What are analytics?
If you’re like me, you may have heard the term “analytics” thrown around a few times. Or many times. I find myself slipping deeper and deeper into the latter population. And I always had an idea for what it meant, but nobody had ever defined it. Worse, when I looked it up, it was always a vague concept that I couldn’t get a straight answer on (see Merriam-Webster’s definition of analytic, as a starting point for why this term as it’s commonly applied today can get confusing).
Let me start with this: it’s not overly complex.
Let me clarify: it doesn’t have to be overly complex.
An analytic, singular, is a tool or line(s) of code that enable the discovery of “something.” That’s pretty much it. So if that’s the case, analytics, plural, would be a series of these tools or line(s) of code that enable you to find one or more “somethings.”
To distill this a little bit, let’s say I go to google.com to find a restaurant for my wife and me to go to. We’re going on a date, so I’d like it to be fancy. We would also like to try something close by our zip code, 12345. Lastly, we’re both in the mood for Italian food. Given each of these requirements, I could separate each like they are individual analytics:
- Fancy restaurants
- Italian restaurants
- Restaurants near 12345
So there are my analytics. When strung together, these might read: “fancy Italian restaurants near 12345,” which will help me find (hopefully) one or more options that fit the desired type of restaurant for our date night. If I want to scope it down a little more, I can run some more analytics (i.e. restaurants that require formal attire, restaurants that only serve in the evening, restaurants requiring a reservation).
Let’s Find Evil!
In the world of cyber security, each of these analytics is a tool that allows us to find some form of vulnerability or malicious activity. Simply put, I may want to find a malicious program running on my computer. A way to do this would be to write a script that looks for whatever that malicious program might be (perhaps a .exe file, which is simply a file that is executable — it starts, it runs, it does something). So my analytic would look for meaningoflife.exe, and if it finds meaningoflife.exe then my analytic has served its purpose and (unfortunately) I have found what turns out to be something malicious on my computer.
Altering this slightly as we head deeper into the concept, maybe I know what meaningoflife.exe is, and it’s a perfectly good program that my computer needs to properly execute some important function. So that original analytic is a dud, then, right? Not exactly. Let’s say a vulnerability tied to meaningoflife.exe is discovered. Exploiting that vulnerability may launch a process that does something like call out to a command and control system that enables Mr. Adams (arbitrary name selection) to do something malicious on your system. That said, if I know that meaningoflife.exe has this vulnerability and some process (we’ll call it process 42) might execute when I start meaningoflife.exe, I need to create an additional analytic that looks for the execution of meaningoflife.exe in conjunction with process 42 being initiated. If I find these two things together, I’ve found the vulnerability being exploited.
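To make the two analytics above concrete, here is an added example (not code from the original post) that runs them over a handful of constructed process-creation events. The child name process42.exe, the event fields and every sample value are assumptions made up for illustration; the point is that the second analytic ties the child to the exact parent process by pid, not just by name.

```python
"""Two toy detection analytics over constructed process-creation events.

Added example, not code from the original post. Event fields, the name
"process42.exe" and all sample values are constructed for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    ts: int          # seconds since start of the capture (constructed)
    pid: int
    ppid: int        # pid of the process that spawned this one
    image: str       # process image name, e.g. "meaningoflife.exe"

# Constructed sample telemetry: a benign start of meaningoflife.exe,
# then a second start that spawns the suspicious child "process42.exe".
EVENTS = [
    ProcEvent(1, 100, 1, "explorer.exe"),
    ProcEvent(2, 200, 100, "meaningoflife.exe"),   # benign run, no child
    ProcEvent(3, 210, 100, "notepad.exe"),
    ProcEvent(9, 300, 100, "meaningoflife.exe"),   # run that gets exploited
    ProcEvent(10, 310, 300, "process42.exe"),      # child of pid 300
    ProcEvent(11, 320, 100, "process42.exe"),      # same name, unrelated parent
]

def analytic_program_present(events, image="meaningoflife.exe"):
    """Analytic 1: the program ran at all (the post's first, naive check)."""
    return [e for e in events if e.image.lower() == image.lower()]

def analytic_exploit_chain(events, parent="meaningoflife.exe",
                           child="process42.exe", window=30):
    """Analytic 2: parent starts, then child is spawned by that exact
    parent process within `window` seconds.  Parent identity is checked
    by pid/ppid, not by name, so an unrelated process42.exe is ignored."""
    parents = {e.pid: e for e in events if e.image.lower() == parent.lower()}
    hits = []
    for e in events:
        if e.image.lower() != child.lower():
            continue
        p = parents.get(e.ppid)
        if p is not None and 0 <= e.ts - p.ts <= window:
            hits.append((p, e))
    return hits

if __name__ == "__main__":
    print(len(analytic_program_present(EVENTS)), "runs of meaningoflife.exe")
    for p, c in analytic_exploit_chain(EVENTS):
        print(f"ALERT: {p.image} (pid {p.pid}) spawned {c.image} (pid {c.pid})")
```

Analytic 1 fires on both runs of meaningoflife.exe, while analytic 2 fires only once, on the run whose own child is process42.exe.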
Jumping back to the specific use of these words, where I’ve most often been confused is when people say things like, “we do analytics.” Why? Because we don’t do lines of code. We run lines of code. We create lines of code. And usually our analytics are enabled by some sort of tool — like PowerShell (Windows scripting), or Bash (Linux scripting) — through which they are able to detect something. We “run analytics,” perhaps. But saying things like “we do analytics” really just confuses the concept for semantic reasons. Unless you’re just trying to say that you specialize in building analytics. But even then, that’s not how I think most people are using it. So, to be clear, it can be confusing. But it doesn’t have to be.
A great resource for looking at some analytics is the MITRE Cyber Analytics Repository, which has a great name that describes exactly what it is. If you’re not familiar with MITRE, it is a not-for-profit organization that is focused heavily on research and development related to technical problem sets. As it relates to cyber security, MITRE is the organization responsible for developing the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) Matrix, which is a great resource for digging deeper into a variety of different adversary tactics. If you’re even remotely interested in digging into the world of cyber security, this is a great place to start looking at the massive variety of tactics and techniques that adversaries employ.
Until next time, cheers!
- “Analytic” defined: https://www.merriam-webster.com/dictionary/analytic
- MITRE ATT&CK Matrix: https://attack.mitre.org/
Original securitydistilled.com post, November 18, 2020