Writings from the intersection of law enforcement and the Internet

Know Normal

A current buzz term within the computer and network forensics world is “Know Normal”. It means that you must know what your computer system looks like under normal conditions so you can quickly recognize when something isn't normal. The concept has been popularized by the computer security training organization SANS Institute and is taught in several of its courses. It is not hard to grasp and is based on simple common sense. How can you know if an attacker is working and making changes in your computer network if you don't know what your computer network should look like? Is that an authorized user? Is that file part of the system, and why is it here? Is that a normal application to find running inside of Windows? Do we as a business use this software? If you don't know what should be going on within your network, you will never know when something bad is going on within your network.
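The questions above (is that an authorized user, is that file supposed to be here, is that process normal) all reduce to comparing the current state of a host against a recorded known-good baseline. The following Python script is an added example, not code from the original post or from SANS: it builds a baseline snapshot of users, running processes and file hashes, takes a later snapshot, and reports every deviation. Both snapshots are constructed sample data, and the path and process names in them are made up for the illustration.

```python
"""Baseline comparison: the "know normal" idea as a small script.

A defender records a known-good snapshot (users, running processes, files with
hashes) and later compares a current snapshot against it. Anything that is not
in the baseline, or has changed since, is flagged for a human to look at.
"""
import hashlib


def fingerprint(data: bytes) -> str:
    """Content hash used to detect a file that was replaced or altered."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_snapshot(users, processes, file_contents):
    """Normalise raw observations into a snapshot of sets and file hashes.

    file_contents maps a path to the bytes read from it; on a real host you
    would read the files from disk, here the bytes are supplied inline.
    """
    return {
        "users": set(users),
        "processes": set(processes),
        "files": {path: fingerprint(data) for path, data in file_contents.items()},
    }


def compare(baseline, current):
    """Return every way `current` differs from the known-good `baseline`."""
    base_files, cur_files = baseline["files"], current["files"]
    return {
        "new_users": sorted(current["users"] - baseline["users"]),
        "missing_users": sorted(baseline["users"] - current["users"]),
        "new_processes": sorted(current["processes"] - baseline["processes"]),
        "missing_processes": sorted(baseline["processes"] - current["processes"]),
        "new_files": sorted(set(cur_files) - set(base_files)),
        "missing_files": sorted(set(base_files) - set(cur_files)),
        # Same path present in both, but the content hash no longer matches.
        "modified_files": sorted(
            p for p in base_files if p in cur_files and base_files[p] != cur_files[p]
        ),
    }


def is_normal(findings) -> bool:
    """True only when nothing deviates from the baseline."""
    return not any(findings.values())


def report(findings):
    """Human-readable lines, one per deviation, for a ticket or an alert."""
    return [f"{kind}: {item}" for kind, items in findings.items() for item in items]


# Constructed baseline: what the host looked like when it was known to be good.
BASELINE_SNAPSHOT = build_snapshot(
    users=["root", "alice", "svc-backup"],
    processes=["sshd", "nginx", "cron", "rsyslogd"],
    file_contents={
        "/usr/bin/ssh": b"known-good ssh binary (constructed)",
        "/etc/cron.d/backup": b"0 2 * * * svc-backup /opt/backup.sh",
    },
)

# Constructed later snapshot: an extra account, an unknown process, a changed
# binary and a new file have appeared. None of these are "known normal".
CURRENT_SNAPSHOT = build_snapshot(
    users=["root", "alice", "svc-backup", "support"],
    processes=["sshd", "nginx", "cron", "rsyslogd", "unknown-helper"],
    file_contents={
        "/usr/bin/ssh": b"ssh binary with different contents (constructed)",
        "/etc/cron.d/backup": b"0 2 * * * svc-backup /opt/backup.sh",
        "/tmp/.cache.sh": b"new file not present in the baseline (constructed)",
    },
)

if __name__ == "__main__":
    findings = compare(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)
    print("normal" if is_normal(findings) else "deviations found:")
    for line in report(findings):
        print("  " + line)
```

The script does not decide whether a deviation is malicious; it only answers the narrower question the post poses, "is this what the system normally looks like?", and hands everything else to an analyst. In practice the baseline has to be refreshed after every authorized change, or the comparison drowns in expected noise.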

This concept is nothing new within the science of policing and has been passed down from one generation of officers to the next. It's an early lesson taught during the field training program. Maybe not in such a formalized way as SANS instructs it, but a lesson that is quickly reinforced by real-world application. I suspect that someone within the SANS organization adapted it, rightly so, to fit the computer network security field.

In general, police patrol officers are assigned areas of concern. Depending on the agency this may be called a beat, zone, or sector, but it is some geographic area that an officer is primarily responsible for patrolling and answering calls for service. An officer will spend a lot of time in that area, usually eight and sometimes 12 hours per day depending on the schedule the department works. That is a lot of time to watch the normal happenings of that small piece of the world. Officers get to know how the area works as a functioning micro community set aside from the larger society as a whole. When the UPS driver comes every day. What time the businesses open and close. Which businesses get early or late deliveries. Who the vagrants, beggars, and bums are, where they like to be during the day and where they sleep at night.

It gets even more granular in the residential neighborhoods. Drive through a neighborhood with a good cop and they can tell you who lives where, who is having marital problems, who stays up late and who leaves early for work. They know what cars people drive and, likewise, when a vehicle is parked on a street where it shouldn't be.

Good patrol officers know what their beat looks like under normal conditions and quickly recognize when something is out of place. When a vehicle is parked behind a business where it shouldn't be. When a person who is not from the area is walking down an alley. When a light is on inside a business that is normally dark at 1am.

Know normal... so you can recognize when it isn't.