Finding The Hidden InfoSec Story

The Ghostly Side of Bug-Hunting

Photo Credit: Grendl via Compfight cc

I have few vices in life but there is a TV programme called “Ghost Adventures” that has really caught me and yes, I’d go as far as saying I’m a little addicted. It’s a fun programme led by ‘Zak’, who “wants to capture on film what he once saw” – a ghost. So he and his team go to haunted locations all over the world, but mainly in America to suit the audience, in some hope of capturing evidence of ghosts. It’s all scientific despite the “for entertainment only” caption at the start of the showreel.

Each location they visit is similar in the way it plays out. The team goes to a highly active supernatural location with lots of ghostly sightings or spooky activity. They start by interviewing people who have seen the ghosts or supernatural activity. They also try to interview them on site if possible, asking as many questions interplayed with suitable sound effects to create an ambience.

If there is a potentially interesting room or location, they mark it with an X to come back to it later. As evening falls, the crew goes in to lock down. In other words, they are sealed off from the rest of the world to conduct their paranormal investigations. No-one else can interfere with their results. With no big camera crews following them around, Zak and his team, Aaron and Nick, set up a base camp where they store their equipment. They set up static night-vision cameras pointing at interesting places hoping to capture something in the event they get nothing themselves. The team then wander seemingly randomly, waving night vision cameras around in the pitch black, listening to random noises on simple electronic devices trying to catch voices from beyond the grave or trying to record video of a ghost. They occasionally will stay in the spookier rooms or areas and ask questions to the ghosts or spirits to try and establish that the ghosts they are talking to are indeed from this site and that they are speaking to ghosts. At the end they then review their evidence – cue spooky music and montages of the last 30 minutes of the show.

It’s great bit of fun but let me show you the two analogies this fun TV programme can show us about our work lives.

Firstly is the formula. When you are doing incident management, there are set procedures to follow. Seal off the site if possible, e.g. forensic cloning of hard drives. Gathering the verbal or written evidence from those who discovered the incident, to learn what is normal and what to look for with regards to abnormal points, maybe flagging interesting points that they raise. Then go through the environment, checking for evidence, traces of abnormalities, things that look wrong, recording results but not necessarily analysing it during this phase. If need be, re-visit areas for further investigation and if need be, leave one investigator sat investigating one area while the others carry on. Then upon completion of the investigation (with no spooky music for ambience required), a summary report of the findings is created and issued to the person who is responsible for the environment with clear indicators as to what was found explained.

Before the incident has happened, there is a process and procedure for the investigators that can be followed and is understood by the entire group. The plan creates a holistic view of the investigation of an incident and gives clear structure as to how the evidence is sealed off, tools to be used during the investigation, who is going to use them and then the summary plan upon investigation. Unfortunately, Zak and his team do not include how to remediate this happening in the future, but hey, Ghostbusters disbanded a while ago!

Secondly, the tools. In ‘Ghost Adventures’ almost all of the video is shot in night vision – outside the human range. They claim this is where the spirits reside. Maybe we need to think like this in our own environments. If we all just used our regular tools, would we miss the actual evidence? As Einstein is quoted as saying, “Insanity is doing the same thing over again and hoping for different results.”

Next, there are the REM pods, digital recorders, thermal cameras – the list of tools to go spook hunting seems vast. And yet, when you start looking at what these tools do, they are actually very simple. Isn’t that the beauty in these scenarios? Having a simple tool set which is uncomplicated, with fewer variables to go wrong? How often have we looked at Threat Intelligence software, the bewildering screens with flashing lights and all, but, when you come to try and advise the Board on the latest threats, you seemingly have no clue as to what is going on!

I’m not suggesting that any of us only use just one tool, but are Wireshark, Nessus etc the only tools we should be using? Shouldn’t we be gathering evidence using a variety of tools and comparing the results to create a much more complete view of what is going on, not just one facet? We also need to be cautious about the static, was that an ethereal voice calling out, or just some static? Is that really a foreign state trying to hack in to your systems or has a user gone on holiday and is trying to save their job on a rush question but can’t remember the login?

We love the spooks in our industry that lurk in the shadows, but now with my slightly tongue-in-cheek look at ‘Ghost Adventures’ maybe it will give you all some food for thought about other shows we watch and how we can learn from them – anyone for a Scooby Doo analogy?

Author: Stuart Coulson

Share This Post On