1
The Discipline of Decision
- The five “whys”
- who/what/why/when/how
- OODA
- OSCAR
- cum hoc ergo propter hoc
- post hoc ergo propter hoc
- time efficiency
- the rise and fall of routine
Reference: The Age of Pericles (Philipp von Foltz)
2
The Discipline of Decision
Right thinking provides confidence in our decisions. This leads to good arguments and better decision making.
3
The Discipline of Decision
4
The Five “W”s
This is an information-gathering line of questions. BTW, this guy made that … or maybe Augustine. (Don’t get too picky.) Joe Friday. NOT an interrogative technique.
5
Mini Analysis Part 3
Would the 5 “W”s help you equate this bad with a 2-year evolution in GravityRAT targeting a country?
6
The Five “Whys”
You say “why” 5 times in a chained line of questions. This is an INTERROGATIVE technique.
“It’s cool that Toyota used this, but you can thank me for it. You should totally Google the Socratic method.” - Socrates
7
OODA
Fresh from the DoD, made to order for cyber security.
- Observe - Use security monitoring tools or techniques to identify suspicious actions that may require investigation.
- Orient - Evaluate actions against threats, vulnerabilities, and exploits.
  - Make logical connections
  - Contextualize data
  - Establish a timeline
- Decide - Based on observations and context, choose the best tactic for quickest confirmation and fastest recovery.
  - Nobody has time for your cool fringe way of finding something unless you can do it thousands of times a day.
  - Utilize the best indicators for confirmation (meaning, most immutable first).
- Act - Remediate and recover.
  - Improve incident response procedures to find this again, more efficiently.
  - Choose remediation actions that allow for the most minimal downtime while resolving the issue.
  - Own it if you are unable to complete analysis or if there was incomplete data.
8
OSCAR
- Obtain information – where are your logs, tools, and other investigative resources?
  - Information about the incident
  - Information about the environment (meaning, the business)
- Strategize
  - Understand the goals and time frame of the investigation.
  - Identify likely sources of evidence.
  - For each source of evidence, estimate the value and cost of reviewing it. The reverse “Pyramid of Pain” helps here.
  - Prioritize your evidence acquisition.
  - Plan the initial acquisition/analysis. (What will you gain from each type of data?)
- Collect evidence – for most of us, this is already done for us.
- Analyze
  - Look at the things that you found and see how they work together.
  - Identify/extrapolate the full timeline (the Lockheed Martin Cyber Kill Chain helps with this).
- Report
  - Answer who/what/where/when/why/how.
  - Attempt to catch any obvious questions that your data would pose.
  - Ensure that your data and conclusions can be self-authenticating.
Reference: Network Forensics Investigative Methodology
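As an added example (not from the slides or any tool they cite) of the OODA “most immutable indicators first” rule and the OSCAR “estimate value and cost, then prioritize acquisition” step, the script below ranks candidate evidence by Pyramid of Pain level and review cost, and orders the same events into a timeline for the Orient step. The pain-level weights, review costs, and the incident data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Pyramid of Pain levels from least to most immutable (how painful it is for
# an adversary to change). The numeric weights are an assumption for ranking.
PAIN_LEVEL = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}


@dataclass
class Evidence:
    source: str        # log or tool the indicator came from
    kind: str          # key into PAIN_LEVEL
    value: str         # the indicator itself
    seen_at: datetime  # when it was observed
    review_cost: int   # assumed analyst minutes to confirm from this source


def prioritize(evidence: list[Evidence]) -> list[Evidence]:
    """OSCAR 'Strategize' / OODA 'Decide': most immutable indicator first;
    among equally immutable indicators, the cheapest to confirm first."""
    for e in evidence:
        if e.kind not in PAIN_LEVEL:
            raise ValueError(f"unknown indicator kind: {e.kind}")
    return sorted(evidence, key=lambda e: (-PAIN_LEVEL[e.kind], e.review_cost))


def timeline(evidence: list[Evidence]) -> list[tuple[str, str, str, str]]:
    """OODA 'Orient': order events by time so sequence claims (post hoc) can
    be checked against what was actually observed, and when."""
    ordered = sorted(evidence, key=lambda e: e.seen_at)
    return [(e.seen_at.isoformat(), e.source, e.kind, e.value) for e in ordered]


# Constructed sample incident; values are placeholders, not real indicators.
SAMPLE = [
    Evidence("edr", "hash", "<placeholder-sha256>", datetime(2024, 1, 5, 9, 3), 2),
    Evidence("firewall", "ip", "192.0.2.10", datetime(2024, 1, 5, 9, 6), 3),
    Evidence("proxy", "domain", "example.invalid", datetime(2024, 1, 5, 9, 7), 5),
    Evidence("sysmon", "tool", "service install via remote exec", datetime(2024, 1, 5, 9, 9), 15),
    Evidence("sysmon", "ttp", "scheduled task persistence", datetime(2024, 1, 5, 9, 10), 30),
]

if __name__ == "__main__":
    print("confirmation order (most immutable first):")
    for e in prioritize(SAMPLE):
        print(f"  {e.kind:<7} from {e.source:<9} cost={e.review_cost}m")
    print("timeline:")
    for row in timeline(SAMPLE):
        print("  ", *row)
```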
9
Mini Analysis Part 4
Behavioral analysis at its best
10
Mini Analysis Part 4
Behavioral analysis at its best
11
Do all this, and you might still fail
12
Your ideas seem… flawed
Here are the most common analytical mistakes:
- Cum hoc ergo propter hoc – correlation does NOT imply causation. (A and B happened at the same time, so they’re bad.)
- Post hoc ergo propter hoc – a sequence of events is NOT evidence. (A occurred, then B occurred. Therefore, A caused B.)
- Argumentum ad lapidem – I reject your reality and substitute my own! (Your argument is invalid because I say so.)
- Continuum fallacy – requiring an unreasonable amount of evidence.
- Survivorship bias – well, it worked this ONE time, so it must be right every time! Never mind all the data to the contrary.
- Complex question bias (fallacy) – “Why can’t you find that infected system?” (presupposes that the system IS infected).
13
Efficiency and Routine
Remember that all of these things are subject to how quickly you get stuff done.
- Analytics-driven – fast to alert the analyst, SLOW to investigate.
- Situational-awareness driven – requires tools, people, AND processes to work in sync (always slow).
- Intelligence-driven – IOC/IOA-based analysis; slow to alert and fast to investigate (depending on the tool).
14
Efficiency and Routine
One last thought on this… building routines allows for efficient operations, but only when they lead to automation. Otherwise… work around, move on, or own the business need.
15
Mini Analysis Part 5 - Solomon
16
Mini Analysis Part 5 - Solomon