The natural thing for inexperienced analysts to want to do is jump to the worst case scenario and begin investigating that thing. After all, the bad thing is very bad! But, that's usually a bad idea for at least three reasons. 1/
First, all investigations are based on questions. You use existing evidence to drive questions whose answers you pursue in evidence. If there is no evidence that indicates the very bad thing, you are probably jumping the gun by looking for it. It's a reach. 2/
Second, the very bad thing is often very hard to investigate. Exfil is a prime example. The techniques for investigating and proving data exfil are often time-consuming and cognitively demanding. Now you're distracting yourself from the actual evidence you already have. 3/
Third, it creates and reinforces a sort of impact bias where you tend to overestimate the significance of other indicators/behaviors based on the potential impact. 4/
That's to say if you jump to investigating the bad thing absent evidence often, you reinforce its significance in your own mind and are even more likely to do it in the future absent some sort of correction. Bad habits breed bad habits. 5/
Good analysts do forecast events based on what they know. If malware was installed, it's logical to think about the next step -- persistence, additional downloads, etc. But... 6/
Thinking too many steps ahead is where time gets wasted and important things get missed. Take the evidence you have and try to start building forward or backward in the timeline relative to that thing. 7/
It's okay to identify a big gap between something like initial infection and lateral movement. But, take one of those two relationships and work forward/backward from it. Don't start throwing darts in between them if you don't have to. 8/8
• • •
Missing some Tweet in this thread? You can try to
force a refresh
