Know what information can be obtained from typical technical sources such as WHOIS, DNS, malware analysis, social media, document metadata etc.
1. Technical sources
When an attack occurs, it leaves traces that allow analysts to investigate the available information from technical resources. These resources include network and infrastructure data, digital forensics, malware analysis, social media, and the dark web. By examining evidence from WHOIS records, DNS data, IP addresses, and network traffic analysis, analysts can map out an adversary’s infrastructure and uncover hidden relationships. Digital forensics helps reconstruct attack timelines and recover crucial evidence, while malware analysis reveals the functionality and origin of malicious software. Insights from social media and the dark web can further expose threat actor behaviours, tactics, and evolving strategies. Together, these technical sources provide a comprehensive view of the threat landscape, enabling organisations to anticipate, respond to, and mitigate cyber threats more effectively.
Understand the format of data and be able to interpret it accurately
2. Data Format
Using data effectively requires familiarity with the different data formats in circulation, as each has its own uses and challenges:
- Standard Formats: Using standardised formats such as STIX (Standard Threat Information Expression language) enhances the efficacy of information sharing and surpasses the capabilities of traditional written reports, especially when managing voluminous datasets. However, adherence to a standard format necessitates a comprehensive understanding of its fields and components. Transitions between standards, such as from STIX to OpenIOC, may result in the inadvertent loss or unintended inclusion of data fields, which underscores the need for meticulous attention during data conversion processes.
- Machine-readable Formats: In the domain of automated processing, it is essential to provide data in a structured, machine-readable format such as JSON, XML, or CSV. These formats facilitate the swift and accurate handling of data by computational systems, thus ensuring efficiency and precision.
- Simple and Flexible Formats: Using simple and flexible formats that support database auto-population proves advantageous for effective data management. This approach is particularly beneficial in contexts involving extensive datasets where manual data entry is not only impractical but also prone to errors.
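The field loss described above for conversions between standards, shown as an added example that is not part of the original text: a constructed STIX 2.1 indicator bundle is flattened to a hypothetical CSV export that only has columns for a subset of fields, and a second function reports which fields each indicator loses in the process.

```python
import csv
import io
import json

# Constructed sample STIX 2.1 bundle (not from the page): one indicator carrying
# fields such as valid_until and confidence that a flat CSV export has no column for.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2024-01-10T09:00:00.000Z",
            "modified": "2024-01-12T09:00:00.000Z",
            "name": "Constructed C2 domain",
            "pattern": "[domain-name:value = 'example.invalid']",
            "pattern_type": "stix",
            "valid_from": "2024-01-10T09:00:00Z",
            "valid_until": "2024-03-10T09:00:00Z",
            "confidence": 60,
            "labels": ["malicious-activity"],
        }
    ],
})

# Columns of the hypothetical flat export; anything not listed here is dropped.
CSV_COLUMNS = ["id", "pattern", "valid_from", "labels"]

def indicators(bundle_json):
    """Return the indicator objects from a STIX bundle."""
    bundle = json.loads(bundle_json)
    return [o for o in bundle["objects"] if o.get("type") == "indicator"]

def to_csv(bundle_json):
    """Flatten indicators to CSV rows; list-valued fields are joined with '|'."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_COLUMNS)
    writer.writeheader()
    for ind in indicators(bundle_json):
        row = {c: ind.get(c, "") for c in CSV_COLUMNS}
        row["labels"] = "|".join(ind.get("labels", []))
        writer.writerow(row)
    return out.getvalue()

def dropped_fields(bundle_json):
    """Report, per indicator id, the fields that the CSV conversion discards."""
    return {ind["id"]: sorted(set(ind) - set(CSV_COLUMNS))
            for ind in indicators(bundle_json)}
```

Running dropped_fields before shipping a converted feed makes the loss of expiry and confidence fields visible instead of silent.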
3. Data Interpretation
The interpretation of data requires an understanding of the context and quality of the information obtained:
- Contextual Awareness: Accurate data interpretation relies on the contextual knowledge that surrounds the data. This includes, but is not limited to, the source of the data, the timing of its collection, and pertinent background information. For instance, data derived from a honeypot configured to detect brute-force attacks is far more contextualised and, hence, more valuable than data whose origins are less specifically defined.
- Data Quality: The integrity of data is essential. Any deficiency in attributes such as completeness, accuracy, relevance, and timeliness (CART) can render threat intelligence less effective and potentially lead to squandered resources.
- Source Reliability: The credibility of the source is critical to establishing the trustworthiness of the data. The 5x5x5 system, prevalent in UK policing, and the Admiralty Code/NATO System provide standardised frameworks for assessing the reliability of sources and the confidence in the information provided. Look to C4. Source Reliability and Grading to learn more.
- Corroboration: To ensure the accuracy and reliability of information, corroboration with additional sources is advisable. It is crucial to distinguish between multiple reports that emanate from a single source and true corroboration, which involves validation by disparate sources.
- Cognitive Biases: Awareness of cognitive biases is essential in data interpretation. Over-reliance on established mental models can skew analysis, leading to biased outcomes. Employing analytical techniques such as the Analysis of Competing Hypotheses (ACH) and the devil’s advocate technique can mitigate these biases effectively.
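The source reliability and corroboration points above, as an added example that is not part of the original text: constructed reports carry Admiralty-style grades (reliability letter, credibility digit) and a hypothetical derived_from link recording which earlier report a source re-published. Counting independent originating sources rather than raw report numbers separates genuine corroboration from a single source echoed several times.

```python
from collections import defaultdict

# Constructed sample reports (not from the page). Three reports name ioc-1, but
# r2 and r3 merely re-publish r1, so only one originating source stands behind it.
REPORTS = [
    {"id": "r1", "source": "vendor-A", "reliability": "B", "credibility": "2",
     "claim": "ioc-1", "derived_from": None},
    {"id": "r2", "source": "blog-X", "reliability": "C", "credibility": "3",
     "claim": "ioc-1", "derived_from": "r1"},
    {"id": "r3", "source": "feed-Y", "reliability": "C", "credibility": "3",
     "claim": "ioc-1", "derived_from": "r2"},
    {"id": "r4", "source": "honeypot-own", "reliability": "A", "credibility": "1",
     "claim": "ioc-2", "derived_from": None},
    {"id": "r5", "source": "vendor-A", "reliability": "B", "credibility": "2",
     "claim": "ioc-2", "derived_from": None},
]

def root_source(report, by_id):
    """Follow derived_from links back to the originating source (cycle-safe)."""
    seen = set()
    while report["derived_from"] is not None and report["id"] not in seen:
        seen.add(report["id"])
        report = by_id[report["derived_from"]]
    return report["source"]

def corroboration(reports):
    """Per claim: (number of reports, number of independent originating sources)."""
    by_id = {r["id"]: r for r in reports}
    stats = defaultdict(lambda: {"reports": 0, "sources": set()})
    for r in reports:
        stats[r["claim"]]["reports"] += 1
        stats[r["claim"]]["sources"].add(root_source(r, by_id))
    return {claim: (s["reports"], len(s["sources"])) for claim, s in stats.items()}

def best_grade(reports, claim):
    """Strongest Admiralty grade for a claim; 'A1' is best, so the minimum tuple wins."""
    grades = [(r["reliability"], r["credibility"])
              for r in reports if r["claim"] == claim]
    return "".join(min(grades))
```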
4. Data Use
The application of data must be clear, concise, and purpose-driven to ensure its actionability:
- Actionability: Data should be presented in a manner that is straightforward, succinct, and readily actionable. This often involves translating technical data into business terms to facilitate comprehension among non-technical stakeholders.
- Purposeful Presentation: It is vital to present information in a manner tailored to the specific needs of the audience, avoiding the pitfalls of overloading them with excessive data or overly complex information. For instance, executive summaries should be succinct and free of technical jargon.
- Data Visualisation: Visual aids such as charts, graphs, and other illustrative tools can significantly enhance the comprehensibility of large datasets, making complex data more accessible and understandable.
While technology is indispensable in data analysis, the role of human analysts in interpreting results, contextualising data, and making informed decisions is irreplaceable. Comprehensive training to understand data formats, evaluate source reliability, recognise biases, and communicate effectively is crucial for precise data interpretation and informed decision-making in cybersecurity.