“What Do You Guys ‘Actually’ Do?”
by Jose Nazario
A question we’re asked by many an interested party. I’ll give you my perspective on what it’s like to be a part of the Arbor Security Engineering & Response Team (ASERT).
It’s Microsoft patch Tuesday, and that just adds to the workload. We’re busy here in Ann Arbor, people getting ready for our annual poker tournament during BlackHat (I won’t be there, but Sunil, Jeff, and Mark, among others, will be), customer visits, analyzing stuff, helping our field staff, and more. Here’s a brief, sanitized rundown of my day, a sort of typical one (interrupted by that darn MSFT!):
6:45 AM: Wake up. It’s summertime, I’d like to enjoy all the sunshine I can. And, if I’m to ride my bike in, I’d like to avoid traffic.
7:00 AM: Really get out of bed (I hit snooze too often), wander over and fire up my laptop. Check out Infosec Daily for what transpired overnight.
7:15 AM: Grab breakfast, go back to laptop. Read news and intelligence digests that built up overnight. Make some mental notes for later in the day.
7:30 AM: Shower, dress, etc.
8:00 AM: Kiss my wife and head out the door.
8:30 AM: Get in the office, grab a cup of coffee. Start working on our internal daily threat briefing (soon to be customer-facing!).
9:00 AM: Nearing the end of the morning’s briefing, check a few more things. Intersperse some casual reading (politics, friends, etc).
9:15 AM: File a report about an Alaska Credit Union phish. That’s odd… make a mental note to see if phishing attacks are indeed up over the past few days. The Alaska site goes offline a few hours later, w00t.
9:45 AM: Send out daily threat briefing to the field.
10:00 AM: After a short break, look at some more intelligence reports a bit more closely. Drop in on the TdF on the TV in the breakroom to get a sense of who is going to do well before the mountains.
10:30 AM: Discuss recent botnet workshop stuff with Farnam in the office. Good notes coming out of that meeting.
11:00 AM: Code review of some proposed internal tool changes.
~12:00 PM: Head to lunch. Since I’m not eating much lately (and biking more), I’m especially hungry.
1:20 PM: Call with Dark Reading’s Kelly Jackson Higgins regarding Detnat malware. Arbor’s Active Threat Feed (ATF) service, as included in the Peakflow platform, has been detecting this for about four weeks now.
2:00 PM: Call with a trial customer reviewing recent threats.
2:30 PM: ATF policy development, mostly enhancements to the language to improve our alerting conditions.
3:15 PM: Note that some (external) folks are seeing UDP port 2 traffic spike up, they investigate and conclude it’s Windows popup spam. Must be a broken tool…
3:30 PM: Review the MSFT security bulletins. Only one looks nice and juicy for us. Prepare notes for tomorrow’s threat briefing.
4:30 PM: Look at how to use Google to find malware. Nothing special, but it’s received some attention lately (shoutz to the Websense guys!).
5:30 PM: Get inspired for a blog post after noting how crazy my days are, try and recall what I did all day. It’s been too long since I blogged.
Sadly, today doesn’t include malware analysis or any hardcore stuff, but it does cover what a majority of my day entails: consuming information and passing on what needs to be passed on. What have my co-workers been up to? Coding, developing, prototyping, and reviewing other teams’ work (which is great stuff, I might add; people are going to LOVE Peakflow X 3.6).
Lots of stuff in the works here in the ASERT; we hope to be showing more of it to everyone soon. Oh, and I wound up not riding my bike in. Rain, big heavy thunderstorms were predicted and were delivered (at least briefly).
It’s amazing! Don’t you read e-mail? Bugtraq, Mailing Lists? I am just curious, how much time do you waste on e-mail daily?