The Discipline of Decision

Presentation transcript:

The Discipline of Decision
Agenda: the five “whys”; who/what/why/when/how; OODA; OSCAR; cum hoc ergo propter hoc; post hoc ergo propter hoc; time efficiency; the rise and fall of routine.
Reference: The Age of Pericles (Philipp von Foltz)

The Discipline of Decision Right thinking provides confidence in our decisions. This leads to good arguments and better decision making.

The Discipline of Decision
Reference: https://www.rhsmith.umd.edu/programs/executive-education/how-we-do-it/hot-topics/critical-thinking
Reference 2: https://globaldigitalcitizen.org/critical-thinking-skills-cheatsheet-infographic

The Five “W”s
This is an information-gathering line of questions. BTW, this guy (Joe Friday) made that … or maybe Augustine. (Don’t get too picky.)
NOT an interrogative technique.
Reference: https://en.wikipedia.org/wiki/5_Whys

Mini Analysis Part 3
Would the 5 “W”s help you equate this bad email with a 2-year evolution in GravityRAT targeting a country?
Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

The Five “Whys”
You say “why” 5 times in a chained line of questions. This is an INTERROGATIVE technique.
“It’s cool that Toyota used this, but you can thank me for it. You should totally Google the Socratic method.” - Socrates
Reference: https://en.wikipedia.org/wiki/5_Whys

OODA
Fresh from the DoD, made to order for cyber security.
Observe - Use security monitoring tools or techniques to identify suspicious actions that may require investigation.
Orient - Evaluate actions against threats, vulnerabilities, and exploits.
  Make logical connections.
  Contextualize the data.
  Establish a time-line.
Decide - Based on observations and context, choose the best tactic for the quickest confirmation and fastest recovery.
  Nobody has time for your cool fringe way of finding something unless you can do it thousands of times a day.
  Utilize the best indicators for confirmation (meaning, most immutable first).
Act - Remediate and recover.
  Improve incident response procedures to find this again, more efficiently.
  Choose remediation actions that allow for the most minimal down-time while resolving the issue.
  Own it if you were unable to complete the analysis or if there was incomplete data.
Reference: https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response/incident-response-process-and-procedures

OSCAR
Obtain information – where are your logs, tools, and other investigative resources?
  Information about the incident.
  Information about the environment (meaning, the business).
Strategize
  Understand the goals and time frame of the investigation.
  Identify likely sources of evidence.
  For each source of evidence, estimate the value and cost of reviewing it. The reverse “Pyramid of Pain” helps here.
  Prioritize your evidence acquisition.
  Plan the initial acquisition/analysis (what will you gain from each type of data?).
Collect evidence – for most of us, this is already done for us.
Analyze
  Look at the things that you found and see how they work together.
  Identify/extrapolate the full time-line (the Lockheed Martin Cyber Kill Chain helps with this).
Report
  Answer who/what/where/when/why/how.
  Attempt to catch any obvious questions that your data would pose.
  Ensure that your data and conclusions can be self-authenticating.
Reference: Network Forensics Investigative Methodology
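The OODA “Decide” rule (most immutable indicator first) and the OSCAR “Strategize” step (estimate value and cost per evidence source, then prioritize acquisition) amount to one ranking problem. The following is an added example, not code from the presentation or its references; the source names, tiers, hours and availability flags are constructed for a hypothetical phishing-delivered-RAT case.

```python
"""Evidence prioritisation for OODA 'Decide' / OSCAR 'Strategize'.
Ranks candidate evidence sources by the immutability of the indicator
they can confirm (Pyramid of Pain order) divided by the analyst cost
of reviewing them, then tie-breaks on immutability alone so that the
most durable indicator still comes first. Added example; all data is
constructed."""
from dataclasses import dataclass

# Pyramid of Pain tiers, least to most immutable for the adversary.
# Reversing the pyramid means TTPs score highest, hashes lowest.
PYRAMID = ["hash", "ip", "domain", "network_artifact", "tool", "ttp"]
IMMUTABILITY = {tier: i + 1 for i, tier in enumerate(PYRAMID)}


@dataclass(frozen=True)
class Source:
    name: str        # where the evidence lives (log, tool, host)
    tier: str        # the Pyramid of Pain tier it can confirm
    hours: float     # estimated analyst cost to review it
    available: bool  # 'Collect' is already done, or the data never existed


def score(src: Source) -> float:
    """Value per cost: immutability of what the source confirms divided by
    review time (floored at 15 minutes). Unavailable sources score zero."""
    if not src.available:
        return 0.0
    return IMMUTABILITY[src.tier] / max(src.hours, 0.25)


def acquisition_plan(sources):
    """Ordered list of source names to work through: highest value per
    cost first, more immutable tier first on ties, unobtainable dropped."""
    usable = [s for s in sources if score(s) > 0]
    ranked = sorted(usable, key=lambda s: (score(s), IMMUTABILITY[s.tier]),
                    reverse=True)
    return [s.name for s in ranked]


# Constructed inventory for a hypothetical investigation.
SOURCES = [
    Source("av_quarantine_hash", "hash", 0.5, True),
    Source("firewall_egress_logs", "ip", 1.0, True),
    Source("proxy_logs_c2_domain", "domain", 1.0, True),
    Source("edr_process_tree", "ttp", 2.0, True),
    Source("full_pcap", "network_artifact", 8.0, False),  # never captured
]

if __name__ == "__main__":
    for step, name in enumerate(acquisition_plan(SOURCES), 1):
        print(step, name)
```

With the constructed inventory the EDR process tree (TTP tier) outranks the cheaper hash and IP sources, and the never-captured pcap is dropped rather than planned for.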

Mini Analysis Part 4
Behavioral analysis at its best.
Reference: https://www.threatconnect.com/blog/diamond-dashboard-hunting-your-adversaries/

Do all this, and you might still fail

Your ideas seem… flawed
Here are the most common analytical mistakes:
Cum hoc ergo propter hoc – correlation does NOT imply causation (A and B happened at the same time, so they must both be bad).
Post hoc ergo propter hoc – a sequence of events is NOT evidence (A occurred, then B occurred; therefore, A caused B).
Argumentum ad lapidem – I reject your reality and substitute my own! (Your argument is invalid because I say so.)
Continuum fallacy – requiring an unreasonable amount of evidence.
Survivorship bias – Well, it worked this ONE time, so it must be right every time! Never mind all the data to the contrary.
Complex question fallacy – “Why can’t you find that infected system?” (presupposes that the system IS infected).

Efficiency and Routine
Remember that all of these things are subject to how quickly you get stuff done.
Analytics-driven – fast to alert the analyst, SLOW to investigate.
Situational-awareness-driven – requires tools, people, AND processes to work in sync (always slow).
Intelligence-driven – IOC/IOA-based analysis; slow to alert and fast to investigate (depending on the tool).
Reference: https://en.wikipedia.org/wiki/Cyber_threat_hunting

Efficiency and Routine
One last thought on this… building routines allows for efficient operations, but only when they lead to automation. Otherwise… work around it, move on, or own the business need.
Reference: https://en.wikipedia.org/wiki/Cyber_threat_hunting

Mini Analysis Part 5 - Solomon
Reference: http://malware-traffic-analysis.net/2018/05/02/index.html
Reference 2: https://www.virustotal.com/#/file/c2097360c006fc3325914406e1b1f0d4857e9a550618ffedc1d0eb0fe8e64777/community