
Are you guys excited about BSides Augusta? Get pumped up, get pumped up. We've got an all-star lineup today. We had an absolutely wonderful first year last year. How many folks were here last year for BSides Augusta? A good number of folks, so you're repeat customers. Thank you for coming back; we must have done pretty good last year. So we're very excited about this year. Again we have a great lineup of speakers. We have some of the world's best blue teamers right here in Augusta, Georgia to present to you guys. We've got some of the best defenders, we've got some of the best incident responders, and so we've got a really great lineup today. I'm very excited about it, so I don't want to spend too much time, because I want to get out of the way and let our rock stars take it from here. So first up we have Mr. Chris Sanders. You may know Chris from the number of books that he has written or co-authored. He's also involved with the Rural Technology Fund, a nonprofit that gives back to high school students and others to help them along with their technology education. So he's doing a lot of good in the world, and we're very thankful to have him here today. So please join me in
welcoming Mr. Chris [Applause] Sanders. All right, thank y'all for having me, thank y'all for coming out to BSides and certainly to see me talking on this Saturday morning. There are a lot of better things you might be doing, but I'm glad y'all are here. Also excited to be in the blue team room, excited to be around blue teamers. I try to make fun of the red teamers as much as possible. I assume as soon as we left they all put on ski masks, doing red team scenarios. Could be hoodies. Hoodies as well, yeah, sure, absolutely. So really excited to be here, really excited to give this talk. Again, Doug told you a lot about me. My name's Chris Sanders. I really enjoy blue teaming, information security, network security monitoring; that's my day job. When I'm not doing that I'm a barbecue guy. I used to have pictures of myself on here, but I realized I'm already standing here and people don't want to see me, so I put pictures of pulled pork and ribs, because why not. And it's Georgia, right? Georgia probably has the best barbecue. I'm from South Carolina and I say Georgia; that mustard-based sauce, I don't know about it. Aside from that, I do direct the Rural Technology Fund. I started that in 2008, recognizing that I was from a rural area that didn't really have a lot of opportunity for folks who were interested in high-tech careers. So we provide scholarships, internships and other resources for students who are kind of in the same need group there. As far as my career, I got my real first job in security working for the Army Research Lab, worked for the Department of Defense in that capacity, and then later on for SPAWAR, helping to set up and run different portions of security operations centers in that capacity. Got kind of tired of the government bit after a while and decided to go into the private sector, so I
worked with a company called InGuardians for a while. If you're familiar with SANS, InGuardians was started by a few of the SANS faculty, mostly an offensive penetration testing shop but with some defensive blue team work as well, and that's what I kind of focused on while I was there, while also dabbling in the offensive work, which I feel really helped enrich my blue team level of expertise. Beyond that, after that I went to Mandiant right about the time of the FireEye acquisition. I lead a small team within a bigger product group there; the product is called the Threat Analytics Platform, and I lead the intel-based detection portion of that team, which I think is pretty well represented here today. I think there's five or six of us here, so always excited for that. As Doug said, I've written a few books. I know it's early in the morning and people are sleepy, so I'm going to try to wake people up by giving away one of these now. I've got two of them to give away; one's going to be given to a volunteer later, so if you might want to volunteer, be thinking about it. I'm going to give one away now with a trivia question, so if you want a copy of the book: this obviously just came out recently. Practical Packet Analysis, the second edition, came out in 2011, with the third planned for next year. So for the first edition, does anybody know, and I'm going to go with the first hand I see when I finish the question, does anybody know when the first edition of Practical Packet Analysis was released? 2006? Nope. 2008? Nope. I saw you. 2009? No. I saw you. 2007, there we go. [Applause] [Music] I think that took four people. Here's the book. So yeah, I'm not going to harp on this too much, but if you're at all interested in what I talk about today, a lot of it's kind of
discussed to some degree in the new book, which is written with my co-author Jason Smith, just sitting in the audience right there. Okay, so today's a pretty fun talk. It's a little different than a lot of things I've talked about; it's a little less in-the-weeds technical, it's a little higher level. I generally like to give a sentence that says what you're going to take away from the talk. In this case it's how to make better technical decisions in any kind of security analysis. I'm a network security monitoring guy, but I think a lot of what I talk about today is applicable to many other types of security analysis, whether that's malware analysis, or even security analysis of code, for instance web application analysis, any of those things. But more or less, despite the very boring title of the talk, we're going to talk about some cool thoughts about analysis, about bias, and how to recognize it and defeat it and improve analysis in really any security situation. The disclaimer I give here is I'm going to talk about a lot of things I'm probably not really qualified to talk about, specifically matters of the brain, some things that deal more in psychology than necessarily in security. So while I've talked to quite a few psychologists and psychiatrists as well in researching some of this stuff, that's not what my degree is, so take that with a grain of salt, for what it's worth. So we're going to start this with a very personal story about an instance in which bias really affected me personally. The story happened in, I guess it was February or March, and it starts at about 2 a.m. Unlike the red teamers I go to bed at a reasonable time, which is about 10:00, so I'm asleep at 2 a.m. and then I wake up with a horrible stomach ache. And I don't mean just like
the normal stomach ache; like something was wrong, like I felt like I was going to die for some reason. I'm very fortunate, very blessed: my wife is actually a family medicine doctor. So I tried to tough it out for a while, you know, man up and just take it, but then I just couldn't. So I roll over: honey, wake up, something's wrong, my stomach's killing me. It's not a sick pain, just a real throbbing pain, don't know what to do. So we talk a little bit and she's like, oh, it sounds like there's something wrong with your gallbladder. Right, and she's a doctor, I trust her, I'm like okay. She says, well, just to make sure it's not inflamed or something like that, we probably need to go see someone now. So we end up at the ER, fortunately not the ER that these guys were working at, but we end up at the ER and I see a doctor there. He does some tests, does some questioning, checks my blood, decides my gallbladder is probably not inflamed, but he thinks there's a gallstone there. If you've ever had gallstones you probably know it's not a pleasant thing. So he's like, I think you have a gallstone, we want to ultrasound it, we can't really do that here right now for some reason. So they sent me home, basically. They said tomorrow morning go see your family doctor and they will get you into an ultrasound. So that's what we did. Although my wife's a family doctor, for ethical reasons she obviously can't see me as a patient, so we went to see one of our good friends, who saw me and referred me for the ultrasound. I'm pretty sure ultrasounds are mostly magic. This is not my ultrasound, but this is what a gallbladder is supposed to look like on an ultrasound. I guess I don't know if this space is the gallbladder or that space is; I don't know sometimes. But anyway, I got the ultrasound. At this point the family doctor said she agreed with that initial diagnosis. I got the ultrasound, and the tech who read the ultrasound was like, oh yeah, your gallbladder is there and it's full of stones, right, which is not a real big deal; it's full of stones, so you probably want to have it out. Fair enough. So at this point again my wife thinks it's the gallbladder, the ER doctor felt like it was that, the family doctor agreed, the radiologist basically confirmed that. Right, that's what he tested for and that's what he
confirmed. So I went to see a surgeon, and if you've ever been to a surgeon before, the one thing they love to do is cut. So he said, let's cut it out, without hesitation at all. So sure enough, I'd never had surgery before, other than having my tonsils taken out when I was in kindergarten, so I was like, all right, let's do some surgery. So they got to use the cool little da Vinci robot, cut in there and get in there and take it out. So that's all fine and good. I wake up after the surgery, doctor standing there. That's weird, I expected a nurse. The doctor was standing there. He said, well, you're okay, that's good, but there's a problem. Not the first thing you want to hear when you wake up out of your surgery, especially when you're under the effects of anesthesia to some degree. He said, well, we went to take out your gallbladder and we couldn't do it. Okay, why not? He said, well, Chris, you are one of the 0.02% of people in the world who are born without a gallbladder.

So at this point I thought he was messing with me, right? I was on anesthesia, I was like, no, he's kidding. And even when my wife came in, Ellen, and she was like, no, that's real. At this point, my wife works at the same hospital, so I thought she'd put him up to it; this can't be real. But sure enough, after I went home and slept it off and woke up out of the anesthesia, it was like, no, really, you were born without it. Matter of fact, here's the proof. This is me; this is a very personal story. This is my liver, this big thing here, which I'm very proud of, a very nice-looking liver if I do say so myself, and this is where the gallbladder is supposed to be. I don't think most of you know; I could say it can be anywhere and you'd probably believe me at this point, same with the doctors and me. This is where my gallbladder is supposed to be, and it wasn't. So more or less, again, I was one of the 0.02% of people born without a gallbladder. So I use this all the time. I got to ask my surgeon, would this classify me as a medical miracle? And, absolutely, yes. I tried to get him to write it out on like a prescription pad
so I could frame it. Didn't get that far, but anyways. This is relevant because it's a good example of bias. So the fortunate thing is that that major stomach ache I had hasn't reoccurred, so whatever caused it, I don't know, but as long as it doesn't happen again I guess we're good. So that's a good thing for me. The bad thing is this was caused by a lot of bias, right? There are many types of bias and we're going to talk about them. In this case the three that I really think came into play were confirmation bias, outcome bias and congruence bias. More specifically, to kind of sum those all up together: we had several doctors who thought it was one thing, we had a radiologist who was told, hey, look for this one thing, and because he was looking for that thing, he found that thing. Going back and talking to the surgeon afterwards, he re-examined those ultrasound scans and he's like, now I can see where this is kind of hazy; they don't really know what it was, gas bubbles, things like that in the intestines, it's hard to say. But because he was looking for it, he thought he saw what he wanted to see, right? We've all heard that phrase before, and that's the example of confirmation bias. So that was the cause, and what that caused for me was really relevant for my life. The effect of that was obviously very negative, right? I had recovery for what was essentially unnecessary surgery, and the recovery was longer because once they got in there and couldn't find the gallbladder they kind of had to root around and try to find it, which I mostly equate to being in a networking closet and trying to trace cables back. We've all done that. So, here's some small intestine, I'll follow that, and that's not pleasant. So obviously there's some financial loss there, and it caused another type of bias, which is pessimism bias, and that for me says, even though my wife's a doctor and she likes to hear this, it makes me have a little less faith in maybe the radiology side of the house. And that's something I can't help; just based upon experience, that's how I feel about it. So that's an interesting personal story there, so I'll step back and relate this less to me and more to what we all do as a job. Real quick, how many people do some type of analysis in their job? Just show of hands. So basically everybody. Great, good
room then. So analysis essentially is making judgments based upon data, right? Again, I talk about this in terms of network security monitoring and that's one way to look at it, but you have a bunch of data and a human interprets that data and makes a decision. That's essentially analysis without a fancy definition, and it happens in a lot of different ways. This talk, again, is framed through the scope of network security monitoring. Real briefly, network security monitoring is collecting network data, detecting bad things in it, pulling in a bunch of other data sources, doing analysis, human-based analysis, and coming to a decision on whether something bad has happened or not. It's everything leading up to incident response. So once I make the decision that an incident occurred, I hand that to incident responders and they go do their thing, and that's a separate process. Right, follow? Okay. So I mentioned collection, detection and analysis, and that's something I call the NSM cycle: you collect data, you detect bad stuff in it, you perform analysis to determine if something bad has happened, right? And it's a cycle, and one feeds into another. I don't really think that's necessarily how those things have evolved over time in that linear cycle. I think there's been different emphasis in those areas. Specifically, I think originally, in the past, most people were in this detection era, where folks just realized I could detect bad things in massive piles of data, right? And that was good; that's when you had things like Snort that came out and you were able to do intrusion detection really kind of robustly. The thought pattern at this time was collect as much data as possible so I can perform as much detection as possible. And that worked for a while; it didn't work forever, for a couple reasons, the biggest of which is that networks got faster. You know, 20 years ago we could collect all the data in our network and store it for at least a little bit of time. Nowadays, even on smaller networks, we can't necessarily collect data and store it for more than even a couple hours in some cases, when we talk about very robust data types like full packet capture, for instance, or log data types from a ton of different logging sources. Even just a simple Bro sensor you fired up on a medium-sized network, and you're going to be screaming for resources pretty soon. So now we're kind of into the collection era, and this is the era when folks really started thinking about the data they were collecting and gearing that more towards the goals of their detection processes. So instead of saying I want
everything, I only want things for maybe these ports, or I only want these data sources for this amount of time. There are a couple different ways to do that. Generally it's some type of risk-based approach, where I'm going to say as an organization my biggest fear is XYZ happening, you know, all my web servers crashing, because I measure downtime on web servers in millions of dollars per second, like Amazon.com or something like that. And then you translate those to technical risks: I want to detect attacks against these devices from these types of threat actors, whether more casual attackers or more sophisticated attackers, and based upon that I'm going to define my collection strategy. And that's where I think we are right now, kind of this collection era, for most people. A lot of people are just entering it, where they're really starting to think about what data sources they should use, and some are kind of in the middle of it, where they're really getting through the weeds, and some are more towards the end of it, where they've really started to nail down what data sources they want. My talk yesterday at Security Onion Con was kind of in this area. How many people in this room were at the Security Onion conference? A lot, that's great. I hope you all enjoyed the talk yesterday. So this talk, as promised yesterday, is about the future, and that's what I call the analysis era. This is an era where folks are detecting based upon a very solid collection strategy, and then it's kind of, then what? We have this great collection strategy, we're only getting the data we need, we've got really robust detection with all the great tools out there like Snort and Bro and some of the statistics-based stuff, and that's great, but how do I do analysis better and faster in
order to get to that decision of whether something bad happened or not? So an interesting study that kind of led me into this talk was done by Kansas State University. Do we have Kansas State people in here? Okay, good enough, I'll take it. So an interesting Kansas State study is going on right now; it's ongoing, but they've released some preliminary papers and findings. Basically what they did is they got a bunch of anthropologists together and they said, we want to send these anthropologists and put them in a security operations center, and we want to have them learn the culture and basically do an anthropological study of how that works. Anthropology is kind of the study of culture, so it's SOC culture, so to speak. There are a lot of interesting findings; I highly recommend reading the paper. If you Google you can find it, or I think I have a URL maybe later here. But the quote here that I thought was fascinating said: SOC analysts often perform sophisticated investigations where the process required to connect the dots is unclear even to the analysts. To me that's unacceptable. I don't think that's a good thing, and from my experience in SOCs it's certainly true. All the guys who are good at analysis, if you ask them how they do it, they generally can't tell you. More often it's, hey, just watch me, sit shoulder to shoulder, shoulder surf for a while and you'll pick it up. And while that's certainly reasonably effective in some cases, it's not the greatest, and that creates a situation and a scenario where we have tacit knowledge. When I say tacit knowledge, that's knowledge that cannot be codified into words. That's a problem, because really when you think of collection, detection and analysis, everything we do leads up to this human analysis point where we are making these decisions. If we can't tell people how we make these decisions, and thus train
people on how to make these decisions better, I think we're not doing the best job we can do. That's a problem for me. So that's why I wanted to think and talk a little bit about this analysis era moving forward. The good thing about this is that we're not alone. When we talk about thinking about thinking, which is what this really is, for lack of a better phrase, we're not the first people that really have had to look inward and do this. I've talked about the medical field already quite a bit, but this is one of those where they've really had this revolution in the past, between like 1900 and 1960 or 1970, where they really started looking inward and defining their diagnostic methods: how they get from symptoms to testing for things to a diagnosis. Which isn't really too different than what we do: we have symptoms, an alert; we do tests, looking at data and ruling things out; and we do a diagnosis, is this an incident or is it not? Very similar. And there are similar stories in legal and scientific fields as well, like physics, chemistry, astrophysics, etc. You can find similar parallels. So that's good; we don't have to reinvent the wheel here. We can look at how a lot of these folks have thought about how they think and apply some of those things, which is what I'm going to talk about a little bit here. Another field that's probably more relevant to a lot of us is traditional military intelligence. We talk about threat intelligence like it's this new sexy thing, but it's been around for thousands of years really, and certainly within the scope of the United States we've been doing it for a couple hundred years, and quite honestly we're pretty darn good at it. So applying some of those more traditional intelligence approaches and how they think about how they think is very useful for
us. So one of the key things to start out with here when you start thinking about how we think is the concept of perception versus reality, two different things. Perception by definition is a way of regarding, understanding or interpreting something, whereas reality is the state of things as they actually exist. So perception is how we see something; reality is how it really is. Follow? So I want to do an example of this, so I need a volunteer who doesn't mind coming up here. I saw you first; you get a free copy of the book for volunteering. What's your name, sir? Pete. Pete, all right, so I need you to stand right here and face the screen. You want to stand back just a few steps here. So I'm going to have Pete do a little test. So, right there, what does that say? Red. Okay, what color is it? Red. Okay, so here's the deal: I'm going to go through these pretty quick, and I want you, just as fast as you can, to tell me the color of the text, okay? Everybody follow what's going on here? So let's just do this example real quick. Red. Okay, that's what we're going to do; we're going to go through a few of these. Okay: red, green, blue, black, purple. Everybody give him a hand. Okay, so that is a variation on something called a Stroop test. Anybody ever heard of a Stroop test before? If you've seen MythBusters you might have seen them do one of these recently. It was developed by John Stroop in 1935, and it's used to measure cognition. I talked about perception and reality; I didn't talk about cognition. There's a gap between perception and reality, and how long it takes to get from one to the other is what we call cognition. The Stroop test is used to measure cognition. You notice with this test obviously that the word is the same color as the text: this is blue and it says blue, this is black and it says black, and this
is purple but it says yellow, right? So you notice when he was going through there, there was a clear gap in that. I'm glad that happened; when I gave this talk locally at our ISSA chapter, the guy just breezed right through and didn't falter, which kind of ruined the example. But anyway, in this case it identified that gap between perception and reality. A lot of different places give this test to potential employees, or I know the military uses this test in a lot of varying scenarios, to measure your rate of cognition. They break that down into selective attention, cognitive flexibility and processing speed, which are all very fancy words but essentially mean how fast you can take what you see and actually digest that down into what it really is. And that applies to analysis, right? We have cognition of what we think things are, and then we have actual reality, or perception of what we think things are and an actual reality of what they really are. And there are a lot of things that affect that, particularly bias. Bias by definition is prejudice in favor of or against one thing, person or group compared with another, usually in a way considered to be unfair. So this definition is more geared towards people and bias against people, but it really applies to any scenario. Anything that we perceive where there's an actual different reality, there can be an effect of bias in it, again based on perception, that perception and reality are different. And because of that, we've all heard the saying that perception is everything, and it really is, especially as an analyst, because we start there. No matter what, we start with perception, and that's fallible, and thus we tend to perceive what we expect to perceive or are conditioned to. So we'll do another test. This one doesn't require someone to come up here, but it's going to require everyone. So I'm going to show you
an image, clearly. I'm going to show it for about 5 seconds and you're going to see some things clearly. So I'm going to show it for about 5 seconds, I'm going to flip off of it, don't say out loud what you see, just keep it to yourself, and then I'm going to ask for some participation. Right, ready? Okay. Show of hands, how many people saw the saxophone player? Everybody. Okay. Show of hands, how many people saw the face? Okay, a few less. That was about 70%, I think; about 90% for the saxophone player, about 70% for the face. So that's interesting. So we're going to do a different one. I'm going to show you a picture of a white vase for a couple seconds, and I just want you to see if you see it, right? Okay, who saw the white vase? Everybody. Did anybody see anything different? This one always doesn't work as well. Okay, fair enough. These don't work as well in person as they do online for my testing, which is interesting. But anyways, this is an example of conditioning to see things. Obviously for the first picture I didn't tell you what to expect, so different people saw different things. It was pretty close, a lot closer than my control groups, but generally speaking, in this case you would have been in the second group. For the no-prompt, y'all were about 90 and 70, which is about what I've seen more in person. When I did prompt, 80% saw the face and 12% saw the saxophone player, which is an interesting divergence of those statistics. For the second image, everybody here saw two people, which is great. I think it might have something to do with maybe the larger screen size; all the control groups did this on a small screen. But anyways, you see the difference here, and what I'm trying to get across is that people see different things. It's kind of a cheesy way of demonstrating it, but people see
different things based upon whether they're prompted or not and whether they're told what to expect to see. Just like the radiologist saw a gallbladder full of stones because he was told to expect to see that. Similar type deal. So let's talk about how this relates specifically to bias and analysis. I've got a couple quick examples and then I've got a couple specific ones. So here's one that's real close to home. Here's an example of some flow data. You notice it's kind of cut off here, but there are line numbers here, 1, 2, 3, 4, all the way through 12. What line number, if you're looking at these fields and you want to investigate something, what line number might you be drawn towards first? Most people said six, right? Why is that? Source country is China, right? So that's bias, right? We're biased to think, and the company I work for probably doesn't help this perception all the time, but generally we're biased to think that anything coming through from China is bad, which isn't really necessarily the greatest bias to have. There are plenty of legitimate websites and servers and things you talk to in China that are legit. In this case, one thing I might have been drawn to more specifically is line number two, because there's a known port right there for a known service that might be interesting, whereas everything else is a high port or port 22. That's a good example of bias and what we've kind of been conditioned as an industry to look for. Here's a more recent example; Adrian might appreciate this one. Does anybody remember this, the Kaspersky post where they found the malware that they attributed to a potential APT group and they showed it on the screen, and it turns out it was just the Social-Engineer Toolkit? Yeah. So that was pretty funny; of course Dave Kennedy wrote the Social-Engineer Toolkit, so he saw that and he's like, oh, this is my code and it's being attributed to something these bad guys created, which is pretty funny. This is a case of kind of a vendor bias, where they really want to find this really cool, exciting thing that they can share with the community, which is kind of a noble thing: you find good intelligence, you want to share it. But in this case they had the blinders on a little bit, and there's some more due diligence that could have been done there. So I think that's a great recent example. So let's talk about some specific types of bias, and I've
got seven or eight of these; I'm going to go through them pretty quickly. The first is called anchoring: relying heavily on a single piece of information. That was that first example I showed, right? Everybody saw CN in there and that was the bad one. We all do this. I try not to put too much faith in GeoIP lookups, but even I sometimes do, especially if you have all of them that are the same and you find one outlier; then you want to look at that one. IDS alert name is another big one: if you see the alert name and you put too much weight in that, it says it's this piece of malware, so you really think it's got to be that piece of malware, when in fact, first of all, it may not be something bad at all, it may just be a random sequence of bytes; second of all, it may be something bad but it may not be that specific type of malware. So just because you see the alert and then you look for how that malware should work, but the malware you're seeing works differently, don't dismiss it; it's probably just a different piece of malware that might use the same components. Folks who write malware are just as lazy as folks who write legitimate code; they reuse stuff. So it's very possible it's a different piece of malware. That's a big one; we'll talk about that a little more later. So clustering illusion is a different one. Can anybody tell me where the bad stuff is here? You can't, because it's useless. This is a useless visualization, right? I hate useless visualizations, and this is generally one of them. Now, if it were force-directed that would be cool, maybe not. So that's basically overestimating the value of perceived patterns in random data. Looking at visualizations, they're useless; they're one of them. So in this case, whatever this red means, people might think it's bad, or maybe these outliers are bad, and
who knows what that means um another one of the examples is what I call the great beaconing fallacy um and this is this is one of the ones I know when I when I worked with the sock and spay War I was the the team leader of the IDS group there and I had a band words list and beaconing was on it because anytime any analyst saw something that was going in in like a periodic manner like every five minutes or every hour it's it's AP or it's it's China or it's it's something bad because it's beacy right if you wanted to write something that detects beaconing basically you're going to write a really good normal traffic
detector right cuz lots of things Beacon right if I'm riding a a piece of software that needs to check in every now and then I'm not going to write some random number generator have a check in at 3 47 52 and seven minutes right it's going to go on an interval that's how people generally rock cod so when something's doing something at a at a relatively the same time rate it doesn't inherently mean it's bad sure some bad things do that um but that alone is generally not one of the best things to to go on when you're looking at L thata and that's that's really related to Cluster and illusion and it's looking for patterns
that may first of all may not really be there it's like all may or may not have any need availability cascad is an interesting one strong belief in something due to its repetition of public discourse again a traffic tour from China is bad so because of availability Cascade and that being said so much we're going to think it's bad um internally in a sock we're going to talk about false positives right if you listen to a lot of analysts and and in your sock and they say oh rule XYZ always generates false positives if you hear that enough you might just start eventually dismissing that rule right when it may be a perfectly good rule it
may initi eventually lead to something that's just useful for detecting um so you have to be careful of of um thinking about uh you know just because you hear something more and more and more it doesn't always mean it's true that's from an industry and an internal sof perspective so belief B is isn't interesting because it occurs when a decision is based on the believability of the conclusion uh this is really big at the management level right uh this one is a is a fun one uh we wouldn't be a target for a nation state actor um you know right now I think most people are thinking everybody's going to be a Target which is good A lot of people
could be um you know 5 years ago most of the private sector was saying oh why why would a nation state government um who wants to steal Secrets Target us right I think we all know now there's plenty of reasons why someone would be targeted um even as far as like retail and and point of sale type things most retailers would think oh why would they want to attack us and steal all these credit card numbers that seems kind of obvious to me but a lot of people were were kind of Blindsided when that happened to a lot of these big retail providers recently um this also happens as well uh you know with different and segmented uh networks
I see this a lot when folks have a network that serves a single purpose like it's where all your printers exist it's where all of your your voice phones exist it's your secure network segment it's your scaa network segment like why would anybody you know why would someone attack there um or furthermore it's okay this is an alert that says a Windows uh web server exists or better say in Jinx web server exists in my SC a network and I don't have any of those there so this must be a false positive probably not the best betag some they set up one in there either one of your own people unintentionally or somebody with nefarious
intentions confirmation bu I talked about that a little bit already uh interpreting data during analysis with a focus on confirming one's own preconception this is what happened again with the radiologist in my situation um ego is kind of a big thing here uh analysts who have been doing this a while and I'm guilty of it myself is if I I tend to want to follow my heart a little bit and if I think this is the uh the bad thing um that's happening I tend to want to confirm that with findings instead of you know trying to think outside the box or even sometimes accept someone else's conclusion and place it my own right so
we have to keep our OS in check when we're doing this type of analis impact bias is the tendency to overestimate the significance of something based on the potential impact um a couple things I see really big that that kind of contribute to this are the the naming of the signat alert uh and lack of experience right so in this case you know if I have an alert that's named you know uh you know AP1 back door and I'm a junior analyst I might think oh man this could be a really big deal I need to spend three days analyzing this right even though it may be very clear that it's a false positive right so and this
go goes both ways uh you know it's it's um as opposed to AP back door it could be um you know PHP remote file include well this is kind of you this is something I see all the time and uh this is a just a web server that's sitting out our DMZ so it's probably not worth my looking at or spending a lot of time on little impact right of course I think most of us especially in this room know that some of these things that that are of somewhat initial lower consequence could lead to things um that are bigger rather so that's something to keep in mind there um rational escalation is an interesting one it's also called some
cost fallacy or gamblers fallacy um it's to say that just because I've spent um you know all day analyzing this thing I should probably spend an extra two or three days just to make sure cuz I've already spent all this time otherwise that time's wasted um this is a really easy trap to fall into and generally when you fall into it you're not going to realize it um you know I've done it before as well I just most people just don't like to think that the time they spent doing something is wasted um generally I'm of the opinion that um if you're ruling something out is a true positive it's not wasting time it's doing your job that kind of equates the
most of your job a lot uh framing effects a good one uh interpreting information differently based upon how or from whom it was presented uh this is a a big uh cultural thing within the security operations center uh we all have uh you know social clicks and in those environments we see folks of varying levels of expertise uh so you know just because um this junior analyst tells me something I may ignore it whereas if a senior analyst tells it to me I may I may actually internalize it and do something with it that's something to watch out for obviously you know you it's natural you want someone less experienced you may put a little less faith in something
they say in that regard that's that's to some degree natural um but when it gets down to to like a click based thing I think this guy's a jerk so I think what he's saying is wrong that's when you gota kind of watch out because then you miss things right um I've done that lots of people do that that's also a good way to alienate newer analysts in your organization if you don't watch out certainly don't want to do that overconfidence effect um we we've kind of talked about this a little bit I I like to talk about the 99% Paradox um generally when when people I read a study that said when people say I'm 99%
sure this is right um that means they're wrong only about 40% of the time right um so that's an interesting to watch but it's related to overc confidence um when there may be data that suggest otherwise we all have OS um nobody's without one but it's another one play here and pro-innovation biases is the last one we're going to talk about in the scope of biases um it's optimism based upon one's own inventions um being involved in the analysis and this is especially uh critical in and um and what we do cuz in blue team and write like we like write a lot of our own tools first of all we write our own signatures we write
our own tools um and because of that we kind of want to use them a lot right when I write code I want to use it for everything fair enough right but sometimes not all tools are going to be the best for every scenario uh if I write a signature of course I want to believe it's going to be the best signature ever um I write rules um to some degree for a living right now and so when someone tells me it's a false posit it kind of hurts me right in the feelings here um but uh you have to realize that that you just can't you just have to watch that it's another ego thing
there so I've listed a lot of bias here um I think I went through maybe about 10 different time kinds if you go to if you go to Google and go to Wikipedia and search for C list of cognitive biases there's a page called that um it has over 100 types of bias listing right I picked a few of the ones that I see the most um in socks and ones I think they're most impactful to us but there's over a hundred of them various different kinds um so that's a big challenge right um it's all related to our mindset and Analysis a mindset itself is not a good thing it's not a bad thing it's just a
thing right it's just something we have to be aware of um when we try to overcome these biases so what can we do I guess that's the big thing I'm explain the problem so I wouldn't be doing any justice if I didn't say how we can uh work on fixing it um first of all is admitting again a mindset is not a good thing it's not a bad thing it's just a thing we have to deal with preconception and bias also cannot be fully avoided right they're going to happen they're going to happen for a number of reasons they relate to um your parents your friends uh your social background your economic background uh the country you grew up in
the country you're born in the country you live in now um even so the states um right so someone um raised in South Carolina May do things a lot different than someone raised in New York City for instance a lot of things go into that and we can't always uh control that so therefore I think there's three things we can do uh the number one thing is develop repeat analytic technique that's converting that tasset knowledge I talked about earlier to something that can be more easily structured and uh and kind of taught um so to speak and the other two um kind of relate and that's recognizing key assumptions then allowing those to be challenged right so
when we when we produce reports whether it's an NSM uh report or something like that uh a result of an investigation uh we need to identify the assumptions we're making and then let folks challenge those and be kind of okay with it um so analytic technique there's generally um there's generally a three-step process right we have an input um a lot of times it's an alert uh and then there's an investigation and then we have the option um to escalate it um so that's that's pretty basic that's pretty high level and that's not quite as deep as we want to get so there's a couple options here uh two of the big U options I I've looked into are
think it's called relational investigation and differential diagnosis these are actually taken from other fields you know I talked about this is not just our problem these are Tak methods taken from other fields that we can then uh use to enhance our own analysis right so I'm going to go into these just very very quickly um if you're really interested in them I have blog post out and the book covers them a bit too uh but one of these is called relational investigation I think we've all seen cop shows like inyp blue and things like that where they paste all the the 8 by1 of of people and and put receipts on the wall and draw the
strings in between them right that's relational investigation is what that's called it focuses on entities relationships and kind of the interaction between things um here's kind of a scenario of what that would look like right so you're investigating a primary set of subjects identifying how they relate to each other ideally at that point you're also identifying things that might relate as a secondary relationship and you're building webs U more or less investigating additional degrees of subjects and building a web of how everything works together right starting small going bigger that's how you go from something like this uh which is a snort alert for a PDF file download to something like this where you see that
PDF file drops a bad file um something like this where you see that that bad file that was dropped open up a back door and attacker used it to an attack to attack a network right I'll make these slides available so don't worry about trying to digest all right now the other option here is differential diagnosis this is borrowing from our friends in the medical community uh and it kind of relies I if you ever seen house houses that's why I have a picture of house up here right they always have these really complex scenarios and they put them on a whiteboard and they list all the possible solutions and do testing to kind of remove the ones that
don't F anybody ever seen that show hands seen that lot people okay so differential diagnosis basically works like this you identify list of symptoms consider an evaluate the most common diagnosis first uh list all the possible diagnosis uh prioritize them and start eliminating them based upon candidate conditions right uh so very simply so you just have you have a scenario you have an alert I think it could be okay it could be five of these possible things right take the most obvious one which is going to be it you know 80 or 90% of the time eliminate it if you can then perform testing whether that's getting more peap data and looking for this getting more net flow
data and looking for whatever um it's actually doing host based forensics on the host itself um potentially that and you start eliminating things till hopefully you're only left with um again I have some some examples of this on the blog that you can you can read through they're more detailed uh the last thing I'm really going to talk about here is um incident Eminem stands for morbidity and mortality uh this is borrow from the medical field uh created by someone called Dr Ernest Codman at Mass General Hospital which is basically Harvard's Hospital uh he was a surgeon in the early 1900s and he more or less realized that uh they weren't doing a good enough job
uh in cases where people were were dying or um having bad outcomes so not doing a good enough job of basically doing kind of an after action thing and talking about how that happened in making it better so he started morbidity and mortality confidences and this is basically where a surgeon would get up when they had a patient who had a bad outcome or died and they would talk about their process from diagnosis to surgery and everything they did then their peers would do some strategic questioning of that uh and from that you know hopefully you can produce an after action report that would help everybody be better at their job so this is something that was actually adopted and
is used all over my wife as a doctor does this now she has one she has to attend every month um it didn't go so well for him at the time um surgeons at the time were pretty confident and didn't like having to be questioned so he got sarily fired um after he came up with this idea but he went on to have a pretty long distinguished career talking about good enough um for an incident uh morbidity mortality U it's kind of the same thing but in this case the Handler the analyst kind of presents the case and people will then um you know pile on and give some alternative analysis so there's several different alternative
analysis techniques uh these were um the kind of The Godfather of this was Richard SE Jor who was an FBI intelligence analyst who wrote A a really great book uh called um uh intelligence for um I just blanked on it's in the notes I'll send it to you later um he wrote a book on an intelligence analysis for uh for government military folks and this is very very helpful so there a couple different techniques right here I'm a little shorter on time um so I'm not going to go through them but basically there's methods of strategically questioning folks um during this kind of Eminem process right because you want to make sure you're doing that in a
constructive manner um because not everybody especially those of us um with a little bit ego certainly don't like to be uh to have their methods question in a way that's not constructive or positive for the whole group that makes sense so there a couple of those I'm I'm going to skip through those now for the purpose of time um a couple best practices for for these Eminem conferences I used to conduct these at spay War when I when I ran part of the sock there um and they were very productive I think Jason would agree he worked for me in the stock there and they were U they definitely helped our quality of analysis um I say you limit
the frequency of them especially initially um they require a strong mediator because those things can get kind of heed at times um you want to set expectations obviously um on what this purpose is this isn't uh this isn't tied to someone's pay this isn't tied to their job success this is just something we do to make everybody better um because everyone working together obviously going to acheve quite a bit more um and the big thing at the bottom I guess is writing it down um these things are useless if you don't produce an after action report I generally recommend that the person who's giving the presentation takes feedback from all the other folks and produces that report
says what they would have done differently if there is anything uh and how that could be improved upon uh later on um so that's going to pretty much wrap it up for me um you know just to conclude I I really think that we're moving more towards an era where while detection and collection are going to be important uh eventually we start having to think about how we think about analysis how to improve that and turn that tcid knowledge um really into something that can be codified so the next generation of analysts who come up um aren't relegated to shoulder surfing with uh with more uh senior level analysts to actually get the skills they
need um to the job uh beyond that bias is inevitable um think about the the gap between perception and reality the things that can cause you to be biased during the cognition process from one to the other uh and think about ways you can overcome that talked about analytic technique and codifying things um after action alternative analysis on incident morbidity and mortality um and those are all really great techniques again um if you're interested uh the book has a lot in there the blog has a lot of this as well um and yeah that's it any questions uh so the biggest problem I've run into trying to get analysts to change or at least to come to a way of
thinking about incidents is that initial triage you've got 30 seconds you're looking at that one row you're try to determ do I go further do I not how do we make that type of analysis more predictable more repeatable more with a higher hit rate well I think that starts you know how do you make the the initial Tri the question was how do you make the initial triage analysis where you're initially looking at that alert and determining if if it needs more investigation how do you make that kind of more efficient um I think while there is analysis um part to that uh I think it starts with good collection and good detection um making sure that that
you're presenting first all presenting the anal analyst with enough context to make a good decision quickly um I'm generally have the opinion give the analysts as much information as they they need or maybe at least easily available to them uh to make that decision so that's I think that's the big key there that's almost I would say more of a collection problem with that initial trie
as moving more and more towards you know data Big Data automated collection automated analysis SPS out system how do you avoid the problem where I guess I would call it Cascade failure signatures is you have you set up a signature let's say to detect a certain you know outbound communication and you know got other automated to tell you okay when you see this get the name of the machine get the IP get the process get all this where they end up confirming each they basically end up erly confirming each other because you set up this signature with with the initial bias this yeah so I think it has to do a lot with AB of levels of abstraction from
the data right so I think when you give an analyst an output that says this you know we deter this is bad because this IP is bad you need to tell them why you determined that IP was bad right so you know we have we have a big problem right now where people just want to use lists of things and call that intelligence which is kind of a big deal right it's not enough for me if someone gives me an IP and says this is bad that tell me why it was bad that includes uh you know was it just extracted from some malware that was kind of detonated uh was it a known C2 for an attacker um you know that's um
one of those things and not only that I want to know timing information was it bad yesterday or was it bad a year ago because if it's bad a year ago it may certainly not be bad now so I think when you talk about automated analysis Solutions you know analysis itself will can and should and never will be automated fully but it's certainly okay to have machines helping you make some of those initial decisions as long as you are factor in those things like where did this come from why is it mad and how long ago was it mad the biggest example is out microsoft.com as it first call check your you end up black
sure well I guess yeah and the thing is just just being very careful with what you do with that data um you know it's never a good idea to to hook up some type of automated Mal sandbox to an IPS right mod right so sure any other questions all right thanks folks
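The "great beaconing fallacy" in the talk can be shown concretely. The following is an added example, not code from the talk, the speaker, or his book: a minimal beacon detector that scores each (source, destination, port) conversation by the regularity of its inter-arrival times, run over a constructed flow log. All host names, addresses, intervals and the jitter values are made up for the example. The point it demonstrates is the one the talk makes: a periodicity detector flags the legitimate software updater and the jittered suspicious client with the same confidence, so periodicity alone cannot separate them, and the context the talk asks for (why is it bad, since when) has to come from somewhere else.

```python
"""Beacon detector over a constructed flow log (added example, not the
speaker's code).  Each conversation is scored by the coefficient of
variation (std / mean) of the gaps between its events; a value near 0
means near-perfect periodicity.  All names, addresses and timings below
are invented for the example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (epoch seconds, source host, destination, dst port).
FLOWS = []
# Legitimate-looking updater: checks in exactly every 300 s (assumed).
FLOWS += [(1000 + 300 * i, "ws-01", "updates.example.net", 443) for i in range(12)]
# Suspicious client: every 300 s with a few seconds of jitter (assumed).
_JITTER = [0, 3, -2, 4, -1, 2, -3, 1, 0, 2, -4, 3]
FLOWS += [(1000 + 300 * i + _JITTER[i], "ws-02", "203.0.113.10", 443) for i in range(12)]
# Interactive browsing: irregular gaps between requests (assumed).
_GAPS = [7, 121, 15, 600, 42, 3, 250, 88, 900, 11, 30]
_t = 1000
for _g in _GAPS:
    _t += _g
    FLOWS.append((_t, "ws-03", "news.example.org", 443))


def beacon_score(timestamps):
    """Return (event count, mean gap in seconds, coefficient of variation).

    CV close to 0 is a fixed interval; CV around 1 or higher is irregular.
    Fewer than three events give no usable estimate, so CV is reported as
    infinity and the conversation can never be flagged."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), 0.0, float("inf")
    m = mean(gaps)
    return len(ts), m, pstdev(gaps) / m


def find_beacons(flows, min_events=6, max_cv=0.2):
    """Group flows by (src, dst, dport) and return the conversations whose
    timing is regular enough to look like a beacon.  The result carries
    no verdict: both benign and malicious periodic traffic land here."""
    by_conv = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_conv[(src, dst, dport)].append(ts)
    hits = {}
    for conv, times in by_conv.items():
        n, m, cv = beacon_score(times)
        if n >= min_events and cv <= max_cv:
            hits[conv] = (n, m, cv)
    return hits


if __name__ == "__main__":
    for (src, dst, dport), (n, m, cv) in sorted(find_beacons(FLOWS).items()):
        print(f"{src} -> {dst}:{dport}  events={n}  mean_gap={m:.0f}s  cv={cv:.3f}")
```

Run as a script, the updater scores a CV of exactly 0 and the jittered client about 0.015; both are reported, while the browsing host (CV well above 1) is not. Nothing in the score distinguishes ws-01 from ws-02, which is why a periodicity hit should be an input to the differential-diagnosis style investigation described in the talk rather than an alert on its own.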