When it comes to incident response analysis, diversity of thought can lead to better problem solving. Great minds may think alike, but if you cannot tap team members with different backgrounds and experience, your investigation may go to the dogs.
Keith Chapman, Cybersecurity Specialist for Infoscitex Corporation, believes coming from different backgrounds and job experience is critical to building successful incident response teams.
"The big thing about analysis is we all bring some sort of bias into our analysis, and this is something that I would caution you about. These are steps that I've taken to guard myself against having biases that can overshadow my analysis," Chapman says.
Chapman also illustrated this during his presentation at SecureWorld Rockies virtual conference with the help of his pet dogs.
Who breached kitchen security: Lovely Labrador or Calculating Corgi?
Chapman shared his investigation into his two dogs that were responsible for a kitchen breach, which disrupted the home network and took valuable time to restore order.
"In this case, the dogs' names have been changed, protecting the parties involved. We have Lovely Labrador and we have Calculating Corgi. These are our own personal fur babies at home, and this is a scenario where I come home and I find garbage strewn all across the floor."
At first glance, Calculating Corgi, with a mischievous demeanor, seems like he could be the culprit. Nobody would ever suspect Lovely Labrador. If you ever owned a pet Corgi, you might believe the stereotypes—a Corgi's spunky personality and spirited ways makes one suspect that breed might be capable of great genius, for better or worse.
Upon further inspection, it turns out the most probable offender is the sweet-dispositioned Lovely Labrador. As cunning as Calculating Corgi is, he's also much lower to the ground, whereas Lovely Labrador is the perfect height and strength to knock the trash receptacle over. Lovely also has a history; she is a verified trash infiltrator and has committed these atrocities before, making her the most probable suspect at the time.
But Chapman says just because this is the most probable, there are other hypotheses to examine, as seen in the chart below.
"We're looking to prove which one [hypothesis] is the most wrong rather than which one is the most right. We can assign levels or credibility to each one in this case. It's high credibility that Lovely Labrador has done this, [since she has displayed this] behavior before, and is likely to do it again. It's low probability that the food that we just had for lunch [was stolen].... And, in this case, the most wrong [scenario] will be determined by evidence that we have.
Ultimately, what you find out is the most probable answer is generally the one with the least evidence against it."
Chapman spends a lot of time thinking about troubleshooting, and this method can steer analysts away from "predictable bias" through looking at every possible channel for disruption.
Assessment methodology for unbiased incident response
Using the Analysis of Competing Hypotheses (ACH) methodology, Chapman's simple demonstration shows how to conduct incident response analysis, which could be carried over to any organization.
"One method that I've used was assessment pass. That helps me to limit bias, especially working with groups of people. And to get to better outcomes, [I use] the analysis of competing hypothesis. For purposes of this talk, I've modified the structure that I'm using to five steps. I've seen as many as seven or eight."
The ACH method could be used as a baseline example for investigating an incident with a more open mind.
The steps go in order as follows:
1. Hypothesis
2. Evidence
3. Matrix
4. Refinement
5. Evaluation
Avoiding bias when investigating cybersecurity incidents
In an effort to encourage sourcing wisdom from different areas, Chapman created the Cybersecurity Diversity Analyst Framework.
"Diversity of analysis can be accomplished the best by having diverse groups of people, diverse types of people, diverse backgrounds. If that is not something that can be done overnight, this is a set of steps that can help guide you in that direction. We need diversity if we are to change and grow. And this is a method that I've adopted that has helped me to see things from different perspectives and solve problems."
Chapman's framework goes as follows:
• Empathize and imagine
• Align your focus
• Ideate and design solutions
• Model and assess together
• Deploy the best model
More tips for successful incident response
Chapman, who has an art and design background, recommended writing your thoughts down first before documenting.
"I use a lot of business cards, index cards, and I draw lines and try to document things analog."
If you like working digitally, there is a lot of software out there, but sticking to what your organization uses can be the best.
"There are some really great tools out there for people who prefer to keep documentation digitally. And some of the tools I have used in the past, we were able to attach artifacts or screenshots.
I would just suggest whatever method works the best, but also what your team is currently using. I wouldn't try to push this too far in a different direction. Use what's already there. Just be sure that you're documenting carefully."
If you're new to investigating cyber incidents, then working as a group, finding a mentor, and staying on top of learning new trends can be helpful.
"I really like jobs and corporations where they tend to allow people to shadow one another when they encourage interdisciplinary interactions. Besides that, I would advise that you attend security conferences so you might know what other people are doing, and you keep learning."
Check out SecureWorld's library of on-demand webinars for many learning opportunities.
SecureWorld's final conference of the year is slated for December 2nd. Be sure to register for the West Coast virtual conference to get access to some of the best and brightest in cybersecurity.
