SlideShare a Scribd company logo
The
Investigation
Labyrinth
Chris Sanders
Security Onion Con 2016
Chris Sanders (@chrissanders88)
 Find Evil @ FireEye
 Founder @ Rural Tech
Fund
 PhD Researcher
 GSE # 64
 BBQ Pit Master
 Author:
 Practical Packet Analysis
 Applied NSM
Agenda
 Era of Analysis
 DFIR Cognitive Revolution
 Researching the Investigation Process
 Data, Data, and more Data
The economics of NSM are not in our favor –
how can we study the investigation process to
make it more efficient?
Economics of Security
“If you want to understand the world of nature,
master physics. If you want to understand the
world of man, master economics.” - Taufiq
Rashid
High
Demand for
Security
Expertise
Low Supply
of Security
Practitioners
Expertise
Services
Software
Evolution of NSM
 “The profession
[security] is so
nascent that the how-
tos have not been
fully realized even by
the people who have
the knowledge.”
 Every thought-based
profession goes
through a cognitive
crisis and revolution.
Ours is coming.
Symptoms of a Cognitive Crisis
1. Demand for expertise greatly outweights
supply
2. Most information cannot be trusted or
validated
3. Inability to mobilize and tackle big systemic
issues
The Cognitive Revolution in
DFIR
1. Understand the processes
used to perform
investigations and draw
conclusions
2. Develop repeatable
methods and techniques
for performing
investigations
3. Build and advocate
training that teaches
analysts how to think
about investigations, not
just how to use tools.
Investigations as Mental
Labyrinths
 The investigation is
the core construct of
information security.
 At a high level, an
investigation is a
series of decisions
that begets other
decisions.
 Defenders don’t
always know if
they’ve taken the
correct path.
Navigating the Labyrinth
Alert
OSINT
Reputation
File Hash
Sandbox
Behaviors
AV Detections
(VT)
Imphash
More File
Hashes
Friendly Host
Network PCAP
Host
Windows
Logs
Security Log
System Log
App LogRegistry
File System
Hostile Host Network
PCAP
Flow
Studying the Investigation
Process
 Goal:
 Increase Accuracy
 Decrease Time
 How do you study
something human
thought?
 Challenges:
 Creating unique
investigation scenarios
takes time
 There is no universal
set of tooling
A Scenario-Based Approach to
Investigation Analysis
 Create a tool-agnostic investigation simulator
 Make it portable and self contained
 Seed it with investigation scenarios where one
variable can be addressed at a time
 Allow it to log investigator actions and output a
log of decisions being made
SOC2016 - The Investigation Labyrinth
Additional Data Sources
Case Study
Analyzing the Flow of
the Investigation
The Compromise
1. Victim visits friendly
website
2. Redirect to EK landing
page
3. Download flash exploit
4. Exploit is successful and
ransomware file
downloads
5. Ransomware installs and
executes
6. Ransomware begins C2
communication
What data did analysts look at
first?
72%
16%
12%
Observed
PCAP Flow OSINT
Data Suggests:
 Analysts prefer a higher context data set…
 …even if other data sets are available
 …even if lower context data sets can lead to a resolution.
 Analysts don’t fully understand their own techniques
49%
28%
23%
Reported
PCAP Flow OSINT
Did the first move affect analysis
speed?
Data Suggests:
 While PCAP provides richer context, it may slow down
the investigation if that’s where you start
 Starting with a lower context data source can increase
speed when working with higher context data
16
10
9
PCAP Flow OSINT
27
13 13
PCAP Flow OSINT
Avg Time to Close Weighted Time to Close
What happens when Bro data
replaces PCAP?
46%
25%
29%
Observed (Bro)
Bro Flow OSINT
72%
16%
12%
Observed (PCAP)
PCAP Flow OSINT
What happens when Bro data
replaces PCAP?
16
10
9
PCAP Flow OSINT
Avg Time to Close (PCAP)
10 10 11
Bro Flow OSINT
Avg Time to Close (Bro)
Data Suggests:
 Better organization of high context data sources
can yield improvements in analysts performance
What data sources were viewed
most and least frequently?
Data Suggests:
 Network data is used more frequently than host data…
 …even when host data can be used exclusively to resolve.
 …even when easy access is provided to host sources.
 Revisting data is more prevalent on higher context data
sources
Data Sources Viewed Data Sources Revisited
PCA
P
84%
Flow
11%
OSIN
T
5%
How many steps were taken to
make a disposition judgement?
Data Suggests:
 At some point, the number of data sources you
investigate impacts the speed of the investigation
 Understanding where data exists and when to use it
can impact analysis speed
6
12
9
3
0
5
10
15
6-10 11-15 16-20 21-25
Number of Steps
9
12
14
24
0
5
10
15
20
25
30
6-10 11-15 16-20 21-25
Avg Time to Close
Did analysts investigate friendly or
hostile systems first?
9%
91%
Observed
Friendly Hostile
Data Suggests:
 Analysts are more compelled to investigate unknown
external threats than internal systems
 Analysts don’t fully understand their own techniques
41%
59%
Friendly
Friendly Hostile
Do analysts seek to prove or
disprove the alert?
Data Suggests:
 Analysts are almost always seek to prove an
alert...
 ...despite the fact that disproving it is usually faster.
Prove vs. Disprove
Prove
88%
Dispr
ove
12% 19
8
0
5
10
15
20
Prove Disprove
Avg Time to Close
Case Study
What separates novice
and expert analysts?
Mapping the Investigation
 Sample:
 Novice and expert analysts
 Methodology:
 30 case studies
 Stimulated recall interviews
 Focus on individual investigations of varying
types
 Perform key phrase anlayis – analyze results
Key Phrase Mapping
 Dual Process Theory
 Intuition: Implicit, inconscious, fast
 Reflection: Explicit, controlled, slow
Intuition
Experimentation
Restructuring
Imagination
Incubation
Metacognition
Evaluation
Goal Setting
Making Plans
Reflection
Analytically Viewing
Data
Rule-Based
Reasoning
Considering
Alternatives
Results
Novices Experts
Intuition Metacognition Reflection
Thank You!
Mail: chris@chrissanders.org
Twitter: @chrissanders88
Blog: chrissanders.org

