If archaeology floats your boat, in the UK there’s a TV series called “Time Team“. Each episode is fronted by the ever-enthusiastic Tony Robinson (best known for playing Baldrick in Blackadder), and documents a three-day excavation of interesting-site-du-jour.
Archaeology is a bit like tech forensics, in that it is the search for truth amidst a gigantic pile of stuff, some of which may be useful, some of which may not. Features (such as walls, ditches, post holes, etc) and finds (pottery, jewellery, medieval trash, etc) take the place of logs and NSM data, but the investigative methodologies have many parallels.
One astonishing episode was called “Celtic Spring”, which featured the team investigating a highly dubious site containing a hotch-potch of different things that really ought not be in such close proximity to one another. With open minds and their usual professionalism, they proceeded to expose what amounted to a hoax perpetrated by a nineteenth century cleric and twentieth century persons unknown. You can watch the episode here (have patience with the advertising, it soon passes!)
The point of this post concerns a spectacular find – an Iron Age sword, of which only two or three have ever been found in Wales. It wasn’t an ordinary iron age sword, either (if such a thing exists!), it was confirmed as a genuine La Tène sword from Switzerland – none of these have ever been found so far from home.
Dr Jones would have been ecstatic. He’d have rushed it back to Marcus and got it in the museum, probably after using it to escape from some dastardly trap.
However, the Time Team archaeologists weren’t so happy. They were cross. Some of them were absolutely livid. As they excavated the sword, they started to get the feeling that things weren’t quite right. It wasn’t buried very deep down. It was in an odd place to find such a thing. It was alone, with no other finds nearby. And most damning of all, it was above a buried strand of barbed wire, meaning it could only have got there after the wire did.
It turns out that barbed wire is a remarkably datable thing. The gauge and metal used, the nature of the twist and the pattern of the barbs all contribute to identification. This particular barbed wire was no more than twenty years old, meaning the sword had been in the ground for less time than this.
This was the cause of the archaeologists’ dismay. Yes, the sword in itself is a wonderful artefact, but, despite the antics of Dr Jones, archaeologists want to understand how people lived more than they want shiny trinkets for the museum. The sword had been removed from its original La Tène context and dumped unceremoniously in a Welsh ditch, presumably so the perpetrator could get his fifteen minutes of fame. Out of context, the sword is useless for understanding the La Tène culture. The archaeologists want to know who owned the sword, how they lived, how they died, and how they were prepared for their journey to the next world. Had the sword been found in context where it was left, these questions could have been answered. As it is, the sword is useless for these purposes.
Finally getting back to the NSM domain, the importance of establishing and investigating context is just as clear. Having Snort tell you it’s seen an instance of “Suspicious Inbound AlphaServer UserAgent” isn’t terribly useful on its own. It needs to be placed into context – when did it happen? What was the source? What was the destination? What exactly was the HTTP conversation all about? Did it have any impact? Only by taking the alert in the context of other indicators can answers be had. Even seemingly open-and-shut cases need to have their indicators put into context and investigated fully.
Indicators are hardly ever standalone entities – get out your trowel and brush, open a trench, and don’t stop digging until you have all the answers!
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at firstname.lastname@example.org