BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychology
TRANSCRIPT
Building a Better Analyst Using Cognitive Psychology
Chris Sanders, BSides Augusta 2015
Chris Sanders
• Christian
• Southerner
• PhD Researcher
• FireEye
• GSE
• BBQ Pit Master
Disclaimer
I’m going to talk about matters of the brain, not just the normal tech stuff.
My research for this presentation involved consultation with psychologists.
I, however, am not one... yet.
Outline
Objectives: Metacognition, Perception, Intuition, Working Memory
“How metacognitive awareness can help you make better technical decisions during security investigations.”
Metacognition
• Thinking about thinking
• Research shows a relationship between metacognitive awareness and cognitive performance.
• Two components:
– Knowledge of cognition (understand it)
– Regulation of cognition (apply it)
The Investigation
• Investigations are an attempt to determine the ground truth of what really happened.
– Is there a bad guy?
– What did they do?
• Investigations introduce cognitive challenges
Perception, Reality, and Bias
Perception vs. Reality
• Perception: “A way of regarding, understanding, or interpreting something.”
• Reality: “The state of things as they actually exist.”
Our investigative path depends on mindset and biases
Mindsets and Blur
• Mindsets frame how we see the world
• Quick to form and resistant to change
• The initial picture we see forms our first mindset impression
• Biases applied here carry forward
Diminishing Initial Blur
• Provide relevant information up front
• Real-istic time alerting
• Formalization of triage function
– Put your expertise here
– Gather info, make recommendations, pass on
– Smaller orgs can use partner analysis
Inattentional Blindness (IB)
• Attention
– Focusing on something
– Overt or covert
– Attention is a limited resource
– Many things fight for analyst attention
• It is very easy to miss things right in front of us
Diminishing IB
• Experienced analysts are usually less susceptible
• Mastery of your environment
– Mise en place
• Controlling attention
– Limit extraneous info
– Direct focus
– Gaze tracking
Intuition and Memory
It’s a Hard SOC Life
• Investigative knowledge is tacit
– Senior analysts can’t explain their success
– Junior analysts can’t effectively learn
• Knowledge transfer is limited
– “Watch and learn”
Analysts rely on intuition!
Intuition
• in·tu·i·tion (noun)
– The ability to understand something immediately, without the need for conscious reasoning.
• Previously not well understood, often dismissed
“It is an illusion to expect anything from intuition.” – Sigmund Freud
A Biological Basis for Intuition
Precuneus: 2.1x larger response
TED Talk: The Rise of Augmented Intelligence: https://www.youtube.com/watch?v=mKZCa_ejbfg
Modeling Memory
Using the Visuo-Spatial Sketchpad (VSSP)
• A primary component of working memory
• Allows for visual manipulation of objects
• Studies show that “intuition” is directly tied to use of the VSSP (via the precuneus)
Related VSSP Usage
“If you look deep enough you will see music” – Thomas Carlyle
Visually Investigating
• Draw a picture!
– It’s what your brain is doing anyway
– Whiteboards everywhere
• Visualize data appropriately
– Don’t use viz for the sake of viz (geo maps)
– Incident timelines
– Link graphs
– Identify relationships (nouns/verbs)
Thinking Visually - Breakfast
Thinking Visually - Breach
WM Capacity Limitations
• The capacity of WM is biologically limited
• WM capacity is set from birth
– Humans can remember 7 items, plus or minus 2
– Complexity of items matters
Hard to Remember                  | Easy to Remember
248.232.122.193                   | 6.5.4.3
sub29203.domain3789.com           | sub.domain.com
domain.com/me/?id=29381913        | domain.com/path/url.htm
a39e3d50ba4aeb134d95ae7aa4d6c578  | system32.dll
Diminishing WM Capacity Limitations
• Source monitoring
– Which IP was $suspicious_activity associated with?
– Was this file downloaded by $dropper or $attacker?
– Which case was $domain
• Chunking
– Grouping similar information
– Mapping to an existing schema
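The “link graph” and “nouns/verbs” advice from the Visually Investigating slide and the source-monitoring questions above can be offloaded from working memory into a small tool. The following is an added example written for this transcript, not code from the talk or its author: it records each observation as a (case, subject, verb, object) relationship over constructed sample events (RFC 5737 addresses, invented hostnames and case IDs), answers the source-monitoring questions by lookup, and emits Graphviz DOT so the relationships can be drawn rather than remembered.

```python
"""Link-graph helper for investigation notes (added example, not from the talk)."""
from collections import defaultdict

# Constructed sample events: (case, subject noun, verb, object noun).
# Addresses are RFC 5737 documentation ranges; names are invented.
SAMPLE_EVENTS = [
    ("CASE-1", "host-17", "beaconed_to", "203.0.113.45"),
    ("CASE-1", "203.0.113.45", "resolved_from", "sub29203.domain3789.com"),
    ("CASE-1", "dropper.exe", "downloaded", "stage2.dll"),
    ("CASE-2", "host-22", "beaconed_to", "198.51.100.7"),
    ("CASE-2", "198.51.100.7", "resolved_from", "cdn.example.net"),
]


class LinkGraph:
    """Entities are nouns, relationships are verbs; every edge remembers its case."""

    def __init__(self):
        self.edges = []                  # (case, subject, verb, object)
        self.cases = defaultdict(set)    # entity -> set of case IDs it appears in

    def add(self, case, subject, verb, obj):
        self.edges.append((case, subject, verb, obj))
        self.cases[subject].add(case)
        self.cases[obj].add(case)

    def related(self, entity):
        """Everything directly linked to `entity`, in either direction: (verb, other, case)."""
        out = []
        for case, s, v, o in self.edges:
            if s == entity:
                out.append((v, o, case))
            elif o == entity:
                out.append((v, s, case))
        return out

    def which_case(self, entity):
        """Source-monitoring query: which case(s) was this entity seen in?"""
        return sorted(self.cases.get(entity, ()))

    def who_did(self, verb, obj):
        """Source-monitoring query: which subject(s) performed `verb` on `obj`?"""
        return sorted({s for _, s, v, o in self.edges if v == verb and o == obj})

    def dot(self):
        """Render the graph as Graphviz DOT for the whiteboard or `dot -Tpng`."""
        lines = ["digraph investigation {"]
        for case, s, v, o in self.edges:
            lines.append(f'  "{s}" -> "{o}" [label="{v} ({case})"];')
        lines.append("}")
        return "\n".join(lines)


def build_graph(events=SAMPLE_EVENTS):
    graph = LinkGraph()
    for event in events:
        graph.add(*event)
    return graph
```

With `build_graph()`, `which_case("sub29203.domain3789.com")` returns `["CASE-1"]` and `who_did("downloaded", "stage2.dll")` returns `["dropper.exe"]`, which is exactly the lookup an analyst would otherwise hold in working memory.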
Schemas
Picture These Items
• Unrelated to schema: Stapler, Buffalo, Book, Foot, Flag
• Related to breakfast schema: Eggs, Bacon, Grits, Sausage, Coffee
Conclusion
• The biggest hurdle to overcome when investigating security incidents is our own cognitive limitations
• Metacognition can diminish these limitations
Thank You!
E-Mail: [email protected]
@chrissanders88
Blog: http://www.chrissanders.org
Foundation: http://www.ruraltechfund.org