By Chris O'Brien, Senior Director Intelligence
A former boss of mine used to say that “‘analysis’ isn’t a job title. It’s a skill. A thing that we all do as part of our jobs.” I came to my current role through a pretty non-standard route, but then again I don’t think there is a standard one. Analysis used to be the reserve of military or the government, or prefixed with some qualifying ‘vertical’ such as ‘financial’, ‘political’ or ‘business’ analyst.
Like most other job titles, ‘analysis’ was not really seen as a function until somebody stood up and said, “I do analysis as a full-time job” – at which point nobody around them could challenge it.
Back when I was running an incident handling team, we lived in such a world. Our team were not ‘Analysts’ (apparently). The Analysts (deliberate use of a capital ‘A’) were the elite – what they did was special and expert, the shamans of the cybersecurity team. The term was being misused, and my old boss (although perhaps with ulterior motives) was probably on to something.
Times have changed somewhat. Analysis, particularly in a CTI (cyber threat intelligence) context, now has a clearer definition. There is proven value in the work of talented individuals who spend valuable brain cycles tracking threats and understanding the tangled web of threat actors and how they relate (or not) to intrusion sets. In addition, we spend a great deal of time trying to understand the TTPs (tactics, techniques and procedures) employed, how they are grouped into campaigns, and all the way down the stack to detection capability.
In recent years we have seen this role evolve from the part-time activities of the more multi-talented security professionals into a discipline in its own right.
So how do we support these new analysts? Well, we can start by identifying the key activities that they conduct:
- Data management: I know, but this is super important. The age-old adage tells us “garbage in, garbage out” and this is so true with CTI analysis. Mastering the complex data structures that analysts build in their minds is by far the hardest challenge we have to face today – but it is so important. How quickly can you turn the ideas of your analysts into actionable defense in your network? To make analytical outputs truly valuable requires them to be structured and curated so they can be easily queried and understood; otherwise you are simply accruing technical debt that comes due when you need to use it.
- Provenance and semantic equivalence management: Another mention of ‘management’ in a list of analyst skills! But seriously, this is probably the most overlooked part. Knowing where all your data came from, understanding how it has been handled and what it says when compared to your own data is at the very core of what analysis is. Don’t wait until you are handling a security incident to ask the question: “But where did that decision come from?” At that point you are talking about a manual reverse engineering effort.
- Pivoting and visualization: The part that most people will associate with CTI analysis is that ‘Beautiful Mind’-style graph of nodes and edges that we all expect to see from our analysis tooling. Making assertions about data that lead to an obvious pivot to some new node is an important exercise for an analyst to practice. Visualization makes it stick, but there’s the catch: it works only if you have done the steps above first. If you start with a blank canvas each time (rather than with a view of the data you have managed, complemented by visualized provenance and semantic equivalence analysis), you can expect a lot of wasted analyst cycles and possibly divergent thought.
- Analysis of competing hypotheses (ACH): Don’t stop at pretty graphs. ACH is actually something that most good analysts do in their heads all the time, but the ability to record the decisions that analysts make in a balanced way – recognizing the evidence that supports and refutes certain trains of thought, and then tracking those hypotheses through time – is current best practice. Looping this back around to your data management, provenance and semantic equivalence management can mean that your intelligence starts to feed and water itself.
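As an added illustration (this is not code from the post or from the author's tooling), the following Python sketch puts the activities in the list above into one small working store: ingested observables are canonicalised so that semantically equivalent records from different feeds collapse to a single node, every record keeps its provenance (source, date, handling marking, confidence) so "where did that come from?" is a query rather than a reverse engineering effort, and an ACH matrix records each piece of evidence against every hypothesis with a date, so the leading hypothesis can be re-evaluated as of any point in time. The scoring follows Heuer's ACH rule of counting the evidence that is inconsistent with each hypothesis. All indicators, feed names, dates and hypotheses are constructed sample data.

```python
"""Added example: a minimal CTI working store covering data management,
provenance, semantic equivalence and an ACH matrix. Not from the original
post; every indicator, source and hypothesis below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


def normalise_observable(value: str, kind: str) -> str:
    """Refang and canonicalise so equivalent observables get one key."""
    v = value.strip().lower()
    v = v.replace("hxxp", "http")                         # refang scheme
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", v)   # defanged dots
    v = re.sub(r"\s+", "", v)
    if kind == "domain":
        v = re.sub(r"^[a-z]+://", "", v).split("/")[0]    # drop scheme and path
        v = v.rstrip(".")                                 # drop trailing root dot
    return v


@dataclass
class Provenance:
    source: str      # feed, report or internal IR case the record came from
    observed: str    # ISO date the source reported it
    handling: str    # e.g. TLP marking, kept so it can be queried later
    confidence: int  # 0-100 as stated by the source


@dataclass
class Node:
    key: str
    kind: str
    provenance: list[Provenance] = field(default_factory=list)


class IntelStore:
    """Structured store: every assertion keeps the record of where it came from."""

    def __init__(self) -> None:
        self.nodes: dict[str, Node] = {}

    def ingest(self, raw: str, kind: str, prov: Provenance) -> Node:
        key = normalise_observable(raw, kind)
        node = self.nodes.setdefault(key, Node(key=key, kind=kind))
        node.provenance.append(prov)   # merge, never overwrite, provenance
        return node

    def sources_for(self, raw: str, kind: str) -> list[str]:
        """Answer 'where did that come from?' directly from the store."""
        node = self.nodes.get(normalise_observable(raw, kind))
        return sorted({p.source for p in node.provenance}) if node else []


class ACHMatrix:
    """Each evidence item is rated against every hypothesis as consistent (+1),
    inconsistent (-1) or neutral (0). The hypotheses with the fewest
    inconsistencies lead; ratings keep their date so the view can be replayed."""

    def __init__(self, hypotheses: list[str]) -> None:
        self.hypotheses = hypotheses
        self.ratings: list[tuple[str, str, dict[str, int]]] = []

    def add_evidence(self, date: str, evidence: str, scores: dict[str, int]) -> None:
        unknown = set(scores) - set(self.hypotheses)
        if unknown:
            raise ValueError(f"unknown hypotheses: {sorted(unknown)}")
        self.ratings.append((date, evidence, scores))

    def inconsistency(self, as_of: str | None = None) -> dict[str, int]:
        """Refuting-evidence count per hypothesis, optionally as of a past date."""
        counts = {h: 0 for h in self.hypotheses}
        for date, _, scores in self.ratings:
            if as_of is not None and date > as_of:
                continue
            for h, s in scores.items():
                if s < 0:
                    counts[h] += 1
        return counts

    def leading(self, as_of: str | None = None) -> list[str]:
        counts = self.inconsistency(as_of)
        best = min(counts.values())
        return [h for h in self.hypotheses if counts[h] == best]


def demo() -> tuple[IntelStore, ACHMatrix]:
    store = IntelStore()
    # Constructed: the same domain arrives from two feeds in different notations.
    store.ingest("hxxp://update[.]example-cdn[.]net", "domain",
                 Provenance("vendor-feed-A", "2021-03-01", "TLP:AMBER", 70))
    store.ingest("UPDATE.EXAMPLE-CDN.NET.", "domain",
                 Provenance("internal-ir", "2021-03-04", "TLP:RED", 90))

    h1, h2, h3 = "H1: actor X campaign", "H2: commodity malware", "H3: red team"
    ach = ACHMatrix([h1, h2, h3])
    ach.add_evidence("2021-03-01", "domain listed in vendor report on actor X",
                     {h1: 1, h2: 0, h3: -1})
    ach.add_evidence("2021-03-04", "loader matches a widely sold crypter",
                     {h1: -1, h2: 1, h3: -1})
    ach.add_evidence("2021-03-10", "no red-team engagement on record",
                     {h1: 0, h2: 0, h3: -1})
    return store, ach


if __name__ == "__main__":
    s, a = demo()
    print(s.sources_for("update[.]example-cdn[.]net", "domain"))
    print(a.leading("2021-03-02"), a.leading())
```

Running the demo shows the two feed records merged into one node with both sources retained, and the ACH view moving from a tie between H1 and H2 on 2 March to H2 alone once the later evidence is recorded; that replay by date is what lets an analyst show how and when a judgement changed.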
You want blockchain? Sure. Machine Learning? Of course. But let’s get the basics right first.
Core technologies that allow you to manage data, provenance and the functions of analysis are foundational – but often overlooked. I’ve seen highly sophisticated analysis techniques conducted using pivot tables in spreadsheets. It was slow, clunky and quite manual but it still implemented the very core functions that make analysis a tradecraft rather than a pseudo-science/art-form.