The Discipline of Decision The five “whys” who/what/why/when/how OODA OSCAR cum hoc ergo propter hoc post hoc ergo propter hoc time efficiency the rise and fall of routine Reference: The Age of Pericles (Philipp von Foltz)

The Discipline of Decision Right thinking provides confidence in our decisions. This leads to good arguments and better decision making.

The Discipline of Decision Reference: https://www.rhsmith.umd.edu/programs/executive-education/how-we-do-it/hot-topics/critical-thinking Reference 2: https://globaldigitalcitizen.org/critical-thinking-skills-cheatsheet-infographic

The Five “W”s This is an information gathering line of questions BTW, this guy   made that … or maybe Augustine. (Don’t get too picky) Joe Friday NOT an interrogative technique Reference: https://en.wikipedia.org/wiki/5_Whys

Mini Analysis Part 3 Would the 5 “W”s help you equate this bad email with a 2 year evolution in GravityRAT targeting a country? Reference: https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

The Five “Whys” You say “why” 5 times in a chained line of questions. This is an INTERROGATIVE technique “'s cool that Toyota used this, but you can thank me for it. You should totally Google the Socratic method.” - Socrates Reference: https://en.wikipedia.org/wiki/5_Whys

OODA Fresh from the DoD, made to order for Cyber security Observe - Use security monitoring tools or techniques to identify suspicious actions that may require investigation. Orient - Evaluate actions against threats, vulnerabilities, and exploits. Make logical connections Contextualize Data Establish time-line Decide - Based on observations & context, choose the best tactic for quickest confirmation & fastest recovery. Nobody has time for your cool fringe way of finding something unless you can do it thousands of times a day Utilize the best indicators for confirmation (meaning, most immutable first) Act - Remediate & recover Improve incident response procedures to find this again, more efficiently Choose remediation actions that allow for the most minimal down-time while resolving the issue Own if you are unable to complete analysis or if there was incomplete data Reference: https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response/incident-response-process-and-procedures

OSCAR Obtain information – where are your logs, tools, and other investigative resources Information about the Incident Information about the environment (meaning, the business) Strategize Understand the goals and time frame of the investigation. Identify likely sources of evidence. For each source of evidence, estimate the value and cost of reviewing it. Reverse “Pyramid of Pain” helps here. Prioritize your evidence acquisition. Plan the initial acquisition/analysis. (What will you gain from each type of data) Collect evidence – For most of us, this is already done for us Analyze Look at the things that you found, see how they work together Identify/extrapolate full time-line (Lockheed Martin Cyber Kill Chain helps with this) Report Answer Who/What/Where/When/Why/How Attempt to catch any obvious questions that your data would pose Ensure that your data and conclusions can be self authenticating Reference: Network Forensics Investigative Methodology

Mini Analysis Part 4 Behavioral analysis at it’s best Reference: https://www.threatconnect.com/blog/diamond-dashboard-hunting-your-adversaries/

Mini Analysis Part 4 Behavioral analysis at it’s best Reference: https://www.threatconnect.com/blog/diamond-dashboard-hunting-your-adversaries/

Do all this, and you might still fail

Your ideas seem… flawed Here’s the most common analytical mistakes: cum hoc ergo propter hoc – correlation does NOT imply causation (a and b happened at the same time so they bad) Post hoc ergo propter hoc – a sequence of events is NOT evidence (A occurred, then B occurred. Therefore, A caused B.) Argumentum ad lapidem – I reject your reality and substitute my own! (Your argument is invalid because I say so) Continuum Fallacy – Requiring an unreasonable amount of evidence Survivorship bias – Well, it worked this ONE time; so it must be right every time! Never-mind all the data to the contrary. Complex Question bias (fallacy) – Why can’t you find that infected system (presupposes that the system IS infected)

Efficiency and Routine Remember that all of these things are subject to how quickly you get get stuff done. Analytics-Driven – Fast to alert the analyst, SLOW to investigate Situational-Awareness Driven – Requires Tools, People, AND processes to work in sync (always slow) Intelligence-Driven – IOC/IOA based analysis slow to alert and fast to investigate (depending on tool) Reference: https://en.wikipedia.org/wiki/Cyber_threat_hunting

Efficiency and Routine One last thought on this… building routines allows for efficient operations, but only when they lead to automation. Otherwise… work around move on or own the business need Reference: https://en.wikipedia.org/wiki/Cyber_threat_hunting

Mini Analysis Part 5 - Solomon Reference: http://malware-traffic-analysis.net/2018/05/02/index.html Reference 2: https://www.virustotal.com/#/file/c2097360c006fc3325914406e1b1f0d4857e9a550618ffedc1d0eb0fe8e64777/community

Mini Analysis Part 5 - Solomon Reference: http://malware-traffic-analysis.net/2018/05/02/index.html