
Theory of Multiple Intelligences for Security Analysts – Initial Thoughts

One of the more interesting concepts I’ve come to study recently is the theory of multiple intelligences, which was originally proposed in the 1980s by Dr. Howard Gardner, a developmental psychologist. The Theory of Multiple Intelligences (MI) simply states that rather than humans having a singular intelligence, we have a set of different intelligences that are independent and entirely unique. While his theory does have some detractors and competing schools of thought, it has generally been met with great intrigue and is a popular area of study for developmental, cognitive, and industrial psychology scholars alike. In this post I want to discuss the theory of MI and how I think it relates to security investigations. While you might be expecting a concise post full of conclusions with a nice bow on it, this article is more about raising questions and getting some of my notes on paper for further research.

Multiple Intelligences

We often think of intelligence as a measure of how much someone knows about something, but that more accurately describes aptitude than intelligence. An intelligence is actually a computation capacity. This is why true intelligence tests that result in intelligence quotient (IQ) scores are much more about measuring someone’s ability to learn than what they have learned. Traditionally, intelligence was viewed as a single biological construct. The theory of MI pluralizes this concept of computational capacity such that more than one of them exists, and that they exist as independent intelligences.

There are several criteria that determine what the core intelligences are. These include the intelligence being universal to the entire human species, having an identifiable set of core operations, and being susceptible to encoding in a symbol system where meaning can be captured. I don’t want to delve too far into these criteria here, but if you are interested you can read more in Dr. Gardner’s books mentioned at the end of the post. Gardner’s study of MI resulted in the formulation of seven intelligences, with the assertion that all humans have the full range of them. I’ll give a basic outline of those now.

  • Musical-Rhythmic: Has to do with sensitivity to sounds, rhythms, tones, and music. People with high musical intelligence can often recognize and match pitch well, and are able to sing, play instruments, and compose music. These people usually excel in careers as musicians, composers, singers, or producers.
  • Bodily-Kinesthetic: Relates to control of one’s bodily motions and the capacity to handle objects skillfully, including a sense of timing and muscle memory. People with high bodily-kinesthetic intelligence are generally good at physical activities like working out, sports, dancing, or craft work. These people usually excel in careers as athletes, dancers, and various types of builders.
  • Logical-Mathematical: Has to do with logic, reasoning, numbers, and critical thinking. People with high logical-mathematical intelligence excel at problem solving, thinking about abstract ideas, solving complex computations, and conducting scientific experiments. These people usually excel in careers as scientists, programmers, engineers, and accountants.
  • Verbal-Linguistic: Deals with the ability to process, interpret, and form words. People with high verbal-linguistic intelligence are good at reading, writing, telling stories, and memorizing words and dates. These people usually excel in careers as writers, lawyers, journalists, and teachers.
  • Visual-Spatial: Has to do with the ability to visualize things in the mind. People with high visual-spatial intelligence excel at navigating, doing jigsaw puzzles, reading maps, recognizing patterns, interpreting graphs and charts, and daydreaming. These people usually excel in careers as architects, artists, and engineers.
  • Interpersonal: Focused on interaction with others and the ability to recognize and be sensitive to others’ moods, feelings, temperaments, and motivations. People with high interpersonal intelligence communicate effectively and empathize well with others. They often enjoy debates and excel at verbal and nonverbal communication. These people usually excel in careers as psychologists, counselors, politicians, and salespeople.
  • Intrapersonal: Focused on introspective and self-reflective capacities. People with high intrapersonal intelligence have a strong ability to assess their own strengths and weaknesses and predict their own reactions and emotions. These people usually excel in careers as writers, scientists, and philosophers.

A key takeaway under MI theory is that every human is born with each of these intelligences, but no two people have the same level of every intelligence. Even identical twins will have varying levels of each intelligence because we know that intelligence is shaped by nature and nurture. Additionally, we know that just because someone has a high level of a particular intelligence doesn’t mean that they will use that intelligence in a smart manner. For instance, someone with high logical-mathematical intelligence might choose to use their intelligence to guess lottery numbers for a living instead of applying it to one of the sciences, accounting, etc.

Intelligence and Security Investigations

Whether or not you subscribe to MI theory, it does provide an interesting approach towards viewing how and why certain people excel in different types of security investigations. There are multiple types of security investigation domains, including event-driven (triage) analysis, NSM hunting, malware analysis, and forensic response. I hold that each of these domains requires a specific balance and emphasis of abilities and computational capacity. With that in mind, it brings about an interesting question of which intelligences are most suited to particular types of security investigations.

The first thing that must be considered is whether each investigative domain is more suited to a laser or a searchlight intellectual profile. These terms describe the manner in which people typically excel in certain intelligences. A laser is a person who generally has a high elevation in one or two intelligences. A searchlight is a person who has an equal level of moderately elevated intelligence in three to four intelligences, but does not have a very high elevation in any one of them. Lasers tend to focus on one specific area or task, whereas searchlights tend to work in areas that require constant surveying of multiple elements to form a bigger picture. Once each investigative domain is tied to a laser or searchlight profile, the individual intelligences that are most applicable can be determined.

I don’t have a lot of concrete thoughts yet about which intellectual profiles and intelligences are suited to each investigative domain, and I certainly don’t have a thorough accounting of every relevant domain in information security. However, I do have some initial thoughts that warrant more research. I could postulate on this for quite some time, but a few things that initially come to mind include the following:

  • Most traditional computer scientists would probably think that security investigations are almost exclusively related to logical-mathematical intelligence. I’d challenge this for some investigative domains. In a lot of cases I believe visual-spatial intelligence is much more important.
  • Malware analysis tends to lean more towards a laser profile. It also requires a great deal of logical-mathematical intelligence due to the need to interpret and reverse engineer code during static analysis.
  • Triage analysis and forensic response require visual-spatial intelligence because of all the moving parts that must be assimilated into a bigger picture. This is a product of the reliance on divergent thinking during these processes, and the need to rapidly shift to convergent thinking once a critical mass of ideas and knowledge has been reached.
  • Forensic response requires a greater degree of interpersonal intelligence due to the reliance on communication with various new and unfamiliar stakeholders. The ability to empathize and gauge moods is critical. I would guess that a searchlight profile would be most desired here.
  • Intelligence analysis requires an elevated interpersonal intelligence due to the need to assess motivations.
  • Analysis across most domains in a team setting requires some level of intrapersonal intelligence so that practitioners can identify their own deficiencies along the lines of alternative analysis methods.

If we can identify investigative domains and determine which intelligences are most suited to them, we can be a lot more successful in identifying the right people for those roles and educating them appropriately so that they are successful. This is another step along the way towards converting tacit knowledge to explicit knowledge and gaining a better advantage in security analysis scenarios.


Multiple Intelligences: New Horizons (2008), Howard Gardner

Frames of Mind: The Theory of Multiple Intelligences (1983), Howard Gardner

Perception, Cognition, and the Notion of “Real Time” Detection and Analysis


As a lot of folks who know me are aware, one of the areas of security that I spend the majority of my time researching is the analytic process and how the human component of an investigation works. I’ve written and spoken on this topic quite a bit, and I’ve dedicated myself to it enough that I’ve actually elected to go back to school to work on a second master’s degree focused on cognitive psychology. My hope is that I can learn more about the cognitive functions of the brain and psychological research so that I can work towards taking a lot of the tacit knowledge that is security investigation (NSM, IR, malware RE, etc.) and turning it into codified information that can help shape how we as an industry look at the analysis of security compromises. This article (and hopefully many more to come) is related to that study.

————- Post Starts Here ————-

I’ve never been a fan of declaring concepts, theories, or ideas to be “dead”. We all know how that went when Gartner declared IDS to be dead several years ago. Last I checked, intrusion detection is still widely used and relatively successful at catching intruders when done right. Even more, the numbers don’t lie as Cisco bought Sourcefire, makers of the world’s most popular IDS technology Snort, for 2.7 BILLION dollars last year. However, I do think it’s worth closely examining ideas that may have never really had a lot of life from inception. The concept I want to discuss here is the notion of “real time detection” as it relates to detecting the activity of structured threat actors.

I’m not going to get into the semantics of what constitutes “real time” versus “near real time” as that isn’t really the point of this article. Suffice it to say that when we talk about real time detection we are referring to the act of investigating alerts (typically generated from some type of IDS or other detection mechanism), and deciding whether or not something bad has occurred and whether escalation to incident response is necessary. This concept relies on event-driven inputs from detection mechanisms to mark the start of the analysis process, and on quick decision-making immediately following the receipt of that input and a brief investigation.

With a real time detection and analysis approach there is a tremendous amount of pressure to make decisions rapidly near the beginning of the analysis process. Many security operations centers (SOCs) even track metrics related to the duration of time between an alert being generated and that alert being closed or escalated (often called “dwell time”). It isn’t uncommon for these SOCs to judge the performance of analysts, or of groups of analysts as a whole, based on these types of metrics. The problem with this approach is that there are fundamental psychological barriers working against the analyst in this model. In order to understand these barriers, we need to examine how the mind works and how it is influenced.

Limitations of the Mind

The investigation or analysis process is based around cognition, which is the term used to refer to the rate at which humans can bridge the gap between perception and reality. In this sense, perception is a situation as we individually interpret it, and reality is a situation as it actually exists. Cognition can be nearly instant, such as looking at a shirt and recognizing that it is blue. In other situations, like security analysis, cognition can take quite some time. Furthermore, even after a lengthy cognition process an analyst may never fully arrive at a complete version of reality.

The thing that makes everyone different in terms of cognitive psychology is the mindset. A mindset is, essentially, the lens we view the world through. A mindset is something we are born with, and something that is constantly evolving. Any time we perceive something new, it is assimilated into our mindset and affects the next thing we will perceive. While we do have control over certain aspects of our mindset, it is impossible to be aware of or in control of every portion of it. This is especially true of the subconscious portions of the mindset that are formed early on in our development. Ultimately, the mindset is a combination of nature and nurture. It takes into account where we were born, where we grew up, the values of our parents, the influence of our friends, life experiences, work experiences, relationships, and even our health.


Figure 1: Our Mindset and Perception are Related

A mindset is a good thing because it is what allows us all to think differently and be creative in unique ways. In information security, this is what allows some analysts to excel in very unique areas of our craft. However, the limitation imposed on us by our mindset results in a few scenarios that negatively affect our perception and our ability for rapid cognition.

Humans Perceive What they Expect to Perceive

The expectancy theory states that an individual will decide to behave or act in a certain way because they are motivated to select a specific behavior over other behaviors. While we often think of motivation as something overt and identifiable, that isn’t the case in most situations. Instead, these expectations and patterns of expectations are a product of our mindset, both the conscious and subconscious part of it. As an example, read the text in Figure 2.


Figure 2: An Example of Expected Perception

Now, read the text in Figure 2 again. Did you notice that the article in each of the triangles was repeated? In this example, you probably didn’t because these phrases are common vernacular that you’ve come to expect to be presented a specific way. Beyond that, additional ambiguity was introduced by forming the words in a triangle such that they are interpreted in a manner that is not conducive to spotting the anomaly (but more on that later). The key takeaway here is that we are rarely in control of how we initially perceive something.

Mindsets are Quick to Form but Resistant to Change

If we are not in full control of our mindset, then it is fair to say that we cannot be in full control of our perception. This becomes a problem because aspects of our mindset are quick to form, but resistant to change. Cognitive psychology tells us that we don’t learn by creating a large number of multiple independent concepts, but rather, we form a few base concepts or images, and assimilate new information to those things.

This is why we rarely notice gradual changes such as weight gain in friends and family that we see often. You are very unlikely to notice if a coworker you see every day gains twenty pounds over six months. However, if you see a friend you haven’t seen in six months, you are much more likely to notice the added weight. Even if it isn’t very obvious, you are likely to think “Something looks different about Frank.”

Highly Ambiguous Scenarios are Difficult to Overcome

A scenario that is highly ambiguous is one that is open to multiple interpretations. This is the product of a large number of potential outcomes combined with a limited amount of data from which to form a hypothesis about which outcome is most likely. A common experiment referenced to demonstrate this relationship concerns interference in visual recognition, something occasionally referred to as the “blur test.” In this experiment, a subject is exposed to a blurry image that slowly comes into focus until the image becomes clear enough to be identified. The independent variable in this experiment was the initial amount of blur in the image, and the dependent variable was the amount of blur remaining in the image when the subject was able to determine what was being visually represented. The psychologists conducting the experiment presented a set of images to subjects with varying degrees of initial blur, and measured the amount of blur remaining when the subject was able to identify what the image was.

The results were really interesting, because they showed with statistical significance that when an image with a higher initial amount of blur was presented to a subject, the image had to get much clearer in order for them to identify what it actually was. Conversely, when an image was presented with a lower initial amount of blur, subjects could identify what the image represented much sooner and well before the image had come fully into focus.

The amount of initial blur in this experiment represents a simple example of varying the level of ambiguity in a scenario, which can lead us to infer that higher initial ambiguity can lengthen the amount of time required to bridge the gap between perception and reality.

Applications to Security Investigation

When we consider the nature of the investigative process, we know that it is based on being presented with a varying amount of initial data in a scenario where there are hundreds or thousands of possible outcomes. This yields a situation where a dozen analysts could come up with a dozen initial hypotheses regarding what is actually happening on a network given a single input. Each analyst forms their initial perception, and as they continue to collect more data they assimilate that data to the initial perception.

In a real world scenario where analysts often handle investigations “cradle to grave” or “alert to escalation”, this presents a scenario where the evidence that has been gathered over time is never viewed from a clear perspective that is free from initial perception (and bias). Given that network traffic, malicious binaries, and log data can be incredibly deceiving, this is a limiting factor in the success of an investigation as our initial perception in an investigation is increasingly likely to be wrong. This speaks to the limitation I previously discussed regarding how mindsets are quick to form but resistant to change, and how a large initial amount of ambiguity, which is very common in security investigations, can lead to flawed investigations.

Ultimately, the scenarios in which security investigations are conducted contain many of the characteristics in which the mind is limited in its ability to bridge the gap between perception and reality.

Alternative Approaches

Identifying problems with the approaches we often take to security analysis is quite a bit easier than figuring out how to overcome those challenges. While I don’t think that there is a fix-all, nor do I offer any panacea-like solutions, I think that we are entering an era where analysis is becoming an incredibly important part of the security landscape, which justifies rethinking some of the ways we approach security investigations. Focusing on the cognitive problems of analysis, I think there are three things that we, as an industry, can do to improve how we get from alert to resolution. While I don’t think these three things encompass a complete paradigm shift in how alerts are investigated, I do believe that they will be part of it.

Separation of Triage vs. Investigation

While multiple definitions may exist, triage in terms of event-driven security analysis typically refers to the process of initially reviewing an alert to determine if more investigation is required, and what priority that investigation should have relative to other investigations. In the past, the triage process has been treated as a part of the broader investigative process; however, they are fundamentally different activities requiring different skill sets. They are also subject to varying types and degrees of the biases and cognitive limitations I discussed earlier. Those biases and limitations are often a lesser concern during an initial triage, and of much more concern in investigations that require a larger amount of time to complete.

Faster and less ambiguous analysis scenarios are still subject to bias and other limitations of the human mind to some extent, but real world application tells us that there are many scenarios where a quick triage of an event to determine if more investigation is required can be done on an individual basis. This holds as long as that individual has adequate experience and is using a structured and repeatable technique. That means it is acceptable for a single human to handle the investigation of things like unstructured threats and relatively simple malware infections. After all, these things are often very clear-cut, and can usually be validated or invalidated by simply comparing network or host data to the signature which generated the alert.

On the other hand, investigations associated with structured threats, complex malware, or that are generally more initially ambiguous require a different and more lengthy approach, which is the scenario I will focus on exclusively in the next two items I will discuss. The key takeaway here is that we should treat triage and investigation as two separate but related processes.

Graduated Analysis

Although a single person can often perform triage-based analysis, this is not the case for more involved investigations. As evidence suggests, the analyst who performs the initial triage of an event is at a disadvantage when it comes to forming an accurate perception of what has really occurred once new data becomes available. Just as the subjects in the “blur test” were less successful in identifying an image when a larger amount of initial blur was present, analysts who are investigating a security event are less likely to identify the full chain of events if they start at a point where only minimal context details are available.

Because cognitive limitations prevent us from efficiently reforming our perceptions when new data becomes available, there is a case for performing hand-offs to other analysts at specific points during the investigation. In doing so, we shift the primary investigator such that the investigation gradually receives more clarity and narrows the cognition gap that may be present. When these hand-offs should occur is hard to predict since organizational structures vary. However, at baseline it is reasonable to estimate that a hand-off should occur at least after the initial triage. Beyond this, it may make sense for hand-offs to occur at points in time when there is a dramatic influx of new and relevant information, or when the scope of the investigation broadens widely.

This approach creates an interesting byproduct. If all significant investigations are handed off after triage, this essentially creates an analyst who is exclusively focused on alert triage. Considering this is its own workflow requiring a unique set of skills, this can be looked on as a benefit to a graduated approach. While a graduated approach doesn’t necessarily require a graduated skill level in analysts (such as level 1, 2, and 3 analysts), logic would suggest that this might be beneficial from a resource staffing perspective. In this model, only more skilled analysts are examining “higher tier” investigations encompassing a great deal more data. On the other hand, some might suggest that the triage analyst should be one of the more skilled analysts, as they will be defining additional data points for collection over time that will shape the course of the investigation. There does not yet exist enough data to determine which approach yields the greatest benefit.

“Realistic Time Detection” in Favor of “Real Time Detection”

The nature of traditional analysis dictates that an analyst is presented with some input data and is asked to make a rapid decision about whether or not a breach has occurred, and to what extent. I believe that the immense pressure to make a quick and final decision is not based on the needs of the situation at hand, but rather on the unrealistic expectation we have placed on the role of the analyst. It is logically unreasonable to expect to detect and ascertain all of the pertinent details of a potential compromise in any manner that resembles real time or near real time. Even if you are able to determine that malware has been installed and C2 communication is present, you still don’t know how the attacker got in, what other machines they are interacting with, the nature of the attacker (structured or unstructured), or if an attack is ongoing.

Research has shown that the average attacker spends 244 days on a network. With that large time range working against us, it is not entirely reasonable to shoot for detecting and explaining the presence of an attacker in anything resembling real time. Most individuals who have researched structured attackers or have pretended to be them will tell you that these information campaigns are focused on objectives that require quite a bit of effort to find the data that is desired and also require a long-term persistent campaign in order to continually collect data and achieve the campaign goals. Thus, detecting, containing, and extricating an attacker from your network at day 15 isn’t horribly ineffective. It isn’t as ideal, but we are dealing with circumstances that sometimes call for less than ideal solutions. Ultimately, I would rather focus on strategic “realistic time” detection and catch an adversary on day +12 rather than focus on “real time” detection and miss an adversary on day 0 due to a flawed investigative approach, only to be notified by a third party that the attacker has been in my network for quite some time on day +200.

Focusing on a slower, more methodical approach to analysis isn’t easy, and to be honest, I don’t claim to know what the whole picture looks like. I can deduce that it contains some of the following characteristics, in addition to the notions of segregated triage and graduated analysis mentioned above:

  • Case Emphasis – The investigative process should be treated not unlike a medical case. First, symptoms are evaluated. Next, data is gathered and tests are performed. Finally, observations are made over time that are driven by desired data points. These things build until a conclusion can be made, and may take quite some time. A lack of data doesn’t warrant ignoring symptoms, but rather, a deeper focus on collecting new data.
  • Analytic Technique – Analysts should be able to identify with multiple types of analytic techniques that are well suited to their strengths and weaknesses, and also to different scenarios. There has been little study into this area, but we have a lot to learn from other fields here with techniques like relation investigation and differential diagnosis.
  • Analysis as a Study of Change – While traditional investigations focus almost exclusively on attempting to correlate multiple static data points, this needs to also include a focus on changes in anticipated behavior. This involves taking a baseline followed by multiple additional measurements at later points in time, and then comparing those measurements. This is a foundational approach that is practiced frequently in many types of scientific analysis. While some may confuse this with “anomaly-based detection”, this is a different concept more closely associated with “anomaly-based analysis”. Currently, the industry has a lack of technology that supports this and other aspects of friendly intelligence collection.
  • Post-Exploitation Focus – The industry tends to focus dramatically on the initial exploitation and command and control function of an attack life cycle. We do this because it supports a real time detection model, but if we are truly to focus on realistic time detection and the study of change, we must focus on things that can more easily be measured when compared to normal behavior and communication sequences. This lends itself more towards focusing on post-exploitation activities more closely tied to attackers actions on objectives.
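The “study of change” and post-exploitation items above describe one procedure: take a baseline of a host’s behaviour, take later measurements, and compare them to surface what has changed rather than correlating static data points. The following Python is an added illustration of that procedure, not code from the original post; the observed attributes (listening ports, outbound destinations, bytes out), the sample measurements and the volume threshold are constructed assumptions.

```python
"""Baseline-and-delta comparison of one host's behaviour over time (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Measurement:
    """What was observed about one host on a given day (constructed data)."""
    day: int
    listening_ports: FrozenSet[int]
    outbound_dests: FrozenSet[str]
    bytes_out: int


@dataclass(frozen=True)
class Change:
    """Difference between a later measurement and the baseline."""
    day: int
    new_ports: FrozenSet[int]
    removed_ports: FrozenSet[int]
    new_dests: FrozenSet[str]
    removed_dests: FrozenSet[str]
    bytes_out_ratio: float  # later volume divided by baseline volume


def compare(baseline: Measurement, later: Measurement) -> Change:
    """Compute set differences and the outbound volume ratio against the baseline."""
    if baseline.bytes_out:
        ratio = round(later.bytes_out / baseline.bytes_out, 2)
    else:
        ratio = float("inf")  # any traffic from a silent baseline is a change
    return Change(
        day=later.day,
        new_ports=later.listening_ports - baseline.listening_ports,
        removed_ports=baseline.listening_ports - later.listening_ports,
        new_dests=later.outbound_dests - baseline.outbound_dests,
        removed_dests=baseline.outbound_dests - later.outbound_dests,
        bytes_out_ratio=ratio,
    )


def study_of_change(measurements: List[Measurement]) -> List[Change]:
    """The first measurement is the baseline; every later one is compared to it."""
    if not measurements:
        return []
    baseline = measurements[0]
    return [compare(baseline, m) for m in measurements[1:]]


def case_reasons(change: Change, ratio_threshold: float = 3.0) -> List[str]:
    """Reasons a change deserves a case (empty if none); the threshold is an assumption."""
    reasons = []
    if change.new_ports:
        reasons.append(f"new listening ports {sorted(change.new_ports)}")
    if change.new_dests:
        reasons.append(f"new outbound destinations {sorted(change.new_dests)}")
    if change.bytes_out_ratio >= ratio_threshold:
        reasons.append(f"outbound volume {change.bytes_out_ratio}x baseline")
    return reasons


# Constructed sample: three observations of one host, a week apart.
# Day 7 looks like the baseline; day 14 shows a new port, a new destination
# and an eightfold jump in outbound volume, the kind of post-exploitation
# change that a static, alert-driven view would not surface.
SAMPLE = [
    Measurement(0, frozenset({22, 443}), frozenset({"10.0.0.5", "203.0.113.10"}), 50_000),
    Measurement(7, frozenset({22, 443}), frozenset({"10.0.0.5", "203.0.113.10"}), 55_000),
    Measurement(14, frozenset({22, 443, 8443}),
                frozenset({"10.0.0.5", "203.0.113.10", "198.51.100.23"}), 400_000),
]

if __name__ == "__main__":
    for change in study_of_change(SAMPLE):
        reasons = case_reasons(change)
        print(f"day {change.day}: {'; '.join(reasons) if reasons else 'no meaningful change'}")
```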


The thoughts presented here are hardly conclusive, but they are founded in scientific study that I think warrants some type of change. While I’ve suggested some major shifts that I think need to take place in order to shore up some of the deficiencies in cognition, these are merely broad ideas that I’ll be the first to admit haven’t been fully thought out or tested. My hope is that this article will serve to raise more questions, as these are concepts I’ll continue to pursue in my own research of investigative techniques and cognitive psychology.


Evolving Towards an Era of Analysis

I’ve spent the majority of my career thinking about how to build a better mousetrap. More to the point, better methods to catch bad guys. This includes everything from writing simple IDS signatures, to developing detection systems for the US Department of Defense, to helping build commercial security software. In these roles I mostly focused on network security monitoring, but there are quite a few other facets of computer network defense. This includes malware reversing, incident response, web application analysis, and more. While these subspecialties are diverse and require highly disparate skill sets, they all rely on analysis.

Analysis is, more or less, the process of interpreting information in order to make a decision. For network defenders, these decisions usually revolve around whether or not something represents malicious activity, how impactful and widespread the malicious activity is, and what action should be taken to contain and remediate it. These are decisions that can literally cost companies millions of dollars, as we saw in the 2013 Target breach, or even eventually result in a loss of human life, which is something Stuxnet in 2010 could have yielded. Clearly, analysis is of incredible importance as it is a determinate phase of the decision making process. If that is the case, then why do we spend so little time thinking about analysis? Before we dive into that, let’s take a look at how we got here.

Evolutions Past

My experience is mostly grounded in network security monitoring, so while this article applies to many areas of computer network defense, I’m going to frame it through what I know. Network security monitoring can be broken into three distinct phases: collection, detection, and analysis. These take the form of something I refer to as the NSM Cycle.


Figure 1: The NSM Cycle

Collection is a function of hardware and software used to generate, organize, and store data to be used for detection and analysis. Detection is the process by which collected data is examined and alerts are generated based on observed events and data that are unexpected. This is typically accomplished through some form of signature, anomaly, or statistically based detection. Analysis occurs when a human interprets and investigates alert data to make a determination if malicious activity has occurred. Each of these processes feed into each other, with analysis feeding back into a collection strategy at the end of the cycle, which constantly repeats. This is what makes it a cycle. If that last part didn’t happen, it would simply be a linear process.

While the NSM cycle flows from collection to detection and then analysis, this is not the order in which the emphasis we as an industry have placed on these items has evolved. Looking back, the industry began its foray into what is now known as network security monitoring with a focus on detection. In this era came the rise of intrusion detection systems such as Snort, which is still in use today. Organizations began to recognize that the ability to detect the presence of intruders on their network, and to quickly respond to the intrusions, was just as important as trying to prevent the intruder from breaching the network perimeter in the first place. These organizations believed that you should attempt to collect all of the data you can so that you could perform robust detection across the network. Thus, detection went forth and prospered, for a while.


Figure 2: The Evolution of NSM Emphasis

As the size, speed, and function of computer networks grew, organizations on the leading edge began to recognize that it was no longer feasible to collect 100% of network data. Rather, effective detection relies on selectively gathering data relevant to your detection mission. This ushered in the era of collection, where organizations began to really assess the value received from ingesting certain types of data. For instance, while organizations had previously attempted to perform detection against full packet capture data for every network egress point, these same organizations began to selectively filter out traffic to and from specific protocols, ports, and services. In addition, these organizations began assessing the value of data types that come with a decreased resource requirement, such as network flow data. This all worked towards performing more efficient detection through smarter collection. This brings us up to speed on where we stand in the modern day.

Era of Analysis

While some organizations are still stuck in the detection era (or worse yet, in the ancient period with a sole focus on prevention), I believe most organizations currently exist somewhere in the collection era. In my experience, the majority of organizations are just entering that era, while more mature organizations are in a more advanced stage where they’ve really developed a strong collection strategy. That begs the question, what’s next? Welcome to the analysis era.

Graduate anthropology students at Kansas State University recently began a study surrounding the ethnography of a typical security operations center (SOC). Ethnography refers to a systematic study of people and culture from the viewpoint of the subject of the study. In this case, the people are the SOC analysts and the culture is how they interact with each other and with the various other constituents of the SOC. This study had some really unique findings, but one of the most important to me was centered on the prevalence of tacit knowledge.

Tacit knowledge, by definition, is knowledge that cannot easily be translated into words. The KSU researchers were able to quickly identify that SOC analysts, while very skilled at finding and remediating malicious activity, were very rarely able to describe exactly how they went about conducting those actions.

“The tasks performed in a CSIRT job are sophisticated but there is no manual or textbook to explain them. Even an experienced analyst may find it hard to explain exactly how he discovers connections in an investigation. The fact that new analysts get little help in training is not surprising. The profession is so nascent that the how-tos have not been fully realized even by the people who have the knowledge.”

If you’ve ever worked in a SOC then you can likely relate to this. Most formal “training” that occurs for a new analyst is focused on how to use specific tools and access specific resources. For example, this might include how to make queries in a SIEM or how to interface with an incident tracking system. When it becomes time to actually train people to perform analysis, they are often relegated to shoulder surfing while watching a more experienced analyst perform their duties.

While this “on the job training” can be valuable, it is not sufficient in and of itself. By relying solely on this technique we are not properly considering how analysis works, what analytic techniques work best, and how to educate people to those things. Ultimately, we are doing an injustice to new analysts and to the constituents that the SOC serves.

Thinking about Thinking

One of the positive things about this analysis problem is that we are by no means the first industry to face it. As a matter of fact, many professions have gone through paradigm shifts where they were forced to look inward at their own thought processes to better the profession.

In the early-to-mid 1900s, the medical field transitioned from an era where a single physician could practice all facets of medicine to an era where specialization in areas such as internal medicine, neurology, and gastroenterology was required in order to keep up with the knowledge needed to treat more advanced afflictions.

Around the same time, the military intelligence profession underwent a revamp as well. Intelligence analysts realized that policy and battlefield disasters of the past could have been avoided with better intel-based decision making, and began to identify more structured analytic techniques and to work towards their implementation. This was required in order to keep up with a changing battle space and an evolving threat.

Similar examples can be found in physics, chemistry, law, and so on. All around us, there are examples of professions that had to, as a whole, turn inwards and really think about how they think. As we enter the era of analysis, it is time that we do the same. In order to do this, I think there are a few critical things we need to begin to identify.

Developing Structured Analytic Techniques

The opposite of tacit knowledge is explicit knowledge. That is knowledge that has been articulated, codified, and stored. In order for the knowledge possessed by SOC analysts to transition from tacit to explicit we must take a hard look at the way in which analysis is performed and derive analysis techniques. An analysis technique is a structured manner in which analysis is conducted. This centers on a structured way of thinking about an investigation from the initial triage of an alert all the way to the point where a decision is made regarding malicious activity having occurred.

I’ve written about a few such techniques already that are derived from other professions. One such method is relational investigation, which is a technique taken from law enforcement. The relational method is based upon defining linear relationships between entities. If you’ve ever seen an episode of “CSI” or “NYPD Blue” where detectives stick pieces of paper to a corkboard and then connect those items with pieces of yarn, then you’ve seen an example of a relational investigation. This type of investigation relies on the relationships that exist between clues and individuals associated with the crime. A network of computers is not unlike a network of people. Everything is connected, and every action that is taken can result in another action occurring. This means that if we as analysts can identify the relationships between entities well enough, we should be able to create a web that allows us to see the full picture of what is occurring during the investigation of a potential incident.


Figure 3: Relational Investigation
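The relationship web described above, worked through in code as an added example (this is not code from the post or from Applied Network Security Monitoring). The flow, DNS and logon records, the hosts, the domain name and the user are all constructed for the illustration; it builds the corkboard from those records and walks outward from the alerted host to show every related entity and the chain of relationships that connects it.

```python
"""Relational investigation over constructed NSM records (added example)."""
from collections import defaultdict, deque

# Constructed sample records; not from any real network.
FLOWS = [  # (src host, dst host, dst port)
    ("10.0.0.5", "203.0.113.9", 443),
    ("10.0.0.5", "10.0.0.20", 445),
    ("10.0.0.20", "10.0.0.31", 3389),
]
DNS = [  # (client host, queried name, answer)
    ("10.0.0.5", "updates.example.net", "203.0.113.9"),
]
AUTH = [  # (user, host the user logged on to)
    ("alice", "10.0.0.5"),
    ("alice", "10.0.0.20"),
]


def build_graph():
    """Return adjacency map: entity -> list of (relationship, other entity)."""
    g = defaultdict(list)

    def link(a, rel, b):
        g[a].append((rel, b))
        g[b].append((rel, a))  # a piece of yarn can be followed either way

    for src, dst, port in FLOWS:
        link(src, f"connected tcp/{port}", dst)
    for client, name, answer in DNS:
        link(client, "resolved", name)
        link(name, "resolves to", answer)
    for user, host in AUTH:
        link(user, "logged on to", host)
    return g


def related_entities(graph, start, max_hops=2):
    """Breadth-first walk from `start`; returns {entity: path of (rel, entity)}."""
    paths = {start: []}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for rel, nxt in graph[node]:
            if nxt not in paths:  # first path found is the shortest one
                paths[nxt] = paths[node] + [(rel, nxt)]
                queue.append((nxt, depth + 1))
    return paths


if __name__ == "__main__":
    web = related_entities(build_graph(), "10.0.0.5")
    for entity, path in sorted(web.items()):
        print(entity, " <- ".join(f"{r} {e}" for r, e in path) or "(alert entity)")
```

Raising `max_hops` widens the web; the two-hop walk here is what surfaces the RDP session from the second host, which a one-hop view of the alerted host alone would miss.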

Another technique is borrowed from the medical profession, and is called differential diagnosis. If you’ve ever seen an episode of “House” then chances are you’ve seen this process in action. The group of doctors will be presented with a set of symptoms and they will create a list of potential diagnoses on a whiteboard. The remainder of the show is spent doing research and performing various tests to eliminate each of these potential conclusions until only one is left. Although the methods used in the show are often a bit unconventional, they still fit the bill of the differential diagnosis process.

The goal of an analyst is to digest the alerts generated by various detection mechanisms and investigate multiple data sources to perform relevant tests and research to see if a network security breach has happened. This is very similar to the goal of a physician, which is to digest the symptoms a patient presents with, investigate multiple data sources, and perform relevant tests and research to see if their findings represent a breach in the person’s immune system. Both practitioners share a similar goal of connecting the dots to find out if something bad has happened and/or is still happening.


Figure 4: Differential Diagnosis

I think that as we enter the era of analysis it will be crucial to continue to develop new analytic techniques, and for analysts to determine which techniques fit their strengths and are most appropriate in different scenarios.

Recognizing and Defeating Cognitive Biases

Even if we develop structured analytic techniques, we still have to deal with the human element in the analysis process. Unfortunately, humans are fallible due to the nature of the human mindset. A mindset is, more or less, how someone approaches something or his or her attitude towards it. A mindset is neither a good thing nor a bad thing. It’s just a thing that we all have to deal with. It’s a thing we all have that is shaped by our past, our upbringing, our friends, our family, our economic status, our geographic location, and many other factors that may or may not be within our control.

When dealing with our mindset, we have to consider the difference between perception and reality. Reality is grounded in a situation that truly exists, and perception is based on our own interpretation of a situation. Often times, especially in analysis, a gap exists between perception and reality. The ability to move from perception to reality is a function of cognition, and cognition is subject to bias.

Cognitive bias is a pattern or deviation in judgment that results in analysts drawing inferences or conclusions in a manner that isn’t entirely logical. Whereas a concrete reality exists, an analyst may never discover it due to a flawed cognition process based on his or her own flawed subjective perception. Those are a lot of fancy psychology words, but the bottom line is that humans are flawed, and we have to recognize those flaws in our thought process in order to perform better analysis. In regards to cognitive bias, I believe this is accomplished through identifying the assumptions made during analysis, and conducting strategic questioning exercises with other analysts in order to identify biases that may have affected the analysis.

One manner in which to conduct this type of strategic questioning is through “Incident Morbidity and Mortality.” The concept of an M&M conference comes from the medical field, and is used by practitioners to discuss the analytic and diagnostic process that occurred during a case in which there was a bad outcome for the patient. This can be applied to security analysis in the same manner, but doesn’t necessarily have to be associated with an investigation where a discrete failure occurred. This gives analysts an opportunity to present their findings and be positively and constructively questioned by their peers in order to identify and overcome biases.

The flawed nature of human thinking will ensure that we never overcome bias, but we can minimize its negative impact through some of the techniques mentioned here. As we enter the era of analysis, I think it will become crucial for analysts to begin looking inward at their own mindset so that they can identify how they might be biased in an investigation.


As an industry we have been pretty successful at automating many things, but analysis is something that will never be fully automated because it is dependent upon humans to provide the critical thinking that can’t be replicated by programming logic. While there is no computer that can match the power of the human brain, it is not without flaw. As we inevitably enter the era of analysis, we have to refine our processes and techniques and convert tacit knowledge into explicit knowledge so that the complex problems we will continue to face can be solved in a faster and more efficient manner. Ultimately, the collection and detection eras are something that we own, but it is entirely likely that a lot of the analysis era will be owned by our children, so the groundwork we lay now will have a dramatic impact on the shape of network security analysis moving forward.

I talk in much more detail about several of the things discussed here in Applied Network Security Monitoring, but I also have several blog posts and a recent presentation video on these topics as well: