Building a Better AnalystUsing Cognitive Psychology

Chris SandersBsides Augusta 2015

Chris Sanders

• Christian• Southerner• PhD Researcher• FireEye• GSE• BBQ Pit Master

**Disclaimer**

I’m going to talk about matters of the brain, not just the normal tech stuff.

My research for this presentation involved consultation with psychologists.

I, however, am not one….yet.

Outline

Objectives: Metacognition Perception Intuition Working Memory

“How metacognitive awareness can help you make better technical decisions during security

investigations.“

Metacognition

• Thinking about thinking• Research shows a relationship between

metacognitive awareness and cognitive performance.

• Two Components:– Knowledge of cognition (understand it)– Regulation of cognition (apply it)

The Investigation

• Investigations are an attempt to determine the ground truth of what really happened.– Is there a bad guy? – What did they do?

• Investigations introduce cognitive challenges

Perception, Reality, and Bias

Perception vs. Reality

• Perception: – “A way of regarding, understanding, or

interpreting something.”

• Reality: – “The state of things as they actually exist.”

Our investigative path depends on mindset and biases

Mindsets and Blur

• Mindsets frame how we see the world

• Quick to form and resistant to change

• The initial picture we see forms our first mindset impression

• Biases applied here carry forward

Diminishing Initial Blur

• Provide relevant information up front• Real-istic time alerting• Formalization of triage function

– Put your expertise here– Gather info, make recommendations, pass on– Smaller orgs can use partner analysis

Inattentional Blindness (IB)

• Attention – Focusing on something– Overt or covert– Attention is a limited resource– Many things fight for analyst attention

• It is very easy to miss things right in front of us

Diminishing IB

• Experienced analyst are usually less suceptible• Mastery of your environment

– Mise en place

• Controlling attention– Limit extraneous info– Direct focus– Gaze tracking

Intuition and Memory

It’s a Hard SOC Life

• Investigative knowledge is tacit– Senior analysts can’t explain their success– Junior analysts can’t effectively learn

• Knowledge transfer is limited– “Watch and learn”

Analysts rely on intuition!

Intuition• in·tu·i·tion (noun)

– The ability to understand something immediately, without the need for conscious reasoning.

• Previously not well understood, often dismissed

“It is an illusion to expect anything from intuition.” – Sigmund Freud

A Biological Basis for IntuitionPrecuneus

2.1x Larger Response

TED Talk: The Rise of Augmented Intelligence: https://www.youtube.com/watch?v=mKZCa_ejbfg

Modeling Memory

Using the Visuo-Spatial Sketchpad (VSP)

• A primary component of working memory• Allows for visual manipulation of objects• Studies show that “intuition” is directly tied to

use of VSSP (via the precuneus)

Related VSSP Usage

“If you look deep enough you will see music” – Thomas Carlyle

Visually Investigating

• Draw a picture!– It’s what your brain is doing anyway– Whiteboards everywhere

• Visualize Data Appropriately– Don’t use viz for the sake of viz (geo maps )– Incident timelines– Link graphs– Identify relationships (nouns/verbs)

Thinking Visually - Breakfast

Thinking Visually - Breach

WM Capacity Limitations

• The capacity of WM is biologically limited• WM capacity is set from birth– Humans can remember 7 items, + or - 2. – Complexity of items matters

Hard to Remember Easy to Remember

248.232.122.193 6.5.4.3

sub29203.domain3789.com sub.domain.com

domain.com/me/?id=29381913 domain.com/path/url.htm

a39e3d50ba4aeb134d95ae7aa4d6c578

system32.dll

Diminishing WM Capacity Limitations

• Source Monitoring– Which IP was $suspicious_activity associated with?– Was this file downloaded by $dropper or $attacker?– Which case was $domain

• Chunking– Grouping similar information– Mapping to an existing schema

SchemasPicture These Items

StaplerBuffaloBookFootFlag

EggsBaconGrits

SausageCoffee

Unrelated to Schema

Related to Breakfast Schema

Conclusion

• The biggest hurdle to overcome when investigating security incidents is our own cognitive limitations

• Metacognition can diminish these limitations

Thank You!

E-Mail: chris@chrissanders.orgTwitter: @chrissanders88

Blog: http://www.chrissanders.orgFoundation: http://www.ruraltechfund.org