visi stark Profile picture
Mar 26, 2021 7 tweets 2 min read Read on X
A quick thread on observer bias…
In 2011, I was fortunate to be a part of @Mandiant, when the threat intelligence team was just beginning to coalesce. Back then, threat activity came in 3 flavors: APT, FIN, and everything else, and it was a problem...
I created the UNC concept specifically to thwart a form of Observer Bias I had witnessed both inside and outside the IC. If newly observed activity wasn’t quickly attributed to a known threat group it wasn’t deemed important
This, in turn, caused analysts to “try” to fit observed activity into existing groups or have their (often painstaking) reporting lost in the noise, or worse, have their budgets trimmed. This bias caused several attribution cross-pollinations that took years to untangle
The UNC concept is that it’s ok to group correlated observations without needing to make any larger assertions until sufficient data is available. A sort of catch-and-release to let the little graph-clusters grow up :)
Over time these clusters converge or fade away helping to differentiate persistent actors from singleton-events. As they converge, larger patterns emerge that can be used to assess sophistication, targeting, goals, and eventually… attribution
Simply making it ok to draw a box around the observables and give them a name that could crop up again relieved much of this pressure. Especially once they started to converge and be promoted to the likes of #APT41 and #FIN11
Hopefully, somewhere inside @FireEye there is still a wiki with my quote “We should be handing out UNCs like candy”, because we should. :)

Plug: If you enjoy high-precision, flexible, collaborative, intelligence analysis and reporting tools, consider @vtxproject synapse

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with visi stark

visi stark Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(