A quick thread on observer bias…
In 2011, I was fortunate to be a part of @Mandiant, when the threat intelligence team was just beginning to coalesce. Back then, threat activity came in 3 flavors: APT, FIN, and everything else, and it was a problem...
I created the UNC concept specifically to thwart a form of Observer Bias I had witnessed both inside and outside the IC. If newly observed activity wasn’t quickly attributed to a known threat group, it wasn’t deemed important.
This, in turn, caused analysts to “try” to fit observed activity into existing groups or have their (often painstaking) reporting lost in the noise, or worse, have their budgets trimmed. This bias caused several attribution cross-pollinations that took years to untangle
The UNC concept is that it’s ok to group correlated observations without needing to make any larger assertions until sufficient data is available. A sort of catch-and-release to let the little graph-clusters grow up :)
Over time these clusters converge or fade away, helping to differentiate persistent actors from singleton events. As they converge, larger patterns emerge that can be used to assess sophistication, targeting, goals, and eventually… attribution.
Simply making it ok to draw a box around the observables and give them a name that could crop up again relieved much of this pressure. Especially once they started to converge and be promoted to the likes of #APT41 and #FIN11
Hopefully, somewhere inside @FireEye there is still a wiki with my quote “We should be handing out UNCs like candy”, because we should. :)
Plug: If you enjoy high-precision, flexible, collaborative, intelligence analysis and reporting tools, consider @vtxproject synapse
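As an added illustration of the catch-and-release idea in the thread above (example code written for this page, not the author's, Mandiant's or FireEye's tooling), here is a toy registry that boxes observations into unnamed UNC clusters on shared indicators, folds clusters together when a later observation bridges them, lets an analyst promote a cluster that keeps recurring to a durable name, and ages out clusters that never recur. The thresholds (`promote_at`, `expire_after`), the indicator values and the group name `FIN-EXAMPLE` are all invented for the example.

```python
"""
Toy model of the UNC idea (added illustration; not the author's or
Mandiant's tooling). Observations are boxed into unnamed clusters
(UNC-n) on shared indicators; clusters that later share an indicator are
merged; a cluster that keeps recurring can be promoted to a named group;
a cluster that never recurs is aged out. Thresholds, indicator values and
names are invented for the example.
"""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Cluster:
    name: str
    created: int                      # sequence number; the oldest cluster survives a merge
    indicators: set = field(default_factory=set)
    observations: list = field(default_factory=list)   # (day, note) pairs
    last_seen: int = 0
    promoted: bool = False            # named groups are never aged out


class UncRegistry:
    def __init__(self, promote_at=3, expire_after=90):
        self._seq = count(1)
        self.clusters = {}                # name -> Cluster
        self.promote_at = promote_at      # observations required before promotion (assumed)
        self.expire_after = expire_after  # days of silence before an UNC is dropped (assumed)

    def observe(self, day, indicators, note=""):
        """Record one observation and return the name of the cluster it joined."""
        indicators = set(indicators)
        matches = sorted(
            (c for c in self.clusters.values() if c.indicators & indicators),
            key=lambda c: c.created,
        )
        if not matches:
            seq = next(self._seq)
            target = Cluster(name=f"UNC{seq}", created=seq)
            self.clusters[target.name] = target
        else:
            # The new observation bridges every matching cluster: fold the
            # younger ones into the oldest, which keeps its name and history.
            target = matches[0]
            for other in matches[1:]:
                target.indicators |= other.indicators
                target.observations.extend(other.observations)
                target.promoted = target.promoted or other.promoted
                del self.clusters[other.name]
        target.indicators |= indicators
        target.observations.append((day, note))
        target.last_seen = max(target.last_seen, day)
        return target.name

    def promotable(self):
        """Unnamed clusters with enough recurrence to deserve analyst review."""
        return sorted(
            c.name for c in self.clusters.values()
            if not c.promoted and len(c.observations) >= self.promote_at
        )

    def promote(self, unc_name, new_name):
        """Analyst decision: give a mature cluster a durable group name."""
        cluster = self.clusters[unc_name]
        if len(cluster.observations) < self.promote_at:
            raise ValueError(f"{unc_name} has too few observations to promote")
        del self.clusters[unc_name]
        cluster.name, cluster.promoted = new_name, True
        self.clusters[new_name] = cluster
        return cluster

    def expire(self, today):
        """Drop unnamed clusters that have gone quiet; return the names dropped."""
        stale = [
            name for name, c in self.clusters.items()
            if not c.promoted and today - c.last_seen > self.expire_after
        ]
        for name in stale:
            del self.clusters[name]
        return sorted(stale)


def run_demo():
    """Constructed timeline: two UNCs that turn out to be one actor, plus a one-off."""
    reg = UncRegistry(promote_at=3, expire_after=90)
    log = []
    log.append(reg.observe(1, {"lure.example", "loader-sha256-A"}, "phishing wave"))   # UNC1
    log.append(reg.observe(2, {"198.51.100.7", "loader-sha256-B"}, "C2 beaconing"))    # UNC2
    log.append(reg.observe(3, {"scanner-ua-X"}, "mass scanning"))                       # UNC3
    # Day 5 ties loader A to the C2 address, so UNC2 is folded into UNC1.
    log.append(reg.observe(5, {"loader-sha256-A", "198.51.100.7"}, "same loader, same C2"))
    log.append(reg.observe(120, {"lure.example"}, "phishing wave returns"))
    dropped = reg.expire(today=150)      # UNC3 never recurred
    ready = reg.promotable()             # UNC1 has recurred enough for review
    promoted = reg.promote("UNC1", "FIN-EXAMPLE").name
    return {"log": log, "dropped": dropped, "ready": ready,
            "promoted": promoted, "clusters": sorted(reg.clusters)}


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the thread's point in miniature: the first three observations each get their own box with no attribution claim attached, the day-5 observation merges two of them because the graph now connects, the singleton is aged out, and only the cluster that kept recurring is offered for promotion.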