One of the unique challenges of forensic analysis is that we're focused both on determining what events happened and the disposition of those events (benign or malicious). A failure to do one well can lead to mistakes with the other. 1/
Generally speaking, analysts interpret evidence to look for cues that spawn more investigative actions. Those cues can be relational (indicate the presence of related events), dispositional (indicate the malicious or benign nature of something), or even both at the same time. 2/
Not only do we have to explore relationships, but we also have to characterize and conceptualize them. That means we're constantly switching between cause/effect analysis and pattern matching of a variety of sorts. 3/
We're rarely at a shortage of relationships to investigate, but the dispositional cues help give us a sense of priority. We investigate the relationships that are more likely to be malicious. 4/
There's the potential to fall into the trap of a cascade effect here. Once you decide one event is malicious, you inherently decide everything associated with it (cause or effect) is also malicious. The opposite is also true, but sometimes to a lesser extent. 5/
That's to say we are more likely to associate guilt than we are to absolve it and let things off the hook, from my research. Some variables at play there... 6/
With all this, it means that if you misdispose something as benign, you overlook the whole chain of events. If you misdispose as malicious, you waste a lot of time. Trust and time are the most critical and non-replenishable resources the analyst has. 7/
Cognitively, I'm seeing some evidence that analysts who are more aware of this consideration -- relational vs dispositional cues -- have greater success making decisions and efficiently using their time. 8/
I've talked about the concept of gravity: some findings in an investigation "pull" analysts toward them. The more analysts acknowledge dispositions consciously, the more control they seem to have over an entity's gravity. 9/
A novice analyst gets sucked into investigating an IP on any level of suspicion it's evil. An expert recognizes some probability it's evil and uses that to determine how much time they should spend on it. They adjust as the facts do. They are more gravitationally aware. 10/
As with many things happening between our ears, there is some nuance here that's hard to capture on Twitter. But as always, being a good analyst is hard. We can make it easier by better understanding some of these processes and the steps along the path to expertise. 11/11
Thread by Chris Sanders 🍯 (@chrissanders88)