Thread by CYINT_dude, 14 tweets, 4 min read
#threatintel thread! The other week, I rendered a high confidence assessment related to malicious activity that I judged was targeting my organization's customers with intent to gain access to our proprietary content. Turns out I was TOTALLY WRONG (1/x)
The activity I THOUGHT was malicious was actually benign and completely expected. Reflecting on the analysis, I realized I fell victim to CONFIRMATION BIAS and FAULTY ASSUMPTIONS. I thought I was immune to these #threatintel phenomena, but I'm not (2/x)
First, I didn't fully understand what I was looking at: what normal customer-to-org interactions look like (authentication). This led to FAULTY ASSUMPTIONS about the nature of the activity I was examining. Boy did it look phishy! There was no way it was legitimate! (3/x)
The activity also looked highly consistent with known bad activity we previously looked at and which, without a doubt, demonstrated intent to harm us and our customers. This is where the CONFIRMATION BIAS crept in. There was no alternative, it had to be this known threat! (4/x)
By this point, we had initiated action and engaged the business to share our findings and devise a plan to reduce the risk. After that, my colleague and I poked around the data we rounded up - and that's when the sinking feeling hit. Uh oh - could this actually be NOT BAD? (5/x)
My whole view of the activity and data we were looking at shifted. We did more research and learned that the activity that seemed super phishy was in fact totally normal (if not somewhat weird and un-security-hygienic). (6/x)
The next day I told my team and reversed my judgement, effectively nuking a day-plus worth of analysis. I was WRONG! I felt silly and somewhat bummed out. But after reflecting more, I realized it was OKAY (7/x)
In #threatintel, we are in the business of ANALYSIS. We have to make judgements, usually with serious information gaps and incomplete knowledge. I went back and read the insights from CIA's "15 Axioms for Intelligence Analysts" for consolation (8/x) > cia.gov/library/center…
One principle that resonated with me: don't fear being wrong. If you are right all of the time, then as #threatintel analysts, we probably aren't doing our jobs. (9/x)
Another great principle: new facts WILL change your assessment. Own the analysis and admit you were wrong. (10/x)
My team and I discussed this outcome. What can we do differently in our #threatintel process to prevent CONFIRMATION BIAS and FAULTY ASSUMPTIONS from creeping in again? Or at least, how can we catch them when they do creep in? (11/x)
First, if possible, get another analyst who is unfamiliar with the topic/problem/threat to examine and probe the analysis. Find someone to be the contrarian who will ask questions, ask how and why you reached your conclusions, and to present fresh alternatives (12/x)
And second, CHECK ASSUMPTIONS. Why do you think X is the way it is? What thinking underlies that? (13/x)
All told, this was a great #threatintel learning experience. I'm no longer a junior analyst but I'm no less susceptible to analytical pitfalls like CONFIRMATION BIAS and BAD ASSUMPTIONS. It's really interesting to feel like you are TOTALLY RIGHT. And then suddenly, you're not.