How to get the best out of your research

Pablo Ramos
Mar 3, 2018

Long story short, I was contacted by a former colleague who had a question about ongoing research he has been working on and what to do with it. Sometimes doing research is a lot of fun, but one of the most common mistakes I’ve seen, and have committed so many times myself, is not knowing when to share your results, move on, or simply get some help.

My friend had a few questions about what to do: he had invested a considerable amount of time, and as things got bigger, some questions were still unanswered. Should that stop you? I would say no.

In the age of APTs, state-sponsored attacks, and DDoS of unprecedented scale, like the one that just hit the folks at GitHub, sharing what you know can be key in helping people protect themselves or their business. On the other hand, pointing fingers at who’s behind it, what happened, and what you know might become an arms race for businesses, and in some cases it just generates hype, while the folks in the communications teams count the number of views, clicks or shares of the latest post/paper/video published (such a great metric, no?).

One of the things I like about research is that you can share it so that peers can learn from what you did, use your insight to better protect their systems, or get back to you with a part of the story you didn’t know about, and collaborate to do something better. I’ll share some of the questions I asked my friend for him to answer and decide whether he should publish or not.

Why are you investigating this?

I tend to be a curious person, and most of the investigations I ended up working on, at least back at ESET, were initiated by a question as simple as: what is this malware family doing? When you start looking at a binary or piece of code you start asking yourself what they are doing with it, and by pulling the strings you can uncover a hell of an operation behind it.

Talking about the use of malware for stealing money, abusing systems or spying on people: when you come across these operations you might ask yourself what to do with them. Some of the reasons could be:

  • Detection/Identification: you want to ensure that you will not miss a new piece of malware associated with it. Keep track of the infrastructure the bad actors are using and their TTPs, and build up a whole story. If you’re looking at crimeware, many bad actors might use the same families, so how do you identify them?
  • Disruption: you want them to cease their operations or at least stop targeting your company or your customers.
  • Monitoring: you silently watch and keep track of all their activities, and learn their tactics, their working hours and their evasion techniques (if you’re deploying some detection).

There are plenty more, but I’m trying to limit the scope to the story; you might figure out where this is coming from, but I ain’t going to tell you.

Why do you want to publish your investigation?

It might seem like an obvious question, but sometimes not publishing can be the better move if you’re after someone or something specific. If you’re aiming to generate awareness so people can look back at their data and figure out whether they’ve been a victim or not, just go for it. Once it’s out and starts getting picked up by peers and the media, you’ll get some attention (good or bad) and hopefully more data can flow your way.

Publishing an investigation can lead other people who were looking at the same things you did to start sharing. If you’re doing it as part of a business, being first is important, but sometimes being right is even better. Back in 2011, when looking into Dorkbot, I was not the only one looking at this botnet, but still, sharing what I knew was good, had some impact, and led me to more information about this worm.

A good reason not to publish something is if you’re gaining an advantage from what you discovered, or if doing so will alert whoever is behind it that you’re looking at them, so they’ll start looking at you. This can lead to some trouble, depending on the scope and the activity of the bad actors. Think about gangs, state-sponsored actors and that kind of stuff. In some of those cases a little heads-up that you’re tracking them can be good to try to disrupt some operations, mostly those related to crimeware (at least in my opinion!).

When to publish what you have?

If you know why you’re doing it and have decided to share your work with the community, it’s time to decide what you’ll publish and when. If publishing first is your goal, and you’re going to move ahead with your activities, you can use this to your advantage and share little pieces of information as you go.

Publishing as you advance in your investigation will add some extra pressure to keep on track and can also have immediate impact. It’s good to tell a story about your process, your findings, and the evolution of the investigation. The risk of doing this is that people can catch up with you and you’ll have direct competition, but I still believe this is good for the community.

Another option is publishing at specific milestones of your research or investigation. Some good examples to follow are all the papers about APTs and how they evolved over time. Bad actors know they’re being watched, and when you publish they know they’re being watched by you. APT updates are the order of the day for lots of companies, as they have a huge impact on the media and the community.

When to stop?

If there is an error that I’ve committed many times, it is not knowing when to stop. Personally I’m like a dog who is not ready to give up his bone, and just keeps it there for a later time.

One of the most important points about your investigation is the why that we talked about. There are many times when you can reassess your goals and scope, but having a clear objective is key to not losing track.

Every investigation has a turning point; at that stage the returns of continuing your work might not be as good as expected. Up to this stage you can decide whether it’s possible to keep monitoring the information while allowing yourself to move on to something new, or pass it along to a different team or researcher.

When passing your work to other teams is not an option, you’ll need to close the investigation out, either by publishing all you have or by simply stopping. I’ve tried a few times to keep it alive just because there are always more questions you might have, but that can turn into something not productive at all.

Takeaways?

Research is fun. Most of the time it is up to you when to stop and what to look for. Nevertheless, questions and challenges will always be part of it. Data will not reflect your hypothesis, bad actors’ behaviour will change depending on their goals, not yours, and way too many other things will happen.

It’s a process, and as such you’re in charge of figuring out what to do and how, but if your goal is to share your findings with the community, keep in mind that you need a story to share, something that would help other investigators, companies or people take something away. You’ll learn the process the more you do it, and I’m still learning what to do myself. If you have questions, I’m happy to talk about them!

PS: my friend’s research will hopefully see the light in the next couple of months, and it’s really good content.

Pablo Ramos

Infosec researcher, traveller, kitesurfing enthusiast. I just like to think out loud.