Profile picture
, 10 tweets, 2 min read
My Authors
Read all threads
One of the most common questions analysts ask me -- what do I do when I get stuck in an investigation? This happens to everyone, especially when you're inexperienced. Let's talk about that... 1/
First of all, how do you know when you're stuck? You can usually tell when you start:
- Looking at the same data over and over
- Wading through data aimlessly
- Become more easily distracted by other things
These things all lead to various forms of anxiety or doubt. Not fun. 2/
I teach 5 primary strategies for dealing with being stuck in Investigation Theory.

First, draw our your timeline. The timeline is at the heart of investigative findings. By writing it out, you can more easily spot gaps to focus your questioning. 3/
Next, leverage divergent and convergent thought. Make a list every investigative question you could ask in your situation, then pick the best one from the list and work through them all until no questions are left.

Learn more about C/D thinking here: chrissanders.org/2019/10/creati…

4/
After that, map out the data you've collected so far and compare it to your available data sources. What other data sources can you plug your data into? Perform those searches and see what you find. This is more exploratory, but that's the way this process trends eventually. 5/
If you're still stuck, focus on common areas of interest for the hosts you're dealing with.

Things like program executions, autoruns, downloaded files, user account modifications, etc. Places where you're most likely to find other anomalies. 6/
Finally, if all else fails, get some separation from the situation. Take a walk, go to lunch, or even better... sleep. Behold the power of neural optimization. This is the most underrated strategy and the simplest. 7/
If you're still nowhere, then it may be time to move on. Consider turning up some logging or setting additional alerts to follow up on the affected host later if you're still suspicious. 8/
Those are broad strokes -- I teach these strategies and their underlying concepts in my Investigation Theory class. The next online session starts in May, but I also teach it on site (min 12 folks).

networkdefense.co/courses/invest…

9/
Getting stuck is common -- it happens to everyone at some point and still happens sometimes to experienced analysts. It sucks, but there are strategies to overcome it that are incredibly effective. Once you understand how you think, you can regulate it. You're in control!

10/10
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Chris Sanders

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @chrissanders88 see all

Profile picture
Chris Sanders
@chrissanders88
I had a good question in my talk last night "What works better, having dedicated threat hunters or splitting that responsibility with existing analysts?"

Here are some thoughts I shared... 1/
I'll start by saying that I've seen it work well both ways, and it often depends mostly on the individuals and management. Anyone who tells you there is only one good way to structure that function probably hasn't been exposed to enough of it.

That said... 2/
If I'm running the SOC, all analysts have at least one more task beyond just reviewing alerts -- malware reversing, sig dev, intel, threat hunting, etc. That's critical for cognitive task diversity and also does amazing things for retention. 3/
Read 7 tweets
Profile picture
Chris Sanders
@chrissanders88
Here's the truth -- most of the underperforming analysts I see have the potential to do well, but they are limited by their managers or lack of support from their organization. 1/
Here are the top 5 manager/org factors I see holding analysts back:
- Lack of critical data sources
- No culture of learning
- Poor relationships with IT teams
- Misaligned manager/analyst priorities
- Too much managerial capitulation to strong personalities
2/
The unfortunate part about these things is most managers know and acknowledge them. They just pass the buck and make excuses. It's a lack of ownership and everyone suffers. But, here's the thing... 3/
Read 10 tweets
Profile picture
Chris Sanders
@chrissanders88
So much of what distinguishes good analysts boils down to doing the work and avoiding familiar data bias. Let me tell you about a tangible way I see this manifest. 1/
Let's say you get an alert that some malware might be on a system. There are a lot of ways to investigate, but at some point that becomes informed by the characteristics of the malware itself. 2/
You've detected one characteristic, now you need to confirm more to see if this is a false positive. Or ideally you can disprove it really quickly by the absence of some characteristics. Either way that means RESEARCH. 3/
Read 10 tweets

Related threads

Profile picture
Patrick Mills
@Patty_Mills
Small business, big impact. 
⠀⠀
"How can I help?" is one of the most common questions people ask me when talking about the Australia fires.
⠀⠀
A simple answer is : Shop local. 

