
Okay, hi everyone, thanks very much for coming. As mentioned, my name is Gabriel Curry. I work for PwC in the cyber incident response team, and I'm here to give you a brief rundown of some structured analytical techniques for cyber security. Structured analytical techniques are something that's relatively commonplace in the intelligence community as a whole, and it's something that's coming to prominence in the cyber threat intelligence community as it matures a little bit. What I'm hoping to do is give you a little bit of my experience of applying some of these techniques in cyber threat intelligence and in incident response, and hopefully give you the tools to walk away and do the same.

So first of all, why do we actually want to use structured analytical techniques? What's the point? The idea is that when we're doing any kind of analysis there's always some level of bias in there, and we generally call these cognitive biases. As it says on the slide, a cognitive bias is a mistake in reasoning or analysis, often as a result of an analyst's personal experiences or beliefs. The point is that when I do some form of analysis, that's always going to be colored by my own personal experiences, the way that I've approached the world in the past and the way the world has been to me. So if another person was to go away and do that same analysis, they might come up with an entirely separate conclusion, because they've got different experiences and the world has treated them in a different way. There are some examples of common perceptual and cognitive biases on the slide; I won't run through them today, but you can review them later.

So what we want to do is try and fix the problem of cognitive bias, and I'm going to talk through two broad ways that we can do that. The first of those is using analytical frameworks: we want to properly think through the exam question, so as to try and remove some of those cognitive biases when we're actually performing our analysis and coming to an assessment. Then, second of all, once we've come to that assessment, what we want to do is be able to clearly communicate the answers that we've come up with, our assessments, in a way that means the same to me as it means to you, and that's when we use something called estimative language.

Diving straight into the first area we're going to look at, analytical frameworks: these are relatively commonplace, and some of you might have come across these before. Perhaps the most basic example is the SWOT analysis: strengths, weaknesses, opportunities and threats. I'm not going to go through all of these examples; what I'm going to do is think about how we've related them in the past to cyber threat intelligence, or to thinking about threat actors. So for example, we've used SWOT analyses to try and prompt us to critically evaluate a threat actor: to think about, you know, what are they good at, what are they bad at, and, in the environment that surrounds them, what are the opportunities that they have and what are the threats that are out there for them. That's something that's relatively well established in business.

The other one is called a STEMPLES analysis. You might have seen this, or you might have seen it referred to as PESTLE, which is more widely used in business; STEMPLES just takes the same thing and adds a couple of letters on. Effectively that's a framework for considering how an environment might affect your threat actor, or might affect something. So you might want to consider, based on what we know about a threat actor, how the various elements of the environment can affect them, or, if we don't know anything about a threat actor, how the environment might mean that they're going to behave. It's just a way to prompt us to think about the question and think about threat actors in a reasoned way.

The one that I'm going to focus on for the next couple of minutes is more deeply around actually analyzing threat actor capability, and it becomes useful to think about this in an easy way, right, guns and tanks and whatever, in traditional military intelligence analysis. So on the slide we've got a tank; it's a T-34 tank from the Soviet Union. The point is that when we're analyzing this tank, the threat that that tank poses to us is more than just the weapons that are on that tank. There's a load of other things that we need to think about when we're trying to analyze the capability of that tank. Some of the other things that you might want to think about are: well, what's the current morale of the crew like? People need to run that tank. What's the organizational hierarchy of that vehicle and the crew, and where does it fit within the wider army? Where does it get its orders from? How does it make decisions when it doesn't have orders? Where is the fuel? How does it maintain itself? Is it well supplied, essentially? There are all those different kinds of questions, which allow us to evaluate the threat that tank poses by thinking about more than just the gun that it might have on it.

So we can take exactly the same principle and apply that to cyber threat intelligence. Normally we might look at malware from a threat actor, and the nature of the threat that that malware poses to us as an organization is more than just the threat of that malware itself; this is in effect the weapon, right? So there are loads of other things that we might want to think about.

Returning to the tank, and returning to our analytical frameworks, one of the frameworks that we can borrow is called the TEPIDOIL framework, or the Defence Lines of Development. Effectively this is a way that the Ministry of Defence uses to think about threats, or to think about capability, and what it encourages you to do is, just like in STEMPLES, to go through a structured list of all the different things that we might want to consider. But the problem with that list is that when we're looking at a tank, that all makes sense, right? We're talking about armies, we're talking about war. When we're talking about malware, it perhaps doesn't make quite as much sense. So what we need to do is change it around a little bit. I had a go at trying to still keep TEPIDOIL, which is harder than you might think, and trying to make it so that it actually fits the cyber domain. A lot of those are similar, but some of those might be slightly different, and you can think about how all of those different elements might be applied in the cyber domain, and how they might prompt you to think about all of the different aspects of a threat actor and the impact that that threat might have on you. So that's the end of our really quick run through my analytical frameworks.

Next we're going to look at the second question, which is all around understanding and communicating uncertainty. I've come up with some assessments around my threat actor; I've come up with some ideas about how I think they might operate and how I think they might work, and what I want to do now is tell everyone about the assessments that I've made. The problem is that when I say something about my assessment, that might mean a very different thing to you than it means to me. So this is an example of a study that the CIA did a couple of years ago, well, sixty years ago, and effectively what they did was take a load of terms, so "almost certainly", "highly likely", "very good chance", et cetera, and they asked a load of people what percentage likelihood those terms referred to. You can see that in the example of "probable", some people thought that meant a 25% likelihood that that thing was correct, whereas to others that meant 90%, so that's a really broad range. When I've made an assessment and I'm trying to communicate that to someone, what that means is that if I say something's probable and I mean that it is 90% likely, they might think that that means it's 25% likely, and that's obviously a real issue. Those kinds of issues have cropped up all throughout history: look at 2003 and the dodgy dossier from Tony Blair that was used to justify the invasion of Iraq. That perhaps didn't have great intelligence analysis behind it, and perhaps didn't understand and communicate the uncertainty that was behind those assessments very effectively.

The way that we can fix that is by actually being really clear about what we mean when we're expressing that level of uncertainty. So this is the framework that we use at PwC, and we try and incorporate it into all of our reporting where there's some degree of assessment. What we do is make clear, for every single term that we use, what probability range that refers to: so "highly unlikely" means it's between zero and ten percent, "unlikely" between ten and twenty-five, and so on. What that means is that when I say something, the reader also understands what I'm saying in the same way as I mean it. Then, when we actually use that in reporting, we do two things. You can see an example down on the bottom: "PwC UK ... assesses it is highly likely that ...". So effectively you're doing two things. Like I said, first of all we're being really clear about the fact that what we're saying is an assessment, so it's not fact; and then secondly we're adding a term after our assessment to show how confident we actually are in that assessment. So we say "we assess it's highly likely", which means we think it's between a seventy-five and ninety percent chance, and then we go on to talk about stuff.

So that's a really quick run through all of my things. I'm sure I've been way too quick for time, so we can return if you've got any questions. I've personally found all of those intelligence techniques really useful when we've been doing our reporting. We're trying to bring these techniques more to the forefront in the rest of the reporting that the team is doing. We've found them really useful for analyzing threat actors, but also just for talking about, you know, when we're looking at analyzing intrusions, or when we're doing any kind of subjective analysis where we're not 100 percent talking about facts, trying to make sure that the analysis that we're doing is as rigorous as possible. So that's it for me. Does anyone have any questions?
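As an added example that is not part of the talk or of PwC's own tooling, here is a small Python linter for the two-part pattern the speaker describes: frame the sentence as an assessment, then attach a calibrated probability term. Only the three bands stated in the talk are taken from it; the other bands, the list of uncalibrated words and the sample sentences are assumptions.

```python
import re
# Probability bands (percent) per estimative term. Those marked "talk" are the
# ranges stated in the talk; the rest are assumed placeholders ("and so on").
ESTIMATIVE_SCALE = {
    "highly unlikely": (0, 10),         # talk
    "unlikely": (10, 25),               # talk
    "realistic possibility": (25, 50),  # assumed
    "likely": (50, 75),                 # assumed
    "highly likely": (75, 90),          # talk
    "almost certain": (90, 100),        # assumed
}
# Uncalibrated words that readers map to very different probabilities.
LOOSE_TERMS = ("probable", "probably", "possible", "may", "might", "could")
ASSESS_RE = re.compile(r"\bassess(?:es|ed)?\b", re.IGNORECASE)

def find_scale_terms(sentence: str) -> list:
    """Longest match first, so 'highly likely' is not also counted as 'likely'."""
    found, rest = [], sentence.lower()
    for term in sorted(ESTIMATIVE_SCALE, key=len, reverse=True):
        pattern = rf"\b{re.escape(term)}\b"
        if re.search(pattern, rest):
            found.append(term)
            rest = re.sub(pattern, " ", rest)
    return found

def lint_sentence(sentence: str) -> dict:
    """Flag sentences that express uncertainty without the two-part pattern."""
    terms = find_scale_terms(sentence)
    loose = [w for w in LOOSE_TERMS if re.search(rf"\b{w}\b", sentence.lower())]
    framed = bool(ASSESS_RE.search(sentence))
    findings = []
    if terms and not framed:
        findings.append("scale term used without 'assess' framing")
    if framed and not terms:
        findings.append("assessment carries no scale term")
    if loose and not terms:
        findings.append("uncalibrated term(s): " + ", ".join(loose))
    rng = ESTIMATIVE_SCALE[terms[0]] if terms else None
    return {"terms": terms, "range": rng, "findings": findings}

SAMPLE_REPORT = [  # constructed sample sentences, not from any real report
    "We assess it is highly likely that the actor will retarget the sector.",
    "It is probable that the malware was bought rather than developed in-house.",
    "The actor is unlikely to have access to zero-day exploits.",
    "We assess that the campaign is ongoing.",
]

if __name__ == "__main__":
    for s in SAMPLE_REPORT:
        print(lint_sentence(s)["findings"] or "ok", "<-", s)
```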