More Related Content

What's hot

Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident response
jeffmcjunkin
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Threat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsThreat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the Basics
Cybereason
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data Science
Austin Taylor
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
Splunk
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
Panda Security
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Tony Cook
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)
ENOInstitute
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
MITRE - ATT&CKcon
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
MITRE - ATT&CKcon
 
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...
Alex Pinto
 

What's hot (20)

Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident response
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Threat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsThreat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the Basics
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data Science
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...
 

Viewers also liked

Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
chrissanders88
 
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a BudgetCISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
chrissanders88
 
Finding Evil In DNS Traffic
Finding  Evil In DNS TrafficFinding  Evil In DNS Traffic
Finding Evil In DNS Traffic
real_slacker007
 
Security Onion Conference - 2016
Security Onion Conference - 2016Security Onion Conference - 2016
Security Onion Conference - 2016
DefensiveDepth
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
Workshop threat-hunting
Workshop threat-huntingWorkshop threat-hunting
Workshop threat-hunting
Tripwire
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
Michael Gough
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014
chrissanders88
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
chrissanders88
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Introducing... the UBA
Introducing... the UBAIntroducing... the UBA
Introducing... the UBA
Mariëtte van Selm
 
Splunk for Developers Breakout Session
Splunk for Developers Breakout SessionSplunk for Developers Breakout Session
Splunk for Developers Breakout Session
Splunk
 
2014 Security Onion Conference
2014 Security Onion Conference2014 Security Onion Conference
2014 Security Onion Conference
DefensiveDepth
 
What Happens Before the Kill Chain
What Happens Before the Kill Chain What Happens Before the Kill Chain
What Happens Before the Kill Chain
OpenDNS
 
ciclo de refrigeracion por comprecion de vapor
ciclo de refrigeracion por comprecion de vaporciclo de refrigeracion por comprecion de vapor
ciclo de refrigeracion por comprecion de vapor
santiago71424
 
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox
 
10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express
Nguyen Thanh
 

Viewers also liked (20)

Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
 
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a BudgetCISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budget
 
Finding Evil In DNS Traffic
Finding  Evil In DNS TrafficFinding  Evil In DNS Traffic
Finding Evil In DNS Traffic
 
Security Onion Conference - 2016
Security Onion Conference - 2016Security Onion Conference - 2016
Security Onion Conference - 2016
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Workshop threat-hunting
Workshop threat-huntingWorkshop threat-hunting
Workshop threat-hunting
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014
 
BSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security MonitoringBSA2016 - Honeypots for Network Security Monitoring
BSA2016 - Honeypots for Network Security Monitoring
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Introducing... the UBA
Introducing... the UBAIntroducing... the UBA
Introducing... the UBA
 
Splunk for Developers Breakout Session
Splunk for Developers Breakout SessionSplunk for Developers Breakout Session
Splunk for Developers Breakout Session
 
2014 Security Onion Conference
2014 Security Onion Conference2014 Security Onion Conference
2014 Security Onion Conference
 
What Happens Before the Kill Chain
What Happens Before the Kill Chain What Happens Before the Kill Chain
What Happens Before the Kill Chain
 
ciclo de refrigeracion por comprecion de vapor
ciclo de refrigeracion por comprecion de vaporciclo de refrigeracion por comprecion de vapor
ciclo de refrigeracion por comprecion de vapor
 
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
 
10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express10 step-to-configure-cisco-call-manager-express
10 step-to-configure-cisco-call-manager-express
 

Similar to SOC2016 - The Investigation Labyrinth

Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst
Priyanka Aash
 
AMP_Security_ Malware Protection Presentatiion
AMP_Security_ Malware Protection PresentatiionAMP_Security_ Malware Protection Presentatiion
AMP_Security_ Malware Protection Presentatiion
SohanGole1
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
Eric Johansen, CISSP
 
Data mining and privacy preserving in data mining
Data mining and privacy preserving in data miningData mining and privacy preserving in data mining
Data mining and privacy preserving in data mining
Needa Multani
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Threat Hunting with Splunk
Threat Hunting with Splunk Threat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Virtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteVirtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - Deloitte
Splunk
 
Digital forensics research: The next 10 years
Digital forensics research: The next 10 yearsDigital forensics research: The next 10 years
Digital forensics research: The next 10 years
Shekh Md Mehedi Hasan
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvert
ISSA LA
 
Data Science at Intersection of Security and Privacy
Data Science at Intersection of Security and PrivacyData Science at Intersection of Security and Privacy
Data Science at Intersection of Security and Privacy
Tarun Chopra
 
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
TI Safe
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
Splunk
 
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon MurphyNTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
North Texas Chapter of the ISSA
 
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Cloudera, Inc.
 
Navy security contest-bigdataforsecurity
Navy security contest-bigdataforsecurityNavy security contest-bigdataforsecurity
Navy security contest-bigdataforsecurity
stelligence
 
Digital Forensics: The next 10 years
Digital Forensics: The next 10 yearsDigital Forensics: The next 10 years
Digital Forensics: The next 10 years
Al Imran, CISA
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network
Why the DoD Uses Advanced Network-traffic Analytics to Secure its NetworkWhy the DoD Uses Advanced Network-traffic Analytics to Secure its Network
Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network
Novetta
 
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld
 

Similar to SOC2016 - The Investigation Labyrinth (20)

Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst
 
AMP_Security_ Malware Protection Presentatiion
AMP_Security_ Malware Protection PresentatiionAMP_Security_ Malware Protection Presentatiion
AMP_Security_ Malware Protection Presentatiion
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Security Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM GapSecurity Analytics for Data Discovery - Closing the SIEM Gap
Security Analytics for Data Discovery - Closing the SIEM Gap
 
Data mining and privacy preserving in data mining
Data mining and privacy preserving in data miningData mining and privacy preserving in data mining
Data mining and privacy preserving in data mining
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Threat Hunting with Splunk
Threat Hunting with Splunk Threat Hunting with Splunk
Threat Hunting with Splunk
 
Virtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteVirtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - Deloitte
 
