Information Collection in Cybersecurity
The NICE framework is designed by NIST to provide a common vocabulary and definitions for various cybersecurity jobs and skill sets. Within the framework, various different jobs are defined, and the associated tasks and skill sets are outlined.
An important task within cybersecurity is collecting and analyzing data. In this post, we’ll describe some of the job roles that perform this task within the cyber-domain, the necessary knowledge and skills to do so and how to obtain this knowledge and skill set.
What should you learn next?
Who Does Cyber-Information Collection?
Within the NICE framework, NIST defines three different job roles that perform cyber-information collection: exploitation analyst, target network analyst and cyber-operator. While these jobs can perform very different duties, they use many of the same tools, techniques and procedures in the data collection stage of their work.
An exploitation analyst is a cybersecurity practitioner that focuses on identifying weaknesses and potentially exploitable vulnerabilities in a target network. Their data collection is focused on gathering useful data about the target network, analyzing it with an eye for weaknesses and determining whether or not a potential attack vector exists.
A target network analyst takes advantage of technology to collect data about and track a human target. This type of analyst will use open-source data and anything that can be collected from the target’s devices to build a profile about an individual and determine their usual patterns, networks and more.
A cyber-operator is similar to an exploitation analyst but focuses on breadth rather than depth. The goal of a cyber-operator is to collect data from a variety of sources to find, track and exploit potential targets. The majority of this role is data collection and processing; however, they might perform exploitation actions if necessary.
What Do I Need to Know?
While these are three very different jobs, they operate in similar ways. All three will need some fundamental knowledge, the ability to perform data collection and processing and understanding of the legal implications of their role.
Fundamentals
To effectively perform any of the job roles that perform information collection, it is necessary to know the fundamentals of computer science. Important data could be stored on a variety of different media, and an analyst needs to know how to collect it regardless of location.
The main sources of data for a cyber-information analyst are the endpoints and the network. An analyst should be familiar with the main operating systems (Windows, Linux, Mac, Android and iOS), where useful data could be stored on these devices (file system, RAM and so on) and how to navigate these devices and extract the data.
Analysts must also be competent with collection of network data. This could include setting up monitoring devices, analyzing the collected data and knowing what to look for (statistics, hidden data and so on).
Data Collection and Processing
A cyber-data analyst has the responsibility to effectively perform each step in the data analysis process. Each of these steps requires certain knowledge, skills and abilities.
1. Creation of Collection Requirements
The first step in the data collection process is identifying what data needs to be collected. Accomplishing this requires the ability to identify gaps in currently-collected data, determine what data needs to be collected and know where that data can be found.
An important skill for accomplishing this step is knowing possible sources of data. For example, knowing what data can be collected from endpoints, networks, open-source data, databases and so on is valuable for defining and scoping the collection effort.
2. Data Collection
Once the collection effort has been defined, the next step is performing the actual collection of the data. This stage of the process also requires knowledge of the sources of data but is focused on the methods and tools necessary to perform collection without introducing artifacts.
3. Preprocessing
Collected data is rarely perfect. Before performing any analysis, it’s often necessary to perform preprocessing. This allows the analyst to remove any obvious errors or artifacts in the data, identify collection gaps that need to be filled and standardize or transform the data into a usable format. At this stage in the process, an analyst would benefit from a background in data analysis, since specific tools and techniques are necessary for completion.
4. Analysis
The analysis stage of the process is where a background in data science is most valuable. At this stage, the analyst needs to be familiar with the statistical and data-mining tools and techniques necessary to turn raw data into usable intelligence that can prove or disprove the analyst’s hypotheses. The analyst should also have programming and scripting abilities in order to perform analysis efforts at scale and in an efficient manner.
5. Reporting
A final and important stage in the process is reporting. At this stage, the analyst develops visualizations and reports that enable any stakeholders to understand the collection and analysis efforts and the results and conclusions drawn from the analysis.
Laws
An important consideration throughout the data collection process is the laws and regulations around data collection. A cybersecurity data collector must be familiar with any and all laws and regulations that limit what data can be collected, how it can be collected and how it can be used once it has been collected.
An example of this is the recent General Data Privacy Regulation (GDPR) that went into effect in the EU in May 2018. Under this law, organizations must explicitly inform European citizens of any uses of their personal data. The definition of personal data has been widened as well, making this a significant limitation to data collection.
Other significant regulations include HIPAA, PCI, SOX and CCPA in the United States. Other regulations may exist based on the jurisdictions involved in the data collection process, and it is the responsibility of the analyst to be compliant throughout the process.
How Do I Get Started?
As described above, all three job roles use similar tools and techniques to accomplish their goals. An applicant should have a broad base in the necessary techniques, with depth in certain areas determined by the specific role.
The general knowledge necessary for all roles is a background in computer science, data analysis and cybersecurity. Computer science teaches the fundamentals and potential sources of data, data science helps with the processing and analysis, and cybersecurity may be necessary for collection, understanding and acting upon the collected data. Many good resources exist for getting this background, and it may be a good idea to look into the Certified Ethical Hacker (CEH) exam, as it proves that an applicant has the computer science and cybersecurity knowledge for the role.
Beyond the general background, it may be wise to focus on certain areas based on the specific role that data collection will support. For example, an exploitation analyst should focus on understanding endpoint and network vulnerabilities, a target network analyst might focus on open-source intelligence and a cyber-operator may specialize in reconnaissance.
What should you learn next?
Sources
- NICE Cybersecurity Workforce Framework, NIST
- Certified Ethical Hacker Certification, EC-Council
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Information Collection in Cybersecurity
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security