Defeating Cognitive Bias 
and 
Developing Analytic Technique 
Chris Sanders 
BSides Augusta 2014
Chris Sanders 
• Christian & Husband 
• Kentuckian and South 
Carolinian 
• MS, GSE, CISSP, et al. 
• Non-Profit Director 
• BBQ Pit Master
Chris Sanders
Chris Sanders 
“[Practical Packet Analysis] gives you everything you need, step by step, to become 
proficient in packet analysis. I could not find a better book.” 
– Amazon Reviewer
Outline 
Objectives: 
 What is Analysis? 
 What is Bias? 
 Recognizing Bias 
 Defeating Bias 
 Analysis Methods 
“How to make better technical decisions in any kind 
of security analysis.”
**Disclaimer** 
I’m going to talk about matters of the brain, not 
so much the normal tech stuff. 
My research for this presentation involved 
consultation with psychologists. 
I, however, am not one.
Bias – A very personal story
2 AM
The Pain Begins 
*Dramatization
Developing Analytic Technique and Defeating Cognitive Bias in Security
Ultrasounds == Magic?
At this point… 
So, I went to see a surgeon…
“Let’s Cut it Out!” - Surgeon
Missing Parts
Thus… 
“Would it be accurate to say that I’m a medical 
miracle?” - Me 
“Absolutely.” – Surgeon
Cause and Effect 
• Cause: Bias…lots of it! 
– Confirmation Bias 
– Outcome Bias 
– Congruence Bias 
• Effect: Unnecessary Surgery 
– 1 Week Recovery 
– Financial Loss 
– Pessimism Bias
Analysis
Analysis is Everywhere 
• Making judgments based upon data 
• Security Analysis Happens for: 
– Malware Analysts 
– Intelligence Analysts 
– Incident Response Analysts 
– Forensic Analysts 
– Programming Logic Analysts 
• My main focus is network intrusion analysis, 
so this talk will be framed through that.
Network Security Monitoring 
• The collection, detection, and analysis of 
network security data. 
• The goal of NSM is escalation: declaring that an 
incident has occurred so that incident response 
can begin.
Evolution of NSM Emphasis
The Need for Analytic Technique 
• Kansas State University Anthropological Study 
on SOCs - Key Finding: 
– “SOC analysts often perform sophisticated 
investigations where the process required to 
connect the dots is unclear even to analysts.” 
• Analysis == “Tacit Knowledge”
Analysis: Thinking About Thinking 
• We need to critically examine how we think 
about information security analysis. 
• We aren’t alone! 
– Scientific 
– Medical 
– Legal
Perception vs. Reality 
• Perception: 
– “A way of regarding, understanding, or 
interpreting something.” 
• Reality: 
– “The state of things as they actually exist.” 
Let’s take a test…
RED
GREEN
BLUE
BLACK
YELLOW
Test Results 
• Variation of Stroop Test (John Stroop, 1935) 
• Measures Cognition 
– The Process of Perception 
• Identifies Gap Between Perception & Reality 
• Used to Measure 
– Selective Attention 
– Cognitive Flexibility 
– Processing Speed
What is Bias? 
“Prejudice in favor of or against one thing, 
person, or group compared with another, 
usually in a way considered to be unfair.” 
•Perception != Reality 
•Perception is Everything, but Fallible 
•We tend to perceive what we expect/are 
conditioned to perceive
I’m Going to Show You an Image
I’m Going to Show You a Picture of 
a White Vase.
First Image Results 
• Prompted for Face 
– 88% See Face 
– 12% See Sax Player 
• No Prompt 
– 57% See Face 
– 43% See Sax Player
Second Image Results 
• Prompted for Vase 
– 94% See White Vase 
– 6% See Two People 
• No Prompt 
– 62% See White Vase 
– 38% See Two People
Bias Examples
Let’s Hit Closer to Home…
A Recent Example
Anchoring 
• Defined: Heavily relying on a single piece of 
information. 
• Examples: 
– Src/Dst Country -> OMG China! 
– IDS Alert Name -> It says this is X, so it must be X. 
– Timing -> It’s every 5 minutes!
Clustering Illusion 
• Defined: Overestimating the value of perceived 
patterns in random data. 
• Examples: 
– The great “beaconing” fallacy 
– Unguided visualizations
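The “it’s every 5 minutes!” anchor and the beaconing fallacy share a root: a few evenly spaced events are read as a schedule. The check below is an added example, not code from the talk or from the author. It only calls a series periodic once there are enough intervals to measure and the relative spread of those intervals is small; the sample timestamps are constructed, and the minimum-interval count and spread threshold are assumptions to tune against your own benign baseline.

```python
"""Added example (not from the slides): a periodicity check that refuses to
call a handful of evenly spaced events a 'beacon'. All timestamps below are
constructed, not captured traffic; the thresholds are assumptions."""
import random
from statistics import mean, pstdev

MIN_INTERVALS = 20   # assumption: fewer gaps than this is not evidence of periodicity
MAX_CV = 0.15        # assumption: coefficient of variation below this counts as periodic


def inter_arrival(timestamps):
    """Seconds between consecutive events, in time order."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def beacon_score(timestamps, min_intervals=MIN_INTERVALS, max_cv=MAX_CV):
    """Return (verdict, details).

    verdict is 'insufficient-data' (too few gaps to say anything),
    'periodic' (many gaps, low relative spread) or 'irregular'.
    'periodic' says the timing is regular, not that it is hostile:
    update checks and monitoring agents are periodic too."""
    gaps = inter_arrival(timestamps)
    if len(gaps) < min_intervals:
        return "insufficient-data", {"intervals": len(gaps)}
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    verdict = "periodic" if cv < max_cv else "irregular"
    return verdict, {"intervals": len(gaps), "mean_gap_s": round(avg, 1), "cv": round(cv, 3)}


def constructed_timestamps(kind, count=60, seed=7):
    """Constructed sample series (not real traffic), deterministic via seed."""
    rng = random.Random(seed)
    t, series = 0.0, []
    for _ in range(count):
        series.append(t)
        if kind == "beacon":      # roughly 5 minutes with +/-10% jitter
            t += rng.uniform(270, 330)
        elif kind == "random":    # user-driven traffic with no schedule
            t += rng.uniform(10, 600)
        else:
            raise ValueError(kind)
    return series


# The "it's every 5 minutes!" anchor: four events, perfectly spaced.
FOUR_EVENTS = [0, 300, 600, 900]

if __name__ == "__main__":
    for label, ts in [("four events", FOUR_EVENTS),
                      ("random", constructed_timestamps("random")),
                      ("beacon", constructed_timestamps("beacon"))]:
        print(label, beacon_score(ts))
```

Four perfectly spaced events come back as insufficient data rather than as a beacon; sixty jittered five-minute events come back periodic, and sixty randomly spaced ones irregular. A periodic verdict is the start of a differential diagnosis (updater, agent, C2?), not the end of one.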
Availability Cascade 
• Defined: Strong belief in something due to its 
repetition in public discourse 
• Example: 
– “Chinese Traffic is Bad.” 
– “That rule generates a lot of false positives.”
Belief Bias 
• Defined: Occurs when a decision is based on 
the believability of the conclusion. 
• Examples: 
– “We wouldn’t be a target for a nation-state 
actor.” 
– “This is probably a false positive because it’s 
unlikely someone would attack our VoIP system.”
Confirmation Bias 
• Defined: Interpreting data during analysis with 
a focus on confirming one’s preconception. 
• Ego is a big factor here 
• Examples: 
– “I think this is nothing.” 
– “I think there is something going on here.”
Impact Bias 
• Defined: Tendency to overestimate the 
significance of something based on the 
potential impact. 
• Signature/Alert Naming + Lack of Experience 
Contribute to this. 
• Example: 
– “The alert says this is a known APT1 back door, so 
I need to spend all day looking at this.”
Irrational Escalation 
• Defined: Justifying increased time investment 
based on existing time investment when it 
may not make sense. 
• Sunk Cost Fallacy 
• Example: 
– “What do you mean this is nothing? I’ve spent all 
day looking at this. I’ll spend all day tomorrow 
digging into it; I’m sure I’ll find something else 
there.”
Framing Effect 
• Defined: Interpreting information differently 
based on how or from whom it was 
presented. 
• Important in interaction with other analysts 
• Example: 
– Old Vet: “Steve doesn’t know what he is doing, so 
if he is telling me this it probably doesn’t mean 
much.” 
– New Guy: “None of the more experienced guys 
said anything about this, so it must not matter.”
Overconfidence Effect 
• Defined: Excessive confidence in one’s own 
decisions, especially in light of contrasting 
data. 
• Example: 
– 99% Paradox – “I’m 99% sure this is right.” 
– One psych study suggests this statement is 
wrong ~40% of the time.
Pro-Innovation Bias 
• Defined: Excessive optimism and biased 
decisions based on an invention of one’s own 
making being involved in the analysis. 
• Invention == System / Code / Concept 
• Example: 
– “My tool can do that.” 
– “I wrote that signature so I know it’s accurate.” 
– “This fits perfectly in my model!”
There are over 100 types of bias. 
How can we overcome them?
Overcoming Bias
What Can We Do? 
• Preconception and Bias Cannot Be Fully 
Avoided 
• Therefore: 
– Develop Repeatable Analytic Technique 
– Recognize Key Assumptions 
– Allow them to be Challenged
Analytic Techniques 
Common Techniques: 
– Relational Investigation 
– Differential Diagnosis
Relational Investigation 
• “Link Analysis” 
• Commonly Used in Criminal Investigations 
• Focuses on Entities, Relationships, 
Interactions, and Degrees of Separation
Relational Investigation
Setting the Stage – Primary Relationships
Partial Story – Secondary Relationships
Full Attack Diagram – Tertiary Relationships
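The three diagram slides above walk outward from the alerted host one degree of separation at a time. The code below is an added example, not the author’s tooling: it builds an entity graph from constructed (entity, relation, entity) records of the kind an analyst extracts from flow, DNS and authentication logs, returns the primary/secondary/tertiary layers around a starting host, and recovers the chain of relationships that links it to any entity in those layers. Addresses are RFC 5737 documentation ranges and the relation names are assumptions.

```python
"""Added example (not from the slides): relational investigation over a small
entity graph. Records are constructed (RFC 5737 documentation addresses and
example.net), not real logs; the relation names are assumptions."""
from collections import defaultdict, deque

# (entity, relation, entity) triples. Constructed data.
RECORDS = [
    ("10.1.1.20", "connected_to", "203.0.113.5"),
    ("10.1.1.20", "resolved", "updates.example.net"),
    ("updates.example.net", "resolves_to", "203.0.113.5"),
    ("10.1.1.31", "connected_to", "203.0.113.5"),
    ("10.1.1.31", "logged_in_as", "jsmith"),
    ("jsmith", "logged_in_on", "10.1.1.40"),
    ("10.1.1.40", "connected_to", "198.51.100.9"),
    ("10.1.1.55", "connected_to", "192.0.2.77"),
]


def build_graph(records):
    """Undirected adjacency: a relationship links both entities either way."""
    graph = defaultdict(set)
    for left, _relation, right in records:
        graph[left].add(right)
        graph[right].add(left)
    return graph


def degrees_of_separation(graph, start, max_depth=3):
    """Breadth-first layers: {1: primary, 2: secondary, 3: tertiary}."""
    seen = {start}
    frontier = [start]
    layers = {}
    for depth in range(1, max_depth + 1):
        next_frontier = []
        for node in frontier:
            for neighbour in graph[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    next_frontier.append(neighbour)
        if not next_frontier:
            break
        layers[depth] = set(next_frontier)
        frontier = next_frontier
    return layers


def shortest_path(graph, start, target):
    """The chain of relationships that puts target in start's neighbourhood,
    or None if the data does not connect them at all."""
    previous = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for neighbour in graph[node]:
            if neighbour not in previous:
                previous[neighbour] = node
                queue.append(neighbour)
    if target not in previous:
        return None
    path, node = [], target
    while node is not None:
        path.append(node)
        node = previous[node]
    return path[::-1]


if __name__ == "__main__":
    g = build_graph(RECORDS)
    for depth, entities in degrees_of_separation(g, "10.1.1.20").items():
        print(depth, sorted(entities))
    print(shortest_path(g, "10.1.1.20", "jsmith"))
```

Starting from 10.1.1.20, the primary layer is the external address and the name that resolves to it, the secondary layer is 10.1.1.31 (it talked to the same address), and the tertiary layer is the account jsmith. The graph only says a relationship exists in the data; whether 10.1.1.31 sharing a destination with 10.1.1.20 means anything depends on what that destination is (a shared CDN node is the clustering trap from the earlier slides), which is exactly the assumption to write down and let peers challenge.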
Differential Diagnosis 
• Commonly Used in Medical Diagnosis 
• Relies on Lists of Possibilities, and 
Systematically Eliminating Possibilities
Differential Diagnosis
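A differential diagnosis is a written list of candidate explanations and the observations that rule each one out. The code below is an added example, not part of the talk: the hypotheses, observables and values are constructed for a host making a periodic outbound connection and are assumptions rather than a vetted model of any real threat. It keeps the hypotheses consistent with the evidence so far, records why the others were dropped, and names the not-yet-collected observable that would eliminate the most candidates in the worst case, which is the next thing worth pulling.

```python
"""Added example (not from the slides): differential diagnosis for a finding,
kept as a hypothesis-versus-evidence table. Hypotheses, observables and values
are constructed assumptions for a periodic outbound connection."""

# For each hypothesis, the values of each observable it is consistent with.
# An observable a hypothesis says nothing about is treated as consistent.
HYPOTHESES = {
    "malware C2 beacon": {
        "destination": {"unknown", "known-bad"},
        "process": {"unsigned-binary", "browser"},
        "signed": {"no", "yes"},
    },
    "vendor update check": {
        "destination": {"known-vendor"},
        "process": {"updater"},
        "signed": {"yes"},
    },
    "monitoring heartbeat": {
        "destination": {"known-vendor", "unknown"},
        "process": {"agent"},
        "signed": {"yes"},
    },
    "app retry loop (misconfig)": {
        "destination": {"unknown"},
        "process": {"browser", "app"},
        "signed": {"yes", "no"},
    },
}


def inconsistencies(model, evidence):
    """Observables whose observed value this hypothesis cannot explain."""
    return [feature for feature, value in evidence.items()
            if feature in model and value not in model[feature]]


def eliminate(hypotheses, evidence):
    """Keep only the hypotheses consistent with every observation so far."""
    return {name: model for name, model in hypotheses.items()
            if not inconsistencies(model, evidence)}


def eliminated_with_reasons(hypotheses, evidence):
    """Why each dropped hypothesis was dropped, so it can be written down."""
    return {name: inconsistencies(model, evidence)
            for name, model in hypotheses.items()
            if inconsistencies(model, evidence)}


def most_diagnostic(remaining, observed):
    """The unobserved observable that, in the worst case, leaves the fewest
    hypotheses standing. Ties resolve to the alphabetically first name."""
    features = {f for model in remaining.values() for f in model} - set(observed)
    best = None
    for feature in sorted(features):
        values = set().union(*(m.get(feature, set()) for m in remaining.values()))
        if not values:
            continue
        worst = max(sum(1 for m in remaining.values()
                        if feature not in m or v in m[feature])
                    for v in values)
        if best is None or worst < best[0]:
            best = (worst, feature)
    return best[1] if best else None


if __name__ == "__main__":
    evidence = {"destination": "unknown"}
    remaining = eliminate(HYPOTHESES, evidence)
    print("remaining:", sorted(remaining))
    print("dropped:", eliminated_with_reasons(HYPOTHESES, evidence))
    print("collect next:", most_diagnostic(remaining, evidence))
    evidence["process"] = "unsigned-binary"
    print("remaining:", sorted(eliminate(HYPOTHESES, evidence)))
```

With only the destination known to be unrecognised, three hypotheses survive and the table says the process identity is the most diagnostic thing to collect next; the signing status would leave all three standing if it came back “yes”. Learning the process is an unsigned binary leaves the C2 hypothesis alone. The discipline is in the table itself: a hypothesis leaves the list only because a recorded observation contradicts it, never because the analyst finds it unlikely.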
Incident M&M 
• Dr. Ernest Codman at Mass. General Hospital 
• Post-Case Meetings to Discuss What Occurred 
and How to Do Better (the medical Morbidity & 
Mortality conference) 
• Incident M&M 
1. Handler/Analyst Presents Case 
2. Followed by Alternative Analysis
Alternative Analysis 
• Developed by Richards J. Heuer Jr. (CIA) 
• Series of Peer Analysis Methods 
• Designed to Help Overcome Bias and Improve 
Quality of Analysis
Group A / Group B 
• Group A – Presenting Analyst/Team 
• Group B – Secondary Analyst/Team 
• Two Independent Analysis Efforts 
• Notes are Compared During the Presentation 
• Identify Differing Conclusions from Same Data
Red Cell Analysis 
• Peer Focus on Attacker’s Viewpoint 
• Questioning in Relation to the Attacker’s 
Perceived Goals 
• Requires Some Offensive Experience 
• Best Executed by Red Team if Available
What If Analysis 
• Focus on Cause/Effect of Actions That May 
Not Have Actually Occurred 
– What if the attacker had done X? How would you 
have changed your approach? 
– What if you didn’t stumble across X in Y data? 
• Enhances Later Investigations
Key Assumptions Check 
• Presenter Identifies Assumptions During 
Analysis 
• Peers Challenge Assumptions 
• Pairs Well with “What If” Analysis 
– “What if it were possible for that malware to 
escape that virtual machine?” 
– “Would you come to the same conclusion if you 
knew this was APT3 instead of APT1?”
Incident M&M Best Practices 
• Limit Frequency 
• Set Expectations 
• Require a Strong Mediator 
• Keep it at the Team Level – No Sr. Managers 
• Encourage Servant Leadership 
• Discourage Personal Attacks 
• Write it Down!
Conclusion 
• The Era of Analysis is Upon Us 
• Bias is Inevitable – Learn to Recognize It 
• Overcome Analysis Hurdles With: 
– Analytic Technique 
– Alternative Analysis
Thank You! 
E-Mail: chris@chrissanders.org 
Twitter: @chrissanders88 
Blog: http://www.chrissanders.org 
Book Blog: http://www.appliednsm.com 
Testimony: http://www.chrissanders.org/mytestimony

Videogame localization & technology_ how to enhance the power of translation.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 

Developing Analytic Technique and Defeating Cognitive Bias in Security

The Need for Analytic Technique
• Kansas State University Anthropological Study on SOCs - Key Finding:
– “SOC analysts often perform sophisticated investigations where the process required to connect the dots is unclear even to analysts.”
• Analysis == “Tacit Knowledge”
Analysis: Thinking About Thinking
• We need to critically examine how we think about information security analysis.
• We aren’t alone!
– Scientific
– Medical
– Legal
Perception vs. Reality
• Perception:
– “A way of regarding, understanding, or interpreting something.”
• Reality:
– “The state of things as they actually exist.”
Let’s take a test…
RED
GREEN
BLUE
BLACK
Test Results
• Variation of Stroop Test (John Stroop, 1935)
• Measures Cognition – The Process of Perception
• Identifies Gap Between Perception & Reality
• Used to Measure
– Selective Attention
– Cognitive Flexibility
– Processing Speed
What is Bias?
“Prejudice in favor of or against one thing, person, or group compared with another, usually in a way considered to be unfair.”
• Perception != Reality
• Perception is Everything, but Fallible
• We tend to perceive what we expect/are conditioned to perceive
I’m Going to Show You an Image
I’m Going to Show You a Picture of a White Vase.
First Image Results
• Prompted for Face
– 88% See Face
– 12% See Sax Player
• No Prompt
– 57% See Face
– 43% See Sax Player
Second Image Results
• Prompted for Vase
– 94% See White Vase
– 6% See Two People
• No Prompt
– 62% See White Vase
– 38% See Two People
Let’s Hit Closer to Home…
Anchoring
• Defined: Heavily relying on a single piece of information.
• Examples:
– Src/Dst Country -> OMG China!
– IDS Alert Name -> It says this is X, so it must be X.
– Timing -> It’s every 5 minutes!
Clustering Illusion
• Defined: Overestimating the value of perceived patterns in random data.
• Examples:
– The great “beaconing” fallacy
– Unguided Visualizations
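The “It’s every 5 minutes!” anchor and the beaconing fallacy are the same mistake seen from two sides: a period gets declared from a handful of gaps without anyone measuring how regular the gaps actually are. The following is an added example, not code from the deck or its author; the connection-log lines, host addresses and the 203.0.113.10 destination are constructed for illustration. It parses the lines, groups them per flow, and reports the median inter-arrival gap together with its coefficient of variation (standard deviation over mean). Both hosts come out with a 300 s median, which is exactly what an anchored analyst would cite; only one of them has the low jitter a real beacon shows.

```python
"""Is it really "every 5 minutes"? Interval-regularity check over constructed
connection logs (added example for the Anchoring / Clustering Illusion slides,
not part of the original deck)."""
from datetime import datetime, timedelta
import statistics

# Constructed "timestamp src dst dport" lines. Two hosts talk to the same
# external address; only the first is actually periodic. The second host has
# three coincidental ~300 s gaps among otherwise irregular traffic.
BASE = datetime(2014, 9, 13, 2, 0, 0)
_BEACON_OFFSETS = [0, 298, 601, 899, 1202, 1500, 1803, 2099, 2401, 2700]
_NOISE_OFFSETS = [0, 300, 600, 900, 930, 1900, 1950, 3200, 3210, 4000]

CONN_LOG = [
    f"{(BASE + timedelta(seconds=o)).isoformat()} 10.0.5.17 203.0.113.10 443"
    for o in _BEACON_OFFSETS
] + [
    f"{(BASE + timedelta(seconds=o)).isoformat()} 10.0.5.22 203.0.113.10 443"
    for o in _NOISE_OFFSETS
]


def parse_conn_log(lines):
    """Group timestamps by (src, dst, dport); blank and '#' lines are skipped."""
    flows = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.setdefault((src, dst, int(dport)), []).append(datetime.fromisoformat(ts))
    return {key: sorted(stamps) for key, stamps in flows.items()}


def interval_stats(timestamps):
    """Return (median gap in seconds, coefficient of variation of the gaps).

    None when there are fewer than three events: two points give one gap,
    and one gap has no spread to measure.
    """
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return statistics.median(gaps), statistics.pstdev(gaps) / mean


def looks_like_beacon(timestamps, min_events=8, max_cv=0.2):
    """True only with enough events AND small jitter relative to the period.

    min_events and max_cv are assumed thresholds for this example, not values
    from the deck; tune them against known-good traffic before relying on them.
    """
    if len(timestamps) < min_events:
        return False
    stats = interval_stats(timestamps)
    return stats is not None and stats[1] <= max_cv


def assess(lines):
    """Map each flow key to (median_gap, cv, beacon_verdict)."""
    result = {}
    for key, stamps in parse_conn_log(lines).items():
        stats = interval_stats(stamps)
        if stats is None:
            result[key] = (None, None, False)
        else:
            result[key] = (stats[0], round(stats[1], 3), looks_like_beacon(stamps))
    return result


if __name__ == "__main__":
    for key, (median_gap, cv, verdict) in assess(CONN_LOG).items():
        print(key, "median gap:", median_gap, "cv:", cv, "beacon:", verdict)
```

The median is the number that gets anchored on; the coefficient of variation is the number that should decide. A low CV is still only a reason to keep looking, not a conclusion: legitimate software polls on a timer too, and malware authors add jitter precisely to push the CV above thresholds like the one assumed here.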
Availability Cascade
• Defined: Strong belief in something due to its repetition in public discourse
• Example:
– “Chinese Traffic is Bad.”
– “That rule generates a lot of false positives.”
Belief Bias
• Defined: Occurs when a decision is based on the believability of the conclusion.
• Examples:
– “We wouldn’t be a target for a nation-state actor.”
– “This is probably a false positive because it’s unlikely someone would attack our VoIP system.”
Confirmation Bias
• Defined: Interpreting data during analysis with a focus on confirming one’s preconception.
• Ego is a big factor here
• Examples:
– “I think this is nothing.”
– “I think there is something going on here.”
Impact Bias
• Defined: Tendency to overestimate the significance of something based on the potential impact.
• Signature/Alert Naming + Lack of Experience Contribute to this.
• Example:
– “The alert says this is a known APT1 back door, so I need to spend all day looking at this.”
Irrational Escalation
• Defined: Justifying increased time investment based on existing time investment when it may not make sense.
• Sunk Cost Fallacy
• Example:
– “What do you mean this is nothing? I’ve spent all day looking at this. I’ll spend all day tomorrow digging into it; I’m sure I’ll find something else there.”
Framing Effect
• Defined: Interpreting information differently based on how or from whom it was presented.
• Important in interaction with other analysts
• Example:
– Old Vet: “Steve doesn’t know what he is doing, so if he is telling me this it probably doesn’t mean much.”
– New Guy: “None of the more experienced guys said anything about this, so it must not matter.”
Overconfidence Effect
• Defined: Excessive confidence in one’s own decisions, especially in light of contrasting data.
• Example:
– 99% Paradox – “I’m 99% sure this is right.”
• One psych study suggests this statement is wrong ~40% of the time.
Pro-Innovation Bias
• Defined: Excessive optimism and biased decisions based on an invention of one’s own making being involved in the analysis.
• Invention == System / Code / Concept
• Examples:
– “My tool can do that.”
– “I wrote that signature so I know it’s accurate.”
– “This fits perfectly in my model!”
There are over 100 types of bias. How can we overcome them?
What Can We Do?
• Preconception and Bias Cannot Be Fully Avoided
• Therefore:
– Develop Repeatable Analytic Technique
– Recognize Key Assumptions
– Allow them to be Challenged
Analytic Techniques
Common Techniques:
– Relational Investigation
– Differential Diagnosis
Relational Investigation
• “Link Analysis”
• Commonly Used in Criminal Investigations
• Focuses on Entities, Relationships, Interactions, and Degrees of Separation
Setting the Stage – Primary Relationships
Partial Story – Secondary Relationships
Full Attack Diagram – Tertiary Relationships
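The primary, secondary and tertiary relationship diagrams are a breadth-first walk over an entity graph: hosts and addresses are nodes, observed connections are edges, and the tier is the hop count from the host that raised the alert. The following is an added example, not code from the deck or its author; the flow records, host names and the 203.0.113.10 address are constructed. It builds the graph from flow records and tiers entities by degrees of separation. It also shows the caveat a practitioner hits immediately when drawing these diagrams from real flow data: shared infrastructure such as the DNS server or the domain controller connects every host to every other at two hops, so those hubs have to be set aside before the tiers say anything.

```python
"""Relational investigation (link analysis) over constructed flow records
(added example for the Relational Investigation slides, not part of the deck)."""
from collections import defaultdict, deque

# Constructed (src, dst, dport) records. ws-017 is the host that alerted.
FLOWS = [
    ("ws-017", "203.0.113.10", 443),   # alerting host -> suspicious external
    ("ws-017", "dc-01", 445),
    ("ws-017", "dns-01", 53),
    ("ws-022", "dns-01", 53),
    ("ws-022", "dc-01", 445),
    ("ws-022", "203.0.113.10", 443),   # second host talking to the same external
    ("ws-031", "ws-022", 3389),        # RDP between workstations
    ("ws-031", "file-01", 445),
    ("ws-040", "dns-01", 53),          # only ever talks to DNS
]

# Infrastructure every host talks to. Left in the graph, it makes every host a
# "secondary relationship" of every other host and the diagram says nothing.
HUBS = frozenset({"dns-01", "dc-01"})


def build_graph(flows, exclude=frozenset()):
    """Undirected adjacency map; each edge records the destination ports seen."""
    graph = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in flows:
        if src in exclude or dst in exclude:
            continue
        graph[src][dst].add(dport)
        graph[dst][src].add(dport)
    return graph


def degrees_of_separation(graph, start, max_depth=3):
    """Breadth-first search from start; returns {entity: hops} within max_depth."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if depth[node] >= max_depth:
            continue
        for neighbour in graph[node]:
            if neighbour not in depth:
                depth[neighbour] = depth[node] + 1
                queue.append(neighbour)
    depth.pop(start)
    return depth


def relationships(flows, start, exclude=frozenset(), max_depth=3):
    """Group entities by hop count: 1 = primary, 2 = secondary, 3 = tertiary."""
    graph = build_graph(flows, exclude)
    tiers = defaultdict(list)
    for entity, hops in degrees_of_separation(graph, start, max_depth).items():
        tiers[hops].append(entity)
    return {hops: sorted(entities) for hops, entities in sorted(tiers.items())}


if __name__ == "__main__":
    print("hubs kept:   ", relationships(FLOWS, "ws-017"))
    print("hubs removed:", relationships(FLOWS, "ws-017", exclude=HUBS))
```

With the hubs removed, ws-017 has one primary relationship (the external address), one secondary (ws-022, which also talked to it) and one tertiary (ws-031, which reached ws-022 over RDP); ws-040 drops out because its only link was through DNS. With the hubs kept, ws-040 appears as a secondary relationship purely because both machines resolve names, which is the kind of spurious link that feeds the clustering illusion.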
Differential Diagnosis
• Commonly Used in Medical Diagnosis
• Relies on Lists of Possibilities, and Systematically Eliminating Possibilities
Incident M&M
• Dr. Ernest Codman at Mass. General Hospital
• Post-Patient Meetings to Discuss What Occurred and How to Better It
• Incident M&M
1. Handler/Analyst Presents Case
2. Followed by Alternative Analysis
Alternative Analysis
• Developed by Richards Heuer Jr. (CIA)
• Series of Peer Analysis Methods
• Designed to Help Overcome Bias and Improve Quality of Analysis
Group A / Group B
• Group A – Presenting Analyst/Team
• Group B – Secondary Analyst/Team
• Two Independent Analysis Efforts
• Notes are Compared During the Presentation
• Identify Differing Conclusions from Same Data
Red Cell Analysis
• Peer Focus on Attacker’s Viewpoint
• Questioning in Relation to Attacker’s Perceived Goals
• Requires Some Offensive Experience
• Best Executed by Red Team if Available
What If Analysis
• Focus on Cause/Effect of Actions That May Not Have Actually Occurred
– What if the attacker had done X? How would you have changed your approach?
– What if you didn’t stumble across X in Y data?
• Enhances Later Investigations
Key Assumptions Check
• Presenter Identifies Assumptions During Analysis
• Peers Challenge Assumptions
• Pairs Well with “What If” Analysis
– “What if it were possible for that malware to escape that virtual machine?”
– “Would you come to the same conclusion if you knew this was APT3 instead of APT1?”
Incident M&M Best Practices
• Limit Frequency
• Set Expectations
• Require a Strong Mediator
• Keep it at the Team Level – No Sr. Managers
• Encourage Servant Leadership
• Discourage Personal Attacks
• Write it Down!
Conclusion
• The Era of Analysis is Upon Us
• Bias is Inevitable – Learn to Recognize It
• Overcome Analysis Hurdles With:
– Analytic Technique
– Alternative Analysis
Thank You!
E-Mail: chris@chrissanders.org
Twitter: @chrissanders88
Blog: http://www.chrissanders.org
Book Blog: http://www.appliednsm.com
Testimony: http://www.chrissanders.org/mytestimony