Digital forensics research: The next 10 years
Digital forensics research: The next 10 yearsDigital forensics research: The next 10 years
Digital forensics research: The next 10 years
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvert
 
Data Science at Intersection of Security and Privacy
Data Science at Intersection of Security and PrivacyData Science at Intersection of Security and Privacy
Data Science at Intersection of Security and Privacy
 
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon MurphyNTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
 
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
 
Navy security contest-bigdataforsecurity
Navy security contest-bigdataforsecurityNavy security contest-bigdataforsecurity
Navy security contest-bigdataforsecurity
 
Digital Forensics: The next 10 years
Digital Forensics: The next 10 yearsDigital Forensics: The next 10 years
Digital Forensics: The next 10 years
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network
Why the DoD Uses Advanced Network-traffic Analytics to Secure its NetworkWhy the DoD Uses Advanced Network-traffic Analytics to Secure its Network
Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network
 
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
 

More from chrissanders88

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
chrissanders88
 
Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017
chrissanders88
 
Minding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLAMinding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLA
chrissanders88
 
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive PsychologyBSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
chrissanders88
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
chrissanders88
 
Developing Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in SecurityDeveloping Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in Security
chrissanders88
 

More from chrissanders88 (6)

2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
 
Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017Hacking Food - BSides Augusta 2017
Hacking Food - BSides Augusta 2017
 
Minding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLAMinding the Metacognitive Gap - BSides NOLA
Minding the Metacognitive Gap - BSides NOLA
 
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive PsychologyBSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
 
Developing Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in SecurityDeveloping Analytic Technique and Defeating Cognitive Bias in Security
Developing Analytic Technique and Defeating Cognitive Bias in Security
 

Recently uploaded

RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
SynapseIndia
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
HackersList
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 

Recently uploaded (20)

RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 

SOC2016 - The Investigation Labyrinth

  • 2. Chris Sanders (@chrissanders88)  Find Evil @ FireEye  Founder @ Rural Tech Fund  PhD Researcher  GSE # 64  BBQ Pit Master  Author:  Practical Packet Analysis  Applied NSM
  • 3. Agenda  Era of Analysis  DFIR Cognitive Revolution  Researching the Investigation Process  Data, Data, and more Data The economics of NSM are not in our favor – how can we study the investigation process to make it more efficient?
  • 4. Economics of Security “If you want to understand the world of nature, master physics. If you want to understand the world of man, master economics.” - Taufiq Rashid High Demand for Security Expertise Low Supply of Security Practitioners Expertise Services Software
  • 5. Evolution of NSM  “The profession [security] is so nascent that the how- tos have not been fully realized even by the people who have the knowledge.”  Every thought-based profession goes through a cognitive crisis and revolution. Ours is coming.
  • 6. Symptoms of a Cognitive Crisis 1. Demand for expertise greatly outweights supply 2. Most information cannot be trusted or validated 3. Inability to mobilize and tackle big systemic issues
  • 7. The Cognitive Revolution in DFIR 1. Understand the processes used to perform investigations and draw conclusions 2. Develop repeatable methods and techniques for performing investigations 3. Build and advocate training that teaches analysts how to think about investigations, not just how to use tools.
  • 8. Investigations as Mental Labyrinths  The investigation is the core construct of information security.  At a high level, an investigation is a series of decisions that begets other decisions.  Defenders don’t always know if they’ve taken the correct path.
  • 9. Navigating the Labyrinth Alert OSINT Reputation File Hash Sandbox Behaviors AV Detections (VT) Imphash More File Hashes Friendly Host Network PCAP Host Windows Logs Security Log System Log App LogRegistry File System Hostile Host Network PCAP Flow
  • 10. Studying the Investigation Process  Goal:  Increase Accuracy  Decrease Time  How do you study something human thought?  Challenges:  Creating unique investigation scenarios takes time  There is no universal set of tooling
  • 11. A Scenario-Based Approach to Investigation Analysis  Create a tool-agnostic investigation simulator  Make it portable and self contained  Seed it with investigation scenarios where one variable can be addressed at a time  Allow it to log investigator actions and output a log of decisions being made
  • 14. Case Study Analyzing the Flow of the Investigation
  • 15. The Compromise 1. Victim visits friendly website 2. Redirect to EK landing page 3. Download flash exploit 4. Exploit is successful and ransomware file downloads 5. Ransomware installs and executes 6. Ransomware begins C2 communication
  • 16. What data did analysts look at first? 72% 16% 12% Observed PCAP Flow OSINT Data Suggests:  Analysts prefer a higher context data set…  …even if other data sets are available  …even if lower context data sets can lead to a resolution.  Analysts don’t fully understand their own techniques 49% 28% 23% Reported PCAP Flow OSINT
  • 17. Did the first move affect analysis speed? Data Suggests:  While PCAP provides richer context, it may slow down the investigation if that’s where you start  Starting with a lower context data source can increase speed when working with higher context data 16 10 9 PCAP Flow OSINT 27 13 13 PCAP Flow OSINT Avg Time to Close Weighted Time to Close
  • 18. What happens when Bro data replaces PCAP? 46% 25% 29% Observed (Bro) Bro Flow OSINT 72% 16% 12% Observed (PCAP) PCAP Flow OSINT
  • 19. What happens when Bro data replaces PCAP? 16 10 9 PCAP Flow OSINT Avg Time to Close (PCAP) 10 10 11 Bro Flow OSINT Avg Time to Close (Bro) Data Suggests:  Better organization of high context data sources can yield improvements in analysts performance
  • 20. What data sources were viewed most and least frequently? Data Suggests:  Network data is used more frequently than host data…  …even when host data can be used exclusively to resolve.  …even when easy access is provided to host sources.  Revisting data is more prevalent on higher context data sources Data Sources Viewed Data Sources Revisited PCA P 84% Flow 11% OSIN T 5%
  • 21. How many steps were taken to make a disposition judgement? Data Suggests:  At some point, the number of data sources you investigate impacts the speed of the investigation  Understanding where data exists and when to use it can impact analysis speed 6 12 9 3 0 5 10 15 6-10 11-15 16-20 21-25 Number of Steps 9 12 14 24 0 5 10 15 20 25 30 6-10 11-15 16-20 21-25 Avg Time to Close
  • 22. Did analysts investigate friendly or hostile systems first? 9% 91% Observed Friendly Hostile Data Suggests:  Analysts are more compelled to investigate unknown external threats than internal systems  Analysts don’t fully understand their own techniques 41% 59% Friendly Friendly Hostile
  • 23. Do analysts seek to prove or disprove the alert? Data Suggests:  Analysts are almost always seek to prove an alert...  ...despite the fact that disproving it is usually faster. Prove vs. Disprove Prove 88% Dispr ove 12% 19 8 0 5 10 15 20 Prove Disprove Avg Time to Close
  • 24. Case Study What separates novice and expert analysts?
  • 25. Mapping the Investigation  Sample:  Novice and expert analysts  Methodology:  30 case studies  Stimulated recall interviews  Focus on individual investigations of varying types  Perform key phrase anlayis – analyze results
  • 26. Key Phrase Mapping  Dual Process Theory  Intuition: Implicit, inconscious, fast  Reflection: Explicit, controlled, slow Intuition Experimentation Restructuring Imagination Incubation Metacognition Evaluation Goal Setting Making Plans Reflection Analytically Viewing Data Rule-Based Reasoning Considering Alternatives
  • 28. Thank You! Mail: chris@chrissanders.org Twitter: @chrissanders88 Blog: chrissanders.org

Editor's Notes

  1. Every town had one doctor and they were also your vet Many home remedies spawn from this time – milk as a treatment for stomach ulcers is an example Major health crises were frequent and impossible to control
  2. How do we research a process that is intrinsically human?
  3. We ended up with an investigation game
  4. TIMECHECK – 15 MINUTES
  5. Sidebar: Analysts looked at the PCAP 100% of the time, even if it wasn’t necessary.
  6. This points to tendencies gained from training. Most shops don’t have easy access to host data.
  7. Anecdotal – Experts I knew took less than 10 steps. Anecdotal – Novices I knew took > 15.
  8. Different scenario where result was benign.
  9. TIME CHECK: 40 MINUTES