Profile picture
CYINT_dude
@CYINT_dude
, 14 tweets, 4 min read Read on Twitter
#threatintel thread! The other week, I rendered a high confidence assessment related to malicious activity that I judged was targeting my organization's customers with intent to gain access to our proprietary content. Turns out I was TOTALLY WRONG (1/x)
The activity I THOUGHT was malicious was actually benign and completely expected. Reflecting on the analysis, I realized I fell victim to CONFIRMATION BIAS and FAULTY ASSUMPTIONS. I thought I was immune to these #threatintel phenomena, but I'm not (2/x)
First, I didn't fully understand what I was looking at: what normal customer-to-org interactions look like (authentication). This led to FAULTY ASSUMPTIONS about the nature of the activity I was examining. Boy did it look phishy! There was no way it was legitimate! (3/x)
The activity also looked highly consistent with known bad activity we previously looked at and which, without a doubt, demonstrated intent to harm us and our customers. This is where the CONFIRMATION BIAS crept it. There was no alternative, it had to be this known threat! (4/x)
By this point, we had initiated action and engaged the business to share our findings and devise a plan to reduce the risk. After that, my colleague and I poked around the data we rounded up - and that's when the sinking feeling hit. Uh oh - could this actually be NOT BAD? (5/x)
My whole view of the activity and data we were looking at shifted. We did more research and learned that the activity that seemed super phishy was in fact totally normal (if not somewhat weird and un-security-hygienic). (6/x)
The next day I told my team and reversed my judgement, effectively nuking a days+ worth of analysis. I was WRONG! I felt silly and somewhat bummed out. But after reflecting more, I realized it was OKAY (7/x)
In #threatintel, we are in the business of ANALYSIS. We have to make judgements, usually with serious information gaps and incomplete knowledge. I went back and read the insights from CIA's "15 Axioms for Intelligence Analysts" for consolation (8/x) > cia.gov/library/center…
One principal that resonated with me: don't fear being wrong. If you are right all of the time, then as #threatintel analysts, we probably aren't doing our jobs. (9/x)
Another great principal: new facts WILL change your assessment. Own the analysis and admit you were wrong. (10/x)
My team and I discussed this outcome. What can we do differently in our #threatintel process to prevent CONFIRMATION BIAS and FAULTY ASSUMPTIONS from creeping in again? Or at least, how can we catch them when they do creep in? (11/x)
First, if possible, get another analyst who is unfamiliar with the topic/problem/threat to examine and probe the analysis. Find someone to be the contrarian who will ask questions, ask how and why you reached your conclusions, and to present fresh alternatives (12/x)
And second, CHECK ASSUMPTIONS. Why do you think X is the way it is? What thinking underlies that? (13/x)
All told, this was a great #threatintel learning experience. I'm no longer a junior analyst but I'm no less susceptible to analytical pitfalls like CONFIRMATION BIAS and BAD ASSUMPTIONS. It's really interesting to feel like you are TOTALLY RIGHT. And then suddenly, you're not.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to CYINT_dude
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#threatintel

More from @CYINT_dude see all

Profile picture
CYINT_dude
@CYINT_dude
I’m a proponent of writing things down. As #threatintel analysts, a big part of our job is recognizing patterns and making connections. But sometimes, we don’t see the connections. Our brains can’t recall as much information as we think they can (1/x).
This is why it’s imperative to document and memorialize your knowledge. Use your IOC database, your commercial TIP, OneNote, Excel, Wiki, IR ticketing system, whatever you have to capture artifacts, IOC, notes (2/x).
Tag your data (hopefully you have a consistent tagging scheme); organize it; capture enrichment data and attributes that may allow for future correlation. Does this take extra time? Is it annoying sometimes in the face of an active campaign or IR operations? You bet (3/x).
Read 9 tweets
Profile picture
CYINT_dude
@CYINT_dude
#threatintel thread! For the past couple of weeks I've focused on #threatintel REQUIREMENTS. As a consultant working with clients to develop their programs, I focused on this a lot--requirements are important. As a full-time analyst, it's much harder: because OPS!
But, really honing-in on the requirements--the specific questions that customers have, the topics they are interested in, how they can best consume information--has been a valuable investment. Here's what I've learned or re-discovered...
For each requirement (or set of requirements), there is information you need to answer the question and a process to follow to fulfill the requirement. Sometimes you'll have the information you need; sometimes you won't which means that you have to go get it (collection).
Read 16 tweets

Related threads

Profile picture
David Mullings
@davidmullings
A #thread about what has and has not worked for me since launching my first startup in Feb 2002 with my brother, striking some big deals, raising capital, losing money and rebuilding.

