage, the analyst develops visualizations and reports that enable any stakeholders to understand the collection and analysis efforts and the results and conclusions drawn from the analysis.
An important consideration throughout the data collection process is the laws and regulations around data collection. A cybersecurity data collector must be familiar with any and all laws and regulations that limit what data can be collected, how it can be collected and how it can be used once it has been collected.
An example of this is the recent General Data Privacy Regulation (GDPR) that went into effect in the EU in May 2018. Under this law, organizations must explicitly inform European citizens of any uses of their personal data. The definition of personal data has been widened as well, making this a significant limitation to data collection.
Other significant regulations include HIPAA, PCI, SOX and CCPA in the United States. Other regulations may exist based on the jurisdictions involved in the data collection process, and it is the responsibility of the analyst to be compliant throughout the process.
How Do I Get Started?
As described above, all three job roles use similar tools and techniques to accomplish their goals. An applicant should have a broad base in the necessary techniques, with depth in certain areas determined by the specific role.
The general knowledge necessary for all roles is a background in computer science, data analysis and cybersecurity. Computer science teaches the fundamentals and potential sources of data, data science helps with the processing and analysis, and cybersecurity may be necessary for collection, understanding and acting upon the collected data. Many good resources exist for getting this background, and it may be a good idea to look into the Certified Ethical Hacker (CEH) exam, as it proves that an applicant has the computer science and cybersecurity knowledge for the role.
Beyond the general background, it may be wise to focus on certain areas based on the specific role that data collection will support. For example, an exploitation analyst should focus on understanding endpoint and network vulnerabilities, a target network analyst might focus on open-source intelligence and a cyber-operator may specialize in reconnaissance.