Over and over again, I observe that highly skilled analysts do something that might seem counter intuitive, but is key to their success.
They constantly review the facts -- what they know. That's the current timeline and the relationships they've uncovered.
They constantly review the facts -- what they know. That's the current timeline and the relationships they've uncovered.
Inexperienced analysts resist this sometimes because it feels like it takes up a lot of time. But it's worth the time. This is where analysts discover timeline gaps, identify new investigative questions, and prioritize their next move.
As you might imagine, revisiting the facts depends highly on documenting what you know when you come to know it. That's a habit that gets formed over time but can form faster if you understand the value and are deliberate about it.
Anecdotally, different specialties form this documentation habit better than others. For example, IR consultants get here quicker because there is usually a greater burden of continual reporting to the client. You see less of that in a lot of SOCs.
So, in practice, the nature of the reporting structure often defines how analysts document things during the investigation.
In reality, the documenting feeds the review which makes the analysts better and more efficient. Every analyst needs to understand and embrace this.
In reality, the documenting feeds the review which makes the analysts better and more efficient. Every analyst needs to understand and embrace this.
Tactically, every analyst gets better when they make a habit of reviewing the facts periodically. Not just when you're stuck... but also after integrating new findings and completing investigative questioning chains.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
