The information security industry and the vendors that support it have placed emphasis on the tools we use to investigate security breaches. However, we rarely win or lose battles in the trenches because of the tools we buy. Instead, our result is typically determined by the tools we are born with and nurture over time. While machines are ideal for collecting data and finding anomalies, there is no tool better for connecting the dots than the human mind. Of course, the human mind is not without its own limitations and challenges we must overcome. This presentation discusses metacognition and how it applies to the investigative process.

1. Building a Better Analyst
Using Cognitive Psychology
Chris Sanders
Bsides Augusta 2015

2. Chris Sanders
• Christian
• Southerner
• PhD Researcher
• FireEye
• GSE
• BBQ Pit Master

3. **Disclaimer**
I’m going to talk about matters of the brain, not
just the normal tech stuff.
My research for this presentation involved
consultation with psychologists.
I, however, am not one….yet.

4. Outline
Objectives:
 Metacognition
 Perception
 Intuition
 Working Memory
“How metacognitive awareness can help you make
better technical decisions during security
investigations.“

5. Metacognition
• Thinking about thinking
• Research shows a relationship between
metacognitive awareness and cognitive
performance.
• Two Components:
– Knowledge of cognition (understand it)
– Regulation of cognition (apply it)

6. The Investigation
• Investigations are an attempt to determine
the ground truth of what really happened.
– Is there a bad guy?
– What did they do?
• Investigations introduce cognitive challenges

7. Perception, Reality, and Bias

8. Perception vs. Reality
• Perception:
– “A way of regarding, understanding, or
interpreting something.”
• Reality:
– “The state of things as they actually exist.”

9. Our investigative path depends on mindset and biases

10. Mindsets and Blur
• Mindsets frame how
we see the world
• Quick to form and
resistant to change
• The initial picture we
see forms our first
mindset impression
• Biases applied here
carry forward

11. Diminishing Initial Blur
• Provide relevant information up front
• Real-istic time alerting
• Formalization of triage function
– Put your expertise here
– Gather info, make recommendations, pass on
– Smaller orgs can use partner analysis

12. Inattentional Blindness (IB)
• Attention – Focusing on something
– Overt or covert
– Attention is a limited resource
– Many things fight for analyst attention
• It is very easy to miss things right in front of us

14. Diminishing IB
• Experienced analyst are usually less suceptible
• Mastery of your environment
– Mise en place
• Controlling attention
– Limit extraneous info
– Direct focus
– Gaze tracking

15. Intuition and Memory

16. It’s a Hard SOC Life
• Investigative knowledge is tacit
– Senior analysts can’t explain their success
– Junior analysts can’t effectively learn
• Knowledge transfer is limited
– “Watch and learn”
Analysts rely on intuition!

17. Intuition
• in·tu·i·tion (noun)
– The ability to understand something immediately,
without the need for conscious reasoning.
• Previously not well understood, often dismissed
“It is an illusion to expect
anything from intuition.”
– Sigmund Freud

18. A Biological Basis for Intuition
Precuneus
2.1x Larger Response
TED Talk: The Rise of Augmented Intelligence: https://www.youtube.com/watch?v=mKZCa_ejbfg

19. Modeling Memory

20. Using the Visuo-Spatial Sketchpad (VSP)
• A primary component of working memory
• Allows for visual manipulation of objects
• Studies show that “intuition” is directly tied to
use of VSSP (via the precuneus)

21. Related VSSP Usage
“If you look deep enough you will see music” – Thomas Carlyle

22. Visually Investigating
• Draw a picture!
– It’s what your brain is doing anyway
– Whiteboards everywhere
• Visualize Data Appropriately
– Don’t use viz for the sake of viz (geo maps )
– Incident timelines
– Link graphs
– Identify relationships (nouns/verbs)

23. Thinking Visually - Breakfast

24. Thinking Visually - Breach

25. WM Capacity Limitations
• The capacity of WM is biologically limited
• WM capacity is set from birth
– Humans can remember 7 items, + or - 2.
– Complexity of items matters
Hard to Remember Easy to Remember
248.232.122.193 6.5.4.3
sub29203.domain3789.com sub.domain.com
domain.com/me/?id=29381913 domain.com/path/url.htm
a39e3d50ba4aeb134d95ae7aa4
d6c578
system32.dll

26. Diminishing WM Capacity Limitations
• Source Monitoring
– Which IP was $suspicious_activity associated with?
– Was this file downloaded by $dropper or $attacker?
– Which case was $domain
• Chunking
– Grouping similar information
– Mapping to an existing schema

27. Schemas
Picture These Items
Stapler
Buffalo
Book
Foot
Flag
Eggs
Bacon
Grits
Sausage
Coffee
Unrelated to
Schema
Related to
Breakfast Schema

28. Conclusion
• The biggest hurdle to overcome when
investigating security incidents is our own
cognitive limitations
• Metacognition can diminish these limitations

29. Thank You!
E-Mail: chris@chrissanders.org
Twitter: @chrissanders88
Blog: http://www.chrissanders.org
Foundation: http://www.ruraltechfund.org