EclecticIQ
Are you giving your analysts the right tools?

Chris O'Brien April 9, 2019

By Chris O'Brien, Senior Director Intelligence

A former boss of mine used to say that “‘analysis’ isn’t a job title. It’s a skill. A thing that we all do as part of our jobs.” I came to my current role through a pretty non-standard route, but then again I don’t think there is a standard one. Analysis used to be the reserve of military or the government, or prefixed with some qualifying ‘vertical’ such as ‘financial’, ‘political’ or ‘business’ analyst.

Like most other job titles, ‘analysis’ was not really seen as a function until somebody would stand up and say, “I do analysis as a full-time job” – then nobody around them could challenge them.

Back when I was running an incident handling team, we lived in such a world. Our team were not ‘Analysts’ (apparently). The Analysts (deliberate use of a capital ‘A’) were the elite – what they did was special and expert, the shaman of the cybersecurity team. The term was being misused and my old boss (although perhaps with ulterior motives) was probably on to something.

Times have changed somewhat. Analysis, particularly in a CTI (cyber threat intelligence) context, now has a clearer definition. There is proven value in the work of talented individuals who spend valuable brain cycles tracking threats and understanding the tangled web of threat actors and how they relate (or not) to intrusion sets. In addition, we spend a great deal of time trying to understand the TTPs (tactics, techniques and procedures) employed, how they are grouped into campaigns, and so on all the way down the stack to detection capability.

In recent years we have seen this role evolve from the part-time activities of the more multi-talented security professionals into a discipline in its own right.

So how do we support these new analysts? Well, we can start by identifying the key activities that they conduct:

  • Data management: I know, but this is super important. The age-old adage tells us “garbage in, garbage out” and this is so true with CTI analysis. Mastering the complex data structures that analysts build in their minds is by far the hardest challenge we have to face today – but it is so important. How quickly can you turn the ideas of your analysts into actionable defense in your network? To make analytical outputs truly valuable requires them to be structured and curated so they can be easily queried and understood; otherwise you are simply accruing technical debt for when you need to use it.
  • Provenance and semantic equivalence management: Another mention of ‘management’ in a list of analyst skills! But seriously, this is probably the most overlooked part. Knowing where all your data came from, understanding how it has been handled and what it says when compared to your own data is at the very core of what analysis is. Don’t wait until you are handling a security incident to ask the question: “But where did that decision come from?” At that point you are talking about a manual reverse engineering effort.
  • Pivoting and visualization: The part that most people will associate with CTI analysis is that ‘Beautiful Mind’-style graph of nodes and edges that we all expect to see from our analysis tooling. Making assertions about data that leads to an obvious pivot to some new node is an important exercise for an analyst to practice. Visualization makes it stick but there’s the catch: It works only if you have done the steps above first. If you start with a blank canvas each time (rather than with a view of the data you have managed, complemented by visualized provenance and semantic equivalence analysis), you can expect a lot of wasted analyst cycles and possibly divergent thought.
  • Analysis of competing hypotheses (ACH): Don’t stop at pretty graphs. ACH is actually something that most good analysts do in their heads all the time, but the ability to record the decisions that analysts make in a balanced way – recognizing the evidence that supports and refutes certain trains of thought and then tracking those hypotheses through time – is current best practice. Looping this back around to your data management, provenance and semantic equivalence management can mean that your intelligence starts to feed and water itself.
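A minimal working model of the four functions just listed (curated records, provenance, semantic equivalence and an ACH matrix that can be replayed through time), as an added example that is not EclecticIQ's code or tooling; every feed name, hypothesis and indicator in it is constructed.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    value: str   # indicator exactly as the source gave it
    kind: str    # "domain" or "ipv4"
    source: str  # provenance: which feed or sensor reported it
    seen: str    # provenance: when it was reported (ISO date)
def normalise(value, kind):
    # Semantic equivalence: different spellings of one entity map to one key.
    v = value.strip().lower()
    if kind == "domain":
        v = v.rstrip(".")  # "Evil.Example." and "evil.example" are one domain
    return f"{kind}:{v}"
def merge(observations):
    # Data management: one curated record per entity, every source retained.
    store = {}
    for obs in observations:
        key = normalise(obs.value, obs.kind)
        rec = store.setdefault(key, {"sources": set(), "first_seen": obs.seen})
        rec["sources"].add(obs.source)
        rec["first_seen"] = min(rec["first_seen"], obs.seen)
    return store
def ach_scores(hypotheses, evidence, as_of=None):
    # ACH matrix: evidence items are (description, source, seen, {hyp: -1/0/+1}).
    # Every verdict keeps the sources behind it; as_of replays the matrix as it
    # stood on that date, so a hypothesis can be tracked through time.
    scores = {h: {"refutes": 0, "supports": 0, "sources": set()} for h in hypotheses}
    for _desc, source, seen, ratings in evidence:
        if as_of is not None and seen > as_of:
            continue
        for h, r in ratings.items():
            if r:
                scores[h]["refutes" if r < 0 else "supports"] += 1
                scores[h]["sources"].add(source)
    return scores
def least_refuted(scores):
    # Classic ACH reading: the hypotheses with the fewest refutations survive.
    low = min(s["refutes"] for s in scores.values())
    return sorted(h for h, s in scores.items() if s["refutes"] == low)

# Constructed sample data, not real indicators or reporting.
OBSERVATIONS = [Observation("Evil.Example.", "domain", "vendor-feed-A", "2019-03-02"),
                Observation("evil.example", "domain", "internal-sensor", "2019-02-27"),
                Observation("198.51.100.7", "ipv4", "vendor-feed-A", "2019-03-01")]
HYPOTHESES = ["H1", "H2"]  # H1: known actor X; H2: commodity crimeware
EVIDENCE = [("loader only seen in actor X reporting", "vendor-feed-A", "2019-02-28", {"H1": 1, "H2": -1}),
            ("C2 reuses a rented crimeware kit", "internal-sensor", "2019-03-01", {"H1": -1, "H2": 1}),
            ("victims match actor X's sector focus", "analyst-note", "2019-03-05", {"H1": 1, "H2": -1})]
```

Replaying the matrix with `as_of="2019-03-01"` leaves both hypotheses tied on refutations; only the later analyst note separates them, and every verdict carries the sources it rests on.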

You want blockchain? Sure. Machine Learning? Of course. But let’s get the basics right first.

Core technologies that allow you to manage data, provenance and the functions of analysis are foundational – but often overlooked. I’ve seen highly sophisticated analysis techniques conducted using pivot tables in spreadsheets. It was slow, clunky and quite manual but it still implemented the very core functions that make analysis a tradecraft rather than a pseudo-science/art-form.

We hope you enjoyed this post. Subscribe to our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.

© 2014 – 2021 EclecticIQ B.V.