The bush fires have severely affected tourism in smaller cities of Australia.
The best thing you can do to help these communities is visit them, stay in local hotels, eat at family-owned restaurants and shop local stores. Today we stumbled upon Martin's Orchard on the side of the road as we were driving up the coast.
Two lovely women were standing inside a little roadside shed selling what they had left of nectarines for the season.
So we kindly asked if we could purchase everything they had and loaded two tray beds of fresh, tasty nectarines. After some very heartfelt hugs, we kept it moving
Read 4 tweets
Profile picture
Nicole Bedera
@NBedera
As a researcher who studies college sexual assault, one of the most common questions I'm asked is, "My daughter is starting college soon and I'm so concerned about campus sexual violence. What do I do as a parent?" Here's my answer:
The reality is that nothing you or your daughter can do will guarantee that she won't experience violence in college. Victims don't "cause" rape, which means they can't necessarily prevent it either.
The very best thing you can do is develop an open and non-judgmental relationship with your daughter around issues of sex and her personal autonomy. Those are the best predictors that survivors will talk to their parents following an assault.
Read 22 tweets
Profile picture
#CareerCoach 🇿🇦🇿🇼
@MsPhiona
One of the most common questions I get asked is how to negotiate your salary during the recruitment process. Here is a thread of all the threads I have done on this topic.

#SalaryNegotiation #PhionaCareerCoach
What to say when recruiters and potential employers ask about your current salary and you want to avoid disclosing your current pay.
Some salary negotiating tips
Read 9 tweets
Profile picture
Ben Wilbrink
@benwilbrink
Logic and the achievement test item, what about them?

Logic is demanding discipline. Medieval scholars were excellent logicians, rumor has it. Yet there is a lot of logic in everyday reasoning also, not rigorous at all. Expect pseudo-logic to play havoc with test items.
Logic is not the same as reasoning. Logic is a formal discipline, not touching on the real world.
- All animals can fly.
- I am an animal.
- Therefore I can fly.
In logic it is possible to posit a false premise, ‘all animals fly’, and yet have a perfectly valid syllogism.
Test items implicitly of explicitly asking the student to assume a certain state of affairs to be true are ambiguous: how is the student to know she has to reason according to the rules of logic, or not?

In principle, all context questions in math are of this type!
Read 38 tweets
Profile picture
Namu Jooniverse🌲🌱🍃
@Salionysus
BTS Mystersy au : 'THE SAVIOUR'
Characters:
RM > Moon Jin> Seoki
SG > August Jh> Hope
JM> Jim Tae> V
JK > Jay
I need my characters to talk n behave in a specific way so keep in mind this is fictional. It doesn't portray the real behaviour of members.
The story will have 7-8 choices which will majorly affect the storyline. No matter how funny or simple it looks, please think twice before you choose as your choice can save a life.
I have the storyline, but it may take a while to update the chapters.
Prologue: 'This is his 3rd victim so far'said a male voice.
'Has there been a connection?' Another answered.
'The same one as before' the first man says.
'Do we have a murder weapon?'
'He always uses a different one.'
The two officers converse over the dead body of a young boy
Read 214 tweets
Profile picture
Asad
@AmazonFBAGuy
One of the most common questions from new sellers on Amazon

"How do I get to the first page really fast?"

A short thread on this...
1 - You don't.

The days of massive giveaways and flooded reviews are gone. You can't incentivize, cheat or play the system the way we used to.

if you do that now, you risk a lifetime ban.

Amazon became Amazon through customer trust, they shut down anything that risks this.
2 - Amazon is smarter than you

You can't game the system. You can't beat A9. You can't boost yourself artificially and hold a top rank.

The system is made to reward top quality products and sellers.

You wanna win? Be a top performer.
Read 12 tweets

Trending hashtags

#Benghazi #gunviolence #PhionaCareerCoach #QuestionforMatt #Espionage #investigation #nothingtoseehere #YangGang #Questions #indictments #RussiaHoax #DomesticViolence #Yang2020 #AcademicTwitter #wikileaks #docs4gunsense #RETWEET #nonpartisanmyass #scandal #Brennan #itpaystoplay #healthcare #YOW19 #sharewiththem #LOCKHERUP
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!