I hope you find it thought-provoking
We built some hype around @realvibez with our branded car, sponsoring events like Stages, ATI, Blink and Reggae Sumfest but we also knew that we had to be authentic - the website actually had to have the content on it
We did not want sugar-coated B.S. interviews so we focused on cold, hard truths when I asked questions.

Hence why I asked Collie Buddz about racism in this interview -
Read 61 tweets
Profile picture
Awe Onisokuso
@sarnchos
Africa's largest livestock producers listed in order of magnitude.

1. Ethiopia - 54 million cattle
2. Sudan - 42m
3. Tanzania - 24.5m
4. Nigeria - 20m

The advantages of extensive grazing grounds in the top 3 are obvious.

#THREAD
Nigeria can easily top the group and attain Africa's leadership position in livestock production IF it can get ITS LIVESTOCK FEED INDUSTRY right.

*Institutionalisation of ranching *Kickstarting a proper feed industry
*More training of livestock farmers

How do we achieve this?
Farmers (including herders and other livestock producers should be encouraged to form local associations that will help them gain access to training, pool funds to invest in equipment and also access loans from development institutions, Agric banks, and even foreign NGOs.
Read 13 tweets
Profile picture
AeroDynamic Women
@AeroWomen
#Thread of responses from women in aerodynamics to the question, 'what would you like to see in order for women's career progression in your field to be sustained and better supported?'

Responses incl. career flexibility, mentoring and more women in leadership roles #WomeninSTEM
1. "I think young female engineers need to see more female role models and mentors in my field. Having a visible example of someone that looks like you and is succeeding in their field is important. Having an opportunity to meet with a mentor like that can be very powerful."
2. "I would like to see that any career promotion is based on own merits and value added to the company or the society independently of the gender. I want that women are measured with the same rules as men and are given equal opportunities."
Read 68 tweets
Profile picture
#MeTooIndia
@IndiaMeToo
#Thread #JNU #MeToo: ICC just made sure no woman will ever find the courage to report a sexual violation to them. They said the complaint "was frivolous" and hence not proven conclusively. The story doesn't clarify whether "malicious intent" was proven. indianexpress.com/article/india/…
#JNU #sexualharassment #MeToo: In that case, here's what the POSH Act states. Malicious intent has not been proven. And the mere inability to prove the case doe NOT merit punishment as harsh as being recommended by JNU ICC.
So what are the punishment suggested? For starters she's being treated like a common criminal. Please remember this is a student we are talking about.
Read 7 tweets
Profile picture
Ali Khan
@coffeeandcrm
#Thread on new features and updates announced in release notes of #MSDyn365 Oct'18: docs.microsoft.com/en-au/business…. This is an excellent longread. Thread is just #TLDR for #CE specific/related features

#PowerApps #CDS #Flow #USD #Sales #FieldService #USD #Portals #AzureML
Starting with #MSDyn365 #Sales updates:
1. Playbooks: Think of it as Barney Stinson's playbook. Basically set of "automated repeatable sales activities" that help in winning opportunities. Looks like it'll be a set of activities which could be assigned to users
2. #MSDyn365 #Sales will feature deeper integration with LinkedIn, including capability to send InMail and adding LinkedIn related step in Business Process Flows

3. Out of the box @MicrosoftTeams integration
Read 31 tweets
Profile picture
The Chris Mosier
@TheChrisMosier
This is America for LGBTQ people in Mississippi: the law singles out three religious beliefs for special protection: that marriage means 1 man & 1 woman, that sexual relations should only happen inside such a marriage, & that gender is “immutable” & corresponds to sex at birth.
In MS, a person, an organization, or a corporation may refuse to serve a same-sex couple marriage celebration at your for-profit hotel or restaurant, refuse lodging at your hotel, or refuse to provide any marriage-related services if you hold one of those beliefs. 2/
In MS, "marriage-related services" relate to “photography, poetry, videography, DJ services, wedding planning, printing, publishing or similar marriage-related goods or services" 3/
Read 16 tweets

Trending hashtags

#01IndonesiaMaju #Fil #Sonnfjord #StopLeavingNeverlandNOW #Sivakumar #Jayalalithaa #Mai2018 #MJInnocent #Hinduness #Internet #Technology #DigitalPatriots #Bonus #AmeliaCobburn #AAIHS #ScienceFacts #SuburbanErasure #ApolloHospital #MSM #PhDLife #concertphotography #JokowiLagi #TrumpRussia #MJ #CitiesImagined
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!