The information security industry and the vendors that support it have placed emphasis on the tools we use to investigate security breaches. However, we rarely win or lose battles in the trenches because of the tools we buy. Instead, our result is typically determined by the tools we are born with and nurture over time. While machines are ideal for collecting data and finding anomalies, there is no tool better for connecting the dots than the human mind. Of course, the human mind is not without its own limitations and challenges we must overcome. This presentation discusses metacognition and how it applies to the investigative process.
3. Disclaimer
I’m going to talk about matters of the brain, not just the normal tech stuff.
My research for this presentation involved consultation with psychologists.
I, however, am not one... yet.
5. Metacognition
• Thinking about thinking
• Research shows a relationship between metacognitive awareness and cognitive performance.
• Two Components:
– Knowledge of cognition (understand it)
– Regulation of cognition (apply it)
6. The Investigation
• Investigations are an attempt to determine the ground truth of what really happened.
– Is there a bad guy?
– What did they do?
• Investigations introduce cognitive challenges
8. Perception vs. Reality
• Perception:
– “A way of regarding, understanding, or interpreting something.”
• Reality:
– “The state of things as they actually exist.”
10. Mindsets and Blur
• Mindsets frame how we see the world
• Quick to form and resistant to change
• The initial picture we see forms our first mindset impression
• Biases applied here carry forward
11. Diminishing Initial Blur
• Provide relevant information up front
• Real-istic time alerting
• Formalization of triage function
– Put your expertise here
– Gather info, make recommendations, pass on
– Smaller orgs can use partner analysis
12. Inattentional Blindness (IB)
• Attention – Focusing on something
– Overt or covert
– Attention is a limited resource
– Many things fight for analyst attention
• It is very easy to miss things right in front of us
14. Diminishing IB
• Experienced analysts are usually less susceptible
• Mastery of your environment
– Mise en place
• Controlling attention
– Limit extraneous info
– Direct focus
– Gaze tracking
16. It’s a Hard SOC Life
• Investigative knowledge is tacit
– Senior analysts can’t explain their success
– Junior analysts can’t effectively learn
• Knowledge transfer is limited
– “Watch and learn”
Analysts rely on intuition!
17. Intuition
• in·tu·i·tion (noun)
– The ability to understand something immediately, without the need for conscious reasoning.
• Previously not well understood, often dismissed
“It is an illusion to expect anything from intuition.” – Sigmund Freud
18. A Biological Basis for Intuition
• Precuneus: 2.1x larger response
TED Talk: The Rise of Augmented Intelligence: https://www.youtube.com/watch?v=mKZCa_ejbfg
20. Using the Visuo-Spatial Sketchpad (VSSP)
• A primary component of working memory
• Allows for visual manipulation of objects
• Studies show that “intuition” is directly tied to use of the VSSP (via the precuneus)
22. Visually Investigating
• Draw a picture!
– It’s what your brain is doing anyway
– Whiteboards everywhere
• Visualize Data Appropriately
– Don’t use viz for the sake of viz (geo maps)
– Incident timelines
– Link graphs
– Identify relationships (nouns/verbs)
25. WM Capacity Limitations
• The capacity of WM is biologically limited
• WM capacity is set from birth
– Humans can remember 7 items, + or - 2.
– Complexity of items matters
Hard to Remember                    Easy to Remember
248.232.122.193                     6.5.4.3
sub29203.domain3789.com             sub.domain.com
domain.com/me/?id=29381913          domain.com/path/url.htm
a39e3d50ba4aeb134d95ae7aa4d6c578    system32.dll
26. Diminishing WM Capacity Limitations
• Source Monitoring
– Which IP was $suspicious_activity associated with?
– Was this file downloaded by $dropper or $attacker?
– Which case was $domain
• Chunking
– Grouping similar information
– Mapping to an existing schema
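An added example, not from the presentation, that applies the chunking and source-monitoring ideas above together with the link-graph and timeline advice from the Visually Investigating slide to a few constructed analyst notes: every fact is tagged with the log it came from, every noun is mapped onto a small indicator schema, and the facts are reshaped into a link graph and a timeline. The fact tuples, log names and schema patterns are constructed for illustration and are not real indicators.

```python
import re
from collections import defaultdict

# Constructed sample facts, written the way an analyst jots them down while
# reading logs: (source, actor, verb, target, time). Not real IoCs.
FACTS = [
    ("proxy.log", "host-17", "resolved", "sub29203.domain3789.com", "09:01"),
    ("proxy.log", "host-17", "downloaded", "a39e3d50ba4aeb134d95ae7aa4d6c578", "09:02"),
    ("edr.json", "a39e3d50ba4aeb134d95ae7aa4d6c578", "wrote", "system32.dll", "09:03"),
    ("fw.log", "host-17", "connected", "248.232.122.193", "09:05"),
    ("fw.log", "host-22", "connected", "248.232.122.193", "09:40"),
]

# Schema used for chunking: each noun is mapped onto a familiar category so the
# analyst holds "one IP, one hash" in working memory instead of raw strings.
# Order matters: "file" is checked before "domain" because both contain dots.
SCHEMA = [
    ("ip", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("hash", re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")),
    ("file", re.compile(r"^[\w-]+\.(dll|exe|dat)$")),
    ("domain", re.compile(r"^[\w-]+(\.[\w-]+)+$")),
]

def classify(noun):
    """Map a noun onto the schema; anything unmatched is treated as a host."""
    for name, pattern in SCHEMA:
        if pattern.match(noun):
            return name
    return "host"

def chunk(facts):
    """Chunking: group every noun in the notes by schema category."""
    groups = defaultdict(set)
    for _, actor, _, target, _ in facts:
        for noun in (actor, target):
            groups[classify(noun)].add(noun)
    return {name: sorted(nouns) for name, nouns in groups.items()}

def link_graph(facts):
    """Nouns and verbs as edges: actor -> [(verb, target)], ready to draw."""
    edges = defaultdict(list)
    for _, actor, verb, target, _ in facts:
        edges[actor].append((verb, target))
    return dict(edges)

def sources_for(facts, noun):
    """Source monitoring: which log(s) did this noun actually come from?"""
    return sorted({src for src, actor, _, target, _ in facts if noun in (actor, target)})

def timeline(facts):
    """Incident timeline: the same facts ordered by observation time."""
    return sorted(facts, key=lambda fact: fact[4])
```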
28. Conclusion
• The biggest hurdle to overcome when investigating security incidents is our own cognitive limitations
• Metacognition can diminish these limitations